ISP provides me 30 IPs (/29). What is the PROPER way to add these to pfSense?
-
I am going crazy with what should be a simple task – yet I can't seem to figure this out so I am simplifying my question.
ISP gives me 30 IPs ( a /27).
x.x.x.225 -- x.x.x.254
The first ip (x.x.x.225) is used as the gateway, which leaves me 29 remaining IPs to use.
pfSense WAN is setup using x.x.x.226 and NAT is working as expected, users from LAN are showing x.x.x.226 as their public ip.
I now wish to load the remaining IPs into pfSense for use as "Virtual IPs". So I could do a 1:1 NAT, OR, use them for NAT on my LAN2 and LAN3 subnets.
My question is, WHICH of the 4 choices for Virtual IPs should I be using? I am currently using IP Alias but not sure if I am doing that right?
If I am using IP Alias do I set them up 1 at a time? Or do I just put the whole subnet in once?
I am trying to enter them one at the time using x.x.x.227 /32. Should I only enter it once as x.x.x.225 /27 ???
I keep seeing something about "this is NOT a CIDR notation" and I'm just not understanding how to load these VIPs into the system.
-
a /29 subnet gives only 6 ips not 30
192.168.0.225 - 192.168.0.230
If you no not have two boxes for failover, you can set it as a proxy arp or an ip alias on 2.0.
Then, create outbound nat rules to assign an outgoing ip to a specific lan/subnet/host.
Marcello Coutinho.
-
a /29 subnet gives only 6 ips not 30
192.168.0.225 - 192.168.0.230
If you no not have two boxes for failover, you can set it as a proxy arp or an ip alias on 2.0.
Then, create outbound nat rules to assign an outgoing ip to a specific lan/subnet/host.
Marcello Coutinho.
Apologies, I meant /27 (was late last night).
So when adding as IP Alias (as it seems that is more flexible option) – do I add the entire block in one entry? OR do I add them individually? I see that it wants me to select the notation /32 or /31 ... /27 etc... If I am adding a single IP would I select /32 -- will that work even though my block of IPs is /27? This is the part that has me confused.
-
For an ip alias, folow freebsd compatibility and use a /32
For a carp, you must tell the right bitmask /27
-
For an ip alias, folow freebsd compatibility and use a /32
That is not correct and has not been recommended for years. You must use the same subnet mask as the main IP now.
For a carp, you must tell the right bitmask /27
Correct.
Both IP Alias and CARP are added one at a time, not in a block. Only Proxy ARP can add in a block/subnet.
Though in your case since this is all in the WAN subnet adding proxy ARP type VIPs is enough. You do not need the overhead of having the IPs assigned as an alias or CARP. That is if you want to use them only in NAT rules. If you want to bind services on the firewall to those IPs, then they would need to be IP Alias or CARP. Really any of those three would work in that kind of setup.
-
Answered to OP's PM. If my advice helped I hope that OP is going to publish it.
-
Thanks to everyone I now have what "appears" to be a working config.
Here are the steps I took.
For the basic /30 link to ISP I setup the /30 IP on the WAN interface.
I then added my /27 public ips as VIPs using IP Alias - as pointed out above, use /32 and add them 1 at a time.
Since I have a Layer 3 switch attached to my LAN interface, with 3 routed subnets + the pf LAN interface subnet, I had to create 3 routes in pfSense with the gateway pointing to the switch IP on the pf LAN Subnet.
THEN - TO MAKE MY LIFE EASIER (and this may differ for you), I created a Network-Type "ALIAS" in pfSense and added my 4 LAN subnets to that alias.
Then I turned on MANUAL OUTBOUND NAT (AON = MANUAL).
I edited the default 2 LAN subnet rules and changed the LAN Subnet to my "Network-type ALIAS".
Then finally, I edited the default LAN Firewall Rule and where it originally said "LAN SUBNET" I simply changed that to my "Network Type Alias".
EVERYTHING SEEMS TO BE WORKING – AT LEAST AS FAR AS OUTBOUND TRAFFIC USING VIPs.
My next project is to get VPN working using one of those VIPs as the destination. Whether this will continue to work remains to be seen.
MANY MANY THANKS TO ALL WHO HAVE HELPED IN MY NUMEROUS THREADS ON THIS ISSUE.
ALSO -- A Special thanks to "Metu69Salemi" who was relentless in his efforts helping me through PM.
