Single public IP subnet on WAN scenario but pfSense router as default gateway for WAN clients
-
Hello,
I am pretty new to pfSense and this is my first post here on the forum. I have a Netgate 6100 box at home. I have an x.y.z.248/29 IPv4 subnet and a /56 IPv6 prefix provided by my ISP. The assigned IPv6 prefix on the WAN side is routed over a different /124 network, which works perfectly. I have created several /64 prefixes out of that prefix for my local purposes with no problem. The "pain" is the /29 IPv4 subnet. It is not routed in the same way; the first IP from this subnet (x.y.z.249/29) belongs to the ISP, and from my point of view it is the WAN gateway. My scenario is exactly the same as described in the documentation here: Single IP Subnet on WAN.
I have successfully configured all to a working state:
- Created bridge (BRD0) between WAN2 and LAN1 interface
- Disabled IPv4 for WAN2 and LAN1 interfaces, enabled IPv4 for BRD0 interface, assigned IP is x.y.z.250/29.
- Disabled IPv6 for the BRD0 interface, enabled and set up IPv6 for the WAN2 and LAN1 interfaces (the mentioned /124 network for WAN2, a /64 prefix for the LAN1 interface)
- WAN2 => ISP, LAN1 => Server with public static IP x.y.z.254/29 using x.y.z.249 default GW
- LAN2 - LAN4 => LAG to local private networks (behind an L3 switch) hidden behind NAT (Outbound NAT rules set for those networks on the BRD0 interface using the remaining VIPs from the assigned /29 subnet). This is not important for my problem. The LAG is not needed, but I wanted to try it.
I am not sure about the correctness of this setup, so I described it here. It works anyway, but I am not sure whether I have done it all correctly.
Problems:
On the server, I am running two web services (one on the standard HTTP/HTTPS ports and one on the non-standard ports 8096/8920). I would like to somehow use one of the other VIPs for the second web server so both web servers could run on standard ports. I was thinking about some sort of port forwarding from the VIP (ports 80/443) to the server IP (ports 8096/8920). I could have two domains, e.g. domain.com for webserver1 and web2.domain.com for webserver2. I am OK with this solution.
I am also running pfBlockerNG on the router, but it does not work for the server, as outbound traffic from the server is not processed by the pfSense firewall. I think that this is because the default GW on the server is set to the ISP GW and packets from the server to that GW are just forwarded from LAN1 to the WAN2 interface at layer 2.
So my question is:
- Can I somehow use my router as the default gateway for the server? When I tried so, the internet on the server was not working. I was able to ping the router and also the WAN GW, but internet access was not working. The mentioned pfSense documentation states that this does not work, but I do not understand why. Why can the router not forward packets to the internet from the LAN1 interface to the WAN2 interface and then to the WAN GW? I do not fully understand bridging, so most likely this is why I have no idea what is going on here.
Now I am thinking of hiding the server behind NAT (which I wanted to avoid in the beginning) and setting up port forwarding for the mentioned ports/web servers. The external NAT IP would remain the same (x.y.z.254) + one VIP would be used to port forward to the second web server.
Any ideas or at least an explanation for the beginner why the router cannot be the default GW for the server?
I am sorry if this is a duplicate post. I tried to search first but was not so successful. If this is a duplicate post, please just share links to the relevant posts where I can learn more about my problem.
Regards,
Jan -
@jankol said in Single public IP subnet on WAN scenario but pfSense router as default gateway for WAN clients:
Can I somehow use my router as the default gateway for the server?
No, not if you bridge the server's network to the WAN.
The mentioned pfSense documentation states that this does not work, but I do not understand why. Why can the router not forward packets to the internet from the LAN1 interface to the WAN2 interface and then to the WAN GW?
You need to send the upstream packets to the upstream gateway.
pfSense will not forward the packets, since it is not the upstream gateway for this network, but it's within the same subnet as the server. So it's not responsible for routing traffic to the internet in this subnet.
Why don't you set the ISP gateway as the default gateway on the server, as mentioned in the documentation?
I do not fully understand bridging, so most likely this is why I have no idea what is going on here.
It is very similar to connecting all involved interfaces (ISP, WAN2, LAN1) to a switch. It connects the devices at layer 2.
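As an added illustration of the "it is like a switch" explanation above (this is a toy model written for this edit, not pfSense code and not from the Netgate documentation), the following Python models the bridged /29 from the thread. The only thing it shows is what decides whether pfSense bridges a frame at layer 2 or routes it at layer 3: the destination MAC the server puts on the frame, which comes from the server's default gateway setting. Addresses from the documentation range (203.0.113.248/29, 198.51.100.10) stand in for x.y.z.248/29 and "the internet"; the MAC addresses and port names are made up for the example.

```python
"""Toy model of one /29 bridged through pfSense (example code, not pfSense's).

Three hosts share one Ethernet segment: the ISP gateway (.249), pfSense with
its address on the bridge interface BRD0 (.250) and the server (.254).
The model answers one question: when does pfSense route a packet from the
server at all, and where does that route lead?
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addresses: 203.0.113.248/29 stands in for the thread's x.y.z.248/29.
SUBNET = Net("203.0.113.248/29")
ISP_GW = IPv4("203.0.113.249")         # ISP router, the real upstream gateway
PFSENSE = IPv4("203.0.113.250")        # pfSense BRD0 address
SERVER = IPv4("203.0.113.254")         # the server on the LAN1 bridge member
INTERNET_HOST = IPv4("198.51.100.10")  # any destination outside the /29

# Made-up MAC addresses (IANA documentation range).
MACS = {ISP_GW: "00:00:5e:00:53:01",
        PFSENSE: "00:00:5e:00:53:02",
        SERVER: "00:00:5e:00:53:03"}

# Which bridge member port each MAC is behind (what bridge(4) learns by itself).
BRIDGE_PORTS = {MACS[ISP_GW]: "WAN2", MACS[SERVER]: "LAN1"}

# pfSense's own IPv4 routes with the address on the bridge: the /29 is directly
# connected on bridge0 and the default route points at the ISP gateway,
# which is reachable through the very same bridge0.
PFSENSE_ROUTES = [(SUBNET, None, "bridge0"), (Net("0.0.0.0/0"), ISP_GW, "bridge0")]


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: IPv4
    dst_ip: IPv4


def longest_match(routes, dst):
    """Longest-prefix match over (network, next_hop_or_None, ifname) tuples."""
    best = None
    for net, next_hop, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def server_routes(default_gw):
    """The server's table: the connected /29 plus a default route via default_gw."""
    return [(SUBNET, None, "eth0"), (Net("0.0.0.0/0"), default_gw, "eth0")]


def build_frame(src_ip, dst_ip, routes):
    """What the sender does: route lookup, then ARP for the next hop (or for the
    destination itself if it is on the connected subnet), then frame the packet.
    The destination MAC is the only thing pfSense's bridge looks at later."""
    _, next_hop, _ = longest_match(routes, dst_ip)
    arp_target = next_hop if next_hop is not None else dst_ip
    return Frame(MACS[src_ip], MACS[arp_target], src_ip, dst_ip)


def pfsense_handle(frame, ingress_member):
    """A frame not addressed to pfSense's own MAC is switched between bridge
    members; the routing table is never consulted (pf may still filter it).
    A frame addressed to pfSense's MAC is handed to the IP stack and routed."""
    if frame.dst_mac != MACS[PFSENSE]:
        return {"action": "bridge", "ingress": ingress_member,
                "egress": BRIDGE_PORTS[frame.dst_mac], "routed": False}
    _, next_hop, egress_if = longest_match(PFSENSE_ROUTES, frame.dst_ip)
    return {"action": "route", "ingress": "bridge0", "egress": egress_if,
            "next_hop": next_hop, "routed": True,
            # packet would leave through the interface it arrived on, towards a
            # next hop that sits in the sender's own subnet
            "hairpin": egress_if == "bridge0" and next_hop in SUBNET}


def scenario(server_default_gw):
    """Server sends one packet to INTERNET_HOST with the given default gateway."""
    frame = build_frame(SERVER, INTERNET_HOST, server_routes(server_default_gw))
    return frame, pfsense_handle(frame, "LAN1")


if __name__ == "__main__":
    for gw, label in ((ISP_GW, "default gw = ISP .249"), (PFSENSE, "default gw = pfSense .250")):
        frame, result = scenario(gw)
        print(f"{label}: dst MAC {frame.dst_mac} -> {result}")
```

With the ISP gateway configured on the server, the frame carries the ISP router's MAC and the bridge simply switches it from LAN1 to WAN2; pfSense's routing table plays no part, which is why the server keeps working without it. With pfSense configured as the gateway, the lookup returns the default route via .249 on bridge0, so the packet would have to go back out of the same interface it came in on, to a next hop the server could have addressed directly itself (`longest_match(server_routes(PFSENSE), ISP_GW)` finds it on the connected subnet with no gateway). That is the "not the upstream gateway, but within the same subnet" situation described in the reply above; the model does not attempt to reproduce what pf's state tracking does with such a hairpinned packet.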
-
@viragomann,
thank you for confirming that using pfSense as the default gateway for the server is not possible in bridge mode.
My main motivation for the alternative setup (compared to the documentation) was the ability to control upstream communication from the server to the internet (so pfBlockerNG could block advertisements and possibly do port forwarding VIP => Server IP). I hoped that it is somehow possible to make pfSense capable of recognizing that a packet from the server is going to the internet and forwarding the packet through the WAN2 interface to the ISP GW.
Most likely I will remove the WAN2/LAN1 interfaces bridge and hide the server behind NAT, like the rest of my private networks.
Regards,
Jan -
@jankol said in Single public IP subnet on WAN scenario but pfSense router as default gateway for WAN clients:
My main motivation for the alternative setup (compared to documentation) was the ability to control upstream communication from the server to the internet (so pfBlockerNG could block advertisements and possibly do port forwarding VIP => Server IP). I hoped that it is somehow possible
You can do this anyway. All traffic to and from the server has to pass pfSense, hence you can block and pass whatever you want.
This is also true for pfBlocker rules.