Recipe for Pfsense becoming a static router for a /28 subnet
-
You can't use the same subnet on two interfaces, a router doesn't know where to send the traffic.
It's not what I'm asking.
I merely want the subnet I have to be linked to an ethernet interface.
The PPPoE-interface needs to be bridged with a classless interface. 20.0.0.1 then becomes available for other devices.
I have 1 subnet 20.0.0.1/29
Pfsense takes IP 20.0.0.1
I know I can also take 20.0.0.2~6 with the Pfsense using Virtual IPs on the PPP-interface.
These different WAN-IPs can be used for catering multiple LANs.
I have no problem setting up all that.
But I now have a scenario where I want something different.
Something even more simple than that and it's what a lot of cable modems/routers are already doing.
Some ISPs give you a modem/router that has, for instance 40.0.0.1/29 IP.
You can connect 5 devices to that modem/router 40.0.0.2~6
I want a Pfsense to do exactly the same thing.
It receives 20.0.0.1/29 through PPPoE and I want to connect 5 devices to it on a switch.
The Pfsense needs to route them to the Internet, just like an ISP modem/router with bridged subnet would.
I merely need to bring out the logical interface pppoe0 to a physical interface igcx, so I have 20.0.0.1 on an ethernet interface and set a static route.
If Pfsense can't do it, it can't. I can accept that.
But from a network point of view it's a totally normal scenario.
I have no problem setting up this (with virtual IP)
igc0 -> connected to fibre modem
igc0.6 -> created vlan6
pppoe -> login using pppoe on igc0.6 (20.0.0.1/29 + virtual IP 20.0.0.2)
igc1 -> lan1 192.168.188.1/24 (use NAT rules to use WAN IP 20.0.0.1)
igc2 -> lan2 192.168.168.1/24 (use NAT rules to use WAN IP 20.0.0.2)
Now I want to use 20.0.0.3~6 for foreign devices, but I have nothing to connect it to.
-
@frater Sharing a subnet on two interfaces would be a bridge:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
-
@frater I don't understand now what you want. It is the same result when you do it with VIPs.
-
I can't bridge classless interfaces.
Tell me which interfaces I need to bridge given my last scenario!
I can create a logical interface with the name bridge on igc3 and give it a bogus IP 172.20.1.1/30
I can then bridge it with PPPOE0 and connect foreign devices to igc3.
If it works, it works.
I just can't test it now as I only have remote connections with pfsenses in that scenario and it's all production.
And where do I tell it to route all traffic from those subnets directed to 20.0.0.1 to the Internet?
-
@frater said in Recipe for Pfsense becoming a static router for a /28 subnet:
igc1 -> lan1 192.168.188.1/24 (use NAT rules to use WAN IP 20.0.0.1)
igc2 -> lan2 192.168.168.1/24 (use NAT rules to use WAN IP 20.0.0.2)
Rereading this again, you do want NAT for the internal interface but want it to use 20.0.0.2 instead of the default 20.0.0.1? (you wrote "do not want to use network translation" originally). That would be the outbound NAT mentioned in the first reply. Add the IPs as VIPs on the WAN/PPPOE connection, and add an outbound NAT rule to translate using that IP. Here's an outbound rule translating a 192.168.x.x network to a VIP Alias on WAN:
-
Rereading this again, you do want NAT for the internal interface but want it to use 20.0.0.2 instead of the default 20.0.0.1?
No I do not want NAT.
I just gave that example to make clear that THAT scenario was no problem for me and I implemented quite often.
The 20.0.0.3~6 for foreign devices is my only problem.
I want static routing
Even a simple Fritz!Box can do it.
Given a /30 subnet I have 2 IP's.
A Fritz!Box does NAT on 1 IP and a Cisco that is connected to the Fritz!Box has the 2nd IP and routes everything through the Fritz!Box.
-
@frater No, surely not! The FB uses one address and the provider router the other! You must have a GW to send traffic to the provider!
-
Surely YES
the router gets a /30 using PPPoE on a fibre connection
The 2nd IP is for the Cisco.
The provider's gateway is outside the /30 network
The Cisco has a static IP on its WAN and has the FB as its gateway.
-
@frater Ok, I had a think failure. Sorry for that. But for what you want static routing?
-
In fact I'm not getting a /29 but will be getting a /27 network and I want to give more than 25 companies an Internet connection.
They all want a WAN IP without firewalling.
The ISP gives me that subnet through PPPoE.
I will probably do it with a Mikrotik which needs a simple configuration to do this.
I was wondering if I can do it with a Pfsense.
I also have a few places where I have a /29 subnet and Pfsense is a central router for a few companies (using VIP's)
I would like to be prepared if a company suddenly wants a WAN-IP and do his own firewalling.
I only have the subnet available on the PPPoE-interface.
-
The simplest solution is to call your ISP and tell them "please I want my solution to be routed, not bridged" then they will give you a private network for the WAN side and route your network through that. Most providers can do that. Then you can configure 20.x.x.x on the "LAN side", just disable NAT altogether and you're set.
Otherwise, you should be able to bridge PPPOE and an eth interface and then set an IP address of that network in the bridge interface, then set other IP addresses on your devices with gateway your pfsense.
It sounds similar to what I have with OVH
OVH gives me a /29 and a gateway outside of that subnet.
So on my WAN I configure my IP address as a /32, and then I add a route to the gateway (yes that is what I said, and a default) and then a default through the actual gateway
For example, I have:
- Network: x.y.z.232/29
- Gateway: x.y.z.254
So I did this:
route add -host x.y.z.254 -iface em0
route add default x.y.z.254
It's weird.... but it works
-
@andres-asm as a follow-up, while at the beginning what I did was bridge two virtual ethernet interfaces so I could give my internal VMs public IP addresses, I ended up switching to virtual IPs attached to the wan interface and 1:1 NAT.
But I get it, clients usually don't want to deal with NAT.