Netgate Discussion Forum

    2 Wan Subnets on same gateway

      Scott9069

      Hello everyone,

      Have a weird issue I can't seem to resolve or find any help with by searching.  I'm on pfSense 2.3.2 latest.  My ISP gave me a /30 to start with.  I have that working fine.  I just requested a /28 and received that.  However, the /28 is being statically routed by the ISP to my /30 IP.  Did not think this would be an issue but I can't seem to get anything on the /28 to pass traffic to pfSense.  I have set up a wide open 1:1 NAT for a server in my LAN and I don't even see anything in the firewall rules that show it's being attempted.  But if I packet capture I can see it is trying.

      ANY help at all would be great..  here is what I have tried so far.

      VIP on 2 different IPs in the /28 (not the first or last); have tried both Alias and Proxy ARP
      Setup 1:1 Nat on WAN int to the internal IP.
      Firewall rule allowing ALL to pass to the internal Lan address.

      I have also tried a simple port forward and still nothing in the logs..

      I am guessing there is something I am missing due to the ISP static routing the new subnet to the /30 IP.  I am just at a loss right now what it might be..

      Anyone have any ideas??

      Thanks
      Scott

        Harvy66

        I have zero background in this, but you don't route to an IP, you route to a Layer 2 device. In this case, the IP packet will contain the MAC address of your WAN interface, which so happens to have two subnets assigned, and the IP address of the Destination IP. The Destination IP should never change except when going through a NAT.

        I guess I'm not quite sure what you mean by "the /28 is being statically routed by the ISP to my /30 IP"

          johnpoz LAYER 8 Global Moderator

          If they routed the /28 to you then you can put the /28 behind pfsense and you don't need to nat, only firewall.  You would not setup a 1:1 nat in such a scenario..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            Scott9069

            "If they routed the /28 to you then you can put the /28 behind pfsense and you don't need to nat, only firewall.  You would not setup a 1:1 nat in such a scenario.."

            Johnpoz,

            Thanks for the reply..  I am not sure what you mean "behind pfsense"  Behind like the LAN??

            Thanks
            Scott

              johnpoz LAYER 8 Global Moderator

              Yes, behind like any other subnet that is not a WAN. Traffic would route and be firewalled through pfSense but not NATted.  If you still want to NAT that, you could create those IPs as VIPs on the WAN interface they are routed to and NAT them that way.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.