Multiple static IP on different gateway

firewalled_lotusdew · Nov 4, 2022, 6:17 PM

Dear Community,

I am trying out the community edition of pfSense for my home network. I have requested 3 static IPs from my ISP but their gateways are on different subnets.

IP 1: a.b.59.x Gateway: a.b.59.1
IP 2: a.b.60.y Gateway a.b.60.1
IP 3: a.b.77.z Gateway a.b.77.1

I have only 1 WAN and 1 LAN interface.

I was able to setup the first IP and gateway but not sure how to add additional static IPs which are not on the same gateway as the first one. I am guessing aliasing on Virtual IPs is not the way to go.

I intention is to NAT these static IPs on internal LAN interfaces.

Is it possible to configure a single instance of pfSense to be able to use multiple static IPs on different gatways and route it to appropriate LAN IPs ?

Can someone please share a direction in which I need to research ?

viragomann · Nov 4, 2022, 6:34 PM

@firewalled_lotusdew
Normally it shouldn't be needed to configure multiple gateways if all are on a single WAN. One should be sufficient, but this depends on the gateway configuration.

Simple assign the additional public IPs to the WAN as virtual IPs of type IP alias. Then you can use them in port forwarding rules to redirect traffic destined to them behind pfSense or as well in outbound NAT rules for masquerading.

stephenw10 · Nov 4, 2022, 6:34 PM

Hmm, that's an odd setup. What sort of WAN is that?

What subnet size are those IPs in?

Yes, it's possible to add additional IPs to the WAN to match that but it will require significantly more config. It may not be possible to forward traffic on them because the replies will always go back via main interface gateway.

Steve

firewalled_lotusdew · Nov 4, 2022, 7:28 PM

@stephenw10 I see. Well thats the way my ISP has given me the static IPs. I can try and reason with them that I need them on the same gateway - but its always hard to get to a technical person who understand it well.

I was afraid that I wont be able to route back the traffic to appropriate gateway - from what I understand that seems to your concern as well.

This is what I have from ISP. Do you suggest I go back to ISP and get them on the same gateway ? If thats not possible - do you foresee any other solution ?

stephenw10 · Nov 4, 2022, 7:40 PM

Can you show us what info they actually gave you?

What is the actual WAN connection type here?

firewalled_lotusdew · Nov 5, 2022, 5:28 AM

@stephenw10 Yes

They gave me an initial public static IP
123.176.59.217 with gateway 123.176.59.1
Then they gave me additional two of the following IPs
123.176.60.77 with Gateway 123.176.60.1
123.176.62.177 and gateway 123.176.62.1

The connection from the DSL modem is set in bridge mode and the pfSense Appliance has the static IPs configured.

All these IPs might have an upstream gateway. I am not an networking expert per say (just basic knowledge) - so if I set the gateway as upstream gateway by running a trace route - does that work ? As they are all in subnet 123.176.0.0 ?

bingo600 · Nov 5, 2022, 5:53 AM

@firewalled_lotusdew
What subnet mask(s) did they give you, for those 3 ip's ?

Hmmmm .... Something is "fishy" w. those ip's

whois 123.176.59.217
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '123.176.56.0 - 123.176.59.255'

% Abuse contact for '123.176.56.0 - 123.176.59.255' is 'datacomteam@mirtelecom-bd.com'

inetnum:        123.176.56.0 - 123.176.59.255
netname:        MIRTELECOM
descr:          Mir Telecom
descr:          Level-7, Red Crescent Borak Tower
descr:          71-72, Old Elephant Road, Eskaton Garden
country:        BD

whois 123.176.60.77
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '123.176.60.0 - 123.176.63.255'

% Abuse contact for '123.176.60.0 - 123.176.63.255' is 'ipas@cnnic.cn'

inetnum:        123.176.60.0 - 123.176.63.255
netname:        CSLC-NET
descr:          China Sports Lottery Technology Development Co., Ltd
descr:          Yijing Building, No.23 Dong San Huan Nan Lu,Chaoyang District
descr:          Beijing,China,100021
country:        CN

whois 123.176.62.177
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '123.176.60.0 - 123.176.63.255'

% Abuse contact for '123.176.60.0 - 123.176.63.255' is 'ipas@cnnic.cn'

inetnum:        123.176.60.0 - 123.176.63.255
netname:        CSLC-NET
descr:          China Sports Lottery Technology Development Co., Ltd
descr:          Yijing Building, No.23 Dong San Huan Nan Lu,Chaoyang District
descr:          Beijing,China,100021
country:        CN

They are assigned to different "entities"

/Bingo

firewalled_lotusdew · Nov 5, 2022, 8:26 AM

Ah - I didnt give the exact IP - switched out a few numbers - funny that it goes to China. But I thought it would still give enough information in terms of specifics.

