Secondary address space on the WAN interface (different gateway)

  • My ISP recently allocated another IP range on our corporate Internet connection.  The new one is a public /29.  Unfortunately, it has a different gateway than my first /29 range.  So something like this…

    Initial IP range: x.y.z.a/29 gateway (but public)
    New IP range:  b.c.d.e/29, gateway (but public)

    What I had expected from the ISP was an additional grant using the same gateway (not sure that that was even a reasonable expectation, but that's what I thought I'd get), so that I could add the additional IPs as VirtualIPs.  Since this new range has a different gateway, I'm not sure how to do that in pfsense.  The ISP says that these IPs come in on the same physical interface from them - but I'm not sure how make use of these in pfSense.  Is there a way to add a new "virtual" (?) interface on the same physical interface?

  • Proxy arp is capable in this situation. or if you have multiple modems you could create loadbalancing/failover situation

  • How would I actually do it?  Attached is snip from my proxy arp screen, but I don't see any obvious way to specify the new connection/gateway

  • Try to look for load balancing there  might be your answer

  • Ok - so it works, but I'm not sure how it works.

    From the new IP range, I created a Proxy ARP entry for 1 of the new Virtual IPs (x.y.z.1/32), on the same physical interface. 
    Next, I created a NAT rule forwarding HTTP traffic from x.y.z.1/32 to an internal web-server.
    Then, I tried connecting externally to http://x.y.z.1 - and I saw the web-page of my web browser.

    So - great, it works!  But what I'm confused about, is how it worked.  Without having the new gateway specified somehow (since the Proxy ARP entry doesn't let you add a gateway), how am I able to hit this from off-site?  Does this mean that my ISP has routed the IP to me?


  • You don't need the gateway, in those scenarios it's generally the same as your default gateway. A better scenario is having your ISP route that second block to you, that way you aren't wasting 3 IPs, network, broadcast and gateway addresses, out of that subnet. There's no need to assign subnets like they're doing there (it'll work, just not the best way).

  • Then how does it work?  The first IP block from my ISP had a "gatewayA" which is assigned to my physical interface.  The second grant that I got today had "gatewayB", which I'm not specifying anywhere.  I'm going through and adding each IP from that new range as Proxy ARP VirtualIPs (e.g.,, etc. instead of, and creating NAT rules for each, but since "gatewayB" isn't ever specified anywhere within pfSense, I'm not sure how/why it's working.

  • Gateway B has the same MAC as gateway A so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured, in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).