How to configure VIPs for a public subnet on WAN interface? [SOLVED]

  • I get a public subnet from my ISP which looks as follows:

    Useable IP adresses: x.x.x.250 to x.x.x.254
    Gateway: x.x.x.249

    As far as I understand, the useable IP adresses get routed to the gateway address (routed subnet).

    Before I switched to pfSense, my Zyxel DSL modem managed the PPPoE connection, and therefor was the gateway (which got the x.x.x.249 address automatically), with a Vigor firewall-router connected to the Zyxel (I gave it the IP x.x.x.250, with x.x.x.251 to x.x.x.254 configured as virtual WAN IPs).

    Now that I switched to pfSense 1.2-BETA-1, I configured the Zyxel DSL modem to be just a bridge, letting the pfSense machine handle the PPPoE connection, which results in the pfSense machine getting the gateway-adress (x.x.x.249) automatically assigned to the WAN interface automatically.

    ATM I am stuck at setting up the VIPs, because I don't know which type (Proxy ARP, CARP or Other) to choose, and if I have to setup each useable IP address (x.x.x.250 to x.x.x.254) separately, or if I can (or have to) setup the whole subnet at once (with Proxy ARP and IP-Adress(es) Type: Network).

    It somehow seems logical to me, to setup the whole subnet with VIP type Proxy ARP, but when reading through this forum, I have seen several problem reports with the Proxy ARP setting, and the suggestion to use CARP instead).

    If I can/should configure the whole subnet with VIP type Proxy ARP, what exactly do I have to enter in the field IP address / netmask (I assume

    Someone with the knowledge please give me a hint.

  • FWIW, I've done similar setups with Proxy ARP, adding each VIP individually (doesn't take that long on a /29) and it works great.

  • This matter seems to be far more complicated than initially thought.

    The former setup looked like this:

    Internet <–> [WAN] Zyxel [LAN] <–> [WAN] Vigor [LAN] <–> LAN-Switch

    The Zyxel (a xDSL modem-router named Prestige 660H) was handling the PPPoE connection itself, configured for routing, and got the gateway-address x.x.x.249/32 (!) assigned automatically to the WAN interface, whereas the LAN interface was given the same IP-address but with the correct netmask (x.x.x.249/29). The Vigor (a firewall-router with correct name Draytek Vigor 2900) was configured with x.x.x.250/29 for the WAN interface, and x.x.x.251 to x.x.x.254 as virtual WAN-IP-addresses.

    The new setup looks like this:

    Internet <–> [WAN] Zyxel [LAN] <–> [WAN] pfSense [LAN] <–> LAN-Switch

    The Zyxel is now configured for brigding, so that the pfSense machine can handle the PPPoE connection, which is exactly what I wanted (because I always had some very strange problems, with the Zyxel constantly rebooting for an hour or so at a certain time of the day, which I believed could have been a hacker attack, without ever getting any proof for this). So the Zyxel only does the ATM & bridge handling, I gave it a private IP on the LAN interface (which it seems to use on the WAN interface as well for some unknown reason), so that I can configure it, when connecting my laptop directly. The pfSense machine establishes the PPPoE connection and gets the gateway-address x.x.x.249/32 (!) automatically on the WAN interface (it reports this in Status -> Interfaces -> WAN Interface (rl0), but ifconfig shows, that rl0 has got no IP-address at all, but ng0 as the virtual PPPoE interface was configured with it).

    So far, everything went well, but the problem is, it seems not be possible to use the available public IP-adresses x.x.x.250 to x.x.x.254 as Virtual IP-adresses.

    My first try was to configure a VIP as type CARP, but it always only gave me this error message:

    The following input errors were detected:

    * Sorry, we could not locate an interface with a matching subnet for x.x.x.250/29. Please add an ip in this subnet on a real interface.

    It was the same error message, when I tried it with x.x.x.250/32.

    I've then manually set the netmask for the virtual PPPoE interface ng0 to /29 with ifconfig, Status -> Interfaces -> WAN Interface (rl0) showed x.x.x.249/29, which kind of looked right, but I still got the same error message, when trying to setup a CARP VIP (either way with trying to set it up as x.x.x.250/29 and x.x.x.250/32).

    At this point, I had the feeling, that something has to be wrong, because if the WAN interface (on the Status -> Interfaces page shown as rl0, but with ifconfig shown as ng0) is set correctly to x.x.x.249/29, why should the error message tell me "Sorry, we could not locate an interface with a matching subnet for x.x.x.250/29. Please add an ip in this subnet on a real interface."? ???

    Just to be sure, I even tried to give the real rl0 the gateway-address x.x.x.249/29 as well, but because rl0 does not seem to play a role at all in a PPPoE setup, it had no effect.

    I then played around a little more with trying to setup the VIPs as type "Other" and "Proxy ARP", configuring outbound NAT to use one of these VIPs, resulting in the selected VIP to show up on this browser-identification-page, I configured a rule to let ICMP pass, but only got timeouts, when using CentralOps to ping my VIPs.

    There are several unsure issues for me, concerning the type of VIP to choose from, which netmask to set for a VIP (if it is even selectable), and how to correctly check, if the VIPs can be reached from the internet (if the pfSense machine has x.x.x.249 on the WAN interface, and x.x.x.250 to x.x.x.254 as VIPs, is it supposed to answer on a ping an all these IP addresses by itself?).

    I am totally lost at the moment, this all more and more looks like a deep & dark forest to me, netmask vs. on WAN and VIP, Proxy ARP / CARP / Other for VIP setup, and how to check if everything is working as supposed to (I assume it all comes down to the fact, that all VIPs have to be pingable, but does pfSense respond to a ping itself, or should I have a machine on the LAN reacting to a ping?).

    I really need assistance from someone with the right knowlege. Any hint is highly appreciated.

  • @dotdash:

    FWIW, I've done similar setups with Proxy ARP, adding each VIP individually (doesn't take that long on a /29) and it works great.

    You added Proxy ARP VIPs as single IPs (netmask /32) and it worked??? So what am I doing wrong here? I must have totally lost my mind figuring out what's going on here. Did I already stumble over the right solution without seeing it??? Please explain with a little more details.

  • I may have missed something in your very verbose post, but this shouldn't be a super-complicated setup. I had a few networks setup as you are describing, but switched the routers public (like your first setup) due to some issues with PPPoE and multi-wan. Anyway-

    1. The WAN, when setup for PPPoE will pull a subnet mask of /32. This is just cosmetic, don't mess with it. It should still work fine. It's just how PPPoE works.
    2. You should be able to add individual VIPs in your /29 as Proxy-ARP /32s.
    3. The VIPs will NOT be pingable unless you have a 1-1 NAT to a pingable machine and are allowing ICMP. You cannot ping them with port-forwards.
    4. I haven't tried to use something other than /32 for a proxy arp, so I can't answer that one. I just pick 'single address'

  • dotdash, you saved the day!  :)

    So it has been working all along, I just did not properly perform the ping test, when I had the VIPs set up with type Proxy ARP.

    Thank you very much, your 4 steps showed the way to success.

    BTW I had conversations with a lot of ppl today in various ways, and they all just told me, that this setup can not work properly, and that my best chances are to return to the former setup with the DSL modem handling the PPPoE connection. Now I can proof them wrong! :)