Netgate Discussion Forum
    Source address always originates from gateway when using /29 subnetting of public IPs for hosts behind pfSense

    Routing and Multi WAN
    1 Posts 1 Posters 372 Views
    ccy

      I subscribe to a fixed IP package from my ISP. They assigned me a range of public IPs in a /29 subnet.

      As an example to describe my issue, I use the 123.123.123.184/29 subnet.

      There are 8 addresses in this subnet, and their purposes are:

      IP Address        Usage
      123.123.123.184   Subnet address
      123.123.123.185   Gateway
      123.123.123.186   Public IP
      123.123.123.187   Public IP
      123.123.123.188   Public IP
      123.123.123.189   Public IP
      123.123.123.190   Public IP
      123.123.123.191   Subnet broadcast address

      Besides the gateway 123.123.123.185, there are 5 usable public IP addresses.

      The pfSense documentation does mention how to use those public IP addresses, either by 1:1 NAT or by setting a public IP as the destination in a port forward rule. However, I am planning to assign these public IPs to backend hosts directly.

      The ISP does not allow me to set the public IP address as a static IP address on the WAN connection. Instead, it must authenticate via PPPoE first, and it returns the gateway IP address 123.123.123.185 upon successful authentication. Furthermore, pfSense doesn't allow us to add a PPPoE interface as a member of a bridge interface, so I am not able to use the other public IP addresses on hosts directly.

      I activated another port, OPT1, on the pfSense node:

      1. Set a static IPv4 address on OPT1: 192.168.50.1/24.
      2. Define a virtual IP on interface OPT1 with one public IP address, 123.123.123.190/29.
      3. Add a PASS rule in Firewall for the OPT1 interface for all traffic.
      4. Add a PASS rule in Firewall for the WAN interface, destined to the 123.123.123.184/29 network, for ingress traffic.

      I then configured my other host with this IP address:

      IP Address: 123.123.123.186
      Subnet mask: 255.255.255.248
      Gateway: 123.123.123.190

      This host can now send outbound and receive inbound requests in both directions. So far so good. This method sacrifices one public IP address, but I think it is a better solution compared to 1:1 NAT.

      However, I notice the outbound traffic from the host originates from the gateway instead of its own public IP address. This is what I see when I try to send an outbound request:

      $ curl -s http://ipecho.net/plain
      123.123.123.185
      

      I expect the source of the request should be 123.123.123.186.

      If I change the static IP address setting on OPT1 to DHCP (there is no DHCP server on the OPT1 network), both inbound and outbound still work as before. And I try:

      $ curl -s http://ipecho.net/plain
      123.123.123.186
      

      Surprisingly, the source of the request is 123.123.123.186.

      I don't understand why it works, but setting DHCP on OPT1 without a DHCP server to answer the requests does make the pfSense machine take longer to boot. I am sure there are many DHCP lease requests being sent from OPT1 frequently.

      Is this a good way to use PPPoE-based subnetted public addresses on hosts behind pfSense? And is there any way to avoid the DHCP setting on the OPT1 interface?
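
      As an added illustration from the editor (not code from the post, and not pfSense's own rule generator), the following Python models pf's outbound NAT evaluation, in which the first matching translation rule decides. It shows how a packet from 123.123.123.186 leaves the WAN with the PPPoE address 123.123.123.185 as its source when an outbound NAT rule covers the public /29, and how a "no NAT" exception placed ahead of that rule keeps the original source. The two rule sets, the interface name and the inclusion of the /29 in the automatic-style set are assumptions constructed for this example; the actual generated rules on a pfSense box are listed under Firewall > NAT > Outbound.

```python
"""
Model of pf outbound NAT evaluation: translation rules are scanned in order
and the first match wins, a matching 'no nat' rule keeps the original source.

Constructed example. The rule sets below are assumptions written for
illustration and are not the rules pfSense generates.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Address the PPPoE session handed to the WAN interface (value from the post).
WAN_ADDRESS = "123.123.123.185"


@dataclass
class NatRule:
    interface: str               # egress interface the rule applies to
    source: str                  # CIDR the packet source must fall inside
    translate_to: Optional[str]  # None models a 'no nat' exception rule


def translated_source(rules: List[NatRule], egress_iface: str, src_ip: str) -> str:
    """Return the source address a packet leaves egress_iface with.

    First matching rule decides. A 'no nat' match (translate_to is None)
    stops evaluation and preserves the source; no match also preserves it.
    """
    src = ip_address(src_ip)
    for rule in rules:
        if rule.interface != egress_iface:
            continue
        if src in ip_network(rule.source):
            return src_ip if rule.translate_to is None else rule.translate_to
    return src_ip


# Assumed automatic-style rule set: NAT the OPT1 subnet and the VIP's /29 to
# the WAN address. Covering the /29 here is an assumption chosen to reproduce
# the behaviour the post observed with a static OPT1 address.
AUTOMATIC: List[NatRule] = [
    NatRule("wan", "192.168.50.0/24", WAN_ADDRESS),
    NatRule("wan", "123.123.123.184/29", WAN_ADDRESS),
]

# Assumed hybrid-style rule set: a 'no nat' exception for the public /29 is
# placed first, so hosts holding those addresses keep them on egress while
# the private OPT1 subnet is still translated.
HYBRID: List[NatRule] = [
    NatRule("wan", "123.123.123.184/29", None),
    *AUTOMATIC,
]


def compare(src_ip: str = "123.123.123.186") -> dict:
    """Source address a remote site would see under each rule set."""
    return {
        "automatic": translated_source(AUTOMATIC, "wan", src_ip),
        "hybrid": translated_source(HYBRID, "wan", src_ip),
    }


if __name__ == "__main__":
    for mode, seen in compare().items():
        print(f"{mode:9s} -> remote site sees {seen}")
```

      Running the block prints the address a remote echo service would report for the host under each rule set; the private 192.168.50.0/24 clients are still translated in both cases, so the exception changes nothing for them.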

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.