Route public IPs to LAN adapter

  • My fiber provides a 64.x.x.x /30 for IP/GW which is assigned to the pfSense WAN adapter. They also provide a /26 public IP pool that is currently proxy ARP'd to a private LAN /26 subnet, i.e. 66.x.x.2 (WAN) = 192.x.x.2 (LAN). I'm going to break down the /26 to a /27, /28, /29, & two /30's because I have one device needing a public /30 on a VLAN via a LAN-connected L2 switch. I'd like to use two public IPs from the /26 pool for the VLAN /30 rather than the fiber-routed /30 on the WAN adapter as I have concern about using the same /30 as the proxy ARP. When done I would have a /27, /28, & /29 proxy ARP'd leaving two /30's to be routed, not 1:1 NATed.

    Can someone offer a summary on if/how this can be done?
    Hope this isn't confusing, thanks.

  • LAYER 8 Global Moderator

    If they give you a transit /30 for your WAN and then another /36 that is routed to you.. Why would you want to use part of the /26 they give you as your transit… Just break up the /26 how you want and attach it to pfSense and just turn off NAT for that network is really all that is needed to put a routed public network behind pfSense.

    You would then just create your firewall rules on your transit (WAN) to allow the traffic you want into the routed segment behind pfSense.

  • Yesterday I did break up the /26 to the smaller subnets as I first described. I mentioned I want to do this so all but one /30 subnet is 1:1 NAT as before the /26 was broken up. So currently the /27 thru /29's are VIP proxies as before and still service those end devices with private IPs translated to a portion of the public IP pool. For the /30 I peeled off, I want two public IPs routed from the public pool, an IP and a GW address, that can be assigned to one device on this /30.

    Where I'm researching now is how to route the /30 portion of the public pool thru pfSense from WAN to LAN and then onward through a VLAN (as a VIP on the LAN adapter) across L2 segments to the VLAN-tagged device. Public IPs aren't normally assigned to a LAN adapter. I read some indications that I'll need a /29 private subnet, if a VLAN is used, to carry the public /30 IPs over a VLAN from pfSense to the device, sound right? The device needs only a gateway to the internet, not access to local network devices. So I'm trying to generate the bullets, for example:

    a. Create VIP on LAN adapter with private subnet.
    b. Create VLAN using VIP.
    c. Create route for /30 public pool to VLAN address of edge device.
    d. ….

    johnpoz, you mention all I need to do is turn off NAT (don't proxy the /30) and create a rule? No static route or GW is needed? Seems overly simplistic. Is the routing done in pfSense simply by a rule being added? It's been my experience it requires both, especially if NAT is removed from the /30. Not sure what would become the GW address for the edge device as both the device IP & GW have to be a public address.

    Long story short, I'm trying to provide a /30 that the pfSense WAN is assigned by the fiber provider to an edge device without it actually being the same address pair.
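    One way to sanity-check the plan described in this post (carve the /26 into a /27, /28, /29 and two /30's, keep all but one /30 on proxy-ARP VIPs, route the last /30 with a gateway/device address pair) before touching pfSense. This is an added Python example, not code from the thread or from pfSense; it uses RFC 5737 documentation space (203.0.113.0/26) in place of the real 66.x.x.x block, and the choice that the highest /30 is the routed one is an assumption.

```python
"""Carve a provider /26 and check the proxy-ARP vs routed split.

Added example (not pfSense code). The block, the choice of routed piece and the
stale-VIP case in __main__ are constructed for illustration.
"""
import ipaddress

# Constructed stand-in for the provider's 66.x.x.0/26 pool (RFC 5737 space).
PROVIDER_BLOCK = "203.0.113.0/26"


def carve(block):
    """Split a /26 into one /27, one /28, one /29 and two /30s, in address order
    (32 + 16 + 8 + 4 + 4 = 64 addresses)."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 26:
        raise ValueError(f"expected a /26, got {net}")
    sub27, rest = net.subnets(new_prefix=27)      # first half becomes the /27
    sub28, rest = rest.subnets(new_prefix=28)     # next 16 addresses
    sub29, rest = rest.subnets(new_prefix=29)     # next 8 addresses
    sub30a, sub30b = rest.subnets(new_prefix=30)  # remaining /29 -> two /30s
    return [sub27, sub28, sub29, sub30a, sub30b]


def plan(block, routed_index=4):
    """Return which pieces stay on proxy-ARP VIPs (1:1 NAT as before) and the
    gateway/device pair that the routed /30 yields. Assumption: the piece at
    routed_index (default: the highest /30) is the one taken off NAT."""
    pieces = carve(block)
    routed = pieces[routed_index]
    if routed.prefixlen != 30:
        raise ValueError("the routed piece must be a /30")
    proxy_arp = [p for p in pieces if p != routed]
    gateway, device = routed.hosts()  # a /30 has exactly two usable hosts
    return {
        "proxy_arp": [str(p) for p in proxy_arp],
        "routed": str(routed),
        "gateway": str(gateway),       # address for the pfSense VLAN interface
        "device": str(device),         # address for the edge device
        "netmask": str(routed.netmask),
    }


def routed_is_clean(routed, proxy_arp_entries):
    """True when no proxy-ARP VIP overlaps the routed /30. An overlap means the
    firewall would still answer ARP for addresses it is supposed to route,
    which is the conflict the post worries about."""
    r = ipaddress.ip_network(routed)
    return not any(r.overlaps(ipaddress.ip_network(e)) for e in proxy_arp_entries)


def is_exact_partition(block, pieces):
    """True when the pieces tile the block exactly: no gaps, no overlaps."""
    nets = [ipaddress.ip_network(p) for p in pieces]
    total = sum(n.num_addresses for n in nets)
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed == [ipaddress.ip_network(block)] and total == collapsed[0].num_addresses


if __name__ == "__main__":
    p = plan(PROVIDER_BLOCK)
    for key, value in p.items():
        print(f"{key:10} {value}")
    print("routed /30 clean:", routed_is_clean(p["routed"], p["proxy_arp"]))
    # Constructed mistake: a leftover VIP for the old /29 that still covers the routed /30.
    stale = p["proxy_arp"] + ["203.0.113.56/29"]
    print("with stale /29 VIP:", routed_is_clean(p["routed"], stale))
    print("exact partition:", is_exact_partition(PROVIDER_BLOCK, p["proxy_arp"] + [p["routed"]]))
```

    With the constructed block the routed piece comes out as 203.0.113.60/30 with gateway .61 and device .62, which mirrors the 66.x.x.60/30 / 66.x.x.61 numbering used later in the thread; the stale-VIP case shows how a forgotten proxy-ARP entry that still covers the routed /30 would be caught before it is applied.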

  • LAYER 8 Global Moderator

    "Public IP's aren't normally assigned to a Lan adapter."

    Where did you get that idea? pfSense doesn't give two shits if the IP is public or in the RFC 1918 space.. it's just a network… Just make sure it's not NATed.. Why would pfSense need a route for a network that is attached to it? No router needs this; it would automatically have a route to a network it's attached to.

    Putting public space behind pfSense is NO different than putting RFC 1918 space, you just do not NAT it outbound to your WAN IP..

  • Let's see how a public IP assigned to a LAN VIP goes. I previously broke down a /26 to a /27, /28, /29, & two /30's. I un-NATed one of the /30's from the public IP pool. So no proxy ARP above 66.x.x.56/30. To route 66.x.x.60/30, I created a VLAN100 assigned to the LAN interface. I gave the VLAN100 virtual adapter the IP address 66.x.x.61/30. It was at this point I lost GUI access via the LAN adapter. Traffic continued to flow but the only way I could reverse this was to connect via the OpenVPN interface and delete the virtual adapter.

    This virtual adapter also broke VLAN40 on another physical interface with the ARP table reporting the IP address on the other end of the site-to-site VLAN40 was unidentified. Not sure what to do next short of rebooting pfSense. So I tried disabling and re-enabling the VLAN40 adapters on both ends of the link which restored normal operation of VLAN40.

    So what am I supposed to make of this behavior? Did I miss a step? I didn't get very far before major issues surfaced.

  • LAYER 8 Netgate

    Of course when you renumber the interface you are connected from you will be locked out until you renumber the workstation you are connecting from to the new network scheme (address, netmask, gateway).

    It is best to do this type of work connected to an interface you are NOT making changes to, if possible.

  • Derelict,
    I thought adding a virtual adapter to the LAN adapter retained the base LAN interface settings and simply added another IP tied to it. And that it doesn't have to be in the same subnet.

    I gave another run at this, instead using adapter (igb3) already having VLAN40 assigned to it. Have 4 physical adapters but all in use in some way. I added VLAN100 to igb3, assigned it 66.x.x.61, temporarily added an all-traffic rule to VLAN100. This will be my gateway for the edge device. From the GUI I can traceroute via the VLAN100 adapter so I think the router portion is set up. I expected I would have to add a route and GW to pfSense but apparently they are already in place.

    Next is configuring switches for VLAN100 and assigning the edge device which I've done before so I don't expect any snags.  Will report back if fully successful at providing edge device with public IP.

  • LAYER 8 Netgate

    Yes, you should be able to do that.

    You have to be connected to an address on the same VLAN.

    You can add a VLAN to a physical interface you are connected to on another VLAN.
