Secondary address space on the WAN interface (different gateway)



  • My ISP recently allocated another IP range on our corporate Internet connection.  The new one is a public /29.  Unfortunately, it has a different gateway than my first /29 range.  So something like this…

    Initial IP range: x.y.z.a/29 gateway 192.168.1.1 (but public)
    New IP range:  b.c.d.e/29, gateway 10.0.0.1 (but public)

    What I had expected from the ISP was an additional grant using the same gateway (not sure that that was even a reasonable expectation, but that's what I thought I'd get), so that I could add the additional IPs as VirtualIPs.  Since this new range has a different gateway, I'm not sure how to do that in pfSense.  The ISP says that these IPs come in on the same physical interface from them - but I'm not sure how to make use of these in pfSense.  Is there a way to add a new "virtual" (?) interface on the same physical interface?



  • Proxy ARP is capable in this situation. Or, if you have multiple modems, you could create a load balancing/failover situation.



  • How would I actually do it?  Attached is a snip from my Proxy ARP screen, but I don't see any obvious way to specify the new connection/gateway.

    http://postimage.org/image/2lhonjpxg/



  • Try to look for load balancing; there might be your answer.



  • Ok - so it works, but I'm not sure how it works.

    From the new IP range, I created a Proxy ARP entry for 1 of the new Virtual IPs (x.y.z.1/32), on the same physical interface. 
    Next, I created a NAT rule forwarding HTTP traffic from x.y.z.1/32 to an internal web-server.
    Then, I tried connecting externally to http://x.y.z.1 - and I saw the web-page of my web browser.

    So - great, it works!  But what I'm confused about, is how it worked.  Without having the new gateway specified somehow (since the Proxy ARP entry doesn't let you add a gateway), how am I able to hit this from off-site?  Does this mean that my ISP has routed the IP to me?

    Thanks!



  • You don't need the gateway; in those scenarios it's generally the same as your default gateway. A better scenario is having your ISP route that second block to you; that way you aren't wasting 3 IPs (network, broadcast and gateway addresses) out of that subnet. There's no need to assign subnets like they're doing there (it'll work, just not the best way).



  • Then how does it work?  The first IP block from my ISP had a "gatewayA" which is assigned to my physical interface.  The second grant that I got today had "gatewayB", which I'm not specifying anywhere.  I'm going through and adding each IP from that new range as Proxy ARP VirtualIPs (e.g. 1.2.3.4/32, 1.2.3.5/32, etc. instead of 1.2.3.4/29), and creating NAT rules for each, but since "gatewayB" isn't ever specified anywhere within pfSense, I'm not sure how/why it's working.



  • Gateway B has the same MAC as gateway A, so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured; in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).

