Balance on a block of IPs



  • Hello all. I've purchased an XG-1537, and while I await delivery, I've got what I think is a simple question.

    We have a 1G line from Spectrum. It's on a 10G SFP if that makes any difference. They've assigned us a block of IPs. We have upwards of 200 clients utilizing this connection, and we want to make sure the outbound data doesn't all appear to come from one IP. So... what's the best way to 'balance' the outbound IPs?

    Thanks much!



  • Are you using NAT or are there enough addresses for everyone? If the latter, then there's nothing to do other than don't use NAT.



  • Yes, I'll be using NAT. The overall concept here is 3 buildings (residential rentals) connected to a single datacenter. These buildings are loosely affiliated, and they will be in separate VLANs as they have no need to chat to each other save via email - which will be hosted in the datacenter. However, the people in these buildings wish to use Netflix and related media services. So... to keep Netflix from thinking there are too many people using the same IP, I'd like to ensure IP rotation or balance among connections. Hope this makes sense.


  • Rebel Alliance Developer Netgate

    You can do that with hybrid or manual outbound NAT rules. You can set up an alias containing the IP addresses from the block you want to use for outbound NAT, and then set up outbound NAT rules to translate from the inside network(s) to that alias.

    Depending on how the IP addresses are delivered to you, you might need to make some VIPs for them. If the addresses are a part of your WAN subnet, you'll need VIPs. If they are routed to you through a different WAN subnet, then you don't need VIPs.



  • I totally forgot about IP Aliases and how you can group them. That's perfect! Thanks much ;)



  • @jimp said in Balance on a block of IPs:

    Depending on how the IP addresses are delivered to you, you might need to make some VIPs for them. If the addresses are a part of your WAN subnet, you'll need VIPs. If they are routed to you through a different WAN subnet, then you don't need VIPs.

    I'm afraid I don't understand the 'why' or 'how' of this. I just logged into one of my personal pfSense boxes, and I have an alias for 'Win10BlockList' for IPs I don't want the Win10 machines chatting with. Okay, so using that as an example, I went to 'Virtual IPs' in the Firewall menu, and began the process of adding one. I can see no way to assign a VIP to the Alias. Would you mind pointing me at the documentation which shows this?

    Thanks much!


  • Rebel Alliance Developer Netgate

    There is no direct relationship between VIPs and aliases.

    The aliases collect addresses to use in firewall/NAT rules and so on.

    VIPs set up alternate addresses on the interface, for example to inform an upstream router on the same segment that the firewall will handle traffic for that address. See https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html
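
The VIP rule from the replies above, worked through as an added example (not part of the thread and not pfSense code): a planning helper that sorts the addresses intended for the outbound NAT alias into those that sit inside the WAN subnet and so need a VIP, and those routed to the firewall, which do not. The function name `plan_outbound_pool` is hypothetical, the addresses are constructed from documentation ranges, and it assumes IPv4 only.

```python
import ipaddress


def plan_outbound_pool(wan_if, gateway, pool):
    """Classify candidate outbound NAT addresses (hypothetical helper).

    wan_if  -- WAN interface address with prefix, e.g. "198.51.100.2/29"
    gateway -- upstream router address on the WAN segment
    pool    -- single addresses or CIDR blocks meant for the NAT alias
    """
    iface = ipaddress.ip_interface(wan_if)
    net = iface.network
    # The ISP router's address can never be a translation address;
    # neither can the network/broadcast address of the on-link subnet.
    reserved = {ipaddress.ip_address(gateway)}
    if net.prefixlen < 31:
        reserved |= {net.network_address, net.broadcast_address}

    plan = {"vip": set(), "routed": set(), "interface": set(), "unusable": set()}
    for entry in pool:
        for addr in ipaddress.ip_network(entry, strict=False):
            if addr == iface.ip:
                plan["interface"].add(addr)   # already on WAN, no VIP needed
            elif addr in reserved:
                plan["unusable"].add(addr)
            elif addr in net:
                plan["vip"].add(addr)         # on-link: the firewall must claim it
            else:
                plan["routed"].add(addr)      # delivered via a route: no VIP
    return {k: [str(a) for a in sorted(v)] for k, v in plan.items()}


if __name__ == "__main__":
    # Constructed sample: one on-link /29 plus one routed /30.
    result = plan_outbound_pool(
        "198.51.100.2/29", "198.51.100.1",
        ["198.51.100.0/29", "203.0.113.8/30"],
    )
    for kind, addrs in result.items():
        print(f"{kind:9} {', '.join(addrs) or '-'}")
```

Addresses reported under `vip` get a Virtual IP first; those plus the `routed` and `interface` addresses are what would go into the alias used as the outbound NAT translation address.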