As of now I am trying to understand how I can route WAN interface to different IPs with their own individual gateway.

viragomann · Nov 5, 2022, 8:30 AM

@firewalled_lotusdew
Did you simptry out yet is the other two gateways are really needed?

bingo600 · Nov 5, 2022, 10:05 AM

@firewalled_lotusdew
Please supply the subnet mask(s) you got for the ip's

firewalled_lotusdew · Nov 5, 2022, 10:24 AM

@bingo600 The mask is 255.255.252.0

You mean expect 123.176.60.77 to be routed via 123.176.59.1 ?

bingo600 · Nov 5, 2022, 10:56 AM

@firewalled_lotusdew

The 255.255.252.0 mask "covers 1024 ip addesses" aka. 4 Class-C networks.

Could you please supply the first REAL 3 octets of your ip addresses ? - A.B.C.?? , the ?? part is irellevant , if you dont want to supply.

Well actually it's just the C part that's interesting , if you got a 255.255.252.0 mask (a /22).

Chances are that you can use a 255.255.252.0 mask on your WAN , and "cover all" ip's asigned with the same def-gw.

/Bingo

Patch · Nov 5, 2022, 2:12 PM

From a network configuration advice surely only the lest significant digit are relevant. The ones which a consistent between all of his IP address do not need to be publicly disclosed.

That and the network mask which may cover all public IP given.

Although I guess 123.176. is rubbish and perhaps the remainder is more accurate.

bingo600 · Nov 5, 2022, 12:02 PM

@Patch
You mean like i wrote here

@bingo600 said in Multiple static IP on different gateway:

Well actually it's just the C part that's interesting , if you got a 255.255.252.0 mask (a

viragomann · Nov 5, 2022, 12:26 PM

@firewalled_lotusdew said in Multiple static IP on different gateway:

You mean expect 123.176.60.77 to be routed via 123.176.59.1 ?

pfSense routes any packets destined to an IP out of its own subnets to the default gateway.
The point is if the gateway accepts a source IP outside of its subnet. Only the ISP will know the answer, but you can easily check it out.
For forwarding packets for such IPs, you can ask your ISP to route them to your primary IP, if he doesn't that anyway.

In the past, I had three different public subnets, all with their own network addresses, gateways and broadcast IPs on a single WAN interface. I configured only gateway of the first one on pfSense and all worked well out of the box.

Derelict · Nov 5, 2022, 2:26 PM

@patch said in Multiple static IP on different gateway:

From a network configuration advice surely only the lest significant digit are relevant. The ones which a consistent between all of his IP address do not need to be publicly disclosed.

That and the network mask which may cover all public IP given.

Although I guess 123.176. is rubbish and perhaps the remainder is more accurate.

With a /22 netmask the last 10 bits are significant, not the last octet.

They should provide XX.YY.Real-address.real-address

XX.YY should be used to indicate they are identical for both the addresses and the provided gateways.

And, of course, the provided subnet masks.

stephenw10 · Nov 5, 2022, 3:38 PM

Mmm, depending on which bits were swapped those subnets may or may not be inside the same /22. Currently they are shown as not being which would mean they could not share the same gateway.

firewalled_lotusdew · Nov 5, 2022, 3:50 PM

@stephenw10 Yes I realize that these IPs dont fall within the same subnet I think based on the calculations below. So I am assuming they cannot be routed

As you can see the range is from 123.176.56.X to 123.176.59.254.

So the static IPs 123.176.60.X and 123.176.62.X wont be routable via the gateway 123.176.59.1 I believe. Please let me know if i am understanding correctly ?

stephenw10 · Nov 5, 2022, 3:57 PM

Yes, they cannot use the same gateway.

Hoe is the DSL modem configured here? Is it really a modem only? I assume you are not using PPPoE here?
Is the 'modem' itself acting as the gateway?

firewalled_lotusdew · Nov 5, 2022, 4:03 PM

@stephenw10 @stephenw10 The DSL modem has a fiber connection and it has 4 lan ports. One of the LAN port is configured into bridge mode which lands on the static IP confgured on pfSense WAN.

It might be possible to portmap the remaining 3 LAN into bridge mode as well and land them on seperate static IPs on any interface but that topology will mean I need multiple instances of pfSense I guess. I am trying to avoid that.

I dont know if a better idea would be to front the pfSense with a reverse proxy with different static IPs ... I am quite out of depth here.