Netgate Discussion Forum

    Reaching the limits of PAT, scaling up with more WAN IP's? (using ProxyARP&VIP)

    5 Posts 2 Posters 631 Views
    21hertz:

      Hey,

      The number of users in one of our networks has increased to over 6000 concurrent clients.
      We're using Manual Outbound NAT on one WAN IP address to NAT all these clients at the moment (internal traffic is not NATed though), and of course this will become a problem when there aren't enough ports left to use.

      We already have a few more unused IP addresses on the WAN subnet, routed by another router, which I'm ready to set up.

      Since it is not possible to have multiple WAN addresses that share the same gateway/subnet, I have to use Virtual IPs, I guess.

      I'm not sure how to set this up. I've added two Virtual IPs with Proxy ARP, from the same subnet as the WAN (one of them being the same IP as the WAN IP).

      Now, under the NAT Outbound rules, I want to add a "PAT rule" to match all my LANs to my virtual IPs.
      But I can only choose ONE virtual IP when configuring Translation, and there is no way to configure a group of "Virtual IPs"?
      And if I add a whole network/subnet of IP addresses as a Virtual IP, I guess pfSense will try to use all IP addresses on that subnet, even though I only want to use a few IPs from that WAN subnet, not all IPs from the whole subnet.

      I must be missing something here...

      Edit: re-phrased my questions.

      pfSense user for 8+ years on network with 5k+ active users.

      dotdash:

        If you want to point your outbound NAT to a pool, you need to create an alias of hosts, consisting of the public IPs you want in the pool. Then use manual outbound NAT and change the translation address to the alias. You will be presented with options for the pool. You can also enter a subnet directly, but I haven't tried that method.

        21hertz:

          @dotdash:

          If you want to point your outbound NAT to a pool, you need to create an alias of hosts, consisting of the public IPs you want in the pool. Then use manual outbound NAT and change the translation address to the alias. You will be presented with options for the pool. You can also enter a subnet directly, but I haven't tried that method.

          Yes, but I don't think I can do that, since all the WAN IPs we have are on the same subnet using the same gateway. And it's not possible in pfSense to add multiple IPs that are on the same subnet even though they are on different interfaces. If you try to add another interface using an IP that is on the same subnet as an existing interface, you will get this error message: The following input errors were detected: "IPv4 address 10.1.1.170/28 is being used by or overlaps with: WAN (10.1.1.168/28)."

          I tried to set this up using Virtual IPs with Proxy ARP, but I'm still not sure if that is the way to go, since it raises other questions, like multiple IPs showing up with the same MAC address (our ARP spoofing surveillance is triggered by this).


          dotdash:

            You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a WAN with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt anyone is going to be able to help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense.

            21hertz:

              @dotdash:

              You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a WAN with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt anyone is going to be able to help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense.

              Sorry, the IP addresses were just an example; we are not using double NAT.

              Anyway, I got this figured out now. I got side-tracked with Proxy ARP, which is not necessary in this case.

              How I solved it:

              • Just added more WAN IPs as Virtual IPs with Type "IP Alias" (as they can be on the same subnet as the physical WAN).
              • Added these Virtual IPs and also the physical WAN IP to an alias group ("ALL_WAN_IPs").
              • Added a PAT rule using the "ALL_WAN_IPs" alias, with Round Robin with Sticky Address.

              It seems to be pseudo-sticky though. Clients use different WAN IPs on different connections. My understanding of Sticky Address was that it uses the same WAN IP for all connections based on the source (client) IP.

              One thing that I still don't understand is that the clients never seem to use the physical IP address from the WAN interface, even though it's included in the Host Alias "group".


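As an added illustration (not code from this thread or from pfSense), the following Python model shows how an outbound NAT pool with Round Robin and Sticky Address hands out translation addresses, why a client's mapping only holds while it has active states (which is what "pseudo-sticky" looks like), and how many pool addresses a given client count needs. The WAN addresses are constructed from the 192.0.2.0/24 documentation range, and the per-address port budget is an assumption passed in as a parameter.

```python
"""Model of a round-robin + sticky-address outbound NAT pool (illustration only)."""
from collections import deque


class NatPool:
    def __init__(self, wan_ips, ports_per_ip):
        self.ring = deque(wan_ips)                # round-robin order of pool addresses
        self.capacity = ports_per_ip              # translation ports available per WAN IP
        self.used = {ip: 0 for ip in wan_ips}     # ports currently consumed per WAN IP
        self.sticky = {}                          # src IP -> WAN IP while states exist
        self.states = {}                          # src IP -> number of active states

    def open_state(self, src_ip):
        """Return the WAN IP used for a new connection from src_ip."""
        wan = self.sticky.get(src_ip)
        if wan is None:                           # no live mapping: take next in ring
            wan = self.ring[0]
            self.ring.rotate(-1)
            self.sticky[src_ip] = wan
        # Worst case: one unique translation port per state on this WAN IP.
        if self.used[wan] >= self.capacity:
            raise RuntimeError(f"{wan}: translation ports exhausted")
        self.used[wan] += 1
        self.states[src_ip] = self.states.get(src_ip, 0) + 1
        return wan

    def close_state(self, src_ip):
        """Expire one state; when the last one goes, the sticky mapping goes too."""
        wan = self.sticky[src_ip]
        self.used[wan] -= 1
        self.states[src_ip] -= 1
        if self.states[src_ip] == 0:
            del self.states[src_ip]
            del self.sticky[src_ip]


def ips_needed(clients, states_per_client, ports_per_ip):
    """Smallest pool size that covers clients * states_per_client translations."""
    return -(-clients * states_per_client // ports_per_ip)   # ceiling division


if __name__ == "__main__":
    pool = NatPool(["192.0.2.10", "192.0.2.11", "192.0.2.12"], ports_per_ip=2)
    print(pool.open_state("10.0.0.1"), pool.open_state("10.0.0.1"))   # same WAN IP twice
    pool.close_state("10.0.0.1"); pool.close_state("10.0.0.1")       # mapping expires
    print(pool.open_state("10.0.0.1"))                                # next ring address
    print(ips_needed(6000, 10, ports_per_ip=15535))                   # pool size estimate
```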
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.