PFsense Routing Public IP
-
I'm trying to assign a public ip to my server via the opt1 interface.
I'm following the pfsense book https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html and have obtained from my isp a wangw ip and a wan ip.
My current wan setup uses pppoe, so I change this to static ipv4 and enter the newly allocated IPs. However the wan interface fails to connect to the isp.
I don't see any point in going to the next stage - setting up the opt1 interface until I've cleared the wan hurdle?
Any ideas?
-
If your ISP requires PPPoE you can't just choose to use static, you must use PPPoE.
What sort of connection is it, DSL? What is the pfSense WAN connected to, a modem of some sort?
What information did the ISP give you for converting to this new IP type? Is it an additional IP?
Steve
-
The connection is vdsl using the isp's modem in bridge mode.
The ISP said this: "I have assigned you xx.xx.xx.185/29 Host Range = { xx.xx.xx.185 - xx.xx.xx.190 } You'll need to reconfigure your router and ensure you drop PPP as the allocation will not be routed until you have".
-
Hi,
I think you put your first message in a bit misleading...
according to your second message, you can think of this: https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html
or (in short)
https://www.aventistech.com/2016/02/19/pfsense-multiple-public-ip-in-wan-interface/
PS:
(for first reading)
I also thought you wanted to create a fixed IPv4 from the PPPoE address....
edit: if you want to create all this on OPT1 instead of the existing WAN, then OPT1 must also be configured as a WAN interface:
https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv4-wan-types.html
this will make an ISP WAN upstream GW + assigned 5 VIPs
-
It would be very unusual to see an ISP switching from PPPoE to static IPs on the same modem, in the same mode.
I'm not even sure how that would work.
It could be a statically assigned PPPoE IP. Or a subnet routed to dynamic PPPoE IP maybe. Or maybe the modem changes mode and it does the PPPoE and hosts the subnet on its LAN directly.
Are there any public docs we can check for this from your ISP?
Steve
-
Sorry, I wasn't explicit in my 1st post.
For clarity this is what I'm attempting to do:
Currently I use pppoe to connect to the isp who gives me a static ipv4 & ipv6 address.
For the future I want to retain the above config for my LAN and some other vlans. However, for my mailserver vlan I want to allocate its host with a different static ipv4 address.
I'd appreciate the forum's views on the best way to achieve this objective.
-
No, that wasn't the intent
-
I read from the ISP message that PPPoE is terminated and you get a public IP block??????
ISP - "You'll need to reconfigure your router and ensure you drop PPP as the allocation will not be routed until you have".
-
@DaddyGo Nope. Isp can't just terminate pppoe and use a public ip block
ppp is layer 2, public ip is layer 3. Don't touch the router!
Typically when an isp says this, she means that the /29 range has been routed "behind" the pppoe ip address assigned to wan ppp interface.
https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html
Small WAN IP Subnet with Larger LAN IP Subnet is the case
-
so it's clear, but that's what you're saying....(the OP did not describe it!)
as you can see above I suggested this too
many times you learn well when, they lead you through a thought process
not, if they tell you what to do....
-
@DaddyGo I know you did, I'm just suggesting the op to try the most common scenario.
-
Yup, it was a little bit strange thread...
I still hope it is for learning purposes
boring just writing solutions?
am I wrong?
and here it often happens, here in the forum, so the questioner never looks for things (answers) on his/her own
just get a ready solution.....
like f ....ng fast food restaurants, and meanwhile he/she loves delicious food, though he/she cannot prepare it
(however, pfSense is more than that, although it is a very popular stuff)
and tasty
THX
-
Yup, them routing the /29 to your existing IP is a much more likely scenario.
There are some IPs though that will do this with a numberless p2p link on the WAN which pfSense cannot match directly.
Steve
-
@stephenw10 said in PFsense Routing Public IP:
It would be very unusual to see an ISP switching from PPPoE to static IPs on the same modem, in the same mode.
It is not common but it is done. We had what our ISP called a "bridged connection". It confused me for about 30 seconds until the tech explained it. But basically the DSL modem with no router and no method for login.. (Zoom 5715) Then our router set with a static IP. Issue is that security is very lacking in this kind of circuit.
-
@ziggy said in PFsense Routing Public IP:
The connection is vdsl using the isp's modem in bridge mode.
The ISP said this: "I have assigned you xx.xx.xx.185/29 Host Range = { xx.xx.xx.185 - xx.xx.xx.190 } You'll need to reconfigure your router and ensure you drop PPP as the allocation will not be routed until you have".
Well, this is straight and clear.
The isp is asking the client to drop and reconnect ppp so isp provisioning (most probably radius) can also assign the route for the added network.
So it's pppoe over vdsl with a bridged modem. It's a subnet routed behind a /30 wan.
(I doubt it is unnumbered since this doesn't work with all routers)
-
@chpalmer It is not common but it is done.
exactly,
Not too long ago....
This is exactly what happened at the endpoint of one of our more serious customers.
An IP block was required and the original PPPoE connection was terminated.
True in this case we are talking about an FTTB and not a modem or other ISP CPE at the endpoint, but from a Raisecom ISCOM GPON SFP (ONT) - which drives the pfSense WAN.
Ergo there is a switch from PPPoE in the ISPs world of thought and in the solution set.
-
Not the topic, an idea maybe;
My ISP did away with static addressing many years ago, I use PPPoE too but with an ONT. The fascinating thing from this is that I can dial several connections over the ONT (also in bridge mode) and each will get its public IPv4 address and /64 IPv6 block. The amount of addresses I can get doesn't make them static though so, to fix that I tunnel to a cloud-deployed pfSense (or OPNsense for one-click L2 with ZeroTier).
Vultr is my favorite for this, Scaleway is awesome too and dirt cheap but Euro-zone only. They need to assign you an IP to give you service, as long as your instance lives, which is your new front anyway, the address is yours--or you can always reserve it for like a US dollar more. The instance would be like EUR/USD 5 with a data cap around a 1TB/mo. Unlimited in the case of Scaleway. At the prices the static IPv4s were when they were phased out, this workaround at the current exchange rate, which is 2x as high, I'm still saving about 26x the cost per month.
Only your application users (inbound to the/from the cloudfront) would use that anyway, as you'd still be using your local exit for normal traffic. If you just need to reach stuff behind the firewall, ZeroTier is much cheaper than a static IP--free for up to 100 users I believe, but you get support if you pay so it's a win-win. Another option is a reverse proxy, like HAProxy in pfSense and a DDNS updater on meth that updates no matter what while still counting your API calls.
There's Cloudflare's Argo tunnel service too, and their gateway thingy, which is like a forms-auth reverse proxy--sort of like ADFS WAP. If you deploy things that need to know their public address though (TURN, Skype4B Edge), a cloud firewall gives you a real IP, low latency and very lock price. Netgate has another product, maybe it works for that. All I know is that it routes A LOT, like A really LOT.
Now I forgot what I came here for…
Good luck !
-
@skilledinept "Now I forgot what I came here for…
Good luck !"
thank you for the little brainstorming
I personally don't like PPPoE it's a tunnel protocol, just think of MTU
and very specifically does no good, for example, to IPS
-
@netblues said in PFsense Routing Public IP:
The isp is asking the client to drop and reconnect ppp so isp provisioning (most probably radius) can also assign the route for the added network.
Ha, yeah I think you nailed it here! They are just asking to re-establish the ppp session. That seems far more likely.
Comprehension fails all round!
Steve