Same IP on WAN and LAN?

  • I have an historically grown network with a network configuration that really sucks:

    WAN: 123.456.789.1/32 with static route to default gateway 123.456.789.4
    LAN: 123.456.789.1/24

    So the default gateway for the WAN interface lies in the LAN subnet…
    While this configuration sucks, I can't change it and need to configure pfSense to work with this configuration.

    My current attempt is this:

    // pfSense WAN configuration
    static IP: 123.456.789.1/29
    gateway:  123.456.789.4

    // pfSense LAN configuration
    static IP: 123.456.789.1/24

    • NAT is disabled

    However using this configuration I can't access the webinterface anymore. Any idea how to get this damn network configuration running with pfSense? Thanks for any hint!

  • Netgate Administrator

    You cannot have the same subnet on wan and lan in a router configuration. It won't work.
    Here you have an even worse situation where wan and lan actually have the same IP! Do you really have to have the same IP? You don't have a spare IP?

    You could set this up as a transparent firewall where WAN and LAN are bridged and are always in the same subnet.


  • Thank you stephen!
    Actually it shouldn't be a problem to set the LAN IP to 123.456.789.2 instead of 123.456.789.1. Only changing this doesn't help however.
    The transparent firewall thing sounds nice, but I have to admit I don't know how to do this. Any hint regarding pfSense?

  • One to one NAT sounds like a possible solution.

  • Netgate Administrator

    You could attempt to craft the subnet masks of each such that they aren't actaully in the same subnet. This might prove a problem for your network though.

    There are a number of guides on setting up pfSense as a transparent firewall which people seem to have varying degrees of success following.  ::)

    The document linked to here, for example, is written for a very old version but the principles are the same.



  • hmm, maybe I am understanding things wrong, but when using a transparent firewall, won't I have the problem that I am missing the routing now?
    LAN: 123.456.789.1/24 -> WAN: 123.456.789.1/32 -> next hop after WAN: 123.456.789.4/32
    Now when a packet comes in from the internet, there is a static route from the next hop after WAN to my WAN interface: route everything to 123.456.789.1/32. However when using a transparent firewall, wouldn't I need something like route IP x to IP x instead of route IP x to 123.456.789.1/32 ?

    One to one NAT sounds like a possible solution.

    Thank you, I will have a look at this later on.

  • Netgate Administrator

    If you don't have a routed subnet from whatever is upstream from your provider then you can't use a transparent configuration.
    Conversely it would be no problem for your LAN clients to send traffic since the next hop after WAN is in their subnet. You would simply set their gateway as the WAN gateway.
    What is this box replacing? You would usually only use a transparent config to insert a firewall where none previously existed.

    I find it hard to believe that your existing subnets are in fact the same. They may appear at first glance the same but most (if not all) routers would fail in that scenario.


  • it would replace a linux box filtering data by mac address and doing the routing for this crappy configuration ;-) routing is done by a static route.
    I can imagine that clients could send data to 123.456.789.4/32, but I guess as 123.456.789.4/32 probably has a static route to 123.456.789.1/32, they will never get any data back?

    and yes, while I am far away from being a network expert or even advanced network user, I unfortunately can confirm that the configuration is really that crappy. Also checked with the guys administrating the next hop after WAN. Historically grown some years ago, no idea why…

  • The mess you have there won't work with most firewalls or routers, and is just a disaster waiting to happen. I'd fix it, see if your ISP would be willing to do something different like assign you a /30 or /29 WAN-side and route you your LAN-side subnet, which would be the proper way to do things.

  • Thank you all, I meanwhile ended up trying to follow the hint to better get a new transfer network / WAN configuration.

Log in to reply