Peculiar routing: gateway outside the LAN segment



  • Hellos!

    My hoster is using a somewhat peculiar setup concerning routing from one customer server to others within the same LAN segment.

    Apparently to prevent customers from "stealing" neighboring IP addresses, their routers/switches are configured to drop packets sent from one host in the LAN to another. All traffic needs to go through the router.

    Now I'm in a bit of a twist. How do I set that up in PFSense?

    Concrete example. My server has the address 2a01:4f8:101:11a4::/64, and the router has 2a01:4f8:101:11a0::1/59. Which means the gateway is not in my /64 subnet (understandably), but I also cannot extend my netmask to /59, since I need to route all traffic through the gateway, also that for other servers in the gateway's /59.

    In a Vyatta test installation, I configured the router to have a /128 IP address, set the default gateway to 2a01:4f8:101:11a0::1 and configured an interface-route to there via the proper eth.

    Unfortunately, PFSense does not allow me to set a gateway outside the host's network segment.

    Any idea what to do here?

    (I should add that I'm using PFSense 2.0 RC3 with the IPv6 support git-synced from github.com/smos.)



  • push

    No ideas about this? Come on… It must be possible to configure this in PFSense!

    The same issue by the way also applies to IPv4.



  • The same reason that we have not implemented this for ipv4. It breaks sound network design. It is a rather peculiar thing and very low on the wish list.



  • @Locutus:

    push

    No ideas about this? Come on… It must be possible to configure this in PFSense!

    The same issue by the way also applies to IPv4.

    I presume you also use hetzner for your hosting. My solution was to make a specific route for their gateway address. That should work.



  • Yep, indeed Hetzner. :)

    I had tried that solution with a static route for the LAN segment via the Hetzner gateway before, but it failed because I added a route for the full LAN segment which was ignored / overridden by the LAN interface route. Stupid me. :)

    After getting a hint in the Hetzner forum, I now added TWO static routes, one for the first and one for the second half of my LAN segment, and that worked nicely. Those routes were added correctly to the routing table, and since they are more specific (longer network mask) than the actual LAN route, they take precedence.
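    The following is an added worked example, not code from this thread or from pfSense. It models why a static route for the whole /64 is refused (it collides with the connected route) while the two /65 halves win by longest-prefix match, using the prefix and gateway quoted above; the interface name em0, the simplified routing-table model and the FreeBSD route(8) lines it prints are assumptions (pfSense runs on FreeBSD, and its GUI static routes end up as equivalent kernel entries).

```python
import ipaddress

# Values quoted in the thread: the server's /64 and the hoster's gateway,
# which lies outside that /64 but inside the /59 the router announces.
LAN_PREFIX = ipaddress.IPv6Network("2a01:4f8:101:11a4::/64")
GATEWAY = ipaddress.IPv6Address("2a01:4f8:101:11a0::1")
LAN_IF = "em0"  # hypothetical interface name, not from the thread


def split_prefix(network, extra_bits=1):
    """Return the 2**extra_bits more-specific halves of `network` (a /64 -> two /65s)."""
    return list(network.subnets(prefixlen_diff=extra_bits))


class RoutingTable:
    """Simplified model of the kernel FIB: (network, next_hop, interface) entries.
    next_hop is None for connected/interface routes."""

    def __init__(self):
        self.routes = []

    def add(self, network, next_hop=None, interface=LAN_IF):
        network = ipaddress.IPv6Network(str(network))
        # Mirrors the poster's observation: a static route for exactly the prefix
        # already held by the connected LAN route is refused and has no effect.
        if any(existing[0] == network for existing in self.routes):
            return False
        self.routes.append((network, next_hop, interface))
        return True

    def lookup(self, destination):
        """Longest-prefix match: among matching routes, the longest mask wins."""
        dst = ipaddress.IPv6Address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def build_table():
    """Reproduce the thread's final configuration in the model."""
    fib = RoutingTable()
    fib.add(LAN_PREFIX)                      # connected route from the interface address
    fib.add(f"{GATEWAY}/128")                # host route to the off-subnet gateway
    fib.add("::/0", next_hop=GATEWAY)        # default route via that gateway
    # The two /65 halves are more specific than the connected /64, so they win.
    for half in split_prefix(LAN_PREFIX):
        fib.add(half, next_hop=GATEWAY)
    return fib


def full_64_route_is_refused():
    """The poster's first attempt: a static /64 via the gateway collides with the
    connected route and is ignored."""
    return not build_table().add(LAN_PREFIX, next_hop=GATEWAY)


def next_hop_for(destination):
    """Return (chosen prefix, next hop or None for on-link) for a destination."""
    route = build_table().lookup(destination)
    if route is None:
        return None
    return (str(route[0]), None if route[1] is None else str(route[1]))


def freebsd_route_commands():
    """route(8) lines for the two more-specific static routes (assumed FreeBSD
    syntax; pfSense's GUI writes equivalent entries)."""
    return [f"route add -inet6 {half} {GATEWAY}" for half in split_prefix(LAN_PREFIX)]


if __name__ == "__main__":
    # Neighbour in the same /64, the gateway itself, and an off-site address.
    for dst in ("2a01:4f8:101:11a4:ffff::5", str(GATEWAY), "2001:db8::1"):
        print(dst, "->", next_hop_for(dst))
    print("\n".join(freebsd_route_commands()))
```

    Running it shows a neighbouring server in the same /64 being sent to the Hetzner gateway via the matching /65, while the gateway itself is reached over the /128 interface route and everything else falls to the default route.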

