Custom Wan Configuration
-
Hello,
My isp requires a very odd network configuration which is not supported by the pfSense installer.
I need to configure the interface with a /32 netmask, then add a route to a gateway trough the wan interface and use this gateway as the default gateway.
I managed to make pfSense work by reconfiguring the wan network interface in the shell using ifconfig and route but these changes are obviously not saved.
How can I make these changes persistent ?
Best Regards,
-
Which version of pfSense?
Have you tried configuring your WAN interface through the web GUI? All configuration given through the web GUI is preserved in the master configuration file which is used to configure the system on startup.
-
I'm using the last stable version of pfsense (2.0.1).
It is impossible to do it trough the web gui because the web gui prevents you from adding a gateway that is outside of the wan subnet.
-
Try to config wan without gateway and set default gateway on routing.
-
marcelloc >
In pfSense,
gateways = direct access to a host/net trough an interface | route add -host/net x.x.x.x/x -interface aaa
routing = access to a host/net trough a gateway | route add -host/net x.x.x.x/x z.z.z.zSo no can't do as I first need a gateway to be able to define a static route.
-
Try to work around odd provider's config with odd routing setup
What did you applied on console that worked?
creating a route to reach 0.0.0.0/1 and 128.0.0.0/1 could 'simulate' a default gateway.
-
Nothing fancy.
Add a route to the provider router trough wan interface so our pfsense knows it can reach it because they aren't on the same subnet.
Use the router as a default gateway.This is totally valid, done it a millions times in other setup especially if you want all of the network traffic on the same subnet to go trough the firewall anyway…
route add -host gatewayip -interface em0
route add default gatewayipAs this is unsupported by the webgui, I'd like to find the place where I could put these lines so they would be executed at boot time.
It would also be very nice to have outside wan's subnet gateways supported natively by pfsense but I can live without it.
creating a route to reach 0.0.0.0/1 and 128.0.0.0/1 could 'simulate' a default gateway.
As far as my network knowledge go this cannot work… if you do this, your system will consider that every computer in the world are accessible without a gateway => send an arp request to get the mac and send the ip paquet directly to the mac. As nobody will ever answer to you except the computers on the lan, this won't work.
Also, I think the computer is not supposed to talk to anyone else on the lan and triggers a warning if you try to do so (data center environment).
-
As far as my network knowledge go this cannot work… if you do this, your system will consider that every computer in the world are accessible without a gateway => send an arp request to get the mac and send the ip paquet directly to the mac. As nobody will ever answer to you except the computers on the lan, this won't work.
You misunderstood me. A default gateway is a route to reach 0.0.0.0/0. As you can't create via gui a route to a /0 network, you can advance one bit and split default gateway in two routes.
This is totally valid, done it a millions times in other setup especially if you want all of the network traffic on the same subnet to go trough the firewall anyway…
/Freebsd and so pfsense use strict RFC configs. Route something to an ip that is not on your network, just like you said is a very odd setup.
I'd like to find the place where I could put these lines so they would be executed at boot time.
create a shell script and place it at /usr/local/etc/rc.d
-
You misunderstood me. A default gateway is a route to reach 0.0.0.0/0. As you can't create via gui a route to a /0 network, you can advance one bit and split default gateway in two routes.
Won't be able to do it as I need to have a gateway to define routes in pfSense web ui.
/Freebsd and so pfsense use strict RFC configs. Route something to an ip that is not on your network, just like you said is a very odd setup.
It's maybe an odd setup but is commonly used especially in point to point connections (exemple : http://redmine.pfsense.org/issues/517) which pfSense handles like a charm.
create a shell script and place it at /usr/local/etc/rc.d
Thanks. It works like a charm but I hope I won't run into other issues because the wan has no gateway.
Still would be nice for this setup to be supported by pfSense.
-
Ok. First batch of issues.
1°) Automatic outbound NAT rule generation is broken.
I need to manually add outbound nat rules to have nat working. Can live with it for now but I don't what it implies.
2°) I wanted to use pfSense as a transparent bridge for the two computers behind it but I realized I can't do it because they won't be on the same subnet as the wan (/32 of course) and I can't create a direct route to a host without a gateway.
The work around is to have all the external ips defined as "proxy arp" on the firewall and do a 1 to 1 nat.
I also found these two tutorials : http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet & http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet which explains my problem and how to solve exactly what I needed.
But a simple fix to all of these workarounds would be to have pfSense allow us to add routes to network/host without a gateway, just like route in the shell allows us to do it and for gateways just check if the gateway is accessible according to the routing table instead of requiring it to be in the wan's subnet. Don't know if it's possible or not :)
Anyway thanks for everyone's time, my current problem is solved.
Best Regards and Happy Holidays.
-
Do you really mean a /32 for the WAN?
I had an install with a /30 for the WAN with an additional /28 subnet.
I used the /30 for the Interface, set the gateway as the provider's side of the /30.
I then added an Alias IP in the /28 on the WAN and then used CARP for the additional VIPS in the /28. Works as expected. I use manual NAT.
If you have a default gateway set on a different subnet like the Magikist blog guy, you are doing it wrong. I don't care if M$ accepts it… -
I don't care if M$ accepts it…
me too ;)
Routing based on interfaces but not on ips, as the tutorial shows could be done, but it's realy odd.
Looks like roads without lines
-
I don't care if M$ accepts it…
me too ;)
Yeah, we should probably request pfSense to drop the support of a gateway outside the wan's subnet in pfSense for ppp/pppoe connections because it's a M$ nonsense… wait isn't it supported in linux and bsd as well ?!? and if I have to guess, it has probably been added way earlier in bsd's environment than it has in microsoft's (2k3 requires a registry hack to make it work).
Routing based on interfaces but not on ips, as the tutorial shows could be done, but it's realy odd.
Looks like roads without lines
Sounds like the basics to me… your system needs to know who are his neighboors and how he can address them or he won't be able to do anything (well you could spam every interface but that ain't RFC). That's what you do when you configure your interface with an ip and a subnet.
You can resume assigning 192.168.1.2/24 with the default gateway 192.168.1.1 to wan : (this is what you are used to do)
1°) assign ip 192.168.1.2 to your computer
2°) add a route to 192.168.1.0/24 trough wan interface
3°) add 192.168.1.1 as the default gatewayWhat I do :
1°) assign ip X.X.X.X to your computer
2°) add a route to Y.Y.Y.Y/32 trough wan interface
3°) add Y.Y.Y.Y as the default gatewayOn your end, it changes absolutely nothing. On the other end, that's the isp issue.
-
-
PPTP is a separate case that I wasn't aware we were discussing.
But whatever, good luck with your special ISP. I'm done with this topic.
