Spectrum Static Public IP address without router (in bridge mode) and with PfSense

JKnott

@eugene-0

If I'm reading that right, you have 3 routers, including pfsense. Why do you have that WAN router that has the address assigned to it? That's where pfsense should be.

stephenw10

@eugene-0 said in Spectrum Static Public IP address without router (in bridge mode) and with PfSense:

<WAN>Router (Static IP with netmask /32 and has its gateway. This IP is my Public IP address)

That doesn't make much sense. Anything with a /32 subnet mask is not going to be able to connect to anything unless it's point-to-point or a VIP on an interface with a larger mask.
That's the pfSense WAN?

If you public IPs on the LAN side of the router they are probably routing a subnet to you via some other IP. I doubt that's a /20 unless you're paying for that.

Steve

JKnott

@stephenw10

All a /32 can do is identify an interface. Some routing protocols use a /32 to identify a router. It won't work as a point to point link, which requires a /31, as 2 addresses are needed.

stephenw10

P-t-P doesn't require a subnet at all, all traffic leaving from it can only go to the otherside of the link so it doesn't matter. Most PPPoE sessions are like that for example:

[2.5.2-RELEASE][admin@pfsense.fire.box]/root: ifconfig pppoe0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
	description: PLUSNET
	inet 143.194.232.98 --> 172.16.13.252 netmask 0xffffffff
	inet6 fe80::fad1:11ff:fec1:5b57%pppoe0 prefixlen 64 scopeid 0x11
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

FreeBSD/pfSense requires it to be set to be set so it can be used for routing. Without any subnet mask specified it would throw errors in numerous places. As I understand it at least.

Steve

Eugene 0

Sorry, the second netmask is /30 and not /32.

Yes, I have a Business account with Spectrum, and I pay for a static IP address.
I'm trying to save energy by excluding the router in Bridge mode. I have the network connected to a server that works 24/7.

I would like to have:
Spectrum Modem -> <WAN>PfSense (5 total Ethernet ports including wan) -> Server, SmartTV, Security Cams,

At this moment, I have: (NO PfSense Connected)
Spectrum Modem -> <WAN> Spectrum Router (bridge mode - this has Static IP address connected to gateway /20 netmask) -> <WAN>Router with wifi (Static IP with netmask /30 and has its gateway. This IP is my Public IP address) -> Server, SmartTV, Security Cams.

I tried different variations for network connection, works fine:
Spectrum Modem -> <WAN> Spectrum Router (bridge mode - this has Static IP address connected to gateway /20 netmask) -> <WAN>PfSense (Static IP with netmask /30 and has its gateway. This IP is my Public IP address) ->Router with wifi -> Server, SmartTV, Security Cams.

Simple explaining: Can I create two routers in PfSense to work in series with two different subnet masks? The first router should be in Bridge mode.

Spectrum Modem -> WAN PfSense static IP /20 netmask -> WAN PfSense static IP /30 netmask -> LAN PfSense with internal IP 192.168.1.1.

stephenw10

@eugene-0 said in Spectrum Static Public IP address without router (in bridge mode) and with PfSense:

Can I create two routers in PfSense to work in series with two different subnet masks?

No, but you shouldn't have to.

Are you sure the spectrum router is using a static IP on it's WAN? You have admin access to that device?
What do spectrums docs say about 3rd party routers?

Steve

Eugene 0

@stephenw10
I have access to the Spectrum Router in bridge mode. I checked and yes 100% has static IP.

I do not know the Policy regarding 3 Party routers.

One more thing: excluding the Spectrum router in Bridge mode and instead connect the PfSense with WAN settings - IP address connected to gateway /20 netmask (exact same IP settings and gateway from Spectrum router in bridge mode) = I get an internet connection but my public IP is not real one instead I get the IP from Spectrum router in Bridge mode.

stephenw10

Ok, and you don't want to use the static public IP from the /30 on an internal interface?

Then I would add the IP as a VIP on the WAN and change your outbound NAT rules to use that instead of the WAN address.
Since they appear to be routing the /30 to you you can probably use both IPs from it if you want.

To test that first add the VIP on WAN then go to Diag > Ping anf make sure you ping out usig the VIP as the source IP.

Steve

Eugene 0

@stephenw10
I would like to use IP from /30 netmask -I do not want to use IP from /20 netmask.
The reason is: IP from Netmask /20 is blacklisted on multiple services.

stephenw10

So add it as a VIP and test it.

Eugene 0

@stephenw10
Nop, does not work.

Eugene 0

I will try to explain differently:
I have one Static Public IP provided by Spectrum (I pay for Static IP): y.y.y.y /30 netmask with Gateway y1.y1.y1.y1

My connection:
Spectrum Modem -> WAN Spectrum router (bridge mode) static IP x.x.x.x /20 netmask with Gateway x1.x1.x1.x1 -> WAN Router (my personal router) static IP y.y.y.y /30 netmask with Gateway y1.y1.y1.y1 -> Server, Web Cams. TVs with internal IPs 192.168.2.2.-192.168.1.254.

I want to remove the WAN Spectrum router (bridge mode) and use Pfsense with 5 Ethernet ports.
Spectrum Modem -> WAN PfSense IP x.x.x.x/20 netmask with Gateway x1.x1.x1.x1 -> WAN Pfsense IP y.y.y.y /30 netmask with Gateway y1.y1.y1.y1 -> Server, Web Cams. TVs with internal IPs 192.168.2.2.-192.168.1.254.

I tried to make a configuration:
Spectrum Modem -> WAN Pfsense IP x.x.x.x/20 netmask with Gateway x1.x1.x1.x1 -> VIP Pfsense IP y.y.y.y /30 + NAT

I tried to ping externally and internally IP x.x.x.x - works fine; I have an internet connection, but public IP is still x.x.x.x

I can Ping IP y.y.y.y internally but not externally.
all ports and rules are open

I think: it probably does not work because I did not indicate Gateway y1.y1.y1.y1 for IP y.y.y.y /30 in the VIP - I do not know-how.

Also, I tried to make a configuration:
Spectrum Modem -> WAN Pfsense IP y.y.y.y /30 netmask with Gateway y1.y1.y1.y1 -> VIP Pfsense IP x.x.x.x/20 + NAT
With this configuration, the Internet does not work

stephenw10

If they are actually routing the /30 to you then the gateway address, y1.y1.y1.y1, will actually be on the Spectrum router. The /30 exists only between the Spectrum router and your existing router.
Is that the case?

If not then I'd suggest looking to see if anyone else has already done this. I'm sure someone will have tried.

Steve

Eugene 0

Eugene 0

The first 3 pictures are settings from the router in bridge mode.
The last picture with settings from 3rd party router (for wi-fi, Server, TVs).

stephenw10

Ok, well I'm not sure how many of those setting actually apply when it's in bridge mode. Those NAT setting in particular seem unlikely to apply here since the router behind it is using that IP directly.

I also note that the bridged router is showing the x1.x1.x1.x1 as being DHCPv4 and not static as you said. However we can't see the WAN setup there, it could just be a display glitch.
Does pfSense work there with it's WAN set as DHCP?

Given what we can see I would have expected the /30 IP to work as a VIP. Can we see exactly how that was setup?

I could imagine it might require a different MAC to work which would be a problem.

It could be a completely separate subnet enabled on the same link (ugly!) and might require using the /30 upstream gateway. In which case you would have to add the gateway and outbound NAT rules to use it.

Steve