Help with Multi-WAN, additional routed IP Block

althornin · Jan 10, 2012, 6:18 PM

Hey guys,
I've been beating my head against this for a while today, and I just can't seem to get it to work the way I expect.

Basics:
Running pfsense 2.0.1
I have a multi-WAN setup. All of that works fine.
Some of the WAN links are actually subnets, and I can create VIPs and NAT on those additional IPs appropriately.

One of the WAN links is new, and is only a /30 (for routing purposes only). The IP is 38.104.aaa.bbb
I have been assigned a block of IP addresses (38.110.xxx.yyy/28) that is routed to me through the above wan link.

I want to be able to create VIPs in this new block, and NAT them accordingly to use various services through the public IPs. However, my attempts to do so have failed.

What is the appropriate method to do this?

jimp · Jan 10, 2012, 7:45 PM

Using 'other' type VIPs for this should work fine, or even proxy ARP, or IP alias would work.

As they are routed to you, they'll hit the router no matter which type you choose.

So what didn't work when you tried?

althornin · Jan 10, 2012, 7:58 PM

@jimp:

Using 'other' type VIPs for this should work fine, or even proxy ARP, or IP alias would work.

As they are routed to you, they'll hit the router no matter which type you choose.

So what didn't work when you tried?

Well, that worked fine.
I was trying to use CARP VIPs, which require to match an interface subnet, so i was trying to create a new interface containing the subnet and route it through the new WAN connection.
All in all, making it vastly more complicated.

However, what if I do need CARP? What can I do then?

jimp · Jan 10, 2012, 8:04 PM

Add one IP Alias VIP to get a foothold in the new subnet (for each CARP node), then you can add the rest as CARP VIPs.

That gets you the required address inside the subnet that CARP wants.

althornin · Jan 10, 2012, 8:27 PM

@jimp:

Add one IP Alias VIP to get a foothold in the new subnet (for each CARP node), then you can add the rest as CARP VIPs.

That gets you the required address inside the subnet that CARP wants.

Ok, thanks!

And much simpler than the craptastic way I was trying to do this.

cmb · Jan 10, 2012, 11:46 PM

For routed subnets, you do not want VIPs (other than type Other), just have them routed to a CARP IP on your main IP block.

jimp · Jan 10, 2012, 11:49 PM

Unless you want to bind services to them with something like relayd, but otherwise yeah, Other on its own is best if they're just for NAT.

althornin · Jan 11, 2012, 1:05 PM

@cmb:

For routed subnets, you do not want VIPs (other than type Other), just have them routed to a CARP IP on your main IP block.

Ok, great.