Routing public IPs



  • Hi Guys,
    I have an ESXi server on OVH. I have setup 3 virtual switches, WAN, LAN, DMZ.
    WAN is attached to both the pfsense VM and the WAN interface
    LAN and DMZ are just attached to pfsense. [1]

    I have a /28 range of IP addresses that I want to route, I assigned them to the DMZ interface and created a proxyarp(via the virtual ip page) on the WAN interface for the range to accept arp traffic for those IPs.
    On the WAN interface I just set a random private IP and set the gateway manually via cli/shellcmd(gateway is in a different subnet)[2], OVH require you to assign a mac address to each IP you use aswell, I put the assigned mac address on this interface.
    I changed the NAT rules to manual and modified them so the random-private-ip-of-wan/32 gets the source address of the first IP in the /28 range(i.e. the IP the dmz interface gets) and the same with the LAN-Addresses.

    However I fail to get internet access, and no longer understand why. Any help is appreciated.

    I followed the following guide for setting up the PFsense VM: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5 [1]
    and this one for attempting to route the IP range: http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet [2]



  • How did you assign them to the DMZ interface? Why not use one of the public IPs for the WAN and port forward that one to the correct server? Then you would not have to worry about setting somethings via the command line and risk having them overwritten by a reboot or upgrade. Do you have multiple public IP ranges in use?



  • Hi podilarius,
    Thanks for the reply, I assigned them as instructed in the tutorial( http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet ), so just configure the DMZ interface with ip-range/28.

    Why not use one of the public IPs for the WAN and port forward that one to the correct server?
    Its a range /28 range of IP, I would like, if possible to assign them out to various servers via static dhcp entries. Could do NAT 1:1 but would prefer to do routing.

    Then you would not have to worry about setting somethings via the command line and risk having them overwritten by a reboot or upgrade.
    Would still have to do it via command line(its ok shellcmd handles it wonderfully for rebooting/upgrading) as pfsense won't allow me to add a gateway that is outside the range of the subnet.

    Do you have multiple public IP ranges in use?
    Just have one IP range the /28 one mentioned above.



  • Not familiar with that kind of setup. I personally have never seen that work.



  • No worries! thanks anyways, hopefully somebody else will know :)

    From reading that tutorial this is my understanding so far:
    The proxy arp allows the WAN interface to take the arp requests for my /28 range.
    The nat rules change the source ip on outbound packets for LAN/WAN to be the first IP in my /28 range.
    and the manually set gateway on the WAN interface should allow for communication in/out.



  • Ended up getting this working! possibly a bit unique to OVHs setup.

    Created a WAN interface, assigned the IP address of 10.40.40.1 (completely random) and one of ovhs virtual mac addresses which all my IPs in the /28 range are set to.
    Added a shellcmd to set a static arp entry for 10.40.40.254 to the mac address of OVHs gateway and to set 10.40.40.254 as the default gateway.
    Doing this via the gui and just setting the static arp entry via shellcmd led to a "proxy entry exists for non 802 device" message when setting the static arp entry.

    Created a DMZ interface with my /28 range and added a VIP on the WAN interface for this to accept any ARP requests.

    Left the LAN interface alone.

    Added NAT rules to rewrite the source address of all packets to have the first IP in the /28 range i.e. the IP address the DMZ interface gets.

    Hope this helps somebody else…


Locked