Should my VIPs (Proxy ARP) include the router's public IP?

  • I'm using a pfSense box connected to a Comcast commercial gateway device.  The gateway doesn't support true bridged mode but I have disabled all NAT and all firewall functions.

    I was given a /29 subnet of public addresses but the Comcast gateway uses one for administration purposes.

    I've assigned the pfSense box my first usable public IP address and it works great, but I'd like to use the rest of my public addresses using 1:1 NAT or something similar (via Proxy ARP).

    Do I need to create individual VIPs for each public address or can I just create one for my entire subnet?  If I create one for the entire subnet it will include both the Comcast gateway address and the address I've assigned to pfSense's WAN interface.

    Thanks for any help!

  • You don't want to add either the WAN interface's IP or the Comcast gateway address as virtual IPs.  The gateway address in particular would be bad as pfSense would claim it owns the IP and your routing would stop working.  Adding the WAN interface IP in theory won't hurt anything (ifconfig would filter out the alias since the IP is already applied to the interface), but it is still bad practice.

  • Thanks for the reply!

    So are you saying to add the individual IP addresses in my subnet, excluding the WAN address and gateway address?

    I did try adding the entire subnet and it didn't work.  It also didn't seem very useful because I then had to NAT the entire subnet instead of being able to use the individual addresses…

  • Correct, you will add one VIP for each additional IP that you want pfSense to own.  The WAN interface already owns one of the IPs and the Comcast gateway owns another.
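A small planning script that applies the answer above: it takes the ISP block, the gateway address and the address already on the WAN interface, and emits one /32 Proxy ARP VIP per remaining usable address, while flagging any proposed VIP (such as a whole-subnet one) that would make pfSense claim the gateway or WAN IP. This is an added example, not code from the thread or from the pfSense project. The addresses are constructed (RFC 5737 documentation space) and stand in for the poster's real /29; the `<vip>` XML layout in `render_config_xml` is my assumption about pfSense's config.xml and should be checked against an export from the box before importing anything.

```python
"""Plan Proxy ARP VIPs for a small public block behind pfSense.

Added example; not from the forum thread. Sample addresses are constructed
RFC 5737 documentation space, standing in for the poster's /29.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample inputs: ISP block, gateway (first usable), WAN IP (second usable).
BLOCK = "203.0.113.0/29"
GATEWAY = "203.0.113.1"
WAN_IP = "203.0.113.2"


def plan_proxyarp_vips(block: str, reserved: Iterable[str]) -> List[str]:
    """Return one /32 per public address that pfSense should claim.

    Skips the network and broadcast addresses and every address in
    `reserved` (the ISP gateway and the address already on WAN), which is
    exactly the set the thread says must not become VIPs.
    """
    net = ipaddress.ip_network(block, strict=True)
    taken = {ipaddress.ip_address(a) for a in reserved}
    for addr in taken:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    return [f"{host}/32" for host in net.hosts() if host not in taken]


def vip_conflicts(vip: str, reserved: Iterable[str]) -> List[str]:
    """Reserved addresses that a proposed VIP would answer ARP for.

    A VIP covering the gateway makes pfSense claim the gateway's IP on the
    segment, so upstream routing breaks; a VIP covering the WAN IP is
    harmless in practice but still wrong. A whole-subnet VIP hits both.
    """
    cover = ipaddress.ip_network(vip, strict=False)
    return [a for a in reserved if ipaddress.ip_address(a) in cover]


def render_config_xml(vips: Iterable[str], interface: str = "wan") -> str:
    """Render <vip> stanzas in the shape pfSense uses for single-address
    Proxy ARP VIPs. ASSUMPTION: element names/order mirror config.xml;
    verify against a real export before importing.
    """
    parts = ["<virtualip>"]
    for vip in vips:
        addr, bits = vip.split("/")
        parts.append(
            "  <vip>"
            "<mode>proxyarp</mode>"
            f"<interface>{interface}</interface>"
            "<descr></descr>"
            "<type>single</type>"
            f"<subnet_bits>{bits}</subnet_bits>"
            f"<subnet>{addr}</subnet>"
            "</vip>"
        )
    parts.append("</virtualip>")
    return "\n".join(parts)


if __name__ == "__main__":
    reserved = [GATEWAY, WAN_IP]
    bad = vip_conflicts(BLOCK, reserved)
    print(f"Whole-subnet VIP {BLOCK} would also claim: {bad}")
    good = plan_proxyarp_vips(BLOCK, reserved)
    print("Per-address VIPs to create:", good)
    print(render_config_xml(good))
```

Running it prints the four /32 VIPs (.3 through .6) to create and shows that a single /29 VIP would claim both .1 and .2; the per-address list is what you then point 1:1 NAT entries at.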
