Routing Multiple Public IPs and Subnets



  • Hello!

I am looking for some assistance with a network layout I am trying to get under my belt. I have been using pfSense for a few years in small one-WAN, one- to two-LAN networks with IPsec tunnels. They are phenomenal devices. Now we are working with a larger-scale client. Here is the summary:

Running a pf box with a 4-port PCI-E 1000 Mb Intel card, and an Atom system with SSD.

Comcast Metro Ethernet /30 IP assigned to pfSense, with a /28 block under it. (From what Comcast explained, the fiber-to-Ethernet device is a switch and I assign the interface the /30, then 1:1 NAT the public IPs in the /28 under the other interfaces. I'm not sure if that is totally clear, but when I follow it, I get internet.)

    OnBoard:
Comcast Ethernet in pfSense WAN1.
Verizon Ethernet in WAN2 (single public IP).

    On PCI-E card:
    LAN1 is 192.168.5.x - my servers
    LAN2 is 192.168.6.x - my admin net
    LAN3 is 192.168.20.x - my Public IP Pool Interface
    LAN4 is CARP (second Pf in rack below this one)

So WAN1 has the /30 address and connects to the Comcast demarc, then I have the 5 devices that need public IPs on LAN3. So I have a 1:1 NAT from each /28 IP to an internal 20.x IP, and an allow-any rule for the WAN to LAN3 interface. Sound good so far?

All of the above LAN interfaces connect to a 48-port Cisco Gigabit switch with VLANs to keep each subnet's traffic from being seen or broadcast on the others. There is a moderate amount of traffic between 5.x and 6.x, as they are end users and servers on separate networks. There is an IPsec tunnel out to another pfSense in Florida. That office passes a lot of SIP traffic to 5.x. We have inbound SIP going from WAN1 to LAN3 (2x Edgemarc SIP devices), each with a public IP. (Just for fun, there is a second Cisco switch loaded with config in the event one fails, with the second pfSense's LAN interfaces pre-connected as well as secondary server NICs. We can afford between 5 and 10 minutes of unplanned downtime a month, so if a switch goes, someone is always on site who can swap a few cables. We are a 24/7 call center.)

This seems to work, but I am not sure that this is the best method for making things work. I am just not sure if I am missing something or if I am losing performance this way. Just looking for any suggestions on making this system work great. I am working on setting up the Multi-WAN as well, but we have a lot of SIP and IPsec traffic across the devices and am not sure how well they will tolerate it.

I also need to ensure that I can allocate bandwidth appropriately. I have 50 Mb on the Comcast and 25 on the Verizon. I need to give 2x devices 3 Mb each on the .20, then another 1 Mb to another .20.x device, and so on... this is another grey area for me (reading the pf book at this time too..)

I am sorry if I seem lost, but I have been doing IT repair and services for 6 years, and am just now starting to get heavily into networking and routing. Still learning my way through some of this stuff! Whew! That was a lot.. Thanks in advance, and I hope to be able to help others with what knowledge I have already learned using pfSense!



  • Hi there! Are you still working with the above setup? I am in a similar boat regarding Comcast MetroE, with a SIP Edgemarc from Megapath currently handling the routing/traffic shaping. This past weekend we moved from Earthlink T1s to Comcast Metro Ethernet.
Previously, we had the Edgemarc doing proxy ARP to handle 5 public IPs without a problem. After the move, however, Megapath configured the SIP gateway to use the /30 p2p address on the WAN port and then create a subinterface as the default gateway for our /28 block (what Comcast calls "Customer Usable EDI Addresses") on the LAN port.

(10.x.x.x/24) LAN |Cisco RV180| WAN (x.x.126.x/28) <--> (x.x.126.x/28) LAN |Edgemarc| WAN (x.x.124.x/30) <--> Ciena

The problem now lies with being able to get back into the network. The Edgemarc appears to be dropping all incoming traffic, as no ports and services are accessible from the outside. Megapath insists that everything is fine on their end, but clearly there is some configuration problem or limitation at hand. I was hoping to exchange our Cisco SMB router for a pfSense unit, seeing as how I could place it in between the Ciena 3930 switch and the voice gateway. This way, I do a 1:1 NAT for both the Edgemarc and our servers. Also, I've been wanting to try pfSense out for some of the cool packages that are available.

    The setup you have here is how I envisioned doing mine. From what I have gathered, this seems to be a straightforward setup with VIPs and manual NAT. Hopefully I can get it working this weekend. If you or anyone else has any pointers, I would be ever grateful for the insight.  ;)
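Neither poster included any configuration, so the following pf.conf fragment is an added example: it is not pfSense's generated ruleset and not from either poster, Comcast or Megapath. It covers the layout both posts describe (a /30 on WAN, a routed /28 mapped 1:1 onto LAN3 hosts) plus the per-device bandwidth reservation the first post asks about, and it places the first post's allow-any WAN-to-LAN3 rule beside a restricted version. Interface names, the RFC 5737 documentation prefixes standing in for the real /30 and /28, the host mappings, the SIP peer table and the RTP port range are all assumptions to be replaced with real values.

```pf
# Added example pf.conf fragment (not pfSense's generated config, not from the
# thread). RFC 5737 documentation prefixes stand in for the Comcast /30 and /28;
# interface names, host mappings and port ranges are assumptions.
ext_if    = "em0"             # WAN1: Comcast Metro Ethernet, carries the /30
lan3_if   = "igb2"            # LAN3: 192.168.20.0/24, hosts that get public IPs
wan_p2p   = "203.0.113.2"     # our side of the /30 (assumed)
pub_block = "198.51.100.0/28" # the /28, routed by Comcast to wan_p2p (assumed)

# LAN3 hosts and the public address each is mapped to (constructed values)
edgemarc1_int = "192.168.20.11"
edgemarc1_pub = "198.51.100.3"
edgemarc2_int = "192.168.20.12"
edgemarc2_pub = "198.51.100.4"
web_int       = "192.168.20.20"
web_pub       = "198.51.100.5"

# SIP carrier's signaling/media sources. Placeholder: fill in the carrier's real
# ranges; fall back to "any" only if the provider cannot supply them.
table <sip_peers> { 192.0.2.0/24 }
rtp_ports = "16384:32767"     # assumed; must match the Edgemarc's RTP range

# --- Shaping on WAN egress (upload) -----------------------------------------
# 50Mb Comcast link: 3Mb guaranteed per Edgemarc, 1Mb for the web host,
# remainder shared. Queues on $ext_if shape only what leaves the WAN port.
altq on $ext_if hfsc bandwidth 50Mb queue { q_sip1, q_sip2, q_web, q_default }
queue q_sip1    bandwidth 3Mb  hfsc(realtime 3Mb)
queue q_sip2    bandwidth 3Mb  hfsc(realtime 3Mb)
queue q_web     bandwidth 1Mb  hfsc(realtime 1Mb)
queue q_default bandwidth 43Mb hfsc(default)

# --- 1:1 NAT (what pfSense's 1:1 tab produces) ------------------------------
# Translation runs before filtering, so the WAN rules below match on the
# INTERNAL address. Because the /28 is routed to the /30, no proxy ARP is
# needed for these addresses (pfSense: virtual IP of type "Other").
binat on $ext_if from $edgemarc1_int to any -> $edgemarc1_pub
binat on $ext_if from $edgemarc2_int to any -> $edgemarc2_pub
binat on $ext_if from $web_int       to any -> $web_pub

# --- Filtering --------------------------------------------------------------
block log all

# Weak setting from the first post: allow any from WAN to LAN3. Every port on
# every 1:1 host becomes reachable from the internet. Left here, disabled, only
# for comparison with the rules that follow.
# pass in quick on $ext_if from any to $lan3_if:network

# Restricted version: inbound on WAN only to the ports each host actually
# serves, from the peers that should be talking to it.
pass in on $ext_if proto udp from <sip_peers> to $edgemarc1_int port 5060       queue q_sip1
pass in on $ext_if proto udp from <sip_peers> to $edgemarc1_int port $rtp_ports queue q_sip1
pass in on $ext_if proto udp from <sip_peers> to $edgemarc2_int port 5060       queue q_sip2
pass in on $ext_if proto udp from <sip_peers> to $edgemarc2_int port $rtp_ports queue q_sip2
pass in on $ext_if proto tcp from any         to $web_int       port { 80, 443 } queue q_web

# Outbound from the LAN3 hosts (registrations, outbound calls, updates)
pass in on $lan3_if from $edgemarc1_int to any queue q_sip1
pass in on $lan3_if from $edgemarc2_int to any queue q_sip2
pass in on $lan3_if from $web_int       to any queue q_web

# Egress from the firewall itself and from the translated hosts. LAN1/LAN2
# rules and their outbound NAT are omitted from this example.
pass out on $ext_if from $wan_p2p   to any
pass out on $ext_if from $pub_block to any
```

Points that carry over to the pfSense GUI: a routed block like this /28 goes in as virtual IPs of type Other (no ARP), WAN rules for 1:1 hosts use the internal address as the destination because translation happens before filtering, and the allow-any rule is replaced by one rule per host and service. The ALTQ queues above cap upload only; to guarantee what each Edgemarc receives, define a matching set of queues on the LAN3 interface and reference them from the same rules. ALTQ also requires NIC driver support, which em and igb have on FreeBSD. Check the file with `pfctl -nf /etc/pf.conf` before loading it.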



  • The best way of getting help is to start your own question… Then people can help you without your problems and the original poster's problems getting confused.



  • Yes, I definitely agree with you there. I was more or less directing my query towards the OP. Being that s/he has posted this over a month ago, and truth be told, I wasn't expecting replies anytime soon. Perhaps I will start a new thread this weekend (after dutifully searching the wiki and forums, of course) if I run into troubles that aren't perceivable or clear to me. Thanks, and take care!

