Netgate Discussion Forum
    private ip for WAN , public ip for LAN

    6 Posts 5 Posters 556 Views
      joregartinez
      last edited by

      Hi,

      I have just installed pfSense 2.4 for a SOHO I work at and I'm getting problems with the routing.
      I have asked my ISP for a /29 network with public IPs for the DMZ, but instead of giving me directly what I asked for, they gave me this:

      WAN 10.219.16.244/30
      LAN 152.206.43.32/29
      (these are not the real IPs they gave me)

      So, I have something like this:
      Sin título.png

      The connection between my pfSense and the ISP gateway works just fine, but there is no way I get an internet connection.
      What am I missing here?

      (I've done this before but with a public IP on the WAN side)

      Hope you could help me!
      Thanks anyway

        KOM
        last edited by

        Have you tried reversing them? WAN at 152.blah? Why would they assign you a LAN network?

          joregartinez
          last edited by

          I have not really tried as you suggested, because I have called back my ISP and they reassured me the networks are exactly as I explained. So I assume they mean what they say and it is not an error.

            kiokoman LAYER 8
            last edited by

            Personally, out of ideas, I will try as @kom suggested: ignore the 10.219 and configure with 152.208. Maybe they have an upstream device with that 10.219 that is out of your control.

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              If they routed your public /29 to you, then you need to make sure you turn off NAT. Or you would be NATting to the transit network IP (i.e. the private on your WAN), so no, that more than likely would never work.

              You can most definitely route a public netblock over an RFC1918 transit.

              Where you might have a problem here is the pfSense with its RFC1918 on WAN that is only transit, and they do not NAT upstream, so no internet. It will have an issue checking for its updates and getting packages, etc. It would need to use its LAN IP as source, which is on the public /29, to get to the internet.

              edit: Just spitballing here, but you might be better off using the /29 they gave you as VIPs on your WAN so that pfSense could then NAT to the VIPs and itself would be able to get internet. The guy that would know for sure the best way to set this up would be @Derelict

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                Derelict LAYER 8 Netgate
                last edited by Derelict

                @joregartinez You can use it just like that, I think, with the /29 configured on your DMZ interface. In that case, you would probably want to disable NAT for it (enter hybrid NAT mode and put a NO NAT rule for the /29 there).

                Binding services on the firewall itself (Like a VPN Server) should be able to be told to listen on the DMZ address, but I can think of things the system is going to do that will break that, like the host route to the other side. You might need a VIP on the WAN for that. Outbound NAT for connections from the firewall itself should be able to be told to use the DMZ address as well using manual outbound NAT but I have never tried that. Seems it should work just fine but you might hit some kind of route-to weirdness I'm not thinking of. But if you have a VIP on the WAN for service binding you might as well just use that.

                It is generally a bad idea (as in it breaks things) to NAT connections from the firewall itself and from the WAN address. You will want to do exactly that, though.

                If you do put a VIP on the WAN make it a /32. Note that hosts on the DMZ will not be able to access that VIP because they will not know it is not on their local subnet.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

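The two answers above (johnpoz's point that automatic outbound NAT would translate the routed /29 to the private transit address, and Derelict's NO NAT rule, WAN VIP and on-link caveat) can be checked with a small model. The following is an added example, not code from the thread or from pfSense: it mimics pfSense hybrid outbound NAT as "first matching rule wins, otherwise translate to the WAN address", using the thread's anonymised prefixes. The specific host addresses, the ISP gateway, the firewall's WAN and DMZ addresses and the VIP 152.206.43.38 are constructed for the example.

```python
import ipaddress

# Constructed addressing based on the prefixes given in the thread (not the real ones).
TRANSIT = ipaddress.ip_network("10.219.16.244/30")      # RFC1918 transit from the ISP
WAN_ADDR = ipaddress.ip_address("10.219.16.246")        # assumed pfSense WAN address
PUBLIC_BLOCK = ipaddress.ip_network("152.206.43.32/29")  # public /29 routed to the firewall
DMZ_HOST = ipaddress.ip_address("152.206.43.34")        # assumed host behind the firewall
WAN_VIP = ipaddress.ip_address("152.206.43.38")         # assumed /32 VIP taken from the /29


class OutboundNat:
    """Toy model of pfSense hybrid outbound NAT.

    Rules are evaluated in order; the first whose source network contains the
    packet's source address wins. A rule with target None is a NO NAT rule.
    If no rule matches, the automatic rule translates to the WAN address.
    """

    def __init__(self, wan_addr):
        self.wan_addr = ipaddress.ip_address(wan_addr)
        self.rules = []  # list of (source network, target address or None)

    def add_rule(self, source, target):
        self.rules.append((ipaddress.ip_network(source),
                           None if target is None else ipaddress.ip_address(target)))

    def translate(self, src):
        src = ipaddress.ip_address(src)
        for net, target in self.rules:
            if src in net:
                return src if target is None else target
        return self.wan_addr  # automatic outbound NAT


def scenario(mode):
    """Return {flow: (source address seen upstream, is it internet-routable?)}.

    mode: "automatic"          - stock automatic outbound NAT
          "no_nat_dmz"         - hybrid mode with a NO NAT rule for the /29
          "no_nat_dmz_plus_vip" - same, plus firewall-originated traffic NATed to the VIP
    """
    nat = OutboundNat(WAN_ADDR)
    if mode in ("no_nat_dmz", "no_nat_dmz_plus_vip"):
        nat.add_rule(PUBLIC_BLOCK, None)               # do not NAT the routed /29
    if mode == "no_nat_dmz_plus_vip":
        nat.add_rule(f"{WAN_ADDR}/32", WAN_VIP)        # firewall itself sources from the VIP
    results = {}
    for name, src in (("dmz_host", DMZ_HOST), ("firewall_wan", WAN_ADDR)):
        out = nat.translate(src)
        # An upstream that does not NAT will never deliver replies to an RFC1918 source.
        results[name] = (str(out), out.is_global)
    return results


def dmz_host_can_reach_vip(host_addr, host_prefixlen, vip):
    """Derelict's caveat: a DMZ host judges by its own mask whether a destination is
    on-link. A /32 VIP carved from the same /29 looks local to the host, so the host
    ARPs for it on the DMZ segment instead of sending to the gateway, and the VIP
    (which lives on WAN) never answers. True only if the host would use its gateway."""
    host_net = ipaddress.ip_network(f"{host_addr}/{host_prefixlen}", strict=False)
    return ipaddress.ip_address(vip) not in host_net


if __name__ == "__main__":
    for mode in ("automatic", "no_nat_dmz", "no_nat_dmz_plus_vip"):
        print(mode, scenario(mode))
    print("DMZ host can reach WAN VIP:",
          dmz_host_can_reach_vip(DMZ_HOST, PUBLIC_BLOCK.prefixlen, WAN_VIP))
```

Running it shows the three states the thread walks through: with automatic NAT every flow leaves as 10.219.16.246 and dies upstream; with the NO NAT rule the DMZ hosts get out with their own public addresses while traffic from the firewall itself (package fetches, update checks) still leaves as the private WAN address; only a rule that sources firewall traffic from the public VIP (or, as Derelict notes, from the DMZ address) fixes that last case, at the cost of the VIP being unreachable from the /29 hosts themselves.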
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.