Best practice with multiple subnets on WAN

  • Rebel Alliance Moderator


    a customer installation got additional IP ranges (/28s and /29) for their setup. Problem is, the ISP won't route them to their already existent /29 subnet but configured it by using the first IP as their GW address. As WAN and default GW are now on the first /29, how can we best catch those additional subnets/IPs and route them back via their own gateway?


  • LAYER 8 Netgate

    Get a new ISP. They're the ones who need to take a look at whatever "best practices" are in play here.

    You are asking for ugly, hacky workarounds, not best practice (which would be the new subnet routed to an existing address on the /29).

    You might be able to get away with Proxy ARP VIPs on WAN as long as the existing gateway IP address will accept traffic sourced from those addresses. I can't think of anything that will work other than another physical interface on the same layer 2 to them set up as multi-wan if the current gateway will not accept the traffic. Maybe someone else knows.

    You might even be able to create an inside interface using the /28 and, coupled with the proxy ARP VIPs it might work there.

  • LAYER 8 Global Moderator

    so let me get this right..

    So you had a /29, lets call it

    Where lets say is the ISP an your gateway.  And you have the rest of the 29 to use.

    They then added non adjacent /28 and another /29..  but instead of routing this to your say address they just created these layer 3 networks on the same layer 2 your is on??

    Yeah with Derelict here - Get a new ISP ;)  That is not how you would best practice do it, that is not how it should ever be done.. If they can not just increase your first /29 with adjacent space and give you say a /27 to give you the IPs you wanted then they should route your new networks to your existing network.  So the you can do whatever you want with them.

  • I've the same situation on a pfSense, two /29 and one /28, non adjacent and not routed. Each subnet has its gateway.
    Each unique utilizable address of the ranges is added as VIP to the WAN interface and there is only one upstream gateway set in pfSense and any response is routed to it.

    Why want you route packets back to the proper subnet gateway while they are also accepted by the first GW?

Log in to reply