ISP Provided Lan and Wan Blocks
-
I am currently in the process of switching to a Business Fiber Connection provided by an ISP. They have given me a single static IP WAN block (216.50.72.xxx/31) and a LAN block (216.50.76.xxx/30). I came across this link (https://community.spiceworks.com/topic/2267693-comcast-edi-ip-blocks) which seems to align with the below pfSense configuration.
Is the documentation I found (https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html) the correct guide for setting up pfSense?
Assuming after this I can then use the ISP-provided LAN IPs in place of WAN 1 and WAN 2 in the port forwarding section, or just directly assign them to a machine.
-
@badincite That's the doc but typically this would be the setup if the IPs were to be used on LAN devices, or a DMZ network. If on LAN you could use a second router between this one and your actual LAN.
For use on a NAT rule they would need to be on WAN, i.e. the address being NATted.
-
@steveits Okay so it would probably be best to spin up a second pfsense and configure it that way. Then assign the two Public Lan Block IP's as WAN1 and WAN2 "Virtual IP" like I have now.
So something like this
PFSENSE ACCESS ROUTER
    FIBER WAN INTERFACE 216.50.72.xxx/31
    LAN INTERFACE 216.50.76.xxx/30
ACCESS ROUTER LAN INTERFACE to WAN INTERFACE OF NAT ROUTER
PFSENSE NAT ROUTER
    EXISTING WAN1 216.50.76.2
    WAN2 VIRTUAL IP 216.50.76.3
-
@badincite right. I'm assuming they are routing the /30 to the /31 IP which would be the normal setup here. Though usually it is done with a /30 on WAN since the WAN needs to talk to its gateway. As long as pfSense can get out it's ok.
-
@steveits My WAN provider has provided me with a /31 IP address, and my LAN has a /30 IP address. When I tried to assign the first IP of the /30 as the pfsense LAN, I received an error message stating, 'This IPv4 address is the network address and cannot be used.' Since the first IP is the network address and the last IP is the broadcast, if pfsense uses the second IP, I will be left with only a single usable IP.
Currently, I have assigned the second IP to pfsense and the third IP to a test VM. I have gotten everything working by adding a rule for all traffic from the WAN interface to the third public LAN IP I assigned to the VM.
-
@steveits I just changed the subnet to a /29 on the LAN side so it would allow me to use the 216.57.76.36 on the interface. Is that really going to hurt anything? Not sure if anything really would be using the broadcast address.
-
@badincite Yeah they'll have to explain how it works in their setup. A /30 and /29 are much more typical, or else just assign a WAN subnet as a /29 and not need a second IP. Our data center uses a public subnet for its LAN, but our office uses a /29 and has an IP and virtual IPs.
If you use someone else's IP (which is technically what you've done by expanding your subnet) then your router won't be able to route to those IPs. That may not matter for your case.
-
@steveits It says I have 4 IPs in the Internal IP block /30. So I'm staying in the range they provided, just with a different subnet so I can use the 1st IP.
-
@badincite Ah. On the LAN side they may not route that extra IP to you.
-
@steveits When I tested it using the first IP for the router's address, it worked correctly and I was able to use the 2nd and 3rd IP. After doing some more reading, I found a post where they were able to assign the LAN Block IPs as Virtual IP's, eliminating the need for two routers. I may try this out to simplify my configuration.
Here's the link to the post: https://community.spiceworks.com/topic/2248511-pfsense-configuration-isp-provided-wan-and-lan
-
That actually works, just tested it. Guess I'll just do that, makes it easier
-
@badincite A routed /30 is silly.
If they provision a /29 a customer can use 5 IP addresses on "LAN."
If they provision two customers on the same /29 with /30s instead, they can each use 1 IP address on LAN.
So they are effectively wasting 3 usable IP addresses so they can serve two customers instead of just one.
The same theory applies with shorter prefixes, of course, but the percentage of "waste" goes down dramatically.
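As an added illustration (not code from the thread, pfSense or Netgate), the subnet arithmetic behind the /30 vs /29 discussion above and the earlier "someone else's IP" warning: which addresses pfSense will accept on an interface, how many are left for devices, and which addresses a widened mask pulls in from outside the ISP's allocation. The prefixes are TEST-NET-2 stand-ins, since the thread redacts its real 216.50.x.x blocks.

```python
import ipaddress

# Constructed stand-in prefixes (TEST-NET-2); the thread's real blocks are redacted.
ALLOCATED_LAN = "198.51.100.4/30"   # the routed "LAN block" as the ISP delivered it
WIDENED_LAN = "198.51.100.0/29"     # the same block after widening the mask on the router


def usable_hosts(network: str) -> list[str]:
    """Addresses assignable to an interface inside `network`.

    pfSense rejects the network and broadcast address of any prefix /30 or
    shorter ("This IPv4 address is the network address and cannot be used").
    A /31 has no such pair (RFC 3021) and a /32 is a single host, so every
    address in those prefixes is usable.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen >= 31:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def lan_capacity(network: str) -> int:
    """Addresses left for devices once the router takes one for itself."""
    return max(len(usable_hosts(network)) - 1, 0)


def widen_report(allocated: str, configured: str) -> dict[str, list[str]]:
    """Classify the usable addresses of `configured` against the ISP allocation.

    gained:   usable now, but unusable (network/broadcast) under the original mask.
    borrowed: never delegated to this customer; the ISP's router will not route
              them here, and they may belong to a neighbour on the same aggregate.
    """
    alloc = ipaddress.ip_network(allocated, strict=True)
    conf = ipaddress.ip_network(configured, strict=True)
    if not conf.supernet_of(alloc):
        raise ValueError("configured prefix must contain the allocated block")
    originally_usable = set(usable_hosts(allocated))
    gained, borrowed = [], []
    for host in usable_hosts(configured):
        if ipaddress.ip_address(host) not in alloc:
            borrowed.append(host)
        elif host not in originally_usable:
            gained.append(host)
    return {"gained": gained, "borrowed": borrowed}


if __name__ == "__main__":
    for prefix in ("198.51.100.8/31", ALLOCATED_LAN, WIDENED_LAN):
        print(prefix, "usable:", usable_hosts(prefix), "for devices:", lan_capacity(prefix))
    print(widen_report(ALLOCATED_LAN, WIDENED_LAN))
```

With the /30 widened to a /29, the former network address .4 becomes assignable, .7 stays the broadcast, and .1 to .3 are addresses the ISP never routed to this customer.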
-
@badincite said in ISP Provided Lan and Wan Blocks:
That actually works, just tested it. Guess I'll just do that, makes it easier
Sounds like they weren't routing the /30 to the 216.50.72.xxx/31 IP after all, then? Well at this point I usually "back away slowly" as that often helps in not worrying about a problem anymore. :)
-
@steveits It seems they are routing the /30 addresses to the /31 address. If I wanted my actual public IP to be in the /30 range, I would have to handle the routing from the /30 internal out to the /31. I was able to achieve this by using a secondary router to route the public IP in front of my current router. When I checked "What is my IP?" on Google, it returned the /30 IP address. However, when I added the LAN Block as Virtual IP's, "What is my IP?" returned the /31 IP address. Nevertheless, I can still NAT the /30's through and use them for my individual web servers, which is all I need. Still have to use a /29 with them in order to use the 4 IP block but they all work.
-
Got everything up and working now with the LAN block as virtual IP's.
FYI: For anyone changing the WAN adapter assignment, I found that I needed to go back through the CLI instead of the web browser to reassign all adapters before it would start routing traffic. Initially, I made the change on the adapter in ESXi, but nothing connected to the internet. Then, I created a completely new adapter and assigned it as the WAN interface in the web browser, but still, nothing happened. Eventually, I went through the CLI assignment for just the WAN and LAN, and then traffic started routing again. After that, I was able to reassign and reset the interfaces with the web browser.