
    Adding a Subnet to an Interface

    Routing and Multi WAN
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @noGoSubnet
      last edited by johnpoz

      @nogosubnet dude I have no idea what you're talking about.. Your dsl isp device being in bridge mode or pfsense setting up a bridge has zero to do with each other.

      Do you have bridge setup in pfsense between wan and bge1?? And clients on bge1 network are pulling IPs via dhcp from your isp?

      And that has zero to do with a specific public range being routed to you..

      Please show this screen!

      pfsense.jpg

      a bridged connection from a router

      Is not a bridge in pfsense..

      The routed subnet is /29 block of IPv4 addresses, so these are assigned via Static IPv4

      What does that have to do with bridge in pfsense? You do not need to bridge in pfsense.. To be able to assign a public IP range to one of its interfaces.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          Marv21 @johnpoz
          last edited by

          @johnpoz

          I think he is trolling you.
          So many things don't make any sense from him.

          • N
            noGoSubnet @Marv21
            last edited by noGoSubnet

            @marv21 No, not trolling, - I am actually trying to find a solution to the problem ...which is definitely not going to be with a group of people who are clearly incapable of reading several carefully-worded explanations and understanding that what they are dealing with is a basic network configuration (yes, I understand more about these issues than I let on).

            Either way, though, and regardless of the above, I now know for definite that what I outlined here is not possible with pfSense (plus that there are zero workarounds) and will not be wasting any more time with a seemingly ignorant and hostile forum. I am also seriously glad that I did not waste several hundred pounds on a Netgate paperweight.

            Incidentally, if you want answers from people it helps if you are capable of formulating a question specific enough to elicit the information you require ...and if you can avoid demanding the same information from people over and over again when the above could be used far more effectively. Also, should an image be required, it helps if the OP can be given an outline of the required format, labels, etc..

            For anyone else wanting to know the conclusion of this post, and in summary: if you have (in this case) a personal computer, a webserver, and pfSense running on its own board (with a 2-port LAN card (bge0 for the personal computer and bge1 for the webserver)), bridged from a router (with DSL line to the router), and with a requirement to connect to the webserver from the personal computer, you will not be able to: in theory you should be able to route a connection request from the personal computer (LAN) to the webserver (OPT1) but, in practice, this is not possible with a pfSense configuration and there are no workarounds.

            In my case there is also the issue of a routed subnet on the webserver side, which was variously added as a Routed IP Subnet on the router side and into the OPT1 configuration under the webConfigurator but, whether added to just one or both, neither configuration worked ...and even with this left out completely it was still not possible to establish a connection between the personal computer and the webserver.

            Those who have replied insist on the problem being down to firewall rules, but this has been exhaustively ruled out (with the firewalls on both the webserver and personal computer disabled) and with fully open rules connecting all the interfaces; so, no, the indications are that this is very definitely down to some serious limitations and possible coding issues in the pfSense software.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @noGoSubnet
              last edited by johnpoz

              @nogosubnet said in Adding a Subnet to an Interface:

              bridged from a router (with DSL line to the router

              <rolleyes>

              You're shooting yourself in the foot dude if you're creating a bridge with pfsense.. And you can not even post a simple screenshot.

              Why do you think you should bridge pfsense? Why??

              You clearly can not state your issue correctly - or even post a specific screenshot when asked..

              How do you think you could talk to something inside a bridge if you have no IP in this bridged network on pfsense?? But there is ZERO reason to bridge it.. ZERO!!

              If you have your /29 bridged all the way to your webserver - then it's not freaking routed.. Your PC is directly attached to your isp network through the bridge..

              How would something with a public IP attached to some ISP via a bridge talk to a rfc1918 address?? If the network is actually routed to you - then route it to pfsense public IP that it gets through your bridged "Draytek" on its wan - rfc1918 connected to pfsense, and some other network connected to pfsense can route between each other just fine.

              • S
                SteveITS Galactic Empire @noGoSubnet
                last edited by

                @nogosubnet said in Adding a Subnet to an Interface:

                very definitely down to some serious limitations and possible coding issues in the pfSense software.

                I understand your frustration but that’s incorrect. pfSense will route between its networks unless blocked by the firewall. So there’s something else going on but unfortunately we don’t know enough to help.

                Re:bridging, I think you’re saying you bridged your ISP router so your pfSense has a public IP? That’s fine, but then saying your pfSense is bridged is confusing, since pfSense itself can be set up as a bridge.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @SteveITS
                  last edited by johnpoz

                  @steveits yeah he seems to have bridged all the way through to his webserver?? Bridge on edge router, and another bridge on pfsense. Yet he states this /29 is routed to him..

                  And no if that is how he is setup he will not be able to talk to this rfc1918 hanging off pfsense. Just not possible without pfsense having an IP in the /29 on the bridge it can route via to the rfc1918 space

                  • N
                    noGoSubnet @johnpoz
                    last edited by noGoSubnet

                    @johnpoz the bridge is from the router.

                    The router has to be the first piece of hardware after the DSL line, correct?

                    ...and the mainboard running pfSense has to go next in line, right?

                    ...and all the guides indicate that the router (in this case a Draytek Vigor 2860) has to be in bridged mode (which makes sense because, otherwise, the pfSense setup would just be another device alongside the PC and the webserver communicating with the internet but otherwise serving no purpose); hence the router is working in bridged mode in order to allow pfSense to control the internet traffic to and from the PC and the webserver (not to mention any traffic between the PC and the webserver).

                    I am certain that I am not wrong in this, and I can confirm that I have not added any bridge configuration under the webConfigurator. - If that is going to be required, then fair enough, but, as it stands at the moment, I have not configured any bridge and can access the internet from the PC, via pfSense, with no problem.

                    I will reset pfSense and submit a screenshot of the dashboard, which will hopefully clarify some things.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @noGoSubnet
                      last edited by johnpoz

                      @nogosubnet said in Adding a Subnet to an Interface:

                      I have not added any bridge configuration under the webConfigurator.

                      Then pfsense would HAVE TO HAVE an IP in your /29

                      If so then you could route between your rfc1918 on lan and the network on your opt1 network.. As long as device in lan is using pfsense lan IP as its gateway, and device in your /29 is using pfsense IP on opt as its gateway.

                      • N
                        noGoSubnet @johnpoz
                        last edited by noGoSubnet

                        @johnpoz How do I route from an RFC? - I thought that they were simply that, - not interfaces. The LAN uses the pfSense WAN by default (I am using the internet connection from that at the moment).

                        I do not have private networks blocked (if that is a potential issue - and the source of the RFC note), so I guess that all I need now is a pfSense bridge between WAN and OPT1?

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @noGoSubnet
                          last edited by johnpoz

                          @nogosubnet said in Adding a Subnet to an Interface:

                          he LAN uses the pfSense WAN by default (I am using the internet

                          What??

                          Here expanded drawing.

                          drawing.jpg

                          I have a device on my rfc1918 network on lan.. This device would use pfsense lan IP of 192.168.1.1 as its gateway. Now my routed public network. In my example 12.13.14.0/29 where pfsense IP in this network is 12.13.14.1 and your webserver is 12.13.14.2 - it would be using pfsense 12.13.14.1 as its gateway.

                          If your webserver wants to go to 192.168.1.100, it would send that traffic to pfsense. Pfsense would say oh yeah I am connected to this 192.168.1/24 network - let me send that on. As long as the firewall rules on opt allow it.

                          Do you have some gateway hard coded in your opt1 rules? Please post your opt1 rules, and your lan rules. There should be no gateway setup in the firewall rules - or you're policy routing. Which if you are, then there would need to be a rule above this policy route that allows your traffic.

                          • N
                            noGoSubnet @johnpoz
                            last edited by noGoSubnet

                            @johnpoz OK, - I will post those and confirm that I have created no firewall rules at all at the moment, except the auto-generated BOGON rules.

                            WAN:

                            pfSenseWAN.png

                            LAN:

                            pfSenseLAN.png

                            OPT1:

                            pfSenseOPT1.png

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @noGoSubnet
                              last edited by

                              @nogosubnet bogon would only go on WAN interface..

                              Lan rules would default to any any, and opt1 interface would have NO rules by default. You would have to create 1, say a any any rule to get started with.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @noGoSubnet
                                last edited by johnpoz

                                @nogosubnet why would you have bogon on your OPT? Bogon would include rfc1918.. Please post Screenshot of rules.. not some ascii art..

                                edit:
                                Out of the box wan would have block rfc1918 and bogon.
                                Lan would have antilock and any any rule
                                opt1 would have nothing - you have to create rules on new interfaces. So create an any rule - and there you go you can route between lan and your public network on opt1

                                When you route public space on pfsense lan side network, you also want to make sure you're not natting it.

                                https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @johnpoz
                                  last edited by johnpoz

                                  There you go.. What about your nat rules? If you do not edit those your public space network would be natted to your pfsense wan IP.

                                  But with those rules - you would be able to talk from your webserver on your opt network to your lan network. As long as you didn't put something in floating blocking it.

                                  • N
                                    noGoSubnet @johnpoz
                                    last edited by noGoSubnet

                                    @johnpoz - thanks, - just tested, but not working.

                                    pfSenseANY.png

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @noGoSubnet
                                      last edited by johnpoz

                                      @nogosubnet well from your webserver can you ping the IP of pfsense lan IP, 192.168.1.1 in my example drawing?

                                      Out of the box any say windows box, or pretty much anything with a firewall would not allow access from some IP that is not its local network.

                                      You have no rules in floating right?

                                      • N
                                        noGoSubnet @johnpoz
                                        last edited by noGoSubnet

                                        @johnpoz I have no rules under floating, no, and I have now put together a NAT rule, too:

                                        pfSenseNAT.png

                                        Also:

                                        Pinging 192.168.1.1 with 32 bytes of data:
                                        Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
                                        Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
                                        Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
                                        Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

                                        Ping statistics for 192.168.1.1:
                                        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                        Approximate round trip times in milli-seconds:
                                        Minimum = 0ms, Maximum = 0ms, Average = 0ms

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @noGoSubnet
                                          last edited by johnpoz

                                          @nogosubnet why would you have that rule? Makes no sense for such a rule.. And it wouldn't ever work anyway..

                                          You're saying that is sent to pfsense wan IP, send it to pfsense opt1 address.. What would that do?? pfsense opt1 address is not your webserver..

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator @noGoSubnet
                                            last edited by johnpoz

                                            @nogosubnet said in Adding a Subnet to an Interface:

                                            Pinging 192.168.1.1 with 32 bytes of data:
                                            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
                                            Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

                                            There you go.. You're routing to rfc1918 space from your webserver. If you can not talk to say 192.168.1.x, then it has a firewall on it not allowing it, or it's not using pfsense as its gateway.

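An added example, not part of any post in this thread: a small Python check of the layout the replies above describe (a firewall address inside the routed /29, a pass rule on every interface, each host using the firewall as its gateway, and no outbound NAT on the routed block). The addresses follow the 12.13.14.0/29 example drawing; the `Iface` and `Host` classes, the finding codes and the 12.13.14.6 gateway are constructed for illustration, and counting pass rules is a simplification of real rule matching.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Iface:
    name: str
    addr: str        # firewall's own address on this interface, CIDR form
    pass_rules: int  # pass rules on the interface tab (a new OPT starts at 0)


@dataclass
class Host:
    name: str
    addr: str
    gateway: str


def check_layout(ifaces, hosts, routed_net, nat_sources):
    """Return finding codes; an empty list means nothing here blocks routing."""
    routed = ipaddress.ip_network(routed_net)
    fw = {i.name: ipaddress.ip_interface(i.addr) for i in ifaces}
    findings = []

    # The firewall needs its own address inside the routed block to act as
    # that block's gateway (the "bridged all the way through" case fails here).
    if not any(f.ip in routed for f in fw.values()):
        findings.append("NO_FIREWALL_IP_IN_ROUTED_NET")

    # Traffic is filtered on the interface it enters; no pass rule, no traffic.
    for i in ifaces:
        if i.pass_rules == 0:
            findings.append(f"NO_PASS_RULE:{i.name}")

    # Each host must sit on a connected network and point at the firewall there.
    for h in hosts:
        on = [f for f in fw.values() if ipaddress.ip_address(h.addr) in f.network]
        if not on:
            findings.append(f"HOST_NOT_ON_CONNECTED_NET:{h.name}")
        elif ipaddress.ip_address(h.gateway) != on[0].ip:
            findings.append(f"GATEWAY_NOT_FIREWALL:{h.name}")

    # Outbound NAT that covers the routed block rewrites it to the WAN address.
    if any(routed.overlaps(ipaddress.ip_network(s)) for s in nat_sources):
        findings.append("ROUTED_NET_IS_NATTED")
    return findings


ROUTED = "12.13.14.0/29"
PC = Host("pc", "192.168.1.100", "192.168.1.1")
WEB = Host("webserver", "12.13.14.2", "12.13.14.1")
LAN = Iface("LAN", "192.168.1.1/24", 1)

# Layout from the example drawing, with an allow rule added on OPT1.
GOOD = check_layout([LAN, Iface("OPT1", "12.13.14.1/29", 1)],
                    [PC, WEB], ROUTED, ["192.168.1.0/24"])

# Constructed broken variant: fresh OPT1, wrong gateway, NAT left on the /29.
BAD = check_layout([LAN, Iface("OPT1", "12.13.14.1/29", 0)],
                   [PC, Host("webserver", "12.13.14.2", "12.13.14.6")],
                   ROUTED, ["192.168.1.0/24", ROUTED])

# Constructed variant with no firewall interface addressed in the /29.
BRIDGED = check_layout([LAN], [PC, WEB], ROUTED, ["192.168.1.0/24"])

if __name__ == "__main__":
    for label, result in (("good", GOOD), ("bad", BAD), ("bridged", BRIDGED)):
        print(label, result or "no findings")
```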
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.