CIDR based setup



  • I have a CIDR address block from my broadband provider (Cox) with the following (somewhat changed to protect the innocent):

    WAN: 68.96.25.28/255.255.255.224,gw 68.96.25.1

    CIDR block:
    Subnet 98.175.61.224/28
    Netmask 255.255.255.240
    Suggested default gw 98.175.61.226
    First usable 98.175.61.226
    Last usable 98.175.61.238
    Broadcast 98.175.60.239

    I have setup a machine w/3 nics (WAN, LAN, OPT1) where OPT1 would be used for the CIDR block.
    What I would like to do is to have the CIDR block for my internet facing webservers,dns, and mail server(s) that I will be hosting. But have the LAN wired machines using a 192.168 network w/DHCP.

    Is this possible?
    I know just enough network to confuse myself with all of the options offered.

    From what my provider has told me, I use the CIDR block for the "Router IP" info.

    I really appreciate everyone's help,



  • This should be relatively easy to set up. On the WAN side, add the address as specified. On the LAN side, configure the router with a static address of 98.175.61.226/28. Then just manually configure your servers to use the remainder of the addresses and it should 'just work'. If you want to set up DHCP, use the range .227-.238.

    You probably need to disable NAT for the LAN interface (so disable automatic NAT and create a rule for your NATed LAN).



  • Update…
    on the WAN interface I have set the 68.96.25.28/27, with a gw of 68.96.25.1
    on the LAN interface I have it set to "none" for bridge, and 192.168.1.1/24
    on the OPT1 interface (renamed to CIDR) I have set to static, with 98.175.61.226/28 with a gw of 98.175.61.225

    For the Firewall rules, I have set up the CIDR interface to all anything (tcp * * * * *) -- at least until everything works

    So.... I can successfully ping FROM the pfSense CIDR interface to one of the boxes in the 98.175.61.x network --- however, none of the boxes from that network can ping back to the 98.175.61.226 address (static address for the CIDR interface)

    What am I missing?

    The boxes from the LAN side are all working fine (writing this from one of those clients... ), but need to get the 98.175.61. boxes to route through the pfSense box.

    Thanks for any help anyone can offer,
    Patrick



  • Don't set a gateway on the OPT1 interface, this interface doesn't connect to the Internet.

    You probably need to go into the NAT Outbound rules and disable automatic rule generation. I haven't used pf in a setup like yours so I could be wrong about what pf does automatically, but it's probably trying to NAT your external subnet, which is exactly what you don't want. You'll need to manually create a NAT rule for your LAN interface:

    Interface: WAN
    Source: Network, 192.168.1.1/24, any port
    Destination: any

    Leave the remaining options at their default settings. That should get everyone talking to each other and the Internet. You also probably want to disable the FTP helper in the interface settings.

    If you want ping to work though (at all), you'll need to allow more than just TCP (ping uses ICMP). Change protocol to 'any' if you want to actually allow all traffic, but please set up a proper firewall eventually! Note that the firewall will filter all other traffic (from the CIDR) too, and important things like DNS run on UDP, so it may look like your router isn't working when it actually is if your ruleset is wrong.

    Edit: In 98.175.61.224/28 the first usable address should be 98.175.61.225, do you know why the ISP is suggesting .225 is unusable? By convention this would normally be the address of your pfSense box on the OPT1 interface (though it doesn't really matter, just make sure it matches the default gateway on your OPT1 clients).



  • ITS WORKING!!!  ;D

    After setting up the interfaces like I listed below, my biggest issue was firewall rules.  After creating a rule for the CIDR interface to allow anything from the CIDR net I was able to ping and get out from the CIDR network.  And after setting up a rule on the WAN side to allow the right ports through to the CIDR network I was working.

    Now that I know things are working, I can go back now and setup "proper" firewall rules.

    I have tried several different setups from dd-wrt, untangle, and others over the past 3 weeks but was never able to configure any of those to actually work.
    Thank you to all that have made this product so awesome!!

    Patrick



  • Great! ;D

    At the very least I'd recommend you remove that gateway entry for the OPT1 interface though. As far as I understand your configuration there is no Internet gateway available at 98.175.61.225 (that's what your pfSense box is for!). You should only ever fill that box on interfaces that face the Internet.


Locked