Adding route for different subnet on same physical interface

  • How can I add a route in the pfSense that will allow it to access 2 different subnets on the same physical interface. I am connected to an ONT which has the IP address The ONT is doing Layer 3 tunneling to connect me to the network So I have assigned the address to the WAN interface with gateway But it complaints of no route to the destination network.

    I have explored the route command but nowhere it allows me to specify the route that does not have a nexthop on reachable subnet. e.g. I simply wanted to add the route

    route add -host re0

    but the route command for FreeBSD tried to manipulate re0 as symbolic host name for the nexthop host. My problem is that I do not have a next hop host. If I issue the command:

    route add -net

    ping fails with TTL expiry.

    I have tried giving alias IP to the WAN interface from 192.168.50.x address, but does not work. The setup for ONT is such that all packets going to will be tunneled to the far end, so the source address for these packets must be, otherwise the far end rejects these packets.

    I did try putting in the static ARP entry for in the table from another address in the, but all in vain :(.

    I will appreciate any help in this regard.


  • How can I add a route in the pfSense that will allow it to access 2 different subnets on the same physical interface. I am connected to an ONT which has the IP address The ONT is doing Layer 3 tunneling to connect me to the network So I have assigned the address to the WAN interface with gateway But it complaints of no route to the destination network.

    This doesnt make much sense.

    After your description:

    [WAN] (
      [LAN] (
        |–----ONT([other_side_of_tunnel] (
    clients (192.168.50.x/24)

    Could you fill in the correct IP's of what you have where since this can obviously never work.

    Basically you go in the webinterface to "System" –> "static routes"
    And add a static route.,7001.0.html

    Static Routes:
    The dropdown for the interface defines on which interface the gateway for the remote subnet is reachable.
    NOT that on the selected interface is the static route applied on inbound traffic.

    So the rule you would need looks like:
    Interface: LAN
    Network: 202.143.42.x/??  (or whatever subnet you have on the other side of the tunnel)
    Gateway:  (IP of the ONT)

  • My apologies for missing out the network diagram in the first post. Below is a detailed one to explain the scenario that I have:

    [Remote ONT]
    [Local ONT]
    WAN =
    LAN =

    The WAN connection is actually a Layer 3 tunnel through ONT. On the WAN interface of pfSense, the default gateway is, because all the traffic which comes to WAN interface must be forwarded to the local ONT, which will tunnel it, send it to the remote ONT where it gets unwrapped and is sent over the intranet of the ISP and eventually to the internet. This is the setup that my ISP has given me.

    I have used this setup successfully over Windows, by giving the interface connected to the Local ONT following configuration:

    IP :
    Netmask :
    Gateway :

    Though Windows complaints of having the gateway on the different subnet, but probably it automatically adds route for it in the background, because this configuration works perfectly fine. Though I have not tried, but I think the following command on Linux should also have worked:

    route add -net re0

    which effectively means that the network is also reachable on the re0 interface, so the gateway is accessible. However, in pfSense, either using the Static Route tab or using Shell, the command route does not work in this syntax. It requires that after the host or network, the default gateway for the next hop MUST be provided. In my case, there is no next hop, in fact same network is accessible on the physical interface on which the WAN network is available.

    I am using pfSense 1.2 on Xeon server.

  • I'm not sure if i undestood how exactly this ONT works, But what i would try:

    1: Set the WAN IP to, default gateway
    2: Add a VIP of to the WAN.

  • I tried this configuration but it did not work. Sniffing on the network showed that the outgoing requests from the WAN interface are going with source IP set to, which is the incorrect source IP.

    The packets must be sent with source IP set to, otherwise these get rejected after getting unwrapped at the far end ONT. The sequence is below:

    1. LAN packet IP =
    2. WAN packet IP (using NAT) =
    3. Local ONT Tunnel packet IP (after wrapping) =
    3. Remote ONT Tunnel packet IP (before unwrapping) =
    3. Remote Network Packet IP (after unwrapping) =

    So is being used only for tunneling. The actual IPs are The 2 solutions that I have in mind are:

    1. Use another machine with dual NIC which can route from network to network.

    2. Use network on the 3rd NIC on pfSense machine.

    Right now I hope I can avoid both of these solutions  by using either Virtual IP, Static Route, VLAN or combination of all and more.

  • If you want that the traffic additionally appears to come from the VIP you have to enable "Advanced Outbound NAT" (firewall–>NAT-->outbound).

    Basically leave the existing rule
    interface: WAN,
    source: your_lan_subnet
    souce-port, destination, destination-port: any
    -->Set your VIP as NAT-Address
    NAT-port: any
    static-port: yes (or no, doesnt matter)

  • Works like a charm :). Thanks a lot for your help.

    I also want to setup a failover using dual-wan. Since my other internet connection is a PPPoE, so I am using a router after pfSense, which actually makes the internet connection using PPPoE whereas the pfSense sees it as normal internet.

    I have made the settings according to MultiWAN guide v1.2. Have also added Outbound NAT rule for the OPT1 interface too, since I need to use Advanced Outbound NAT. However, when I unplug the WAN cable, I assume that the internet traffic would automatically be shifted to the OPT1 interface, but it does not appear to be doing so. The Load Balancer status shows correctly that the WAN is down but OPT1 is up. But still the traffic from LAN does not get routed.

    At this time, however if I plug in the WAN cable again, the traffic starts to get routed properly through WAN, as the Load Balance detects that WAN is now up again.

    Any hints to what may be wrong, as it appears from the forum that many people have been able to use failover with dual -WAN successfully using the guide. Can this be because of the advanced outbound NAT?


  • Did you create static routes for the DNS to the second WAN?

  • I will try that out today. I am actually using same DNS servers for both the connections, but gateways for both ISPs are different. If I add a route to the DNS server for WAN2, wouldn't it disturb the original route to WAN1?

    Actually when I take WAN1 cable out, I can not even ping DNS server through pfSense, which in my opinion should have automatically shifted WAN2.


    pfSense itself only uses the routing table definitions.
    Since the DNS forwarder runs on pfSense, pfSense can not loadbalance the DNS.

    –> You need to create a static route for at least one DNS-server to the gateway of the second WAN.

  • Thanks, the settings that you have mentioned do work. But I am now having another problem with my setup.

    The VIP (ProxARP) that I have defined can not be pinged on the WAN interface. This is the real IP which hosts services, or forwards the ports to LAN machines. I have even lowered the firewall on the WAN but to no success.

    Another requirement is that the WAN VIP should can also be pinged on the switch to which the WAN is connected. I have a few VoIP gateways connected to the same subnet as that of VIP and use VIP as the default gateway address. But none of the VoIP gateways can ping the VIP of the WAN.

    Browsing through the forums, I found out that both ProxyARP and Other VIP can not be pinged from the WAN. The CARP VIP can be pinged, but the problem is that CARP VIP can only be defined on the interface which has the same subnet. In my case, the subnet for the virtual IP and the interface IP are different.

    Is there some other configuration that can be tried which would allow me to have my VIP globally accessible?


  • Just because you cannot ping it doesnt mean it doesnt work.
    Why do you need to ping it?

    The port-forwards from the VIP should still work.

  • Because the VoIP gateways are using the VIP of the WAN interface as their default gateways. The VoIP gateways are connected to the same switch as that of WAN interface. When I sniff the traffic, I only find broadcast ARP requests from VoIP gateways for the MAC address of the VIP interface, but the VIP interface does not reply back.

    Unfortunately there is no option of setting a static ARP entry in the VoIP gateway, otherwise I could have tried that.

Log in to reply