Netgate Discussion Forum

    A handful of "getting started" routing questions

    Routing and Multi WAN
    9 Posts 3 Posters 895 Views
      rlmalisz

      Long-time Gnatbox/GBOS user here. The fan on the GB850 started whining, GTA has closed up shop, so with recommendations from folks at the UBNT forums, decided to go with pfSense. Purchased a Netgate 6100, which is probably overkill, but would rather have some future-proof against increased bandwidth, etc. We have a block of 5 static IP addresses.

      1. If our block of usable IPs is WW.XX.YY.2-6, I would describe that as WW.XX.YY.2/29. Gateway will be WW.XX.YY.1. I have plowed through a chunk of the Netgate tutorials, and there seems to be some implication that I need to use VIPs to make this all work. Is that true? I can't just NAT/port-forward required services to the correct internal servers using IP addresses or aliases?
      2. Everything suggests that local interfaces shouldn't have gateways explicitly assigned. But our DMZ (and quite a few of our LAN) machines have static internal IPs. With the Gnatbox, I was explicitly assigning these in the firewall to what you'd expect, and for DHCP, had the server handing out the same. The Netgate DHCP config allows providing a gateway for clients. If I leave both blank, for AA.BB.CC.0/24, what will the gateway default to? AA.BB.CC.1?
      3. Lastly, not a routing question per se. I have assigned the WAN2 port on the 6100 to be our DMZ interface. From everything I have read/seen, that will route just like any other NIC, right?

      Thanks in advance. Spent a fair while getting all the NAT stuff done, swapped the 6100 in for the GB850, and got nothing. I suspect I have some basic errors in the WAN interface settings, but would like to swat as many flies when I am next hooked up to the 6100 as possible.

      --Richard

        SteveITS @rlmalisz

        @rlmalisz said in A handful of "getting started" routing questions:

        I need to use VIPs to make this all work. Is that true? I can't just NAT/port-forward required services to the correct internal servers using IP addresses or aliases?

        pfSense needs to know those other IP addresses belong to it. Add them to the WAN (Firewall/Virtual IPs) as IP aliases and then in the NAT rule the Destination dropdown will have the aliases listed also.

        local interfaces shouldn't have gateways explicitly assigned

        If we're on the same page, that's talking about how the LAN interface doesn't need a gateway. Client devices on the LAN do need the pfSense set as their gateway, which you can do via DHCP.

        assigned the WAN2 port on the 6100 to be our DMZ

        The names of the ports on the device itself are irrelevant, you can use them for whatever you need.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          rlmalisz @SteveITS

          @steveits So I have set up "Virtual IP"s for the extra WAN addresses. I can describe them in the comment field, but not give them meaningful names. I have IP Aliases set up for these IPs as well, and would expect that it's okay to use those aliases in NAT port forwards. Is that not true?

          And I am sure this is okay, but can't hurt to ask while there are experts around: I mis-described the WAN definition above. It's actually XX.YY.ZZ.6/29, gateway is XX.YY.ZZ.1. One of the WAN-facing server addresses is XX.YY.ZZ.2. It's my hope that there isn't some convention that the base address in the subnet will get used by the Netgate as its primary. I can move things around, but there would be some disruption to the server sitting at .2 while a move to .6 propagates through the DNS universe. Given this definition of the WAN subnet, will the Netgate use .6 as its primary?

          --Richard

            SteveITS @rlmalisz

            @rlmalisz The .6 would be the primary. You can check Status/Interfaces or go to http://checkip.dyndns.org/ from behind it.

            Yes you can use aliases in the NAT rules.

              zulasch

              I also have a /29 subnet from my ISP. Because my router is a Fritzbox I am not able to use Virtual IPs, as the Fritzbox is not able to do port forwarding / Exposed Host to a MAC with multiple IPs (aliases).

              Is there any way to add more physical network interfaces, each with its own public IP from the /29 subnet?

              WW.XX.YY.2/29 - WAN2
              WW.XX.YY.3/29 - WAN3
              WW.XX.YY.4/29 - WAN4
              ...

                SteveITS @zulasch

                @zulasch Possibly VLANs but the Fritzbox would presumably need to communicate on the VLAN... If not that then extra NICs in the pfSense router.

                Can the Fritzbox just set the pfSense as its DMZ and forward all traffic?

                  zulasch

                  Unfortunately the Fritzbox doesn't support DMZ, just the Exposed Host function, but this allows only one IP with a unique MAC address. This is also the big fail of the Fritzbox.

                  What do you mean by extra NICs? Because I have multiple NICs but this doesn't work:

                  WW.XX.YY.2/29 Gateway WW.XX.YY.1 -> WAN2 (NIC 1)
                  WW.XX.YY.3/29 Gateway None -> WAN2 (NIC 1) <- This is not working, I get the following error:

                  The following input errors were detected:
                  IPv4 address WW.XX.YY.3/29 is being used by or overlaps with: WAN2 (WW.XX.YY.2/29)

                  I have found that some have the same issue and tried OPNSense, so I decided to try it... It works: on OPNSense I am able to add extra NICs with the same /29 subnet. But I don't want to switch to OPNSense, because I like pfSense.

                  Is this a pfSense limitation?

                  zulasch

                    SteveITS @zulasch

                    @zulasch I've always done that using a virtual IP. I suppose it makes sense that it blocks you because otherwise pfSense doesn't know where to route traffic for those other interfaces...if the route is set up the same on all of them (WW.XX.YY.0/29 is on WAN1 but also WAN2...check Diagnostics/Routes in both products to compare).

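An added worked example (my own Python, not code from pfSense, OPNSense or anyone in this thread) for the two points raised above: how a /29 block like the one in the first post breaks down into network, gateway, usable hosts and broadcast, and why a second interface given another address from the same /29 overlaps with the first. It uses constructed TEST-NET-3 addresses (203.0.113.0/29) in place of WW.XX.YY, and the overlap rule is my assumed reconstruction of the check behind the quoted error, not pfSense's implementation.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample block standing in for the thread's WW.XX.YY.0/29 (TEST-NET-3, not a real site).
BLOCK = "203.0.113.2/29"      # the block written the way the first post describes it
GATEWAY = "203.0.113.1"       # ISP gateway, the first host address


def block_layout(cidr: str, gateway: str) -> Dict[str, object]:
    """Split a block into network, gateway, usable hosts and broadcast.

    Accepts interface notation such as 203.0.113.2/29; the host bits are masked off,
    so .2/29 and .0/29 describe the same block.
    """
    net = ipaddress.ip_interface(cidr).network
    gw = ipaddress.ip_address(gateway)
    if gw not in net.hosts():
        raise ValueError(f"gateway {gw} is not a host address inside {net}")
    usable = [str(h) for h in net.hosts() if h != gw]
    return {"network": str(net.network_address), "gateway": str(gw),
            "usable": usable, "broadcast": str(net.broadcast_address)}


def overlapping_assignments(assignments: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (iface_a, iface_b, prefix) for every pair of interfaces whose connected
    subnets overlap. Assumed reconstruction of the rule behind the quoted error
    "is being used by or overlaps with": two interfaces would otherwise both claim a
    directly connected route for the same prefix.
    """
    ifaces = [(name, ipaddress.ip_interface(addr)) for name, addr in assignments.items()]
    clashes = []
    for i, (name_a, if_a) in enumerate(ifaces):
        for name_b, if_b in ifaces[i + 1:]:
            if if_a.network.overlaps(if_b.network):
                clashes.append((name_a, name_b, str(if_a.network)))
    return clashes


def vip_aliases(cidr: str, gateway: str, wan_address: str) -> List[str]:
    """Addresses left over once one is chosen as the WAN address: these are the ones
    to add under Firewall/Virtual IPs as IP Aliases so NAT rules can target them."""
    return [a for a in block_layout(cidr, gateway)["usable"] if a != wan_address]


if __name__ == "__main__":
    print(block_layout(BLOCK, GATEWAY))
    # Second NIC with .3/29: rejected, it is the same /29 as the WAN at .2/29
    print(overlapping_assignments({"WAN2": "203.0.113.2/29", "WAN3": "203.0.113.3/29"}))
    # Keep one WAN at .6 (as in the corrected description) and alias the rest
    print(vip_aliases("203.0.113.6/29", GATEWAY, "203.0.113.6"))
```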
                      zulasch

                      Yes, virtual IPs are the correct way, but this f..k Fritzbox

                      The routes are looking the same...

                      pfSense routes:

                      Destination      Gateway        Flags  Use      Mtu    Netif
                      default          WW.XX.YY.201   UGS    6859567  1500   vtnet0
                      ...
                      WW.XX.YY.200/29  link#1         U      307660   1500   vtnet0
                      WW.XX.YY.205     link#1         UHS    188      16384  lo0
                      ...

                      OPNSense routes:

                      Proto  Destination      Gateway       Flags  Use  MTU    Netif   Netif (name)
                      ipv4   default          WW.XX.YY.201  UGS    NaN  1500   vtnet0  WAN202
                      ...
                      ipv4   WW.XX.YY.200/29  link#1        U      NaN  1500   vtnet0  WAN202
                      ipv4   WW.XX.YY.202     link#1        UHS    NaN  16384  lo0     Loopback
                      ipv4   WW.XX.YY.203     link#2        UHS    NaN  16384  lo0     Loopback
                      ipv4   WW.XX.YY.204     link#5        UHS    NaN  16384  lo0     Loopback
                      ...

                      I really don't understand the difference between OPNSense and pfSense in this topic...

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.