Routing public IPs with single /29
-
Hi, is it possible to have a single /29 block of 5 usable IPs from your ISP, use one for your pfSense WAN and then route the rest of the block through either a separate physical interface or to a VLAN on my switching infrastructure?
I know I can do a bridged connection to the WAN with additional OPT interface and that will work, but I can't find a way to get traffic limiting working on that. I can also do 1:1 NAT but some parties don't want to be NAT'd at all and they want me to pass them a public IP straight to their own WAN interface.
So, in essence, is there a way to have IP X.X.34.226/29 on the pfSense and be able to route to someone on the LAN network X.X.34.227/29 without using Bridging or 1:1 NAT?
-
By the way, if someone could rather guide how to perform traffic limiting on a bridged interface, that may also be a better solution for me than using 1:1 NAT.
-
@lparker The best way is to have the ISP route the /29 to a different public WAN IP, then you can use the /29 internally. See:
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
Otherwise the router doesn't know where packets for that subnet are supposed to go (hence the bridge).
1:1 NAT does work as we've used that for publicly accessible web servers before. I have however seen software complain... at least several years ago Plesk/Parallels required a public IP.
No info on the limiting sorry. :-/
-
@steveits Thank you, I did see that article but I've really only seen /30 to /29 routing done by a few remaining T1 providers and some Fiber circuit providers. Not that popular anymore with the lack of IPv4 space these days.
I'll definitely give the 1:1 NAT option some more testing - we're moving away from Yardi Cube (formerly WUN Systems) Medusa which had this capability, so it will take some convincing for the clients that currently have their public IPs routed.
-
@lparker I have not looked for that for a business ISP but we do use it for our data center with a /25 and similar for IPv6.
For 1:1, pfSense handles the outbound NAT for you.
-
@steveits Yes, it was surprisingly easy to set up the 1:1 NAT logic. For the Medusa, it's used for someone who rents single office tenant spaces to their own clients, so lots of small VLANs with one or two clients requesting public IPs directly.