Configure your Pace 5268AC with Static IPs for pfSense

  • Previously, this could only be done using CARP IP Aliases, but with the current firmware it is now allowing pfSense to use normal IP Aliases, so I thought I'd help others out with this post.  By using this new configuration, you will end up being able to use the Router Address that was previously assigned to the Pace 5268AC, and the WAN IP address (could change over time) of the Pace 5268AC, in addition to the IP addresses that you were already using.  This also bypasses the firewall in the Pace 5268AC.  With all this being stated, the setup is pretty much identical to the setup that AT&T will configure you with using the Supplementary Network / Add Additional Network settings.

    If you haven't changed the default LAN and DHCP settings, you can continue to use them, but you might want to exclude a block at the base.  I do not recommend changing the default LAN subnet, as it will make troubleshooting easier if something goes wrong.  The WAN interface of your pfSense can be setup to use either DHCP or a static IP address, though DHCP is much easier for troubleshooting. Once that is set, it all comes down to changes to Settings / Broadband / Link Configuration in the Pace 5268AC.  Instead of using the Add Additional Network section, you need to use the Add Cascade Router section (see below):

    The Network Address setting can be ANY of the IP addresses in your IP block, and it doesn't matter which one you chose.  Most will either use the first IP address in the block, or the Router Address that AT&T used when setting up Add Additional Network, it doesn't matter which you use.  The Subnet Mask is the same that was used under Add Additional Network.  The router for the secondary subnet is your pfSense device.  If the WAN interface IP address is not available in the dropdown, enter it into the IP Address text box. When using DHCP always use the dropdown, as the Pace 5268AC will internally register the MAC address, in case the DHCP address should change.  Make sure to select the appropriate radio button and click Save.  That's it for the Pace 5268AC configuration, now you just need to configure your pfSense device.

    In pfSense, you need to create a Virtual IP Alias for each of the public IP addresses that you have, under Firewall / Virtual IPs.  Here are the settings for each alias:

    • Type: IP Alias

    • Interface: The WAN interface that your Pace 5268AC is plugged into.

    • Address(es):

    • Subnet Mask (dropdown): The significant number of bits in your public static IP subnet mask

    If you have 5/8 IPs (5 usable of 8 as defined by AT&T), you will actually get 6 usable, and you would select 29 from the dropdown (28 for 13/16, 27 for 29/32, etc.).  Don't forget to create an entry for the Router Address that was previously being taken by the Pace 5268AC, as it is now usable.  Once that is done, you can then use those IP Aliases within pfSense.  To use the AT&T WAN IP address of the Pace 5268AC, just configure pfSense to use the IP address of the WAN interface (LAN of the Pace 5268AC), which is the LAN IP address that you gave it earlier.


    P.S.  On the LAN side of the Pace 5268AC I am seeing ~970Mb up/down.  I am waiting for a new pfSense device to get that full BW, as my old pfSense device maxes out at around 430Mb(up)/267Mb(down).

    UPDATE 10/07/2018
    I've been using my new pfSense appliance for about 4 months now, along with a managed Cisco switch that it feeds into, and this has been working flawlessly. I have 32 static IP addresses for hosting web applications and other IoT things. My latency to the Google DNS servers ( is 7ms, for those who are interested. Due to security concerns I won't post tracert information, but I can describe it:

    1. The pfSense gateway address that you are connected to.
    2. The gateway address of the RG.

    You might be asking why the gateway address of the RG is there when using Virtual IP Aliases. Well, that's how routing works. Even though it is using the RG gateway address, pfSense is modifying the outgoing packet to set the source IP address as the Virtual IP address. You can't bypass the RG, and you really don't want to, as it has the required certificates to communicate with the AT&T network.

  • So this completely bypasses the RG entirely?

    Can you post a tracert to any site showing the first 2 hops?

    At&t Static ip required?

  • Can you post a tracert to any site showing the first 2 hops?

    Asking the important questions. This technique is unfortunately of limited benefit if all traffic still passes through the RG's LAN subnet.

  • @gpz1100 Sorry for the late reply, but this site isn't sending notification emails. Nothing completely bypasses the RG, as it is physically required to communicate with the AT&T servers. What does happen though is that the static IPs of the specified range are passed through the RG to it's LAN side w/o any processing. And yes, this only works for static IP addresses, as this is of no use for dynamic IP addresses. If you have a dynamic IP address, just use the DMZ option.

  • @mwp821 it passes through the RGs LAN connectors, but on the public static IP subnet. The RGs LAN will have 2 subnets, that of the RG LAN, and that of the public static IP subnet that you have been assigned. In order to communicate with the RG you will need to use the RG LAN IP address, and for your public IP usage you will need to setup Virtual IP Aliases on the WAN interface of your pfSense appliance, that you have sitting behind the RG. The easiest way to do this is to setup the RG DHCP server, configure the WAN interface of your pfSense appliance to use DHCP, and create the Virtual IP Aliases on the WAN interface for your static IP subnet.