Netgate Discussion Forum

Running pfsense with the WAN and LAN subnets being the same? [Solved]

  • A
    Anony_Moose
    last edited by Oct 23, 2017, 3:10 PM Oct 23, 2017, 1:37 PM

    Hey guys,

    I'm working on a project where I need to virtualize an entire subnet; unfortunately, the hardware I'm working on is also in that subnet. My current config is as follows:

    WAN -> 10.162.150.138/24
    LAN -> 10.162.150.2/24

    I can't access the web interface from a machine connected to the LAN device on my pfsense box. I would assume this is due to NAT, so is there any way to make this work without having to change the entire subnet scope?

    Thanks!

    I'm not exactly sure what I'm doing here.

    • J
      JKnott
      last edited by Oct 23, 2017, 1:47 PM

      With a router, you cannot have the same network addresses on both sides.  If both interfaces are on the same network, pfSense does not know which way to forward the packets.  Try disconnecting the WAN connection and then accessing pfSense.  If it works, that was the problem.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • A
        Anony_Moose
        last edited by Oct 23, 2017, 2:15 PM

        @JKnott:

        With a router, you cannot have the same network addresses on both sides.  If both interfaces are on the same network, pfSense does not know which way to forward the packets.  Try disconnecting the WAN connection and then accessing pfSense.  If it works, that was the problem.

        I know. My question was more along the lines of is there a way to do this, aside from having to change my upstream network?

        I'm not exactly sure what I'm doing here.

        • A
          Anony_Moose
          last edited by Oct 23, 2017, 3:09 PM

          Update:

          I figured out how to do this in a sort of hacky way. Use two PFsense VMs.

          PF-R1
          WAN -> 10.162.150.2
          LAN -> 10.162.155.1

          (Connected via a VMNetX3 10GBe software link)

          PF-R2
          WAN -> 10.162.155.2
          LAN -> 10.162.150.1

          This allows the clients behind the second router to access the internet, as well as contact both routers in front of them.

          Now on to my real reason for doing this, Squid Proxy!  :o

          I'm not exactly sure what I'm doing here.

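Added example (not from the thread or from pfSense itself): a small model of connected routes that shows why JKnott's point holds for the original single-box config, checks that each VM in the two-router design above has non-overlapping interfaces, and exposes one caveat of that design. Interface names, the two configs and the `10.162.150.138` upstream address are taken from the thread; the helper names are my own.

```python
from ipaddress import ip_address, ip_interface
from itertools import combinations

def overlapping_interfaces(ifaces):
    """Return pairs of interface names whose connected subnets overlap.

    ifaces maps interface name -> "address/prefix". A router installs one
    connected route per interface, so two interfaces on the same prefix leave
    it with two equally specific routes and no way to choose an egress.
    """
    nets = {name: ip_interface(addr).network for name, addr in ifaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )

def egress_for(ifaces, dst):
    """Interfaces whose connected route is the best match for dst.

    Only connected routes are modelled; a default route would take anything
    not returned here. Two or more names means forwarding is ambiguous.
    """
    d = ip_address(dst)
    hits = [(ip_interface(a).network.prefixlen, n)
            for n, a in ifaces.items() if d in ip_interface(a).network]
    if not hits:
        return []
    best = max(plen for plen, _ in hits)
    return sorted(n for plen, n in hits if plen == best)

def check_routers(routers):
    """Report every router in a design whose own interfaces share a subnet."""
    return [f"{r}: {a} and {b} share a subnet"
            for r, ifaces in routers.items()
            for a, b in overlapping_interfaces(ifaces)]

# Constructed from the thread: the single-box config that failed ...
ORIGINAL = {"WAN": "10.162.150.138/24", "LAN": "10.162.150.2/24"}
# ... and the two-VM design with 10.162.155.0/24 as the transit network.
TWO_ROUTER = {
    "PF-R1": {"WAN": "10.162.150.2/24", "LAN": "10.162.155.1/24"},
    "PF-R2": {"WAN": "10.162.155.2/24", "LAN": "10.162.150.1/24"},
}

if __name__ == "__main__":
    print(overlapping_interfaces(ORIGINAL))        # [('LAN', 'WAN')]
    print(egress_for(ORIGINAL, "10.162.150.50"))   # ['LAN', 'WAN'] -> ambiguous
    print(check_routers(TWO_ROUTER))               # [] -> each VM is consistent
    # Caveat: PF-R2 treats every 10.162.150.x address as local, so a lab
    # client cannot reach an upstream host that also lives in 10.162.150.0/24.
    print(egress_for(TWO_ROUTER["PF-R2"], "10.162.150.138"))  # ['LAN']
```

The last call shows the limitation of the double-NAT workaround: hosts on the real upstream 10.162.150.0/24 are unreachable from the lab, because PF-R2 delivers them locally instead of forwarding them out its WAN.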
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Oct 23, 2017, 3:22 PM

            That makes ZERO sense to do something like that..  I mean really!!!

            But I will bite - what does squid proxy have to do with it?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • A
              Anony_Moose
              last edited by Oct 23, 2017, 4:32 PM

              @johnpoz:

              That makes ZERO sense to do something like that..  I mean really!!!

              But I will bite - what does squid proxy have to do with it?

              So I work in an education environment, and we have one lab for our Comp. Sci. kids. This lab uses its own subnet (10.162.150.0/24), just to make sure they don't get any ideas and try to mess with the other devices on the network. I'm currently going through and rebuilding a large portion of it to meet our new guidelines, and after I applied our new Fortigate firewall to that subnet, their video learning stuff basically died. I can't put them back on the old firewall for political reasons, so I need to be able to cache all of their video learning content. I'm not going to rebuild an entire lab to change an IP, and I can't put the pfsense box outside of their stack for, again, political reasons, so I needed a way to maintain their subnet but get a pfsense box in as a router to use squid.

              Being such, I did the double route that I posted about above. I'll be testing to see how much of a performance hit I get, but they're virtualized on an R430 with 128 GB of RAM and 64 cores. I'll be giving it a passed-through network card eventually, so as to take that processing off of the CPU. The plan is to give them 4x1Gb uplinks, bond them as one WAN, and then use a VMnet to connect to their servers, and a 2x1Gb card to a switch for their physical uplinks (e.g. client PCs).

              Honestly if there's a better way to do this I'd love to know.

              I'm not exactly sure what I'm doing here.

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Oct 23, 2017, 6:55 PM

                Still not getting why you're stuck with this 10.162.150/24 address space?  Where is the proxy in that info you just posted?

                "just to make sure they don't get any ideas and try to mess with the other devices on the network"

                So you locked down this network to not mess with other network stuff - ok… But they need access to some video learning stuff?  Ok allow that on your firewall then..  What does double natting them to put their end device on the 10.162.150 get you??

                Can you draw out this network?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • A
                  Anony_Moose
                  last edited by Oct 24, 2017, 1:08 PM

                  https://imgur.com/a/rQlCP

                  It's really due to the fact that they have existing servers and clients with set IPs. It's not that their video learning doesn't work, it's that our district approved firewall rules currently limit per client bandwidth to less than what is required. I don't really have a way to change these guidelines.

                  I'm not trying to double nat them just for the IP space, I need squid cache more than anything.

                  I'm not exactly sure what I'm doing here.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Oct 24, 2017, 1:29 PM Oct 24, 2017, 1:24 PM

                    Where in that drawing does it show that your clients need this 10.162.150/24??

                    Makes no sense that the client needs to be on this space… If you put your devices behind pfsense and its WAN is 10.162.150.x, then all clients behind would be natted to this IP... They can be on any network you want them to be on that they don't need to get to..

                    For example if there is some network out there like 10.100.42/24 that they need to get to - then you wouldn't put them on 10.100.42..

                    You can make your clients any 10 address or 192.168 or 172.16-31 network... As long as they do not need to get to this address space... This is what IPAM is all about when dealing with rfc1918 space..  Are you saying that there is no rfc1918 address space that you can use that they do not need to get to.. ALL of rfc1918 space is in use?  And they need to get there?

                    If it really came down to it - you could grab public space that they more than likely would never need to get to.. Say 6.x which is owned by the DOD and like impossible that they would need to get there..  This is frowned upon.. But it would work.. And would be much cleaner than your double nat with VM idea..  Clearly your clients don't need to get to this 10.162.155 network that you're using as your transit network... So why not just put the clients directly on that network and nat them to your 10.162.150 network that the firewall allows already.

                    The CORRECT solution would be to get with who manages the IP space, have them assign you a transit network to use to connect to the firewall and what networks you can run behind the transit so you don't have to nat, etc.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • A
                      Anony_Moose
                      last edited by Oct 24, 2017, 2:03 PM

                      The reason the clients need the 10.162.150.0/24 space is because that's the existing space. I need to be able to do this without disrupting their existing infrastructure. That's why I need to be able to use that space.

                      I'm not exactly sure what I'm doing here.

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Oct 24, 2017, 2:49 PM

                        So what?  You're clearly going to be disrupting the current setup if you put them all behind a single nat IP.  The only reason it would make sense to need them to be on the same network is if all the devices were set to IPs on that space static on the device.

                        Or they had some software that was licensed to a specific IP, etc.

                        If you need your devices on this specific network and you want to put pfsense in front of them for firewall rules - then run it as a transparent firewall.. Easy Peasy Lemon Squeezy vs all this nonsense of 2 vms and double natting, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • A
                          Anony_Moose
                          last edited by Oct 24, 2017, 3:17 PM

                          @johnpoz:

                          ….Or they had some software that was licensed to a specific IP, etc....

                          Bingo.

                          I'm not exactly sure what I'm doing here.

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Oct 24, 2017, 3:38 PM

                            Well why didn't you say that from the get go?

                            The correct solution then is to just use pfsense as transparent firewall.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.