    Custom Wan Configuration

    General pfSense Questions
    • Altar

      Hello,

      My ISP requires a very odd network configuration which is not supported by the pfSense installer.

      I need to configure the interface with a /32 netmask, then add a route to a gateway through the WAN interface and use this gateway as the default gateway.

      I managed to make pfSense work by reconfiguring the WAN network interface in the shell using ifconfig and route, but these changes are obviously not saved.

      How can I make these changes persistent?

      Best Regards,

      • wallabybob

        Which version of pfSense?

        Have you tried configuring your WAN interface through the web GUI? All configuration given through the web GUI is preserved in the master configuration file which is used to configure the system on startup.

        • Altar

          I'm using the last stable version of pfSense (2.0.1).

          It is impossible to do it through the web GUI because the web GUI prevents you from adding a gateway that is outside of the WAN subnet.

          • marcelloc

            Try to config wan without gateway and set default gateway on routing.

            Elite Trainings: http://sys-squad.com

            Help a community developer! ;D

            • Altar

              marcelloc >

              In pfSense,

              gateways = direct access to a host/net through an interface | route add -host/net x.x.x.x/x -interface aaa
              routing = access to a host/net through a gateway | route add -host/net x.x.x.x/x z.z.z.z

              So no, can't do, as I first need a gateway to be able to define a static route.

              • marcelloc

                Try to work around odd provider's config with odd routing setup

                What did you apply on the console that worked?

                creating a route to reach 0.0.0.0/1 and 128.0.0.0/1 could 'simulate' a default gateway.

                • Altar

                  Nothing fancy.

                  Add a route to the provider router through the WAN interface so our pfSense knows it can reach it, because they aren't on the same subnet.
                  Use the router as a default gateway.

                  This is totally valid, done it a million times in other setups, especially if you want all of the network traffic on the same subnet to go through the firewall anyway…

                  route add -host gatewayip -interface em0
                  route add default gatewayip

                  As this is unsupported by the web GUI, I'd like to find the place where I could put these lines so they would be executed at boot time.

                  It would also be very nice to have gateways outside the WAN's subnet supported natively by pfSense, but I can live without it.

                  @marcelloc:

                  creating a route to reach 0.0.0.0/1 and 128.0.0.0/1 could 'simulate' a default gateway.

                  As far as my network knowledge goes this cannot work… if you do this, your system will consider that every computer in the world is accessible without a gateway => send an ARP request to get the MAC and send the IP packet directly to the MAC. As nobody will ever answer you except the computers on the LAN, this won't work.

                  Also, I think the computer is not supposed to talk to anyone else on the LAN and triggers a warning if you try to do so (data center environment).

                  • marcelloc

                    @Altar:

                    As far as my network knowledge goes this cannot work… if you do this, your system will consider that every computer in the world is accessible without a gateway => send an ARP request to get the MAC and send the IP packet directly to the MAC. As nobody will ever answer you except the computers on the LAN, this won't work.

                    You misunderstood me. A default gateway is a route to reach 0.0.0.0/0. As you can't create via gui a route to a /0 network, you can advance one bit and split default gateway in two routes.

                    @Altar:

                    This is totally valid, done it a million times in other setups, especially if you want all of the network traffic on the same subnet to go through the firewall anyway…

                    FreeBSD, and so pfSense, use strict RFC configs. Routing something to an IP that is not on your network, just like you said, is a very odd setup.

                    @Altar:

                    I'd like to find the place where I could put these lines so they would be executed at boot time.

                    Create a shell script and place it at /usr/local/etc/rc.d

                    • Altar

                      @marcelloc:

                      You misunderstood me. A default gateway is a route to reach 0.0.0.0/0. As you can't create via gui a route to a /0 network, you can advance one bit and split default gateway in two routes.

                      Won't be able to do it as I need to have a gateway to define routes in pfSense web ui.

                      @marcelloc:

                      FreeBSD, and so pfSense, use strict RFC configs. Routing something to an IP that is not on your network, just like you said, is a very odd setup.

                      It's maybe an odd setup but it is commonly used, especially in point-to-point connections (example: http://redmine.pfsense.org/issues/517), which pfSense handles like a charm.

                      @marcelloc:

                      create a shell script and place it at /usr/local/etc/rc.d

                      Thanks. It works like a charm but I hope I won't run into other issues because the wan has no gateway.

                      Still would be nice for this setup to be supported by pfSense.

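The boot-time script suggested in this exchange, written out as an added example (it is not code posted by anyone in the thread). The file name, the function names and the `192.0.2.1` stand-in for `gatewayip` are assumptions, as is the premise that executable `*.sh` files in `/usr/local/etc/rc.d` are run with `start` at boot.

```shell
#!/bin/sh
# Added example (hypothetical name: /usr/local/etc/rc.d/wan-gateway.sh, executable).
WAN_IF="${WAN_IF:-em0}"                # WAN interface named in the post
GATEWAY_IP="${GATEWAY_IP:-192.0.2.1}"  # constructed placeholder for "gatewayip"
ROUTE_CMD="${ROUTE_CMD:-/sbin/route}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two commands from the thread in the order they must run:
# the on-link host route to the gateway first, then the default route via it.
# Both values are validated because they end up on a root command line.
plan_routes() {
    case "$1" in
        ""|*[!A-Za-z0-9_.]*) echo "invalid interface: $1" >&2; return 1 ;;
    esac
    valid_ipv4 "$2" || { echo "invalid gateway: $2" >&2; return 1; }
    echo "$ROUTE_CMD add -host $2 -interface $1"
    echo "$ROUTE_CMD add default $2"
}

# Run the plan; stop at the first failure so the default route is never
# added when the host route to the gateway could not be installed.
apply_routes() {
    plan=$(plan_routes "$1" "$2") || return 1
    echo "$plan" | while read -r cmd; do
        $cmd || exit 1   # leaves the pipeline subshell with a non-zero status
    done
}

# rc.d scripts are invoked with "start" at boot; "plan" only prints.
case "${1:-}" in
    start) apply_routes "$WAN_IF" "$GATEWAY_IP" ;;
    plan)  plan_routes "$WAN_IF" "$GATEWAY_IP" ;;
esac
```

Calling the script with `plan`, or setting `ROUTE_CMD=echo`, shows the commands without touching the routing table.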
                      • Altar

                        Ok. First batch of issues.

                        1°) Automatic outbound NAT rule generation is broken.

                        I need to manually add outbound NAT rules to have NAT working. Can live with it for now but I don't know what it implies.

                        2°) I wanted to use pfSense as a transparent bridge for the two computers behind it but I realized I can't do it because they won't be on the same subnet as the WAN (/32 of course) and I can't create a direct route to a host without a gateway.

                        The workaround is to have all the external IPs defined as "proxy ARP" on the firewall and do a 1 to 1 NAT.

                        I also found these two tutorials: http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet & http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet which explain my problem and how to solve exactly what I needed.

                        But a simple fix to all of these workarounds would be to have pfSense allow us to add routes to network/host without a gateway, just like route in the shell allows us to do it and for gateways just check if the gateway is accessible according to the routing table instead of requiring it to be in the wan's subnet. Don't know if it's possible or not :)

                        Anyway thanks for everyone's time, my current problem is solved.

                        Best Regards and Happy Holidays.

                        • dotdash

                          Do you really mean a /32 for the WAN?
                          I had an install with a /30 for the WAN with an additional /28 subnet.
                          I used the /30 for the Interface, set the gateway as the provider's side of the /30.
                          I then added an Alias IP in the /28 on the WAN and then used CARP for the additional VIPS in the /28. Works as expected. I use manual NAT.
                          If you have a default gateway set on a different subnet like the Magikist blog guy, you are doing it wrong. I don't care if M$ accepts it…

                          • marcelloc

                            @dotdash:

                            I don't care if M$ accepts it…

                            me too  ;)

                            Routing based on interfaces but not on IPs, as the tutorial shows, could be done, but it's really odd.

                            Looks like roads without lines

                            • Altar

                              @marcelloc:

                              @dotdash:

                              I don't care if M$ accepts it…

                              me too  ;)

                              Yeah, we should probably request pfSense to drop the support of a gateway outside the WAN's subnet in pfSense for ppp/pppoe connections because it's M$ nonsense… wait, isn't it supported in Linux and BSD as well?!? And if I have to guess, it has probably been added way earlier in BSD's environment than it has in Microsoft's (2k3 requires a registry hack to make it work).

                              @marcelloc:

                              Routing based on interfaces but not on IPs, as the tutorial shows, could be done, but it's really odd.

                              Looks like roads without lines

                              Sounds like the basics to me… your system needs to know who its neighbors are and how it can address them or it won't be able to do anything (well, you could spam every interface but that ain't RFC). That's what you do when you configure your interface with an IP and a subnet.

                              You can resume assigning 192.168.1.2/24 with the default gateway 192.168.1.1 to WAN (this is what you are used to doing):

                              1°) assign IP 192.168.1.2 to your computer
                              2°) add a route to 192.168.1.0/24 through the WAN interface
                              3°) add 192.168.1.1 as the default gateway

                              What I do:

                              1°) assign IP X.X.X.X to your computer
                              2°) add a route to Y.Y.Y.Y/32 through the WAN interface
                              3°) add Y.Y.Y.Y as the default gateway

                              On your end, it changes absolutely nothing. On the other end, that's the isp issue.

                              • marcelloc

                                @Altar:

                                My ISP requires a very odd network configuration

                                @Altar:

                                Sounds like the basics to me…

                                ???

                                I do not like flames, so congratulations on your basic/odd successful setup.

                                This is my last post on this topic.

                                Best Regards,

                                • dotdash

                                  PPTP is a separate case that I wasn't aware we were discussing.
                                  But whatever, good luck with your special ISP. I'm done with this topic.
