Small WAN IP Subnet with Larger LAN IP Subnet

Reeko

My ISP gives me 2 subnets: a /30 and a /29. The smallest one works as an interconnection between the ISP and us through a VLAN numbered 16. The larger ones are public IPs. We have one nic for LAN and one for this WAN setup. I established communications with the /30 creating the VLAN, assigned it to the WAN interface, and configured an IP. I can ping the next hop, however, I cant navigate to the internet. The ISP says that is necessary to configure the public IPs. So, I use one of the /29 addresses to the WAN, but still, I can't navigate.

What am I missing here?

SteveITS

@reeko Are you using NAT with the /29 subnet being on the LAN side? That's the setup of our data center, though with a /25. That should just work.

If these should be WAN IPs and NAT is being used, then what you probably want is a virtual IP address.

Reeko

@steveits Hi Steve thanks for your reply. I'm really confused with the NAT.

I have 3 NICs:
(A) - My LAN. This NIC has several VLANS where my clients connect.
(B) - WAN1: The ISP gives me a single IP and a gateway address over a VLAN.
(C) - WAN2: The ISP gives me 2 subnets: /29 (public address) and /30 (interconnection with the ISP) over a VLAN.

WAN1 works fine. My clients have internet from WAN1. My problem is how to configure WAN2.

This is what I have done:

1-. Create VLAN 16
2-. Assign to interface WAN2
3-. Set address of the /30 subnet to the VLAN 16
4-. Set an address of /29 subnet to the WAN2 interface

I can ping the other side of the ISP through the VLAN16. However, I can't access the internet. So, how should I configure NAT to get service?

Thanks in advance.

viragomann

@reeko said in Small WAN IP Subnet with Larger LAN IP Subnet:

I can ping the other side of the ISP through the VLAN16.

The gateway IP you got from the ISP?
I assume the gateway is part of the /30 subnet.

Did you add the gateway IP in the WAN2 interface settings?

4-. Set an address of /29 subnet to the WAN2 interface

The WAN IP of the /30 has to stay in the interface settings. It is needed to talk to the gateway.

Is the /29 routed to your primary WAN2 IP?
If it is you can simply forward it by NAT (maybe 1:1).
Otherwise you have to add each IP of the /29 as virtual IP of type "IP Alias" to WAN2.

However, I can't access the internet. So, how should I configure NAT to get service?

If you want to access the internet using an IP of the /29 you have to configure the outbound NAT (if not using NAT 1:1). 1:1 maps one internal IP to one external, if this is what you want.

Reeko

@viragomann Yes, the ISP gateway is the /30 subnet over a VLAN. If I can ping the other side of the ISP, I assume the interface is talking with the ISP right?

Should I let the WAN2 with none address?

How should I configure Outbound NAT?

How should I route the /29 to the primary WAN2 IP?

Thanks for the help on this. I'm new on this kind of stuff

viragomann

@reeko said in Small WAN IP Subnet with Larger LAN IP Subnet:

Should I let the WAN2 with none address?

No. I guess, your got an IP of the /30 for your router and a gateway from the ISP. So your IP and the gateway are necessary on WAN2 for the connection.

How should I route the /29 to the primary WAN2 IP?

This can be done by the ISP. My assumption is, that this is already done.
This means, when someone wants to connect to an IP of the /29 the packets are routed to the primary WAN2 IP (of the /30).

How should I configure Outbound NAT?

This depends on your needs. NAT 1:1 means that one public IP is mapped to one internal. Hence you can internal also not have more IPs the the /29 and each certain internal host has a certain external IP.
If you want to use multiple public IPs on a single host, do not use 1:1, but simply port forward it.

When not using 1:1, do you want to a single IP for upstream connections or multiple?

Maybe you can provide more infos about what you really want to achieve.

Reeko

@viragomann Hi there. I just want to provide internet to my clients connected to the LAN through this service. At this moment, I don't need all the /29 subnet addresses. The ISP told me that in order to go out to the internet, the package should come from the /29 subnet.

Making some tests, if I make a traceroute from a virtual IP of the /29 subnet to 8.8.8.8, the package goes out through the ISP, which means that the interconnection between me and the ISP is working. Now, I don't have any idea how to route the traffic from any of the VLANs over the LAN pass-through this service.

Thanks a lot for the help. I really appreciate that

viragomann

@reeko
You should make a decision if you want to NAT the traffic 1:1 or 1:many.
The default is 1:many. Which means, for outbound traffic many internal hosts get out with the same public IP.

Again: my assumption is, the whole /29 subnet is routed to you and you can use all IPs for your purposes.

For setting up this go to Firewall > NAT > outbound. If the outbound NAT is in automatic rule generation mode, switch to hybrid and save that.
Then add a new rule:
interface: WAN2
source: Network <your internal subnet>
Translation address: Other subnet, enter your external IP below and set the mask to /32

All other options can stay at default values. Enter a description and save it.

