Routing Public IP range



  • Hi all,

    One of my customers has recently changed ISP and has been provided with a wires only service. At time of ordering a /29 range was requested.

    In the past (including my own line) I have just been provided with the single /29 subnet. Use one IP for the router and others as aliases or other direct devices.

    With this connection I have been provided with a /30 and the /29. I have followed the guide here https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html but it does not mention how to NAT the /29.

    Do I need to use 2 routers here, with router 1 having the WAN on the /30 (1 IP as the gateway and the 2nd as the WAN IP) and then LAN (or OPT1) using the first /29 IP with no outbound NAT, and then a 2nd IP from the /29 on the 2nd router's WAN address and enable NAT through the LAN side for the private 192.168.x.x /24 subnet?

    I have it working with 2 routers as I have described but would love to do this in a single box but can't see how.

    1st router is pfSense 2.4.5 3x Gbit ports. 2nd is an old Draytek which I want to get rid of.

    Hope someone can answer.

    Thanks in advance.



  • Anyone able to take a look at this one please?


  • LAYER 8 Global Moderator

    @dorianwoolger said in Routing Public IP range:

    but it does not mention how to NAT the /29.

    Why would you NAT it?

    If you have a /29 public, just create your network behind pfsense with that /29, the /30 is what would be on your wan.

    You can have say lan with a rfc1918 network, and optX with your /29 public network.

    If you want to use the /29 anywhere and nat, then you would just use those as VIPs on your wan.. And then do whatever natting you want with the vips.



  • Thanks for the reply. It's a very small business and they don't really need a /29 but it's what's been provided by the new ISP.

    The /30 is just a transport subnet and is not presented to the outside world. The /29 is what is to be seen by the outside.

    So from your comments.

    • Set WAN up with the /30 as defined by ISP with lower IP as gateway and the higher one as WAN IP.

    • Add the /29 as VIPs on the WAN interface

    • LAN as a normal RFC1918 subnet

    I assume then use Hybrid (or manual) Outbound NAT to expose one of the /29 IPs as the external IP.

    Hope that's correct.


  • LAYER 8 Global Moderator

    So they are using an RFC1918 /30?

    Yeah, you just use hybrid outbound NAT. Or manual if you want - once you create a VIP it will become available as your outbound NAT address on the interface.

    (attached screenshot: vip.png)



  • No the /30 is not private.
    The below is from the ISP but I have modified the IPs:

    "This has been configured with the following subnets:

    79.x.x.0/29

    80.x.x.12/30

    Our core is on 80.x.x.13 therefore you'll need to configure your end onto 80.x.x.14 with a subnet mask of 255.255.255.252 and .13 as the gateway.

    79.x.x.0/29 is routed to 80.x.x.14."

    So set WAN up as the /30 using .14 as the IP and .13 as the GW and assign the /29 as VIPs.

    LAN interface will just be a normal 192.168.x.x /24 net.
    Outbound NAT will be configured as per your image above.

    Many thanks for your replies.


  • LAYER 8 Global Moderator

    @dorianwoolger said in Routing Public IP range:

    Our core is on 80.x.x.13 therefore you'll need to configure your end onto 80.x.x.14 with a subnet mask of 255.255.255.252 and .13 as the gateway.

    Where does that state that it is not available from the public? So you could use that address as your normal WAN for NATting RFC1918 networks behind pfSense..



  • Found out on a call I had with them when it did not work. I tried ignoring the /29 to start with and when that was not working I contacted them.


  • LAYER 8 Global Moderator

    Well they should clearly state that in their instructions.. Because this makes no sense.. You give me a public IP, and it's common to assume that it would be available via the public internet.. It's a public IP.. If they do not make it reachable via the public, why are they wasting public IPv4 addresses for?? They should use RFC1918 or the CGNAT range 100.64.0.0/10.. Not public IPv4 space that is valuable...

    Makes NO sense!!! No wonder we are short on IPv4 space - people wasting them.. Not giving them back when they don't use them... We had a /16, we used a fraction of that.. We sold off, and now we are down to a /19 which is still lots of space for growth, etc.. So at least they are being used - but we never use public IPv4 where it makes no sense to. If you're not going to make it available to the public then there's no reason to use up what could be public.



  • Could not agree more. Seems mad that the /30 does not (and, according to the ISP, will not) work.

    Will give the VIPs a go and report back.

    Thanks for your time.


  • LAYER 8 Moderator

    @dorianwoolger said in Routing Public IP range:

    Will give the VIPs a go and report back.

    Actually, if those /29 range IPs are cleanly routed to you, there's no need to define them as VIPs other than if you use one of them as e.g. an OpenVPN service IP. That one you'd need to define as a VIP (Alias IP style most commonly). Any other IP you only use for e.g. a server behind pfSense you can just set up your port forward or 1:1 NAT and be done. pfSense only needs to "know" the IP itself if it should use it with an actual service (like OVPN). If you just want to NAT inbound or outbound, you don't have to define the IPs, you can just use them (as they are routed to you anyway). You can also do a bit "nasty" IP'ing and if you don't use the /29 as a real network segment behind pfSense, you can "use" the boundary IPs (broadcast/network) as outbound NAT IPs and save yourself one/two "real" IPs for internal services later on. ;)



  • @JeGr If I don't set them up as VIPs then they won't be available for selecting in the Outbound NAT rules. The /30 does not route to the outside world. Don't ask me why, as above, a waste of IPs :)

    Every other connection where I have supplied a router for the customer (including my own leased line) just has a single customer range provided for use. This is the first time I've been given the /30 and /29. First thing I did to test the line was set up a PC using the /30 and nothing.

    After contacting the ISP to say the line was not working they told me the /30 would not route to external and that the /29 must be used. So a quick test with a spare router set with WAN on the /30, LAN on the /29 with NAT disabled and a PC on the 2nd /29 IP worked.

    At this time I don't want the /29 on the inside, hence this post.
    Looks like the answer is to put the /29 as VIPs on the WAN interface and manually configure the outbound NAT.

    To be honest, I probably should have thought of that myself but I was over complicating it in my head thinking that the 2 subnets would require 2 routers.

    Brain not working well, too many things going on. :)

    Just glad for forums where other brains are available :)


  • LAYER 8 Global Moderator

    Here is a question for you - are those NOT theirs? The /30 they gave - would you mind PMing me the actual address so I can look it up, and see if it's routed? And to where?

    I have seen companies just use other peoples IPv4 inside their own network.. So it doesn't waste their public IP space.


  • LAYER 8 Moderator

    @dorianwoolger said in Routing Public IP range:

    @JeGr If I don't set them up as VIPs then they won't be available for selecting in the Outbound NAT rules. The /30 does not route to the outside world. Don't ask me why, as above, a waste of IPs :)

    That's just UI stuff. But if you enter that IP yourself or create an alias with the public IP you can use it in an Alias just fine. You definitely don't have to specify the IPs if they are routed. We've got a /22 routed to our hosting cluster; if I had to declare every freakin' IP as an alias, I'd die of old age ;)

    Every other connection where I have supplied a router for the customer (including my own leased line) just has a single customer range provided for use.

    Normally I'd say it's even better that way as with routed IPs - like I stated in my post above - you can do much more than being forced to use them via Alias IPs. So routed IPs > bigger IP range on WAN.

    This is the first time I've been given the /30 and /29. First thing I did to test the line was set up a PC using the /30 and nothing.

    That's the weird part. We got a /29 as transfer network (because the cluster needs at least 3 and the ISP needed 2 itself) and those IPs are fully usable. There normally is no reason why they should behave any other way besides the ISP doing some weird stuff like @Johnpoz suspects. Or they have a filter/firewall in front of it (even weirder).

    After contacting the ISP to say the line was not working they told me the /30 would not route to external and that the /29 must be used.

    That's really f***ed up design...

    Looks like the answer is to put the /29 as VIPs on the WAN interface

    Only if you need it for services on the firewall. Anything else just use the IP and be fine. No need to set them all up. Also I'd try that nifty little outbound NAT magic using the broadcast or network IP to get myself 2 spare IPs ;)


  • LAYER 8 Global Moderator

    Yeah he gave me the actual public IP of his transit.. And it does route, and the company listed as owning it, is his ISP..

    It just doesn't get to the end.. So its like they have a firewall actually on purpose blocking access.. Which really doesn't make any sense to me..

    Why would you waste a perfectly good public IPv4 as a transit that you're not going to let them use on the public?? They must have IPv4 to just burn.. Which is part of the reason there is a shortage of IPv4 in the first place...

    If you're not going to let them use those, why not just use the CGNAT range for such addresses? So you don't waste your public IPv4 space.


  • LAYER 8 Moderator

    @johnpoz said in Routing Public IP range:

    It just doesn't get to the end.. So its like they have a firewall actually on purpose blocking access.. Which really doesn't make any sense to me..

    What a mess. Don't understand that at all.

    Why would you waste a perfectly good public IPv4 as a transit that you're not going to let them use on the public?? They must have IPv4 to just burn.. Which is part of the reason there is a shortage of IPv4 in the first place...

    Completely agree. Really nasty.


  • LAYER 8 Global Moderator

    And them breaking them down to /30s wastes even more of the space.. You could use a larger transit, and just let the customers use specific IPs in say a /24 or /23, etc. Wastes fewer IPs than subnetting them down to /30s..

    Very confusing setup to be sure.

    They must be sitting on a shiton of IPv4 space..



  • Hi all, just thought I would report back on this one.

    Finally got to site today to do the config. Set the WAN up on the /30 and added a couple of the /29 range as aliases. Set Outbound NAT to manual and configured LAN to use one of the /29.

    Worked a treat, so thanks for the help.
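The addressing plan the thread converges on (WAN on the upper host of the ISP's /30 with the lower host as gateway, the routed /29 used as outbound NAT sources, optionally including the network and broadcast addresses when the /29 is never deployed as a real segment) can be checked with a small planning script. This is an added example, not configuration from the forum or from pfSense: it uses RFC 5737 documentation ranges in place of the poster's 80.x.x.12/30 and 79.x.x.0/29, assumes a WAN interface called `em0` and a LAN of 192.168.10.0/24, and renders an illustrative pf-style `nat` rule rather than pfSense's generated ruleset. It refuses a NAT source taken from the transit /30, which is exactly the mistake the ISP's instructions invited.

```python
"""Plan addressing for an ISP handover of a /30 transit plus a routed /29.

Constructed example: the addresses are RFC 5737 documentation ranges standing
in for the thread's 80.x.x.12/30 transit and 79.x.x.0/29 routed block.
"""
import ipaddress

TRANSIT = ipaddress.ip_network("198.51.100.12/30")  # ISP transfer network (assumed value)
ROUTED = ipaddress.ip_network("203.0.113.0/29")     # block routed to the WAN IP (assumed value)
LAN = ipaddress.ip_network("192.168.10.0/24")       # RFC1918 LAN behind pfSense (assumed value)
WAN_IF = "em0"                                      # assumed WAN interface name


def transit_addressing(transit):
    """Return (wan_ip, gateway) for a point-to-point /30.

    Follows the ISP convention quoted in the thread: the lower usable host
    is the ISP core and gateway, the upper one is the customer WAN address.
    """
    if transit.version != 4 or transit.prefixlen != 30:
        raise ValueError("expected an IPv4 /30 transit network")
    gateway, wan_ip = list(transit.hosts())
    return wan_ip, gateway


def classify(addr, transit=TRANSIT, routed=ROUTED):
    """Say what role an address can play in this handover."""
    addr = ipaddress.ip_address(addr)
    if addr in transit:
        return "transit"           # WAN only; the ISP says it is not reachable from the Internet
    if addr in (routed.network_address, routed.broadcast_address):
        return "routed-boundary"   # NAT source only if the /29 is never used as a real segment
    if addr in routed:
        return "routed"            # normal VIP / outbound NAT / port-forward candidate
    return "foreign"


def nat_candidates(routed=ROUTED, include_boundary=False):
    """Addresses from the routed block usable as outbound NAT sources."""
    return list(routed) if include_boundary else list(routed.hosts())


def outbound_nat_rule(nat_addr, lan=LAN, wan_if=WAN_IF, transit=TRANSIT, routed=ROUTED):
    """Render a pf-style outbound NAT rule, refusing addresses that cannot work.

    The text mirrors pf syntax for illustration; it is not pfSense's generated ruleset.
    """
    kind = classify(nat_addr, transit, routed)
    if kind == "transit":
        raise ValueError(f"{nat_addr} is in the transit /30, which the ISP does not route externally")
    if kind == "foreign":
        raise ValueError(f"{nat_addr} is outside both the transit /30 and the routed /29")
    return f"nat on {wan_if} inet from {lan} to any -> {nat_addr}"


def plan(transit=TRANSIT, routed=ROUTED, lan=LAN, wan_if=WAN_IF):
    """Assemble the WAN address, gateway, VIP list and a first outbound NAT rule."""
    wan_ip, gateway = transit_addressing(transit)
    vips = nat_candidates(routed)
    return {
        "wan_ip": f"{wan_ip}/{transit.prefixlen}",
        "gateway": str(gateway),
        "vips": [str(a) for a in vips],
        "outbound_nat": outbound_nat_rule(vips[0], lan, wan_if, transit, routed),
    }


if __name__ == "__main__":
    for key, value in plan().items():
        print(f"{key}: {value}")
```

Run it as-is to see the plan for the placeholder ranges; swap the three network constants for the real handover values to get the WAN/gateway pair, the six (or eight, with the boundary trick) candidate NAT addresses, and a rule you can compare against what the Outbound NAT page shows after saving.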

