Public VIP for semi-private OpenBGP interface?



  • I'll try to be succinct, and would be thrilled with some advice.  Apologies, some of this is stuff I only have a basic understanding of...

    We're trying to get ACME working with Amazon Route53 domain verification (bear with me why I'm posting here)

    We run OpenBGP, as our ISP gives us multiple VLANs--among those are 2 for commodity internet, and 1 that peers with 2 caching networks.  It turns out one of those networks has just 2 hops to Amazon AWS (great latency).  Connectivity from any client on our LAN, or even from other interfaces on pfsense works like a charm.

    The problem is, the caching interface's IP is in the "private" 100.64.0.0/10 shared transition space, so the api requests that ACME is trying to send to Route53 won't route past the BGP peer (and into a public address space).

    Our ISP has been helpful, and has made the suggestion to "apply a public IP to the loopback address and source through that address."  As far as I can tell, the closest thing to that in pfsense land is to set up one of our public IPs as an IP Alias (or maybe a different type of VIP) on that interface.  Unfortunately, just doing that did not seem to resolve the issue.

    Maybe it's because the public IP I'm trying to use is already included in the subnet for the rest of our public IPs, one of which is an already defined interface?  Or maybe I need to set up a firewall-based static route? Or outbound NAT?



  • I'm doing well this week with answering my own posts…

    Got this working by creating the IP Alias on the cache interface, then setting up outbound NAT for "This Router" as the source to the
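The fix described in the reply above, shown as raw pf(4) rules rather than pfSense GUI steps. This is an added illustration, not configuration from the original thread; the interface name em2, the 100.64.10.2 interface address and the 203.0.113.10 public VIP are assumed placeholders, and the "This Router" source in the pfSense Outbound NAT dialog is mapped to pf's `(self)` keyword.

```pf
# Added example (not from the thread). Placeholders:
#   em2          = the "caching" interface on the 100.64.0.0/10 peer link
#   100.64.10.2  = that interface's own address (shared transition space)
#   203.0.113.10 = the public IP configured as an IP Alias VIP on em2

cache_if   = "em2"
public_vip = "203.0.113.10"

# Before: with only the IP Alias present, packets the firewall itself
# originates (the ACME client calling Route53) still leave em2 sourced
# from 100.64.10.2, which the BGP peer will not forward toward public
# address space. LAN clients already work because the automatic outbound
# NAT rewrites their traffic; firewall-originated traffic is not covered.

# After: outbound NAT for traffic the firewall originates. pfSense's
# "This Router" source corresponds to (self) in pf. Traffic exiting the
# cache interface is rewritten to the public VIP, so replies are sent
# to a globally reachable address.
nat on $cache_if inet from (self) to any -> $public_vip
```

To confirm the rule is loaded and in use on the firewall, `pfctl -s nat` lists the active NAT rules and `pfctl -s state` shows the translated states (look for entries carrying 203.0.113.10 as the source). Because the VIP sits inside the same public prefix as the other interfaces, it is worth checking in the state table that replies actually return and are matched, since the return path depends on which link that prefix is announced through.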