Pure routing, no NAT, multiple subnets on inside



  • I am trying to route multiple public subnets. I have a /30 from my ISP and a /25 that is statically routed over it. The /30 is on eth0 and the /25 is on eth1. eth1 is using the single IP on eth0 as its gateway. I want to keep the firewall up for QoS, traffic analysis, etc., so I left the firewall running but set the NAT to manual and deleted all the maps. Everything so far works very nicely.
    My problem is adding in my 2nd block, a /24 to eth1. The block is also set to statically route over the same /30.

    There is nothing in the GUI as far as I can find to add more than one block to a given interface. I found this http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf however it references a pre-1.3 release but I'm running 2.0.1. I tried it anyway. No errors but no win. Any device pulling from the /24 on eth1 simply has no route out.

    Any help is greatly appreciated.



  • Just wondering what would happen if you added another physical interface for the /24?



  • Well, there was never a 1.3 outside of development. 1.3 became 2.0 for many reasons. So, you can do this in the GUI. If you go to firewall / virtual IP and create a new VIP on eth1, you should be able to use that as your gateway for the machines using that IP. You will then just need to create a rule to allow that from LAN to WAN and poke holes in the WAN to LAN for specific servers/ports.



  • @gderf:

    Just wondering what would happen if you added another physical interface for the /24?

    Adding another nic would do the same thing as adding an IP alias.



  • @gderf:

    Just wondering what would happen if you added another physical interface for the /24?

    First thing I tried just for testing and it worked with minimal fuss. The issue is this is a short term solution. I will be adding many more blocks very quickly. I have 2 more /25 being assigned to me on Tuesday. Can only fit so many cards into a single server.



  • @podilarius:

    Well, there was never a 1.3 outside of development. 1.3 became 2.0 for many reasons. So, you can do this in the GUI. If you go to firewall / virtual IP and create a new VIP on eth1, you should be able to use that as your gateway for the machines using that IP. You will then just need to create a rule to allow that from LAN to WAN and poke holes in the WAN to LAN for specific servers/ports.

    Makes sense but so far, no win. I created a /24 as an IP alias network but can't find where I can tell that block to route over the /30 like I did for the /25.
    Outbound NAT is set to manual. I have tried various rule combinations but it seems like it wants to translate everything. I'm looking for pure routing. Any thoughts?



  • I would not consider this a proper solution but so far it works.
    I created a VLAN for each block and then set them all to point to the same gateway (my eth0/1). I untagged those VLANs on all the ports on my switch. It works but the CPU usage on the pfSense server gets hit hard when any traffic passes on the VLANs. Not sure why, as my NIC chipset (Intel) says it natively supports VLANs.

    Not considering this a solution at this point. :p



  • What do you mean? Your ISP is supposed to be routing any subnet to your /30 address. If that is the case, pfSense will route between any subnet assigned to either side, so long as rules are present to allow the traffic. Anything assigned on the LAN VLAN or physical LAN should NOT have a gateway set. VLANs are a good way to go, but IP alias should work. I think I will verify that working with my lab system.



  • I have tested this using IP alias and it works perfectly. You probably have something misconfigured or you are misunderstanding something about how things are routing or the ISP isn't doing something correctly.

    Could you give us details about FW, Alias, NAT (outbound), and rules?
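The details asked for above (routes, alias, outbound NAT) can be checked from a shell on the pfSense box. As an added example that is not from any poster in this thread, the script below runs those checks against constructed, simplified `netstat -rn` and `pfctl -sn` output so it works offline; the interface names and the RFC 5737 documentation addresses stand in for the real blocks and are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): sanity checks for a "pure routing,
# no NAT" pfSense setup. Sample output below is constructed; on a real box
# replace it with the output of `netstat -rn -f inet` and `pfctl -sn`.

# Constructed routing table: /30 on eth0, /25 and /24 both directly on eth1.
ROUTES='Destination        Gateway            Flags     Netif
default            192.0.2.1          UGS       eth0
192.0.2.0/30       link#1             U         eth0
198.51.100.0/25    link#2             U         eth1
203.0.113.0/24     link#2             U         eth1'

# Constructed NAT table: a leftover outbound NAT rule still covers the /24,
# which is the "it wants to translate everything" symptom from the thread.
NAT_RULES='nat on eth0 inet from 203.0.113.0/24 to any -> 192.0.2.2'

# has_route PREFIX IFACE: the block must be directly connected (link# gateway)
# on the inside interface; a missing entry means hosts in it have no route out.
has_route() {
    printf '%s\n' "$ROUTES" | awk -v p="$1" -v i="$2" \
        '$1 == p && $4 == i && $2 ~ /^link#/ { found = 1 } END { exit !found }'
}

# default_via IFACE: the only gateway route should be the ISP end of the /30.
default_via() {
    printf '%s\n' "$ROUTES" | awk -v i="$1" \
        '$1 == "default" && $4 == i { found = 1 } END { exit !found }'
}

# nat_free PREFIX: pure routing means no nat rule may mention the block at all.
nat_free() {
    ! printf '%s\n' "$NAT_RULES" | grep -q "$1"
}

# check_block PREFIX: returns 0 only when the block is routed and untranslated.
check_block() {
    has_route "$1" eth1 || { echo "$1: not directly connected on eth1"; return 1; }
    nat_free "$1"       || { echo "$1: outbound NAT rule still present"; return 1; }
    echo "$1: routed, no NAT"
}
```

With the constructed data the /25 passes and the /24 fails on the leftover NAT rule, which is exactly the kind of mismatch the reply above is asking to see.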

