Multiple wan ip blocks on a single interface
-
My ISP gave me a fiber connection to my box and trying to get this working properly.
I have both of these blocks coming in via one fiber line into my WAN interface.x.x.159.72/29
and
x.x.163.0/24I have read both of these articles in the manual and it helped enough to get me internet but it is routing through the /29 ip block
https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html
https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.htmland found this topic https://forum.netgate.com/topic/119374/multiple-wan-blocks-on-single-interface but didn't seem to have much details.
This is my setup
ISP->WAN(ix0)(159.74)(Gateway-159.73)->LAN(ix1)(DHCP 192.x.x.x.)
**The additional IPs I have setup in the Virtual IP and work as intendedNow for the /24 block I have setup a VLAN(ix1) and no gateway. I am running DHCP to hand out the IPs from the /24 block.
I had setup outbound NAT to Do Not Nat on the VLAN interface and the source is the x.x.163.0/24
Then I had setup the Firewall rules to allow all from wan to VLAN and on the VLAN All to the WAN (I have a rule to block traffic to the LAN. *may not be needed but its there.)The computer on the /24 vlan gets it dhcp lease and talks to the world. The issue is when I go to check "whatismyipaddress" it comes back with x.x159.74.
If I make a gateway of x.x.163.1 the system shows it as offline until I do a static route to that ip from the WAN gateway interface and assign the 163.1 gateway to the VLAN.
Once I do that the computer lets say is (x.x.163.5) looses connection. If I do a tracert 1.1.1.1 the first reply is x.x.163.2 and then the second/following reply's are nothing (*).
TLDR: How do I DHCP my public /24 IP block off my VLAN and have no NAT but keep Firewall rules?
Thank you for helping me on this issue.
-
@demonmaestro said in Multiple wan ip blocks on a single interface:
TLDR: How do I DHCP my public /24 IP block off my VLAN and have no NAT but keep Firewall rules?
So this /24 is "routed" too you? via your /29 - that would be a normal sort of setup where the /29 is your transit.. If that is the case you would put your /24 on lan side vlan/network and setup pfsense IP in this vlan to .say .1 of your /24 and use it just like any rfc1918 behind pfsense, just turn off outbound nat for that network.
This would be one of those scenarios where turning off automatic outbound nat makes sense.. Just outbound nat your rfc1918 vlans and not your public vlans.. If the /24 is routed to you, you could even subnet it out break that /24 up into multiple subnets/vlans..
-
So basically i got it setup correctly?
Or what am I doing wrong. -
@demonmaestro said in Multiple wan ip blocks on a single interface:
he issue is when I go to check "whatismyipaddress" it comes back with x.x159.74.
You seem to have not done your outbound nat correctly if you seeing your transit IP. Or this /24 is not actually routed to you?
-
interface (vlan) source(x.x.163.0/24) destination * NAT Address set to NO NAT
-
Dude post up your outbound nat page please... So your doing a hybrid?
-
The folks at Lawrencesystems got me hooked up. Ended up being a bridge issue.
Thank you for your help @johnpoz
-
A bridge issue? You made zero mention any bridges ;)
-
I didn't have a bridge.
A bridge was needed.Sometimes in life a bridge is needed in life to get from point A to point B.
-
No a bridge would NOT be needed if the traffic was "routed" to you as I asked..
So they don't have it routed just directly connected <shakes head> these isp and complete lack of any networking understanding at all. If you have a /29 already, this makes for a perfect transit network for your /24.. Directly attaching it sad really.
-
Then how would you go about it? If you want the /24 on a vlan,IPs DHCP to the computers/servers,block certian ports?
-
Already told you exactly how you do it... But you can not do that if its not actually routed to you... If you bridged your wan to your lan.. Then its not routed..
-
I just got off the phone with the ISP and they said that both IPs are setup on the interface. So working with a bridge is the correct way to set this up.
Sorry for the issues this may have caused. -
Not the way I would do it no... I would just use vips and do a 1:1 nat..
Atleast then you could subnet your /24 and it it for multiple networks behind vs just bridged to single L2..
Can you get them to actually just route that /24 to you.
-
the /29 i am using 1:1 and vips
The /24 there is way too many IPs to 1:1 for my use case.
But as far as subneting it out. I might do that on other blocks down the road.
Thank you again for your help.
-
Your not going to be able to subnet it out if its directly connected and your bridging it.
Why is /24 too many for a 1:1? Not like you have to setup each on on its own, you just do a 1:1 for the whole /24
Your x.x.163.0/24 would just map to say 192.168.163/24 where .1 is .1 and .2 is .2 and so on..
The correct solution for using a /24 would be for the /24 to be routed to you..
