Netgate Discussion Forum
    Routing Public IP range

Routing and Multi WAN
    18 Posts 3 Posters 1.5k Views
dorianwoolger

      Hi all,

One of my customers has recently changed ISP and has been provided with a wires-only service. At the time of ordering a /29 range was requested.

      In the past (including my own line) I have just been provided with the single /29 subnet. Use one IP for the router and others as aliases or other direct devices.

      With this connection I have been provided with a /30 and the /29. I have followed the guide here https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html but it does not mention how to NAT the /29.

Do I need to use 2 routers here, with router 1 having the WAN on the /30 (1 IP as the gateway and the 2nd as the WAN IP), then LAN (or OPT1) using the first /29 IP with no outbound NAT, and then a 2nd IP from the /29 on the 2nd router's WAN address with NAT enabled through the LAN side for the private 192.168.x.x /24 subnet?

      I have it working with 2 routers as I have described but would love to do this in a single box but can't see how.

      1st router is pfSense 2.4.5 3x Gbit ports. 2nd is an old Draytek which I want to get rid of.

      Hope someone can answer.

      Thanks in advance.

dorianwoolger

        Anyone able to take a look at this one please?

johnpoz LAYER 8 Global Moderator
last edited by johnpoz

          @dorianwoolger said in Routing Public IP range:

          but it does not mention how to NAT the /29.

          Why would you nat it?

          If you have a /29 public, just create your network behind pfsense with that /29, the /30 is what would be on your wan.

          You can have say lan with a rfc1918 network, and optX with your /29 public network.

          If you want to use the /29 anywhere and nat, then you would just use those as VIPs on your wan.. And then do whatever natting you want with the vips.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

dorianwoolger

Thanks for the reply. It's a very small business and they don't really need a /29, but it's what's been provided by the new ISP.

The /30 is just a transport subnet and is not presented to the outside world. The /29 is what is to be seen by the outside.

            So from your comments.

            • Set WAN up with the /30 as defined by ISP with lower IP as gateway and the higher one as WAN IP.

            • Add the /29 as VIPs on the WAN interface

            • LAN as a normal RFC1918 subnet

            I assume then use Hybrid (or manual) Outbound NAT to expose one of the /29 IPs as the external IP.

Hope that's correct.

johnpoz LAYER 8 Global Moderator

So they are using an rfc1918 /30?

              Yeah you just use hybrid outbound nat. Or manual if you want - once you create a vip it will become available as your outbound nat address on the interface.

[image: vip.png]


dorianwoolger
last edited by dorianwoolger

                No the /30 is not private.
The below is from the ISP, but I have modified the IPs:

                "This has been configured with the following subnets:

                79.x.x.0/29

                80.x.x.12/30

                Our core is on 80.x.x.13 therefore you'll need to configure your end onto 80.x.x.14 with a subnet mask of 255.255.255.252 and .13 as the gateway.

                79.x.x.0/29 is routed to 80.x.x.14."

                So set WAN up as the /30 using .14 as the IP and .13 as the GW and assign the /29 as VIPs

                LAN interface will just be a normal 192.168.x.x /24 net
                Outbound NAT will be configured as per your image above.

                Many thanks for your replies.

johnpoz LAYER 8 Global Moderator

                  @dorianwoolger said in Routing Public IP range:

                  Our core is on 80.x.x.13 therefore you'll need to configure your end onto 80.x.x.14 with a subnet mask of 255.255.255.252 and .13 as the gateway.

                  Where does that state that is not available from the public? So you could use that address as your normal wan for natting rfc1918 networks behind pfsense..


dorianwoolger

                    Found out on a call I had with them when it did not work. I tried ignoring the /29 to start with and when that was not working I contacted them.

johnpoz LAYER 8 Global Moderator
last edited by johnpoz

Well they should clearly state that in their instructions.. Because this makes no sense.. You give me a public IP, and it is common to assume that it would be available via the public internet.. It's a public IP.. If they do not make it reachable via the public, what are they wasting public IPv4 addresses for?? They should use rfc1918 or the CGnat range 100.64.0.0/10.. Not public IPv4 space that is valuable...

Makes NO sense!!! No wonder we are short on IPv4 space - people wasting them.. Not giving them back when they don't use them... We had a /16 and we used a fraction of that.. We sold off, and now we are down to a /19 which is still lots of space for growth, etc.. So at least they are being used - but we never use public IPv4 where it makes no sense to. If you're not going to make it available to the public then there is no reason to use up what could be public.


dorianwoolger

                        Could not agree more. Seems mad that the /30 does not (and according to the ISP) will not work.

                        Will give the VIPs a go and report back.

                        Thanks for your time.

JeGr LAYER 8 Moderator

                          @dorianwoolger said in Routing Public IP range:

                          Will give the VIPs a go and report back.

Actually, if those /29 range IPs are cleanly routed to you, there's no need to define them as VIPs other than if you use one of them as e.g. the OpenVPN service IP. That one you'd need to define as a VIP (Alias IP style most commonly). Any other IP you only use for e.g. a server behind pfSense you can just set up your port forward or 1:1 NAT and be done. pfSense only needs to "know" the IP itself if it should use it with an actual service (like OVPN). If you just want to NAT inbound or outbound, you don't have to define the IPs, you can just use them (as they are routed to you anyway). You can also do a bit of "nasty" IP'ing: if you don't use the /29 as a real network segment behind pfSense, you can "use" the boundary IPs (broadcast/network) as outbound NAT IPs and save yourself one/two "real" IPs for internal services later on. ;)

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

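As an added worked example (not code from the thread or from pfSense), the address plan the two moderators describe, checked mechanically: the ISP core must be a host address in the transit /30, the other host address becomes the WAN IP, the routed /29 must not overlap the transit or the RFC1918 LAN, only firewall-hosted service IPs become VIPs, the rest are typed straight into NAT rules, and the /29's network and broadcast addresses are listed as the spare outbound NAT addresses JeGr mentions. The transit and routed prefixes are constructed documentation ranges standing in for the masked 80.x.x.12/30 and 79.x.x.0/29, and the interface name "wan" in the pf-style rule string is an assumption.

```python
import ipaddress

# Constructed sample values standing in for the ISP's masked 80.x.x.12/30 transit
# and 79.x.x.0/29 routed block (assumption: documentation ranges, not the real ones).
TRANSIT = "203.0.113.12/30"
CORE_GW = "203.0.113.13"
ROUTED = "198.51.100.0/29"
LAN = "192.168.1.0/24"


def plan_routed_block(transit_cidr, core_gw, routed_cidr, lan_cidr, firewall_service_ips=()):
    """Derive the single-box plan the thread converges on: WAN on the transit /30,
    the routed /29 consumed by NAT rules, VIPs only where pfSense itself answers."""
    transit = ipaddress.ip_network(transit_cidr, strict=False)
    gw = ipaddress.ip_address(core_gw)
    routed = ipaddress.ip_network(routed_cidr)
    lan = ipaddress.ip_network(lan_cidr)

    # The ISP core must be a host address in the transit; the other host is our WAN.
    if gw not in transit.hosts():
        raise ValueError(f"gateway {gw} is not a host address in transit {transit}")
    remaining = [h for h in transit.hosts() if h != gw]
    if len(remaining) != 1:
        raise ValueError(f"expected a /30 transit leaving one WAN address, got {transit}")
    wan_ip = remaining[0]

    # Transit, routed block and LAN must be disjoint, and LAN stays RFC1918 (it is NATed).
    if routed.overlaps(transit) or routed.overlaps(lan) or lan.overlaps(transit):
        raise ValueError("transit, routed block and LAN prefixes overlap")
    if not lan.is_private:
        raise ValueError(f"LAN {lan} is not RFC1918 space")

    # Only addresses that terminate a service on the firewall (e.g. OpenVPN) need a VIP.
    vips = [ipaddress.ip_address(ip) for ip in firewall_service_ips]
    hosts = list(routed.hosts())
    for v in vips:
        if v not in hosts:
            raise ValueError(f"service IP {v} is outside routed block {routed}")
    # Everything else in the routed block is usable in port-forward / 1:1 / outbound NAT
    # rules as a typed address, without defining it on pfSense.
    nat_only = [h for h in hosts if h not in vips]
    # Because the /29 is routed to the WAN and not an on-link segment, its network and
    # broadcast addresses are ordinary routed addresses for NAT (JeGr's spare-IP trick).
    boundary = [routed.network_address, routed.broadcast_address]

    # Illustrative pf-style outbound rule (assumption: interface name "wan"), the shape
    # of a manual outbound NAT mapping from LAN to one routed address.
    rule = f"nat on wan from {lan} to any -> {boundary[0]}"
    return {
        "wan_ip": str(wan_ip), "wan_mask": str(transit.netmask), "gateway": str(gw),
        "vips": [str(v) for v in vips], "nat_only": [str(h) for h in nat_only],
        "boundary_nat": [str(b) for b in boundary], "outbound_nat_rule": rule,
    }


if __name__ == "__main__":
    for key, val in plan_routed_block(TRANSIT, CORE_GW, ROUTED, LAN, ("198.51.100.1",)).items():
        print(f"{key}: {val}")
```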
dorianwoolger @JeGr

@JeGr If I don't set them up as VIPs then they won't be available for selecting in the Outbound NAT rules. The /30 does not route to the outside world. Don't ask me why, as above, a waste of IPs :)

Every other connection where I have supplied a router for the customer (including my own leased line) just has a single customer range provided for use. This is the first time I've been given the /30 and /29. The first thing I did to test the line was set up a PC using the /30, and nothing.

                            After contacting the ISP to say the line was not working they told me the /30 would not route to external and that the /29 must be used. So a quick test with a spare router set with WAN on /30 LAN on /29 with NAT disabled and a PC on the 2nd /29 IP worked.

                            At this time I don't want the /29 on the inside hence this post.
                            Looks like the answer is to put the /29 as VIPs on the WAN interface and manually configure the outbound NAT.

To be honest, I probably should have thought of that myself, but I was over-complicating it in my head thinking that the 2 subnets would require 2 routers.

                            Brain not working well, too many things going on. :)

                            Just glad for forums where other brains are available :)

johnpoz LAYER 8 Global Moderator

                              Here is a question for you - are those NOT Theirs? the /30 they give - would you mind PM me the actual address so I can look it up, and see if routed? And to where?

                              I have seen companies just use other peoples IPv4 inside their own network.. So it doesn't waste their public IP space.


JeGr LAYER 8 Moderator

                                @dorianwoolger said in Routing Public IP range:

                                @JeGr If I don't set them up as VIPs then they won't be available for selecting in the Outbound NAT rules. The /30 does not route to the outside world. Don't ask me why as above, as waste of IPs :)

That's just UI stuff. But if you enter that IP yourself or create an alias with the public IP you can use it in an Alias just fine. You definitely don't have to specify the IPs if they are routed. We've got a /22 routed to our hosting cluster; if I had to declare every freakin' IP as an alias, I'd die of old age ;)

                                Every other connection where I have suppled a router for the customer (including my own leased line) just has as single customer range provided for use.

                                Normally I'd say it's even better that way as with routed IPs - like I stated in my post above - you can do much more than being forced to use them via Alias IPs. So routed IPs > bigger IP range on WAN.

                                This is the first time I've been given the /30 and /29. First thing I did to test the line was set up a PC using the /30 and nothing.

That's the weird part. We got a /29 as transfer network (because the cluster needs at least 3 and the ISP needed 2 itself) and those IPs are fully usable. There normally is no reason why they should behave any other way besides the ISP doing some weird stuff like @Johnpoz suspects. Or they have a filter/firewall in front of it (even weirder).

                                After contacting the ISP to say the line was not working they told me the /30 would not route to external and that the /29 must be used.

                                That's really f***ed up design...

                                Looks like the answer is to put the /29 as VIPs on the WAN interface

                                Only if you need it for services on the firewall. Anything else just use the IP and be fine. No need to set them all up. Also I'd try that nifty little outbound NAT magic using the broadcast or network IP to get myself 2 spare IPs ;)


johnpoz LAYER 8 Global Moderator

                                  Yeah he gave me the actual public IP of his transit.. And it does route, and the company listed as owning it, is his ISP..

                                  It just doesn't get to the end.. So its like they have a firewall actually on purpose blocking access.. Which really doesn't make any sense to me..

Why would you waste a perfectly good public IPv4 as a transit that you're not going to let them use on the public?? They must have IPv4 to just burn.. Which is part of the reason there is a shortage of IPv4 in the first place...

If you're not going to let them use those, why not just use the CGnat range for such addresses? So you don't waste your public IPv4 space.


JeGr LAYER 8 Moderator

                                    @johnpoz said in Routing Public IP range:

                                    It just doesn't get to the end.. So its like they have a firewall actually on purpose blocking access.. Which really doesn't make any sense to me..

                                    What a mess. Don't understand that at all.

                                    Why would you waste a perfectly good public IPv4 as a transit that your not going to let them use on the public?? They must have IPv4 to just burn.. Which is part of the reason there is a shortage of IPv4 in the first place...

                                    Completely agree. Really nasty.


johnpoz LAYER 8 Global Moderator
last edited by johnpoz

And them breaking them down to /30s wastes even more of the space.. You could use a larger transit, and just let the customers use specific IPs in say a /24 or /23, etc. Wastes fewer IPs than subnetting them down to /30s..

                                      Very confusing setup to be sure.

                                      They must be sitting on a shiton of IPv4 space..


dorianwoolger

                                        Hi all, just thought I would report back on this one.

Finally got to site today to do the config. Set the WAN up on the /30 and added a couple of the /29 range as aliases. Set Outbound NAT to manual and configured LAN to use one of the /29.

                                        Worked a treat, so thanks for the help.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.