If you've added the public IPs to the interface as virtuals, you can select them in the drop-down at translation address.

Assuming the WAN2 gateway is not the default, you additionally need to policy route the traffic from the internal subnet out to WAN2 gateway. This is done by firewall rules, which allow the upstream traffic.
In the pass rules simply open the advanced options and go down to gateway and select WAN2 GW.
However, consider that such a policy routing rule passes all matching traffic to the stated gateway! In other words, it does not allow access to internal destinations.
So for internal access like DNS to pfSense you need to add an additional rule which allow only this and set it to the top of the rule set.

Reeko

@viragomann From I see, your assumption is correct. The /29 subnet is routed by the ISP, so I'm able to use any of those addresses to go out to the internet.

Considerer that my ISP is using a VLAN16 with the /30 subnet that I bound to the WAN2 interface. So the interface name is (re1.16)

So, should I set an /29 address to the WAN2 (re1) interface?

Reeko

@viragomann The ISP provides internet using a VLAN. I created a VLAN on the WAN2 interface. I assigned this VLAN. Once assigned, I use one address from a /30 subnet. The Subnet is 10.3.90.0/30. I used the address 10.3.90.2 and as a gateway 10.3.90.1 (ISP side). With this, I can ping the ISP side. Now, I created a VIrtual IP / Alias with address 200.35.89.51 / 29. Then create an outbound rule on the WAN to not nat the 200.35.89.48 /29 network (I have 2 ISP on the same box). If I make a trace using the virtual IP, I can go out to the internet. If I make a trace where the source is the VLAN network, I cant reach google.com for example. This confirmed that the ISP is routing the package using the public subnet (200.35.89.48/29)

Then, I set to the WAN2 interface the address 200.35.89.50 and create a GW with the 200.35.89.51 address (the virtual IP alias).

If I make a trace with WAN2 as a source, I can't reach 8.8.8.8, Why? What is missing here?

viragomann

@reeko said in Small WAN IP Subnet with Larger LAN IP Subnet:

The Subnet is 10.3.90.0/30.

So that's a private address. That would be really worth to mention before.
So the network is used by the ISP as a transit network only. So you cannot use this IP as source for upstream connection.
The private address is not routed in the internet and is only known by your ISP.

So you have to use one of the public IPs of the /29 for outbound NAT.

Also nobody can access the 10.3.90.0/30 from the internet.

Reeko

@viragomann I'm sorry, I thought I explained the situation clear. Yes, the ISP is using that private network just for transit. How do I configure this to make it work? I have a similar situation with another company with a cisco router. I have set up like one interface with the /30, then another with the /29, a 0.0.0.0 0.0.0.0 /30 route, /29 as an inside nat, and /30 as outside. This works fine. But I don't know how to replicate this setup on pfsense. So, how should I do it?

Reeko

@viragomann I want to thank you for your guidance. I really appreciate your time on this topic. Finally, I solved the problem, just adding an outbound rule on the /30 interface where the source is the VLAN over the LAN interface, destination any, and translating to one of the /29 addresses. With that, our clients can go out to the internet using this service.

So, if anyone finds a scenario like this, this is what I did:

1-. Set up the interconnection: use one of the /30 addresses and create a GW with the other address on the interface connected to the ISP

• Interfaces - Select the one connected with the ISP
• Configuration Type: Static
• Ip Address: one of the /30 (usually the highest)
• Add a new gateway
• Gateway Name: as you want
  Gateway IP: the other address
  Add
  Save

2-. Create an IP alias: Firewall - Virtual IP - Add

• Type: Ip Alias

• Interface: The one connected to the ISP

• Address: One of the public address

• Save

3-. NAT outbound rules: one with static port and another without static port. Firewall - NAT - Outbound

• Outbound Type: Hybrid

• Save

• Add Rule
  Interface: The one connected with the ISP
  Address Family: IPV4 + IPV6 (if you use IPV6)
  Protocol: Any
  Source: LAN network. If you have multiples VLAN on
  your LAN, then the source should be the
  network of the VLAN you need to go out to
  the internet
  Destination: Any
  Translation: The Ip alias that was created before.
  Dropdown the list to find it
  Check the Static Port for one of the rules. Then create
  another one exactly like before but without the static
  port checked
  Save

4-. Set a policy to use the gateway of your ISP: Firewall - Rules - LAN (or VLAN on the LAN) Tab and add a rule where the gateway is your interface connected with your ISP.

• Firewall - Rules - LAN (or VLAN over your LAN) Tab and then click on Add

• Interface: The LAN or VLAN on the LAN interface

• Address Family: IPV4 + IPV6

• Protocol: Any

• Source: Lan or Vlan Net

• Destination: any

• Display Advanced options and scroll down until find Gateway

• Select the gateway created before

• Click Save

And that's it. This works for me. Maybe is not too fancy but, works fine.

Thanks everyone for the help.