Netgate Discussion Forum
    WAN gateway different than WAN subnet

    dmcentire:

      I apologize ahead of time if this has been answered already here, but for the life of me I can't find the answer. Here is the setup – IPs have been changed to non-real addresses. We have a new ISP and I'm trying to configure pfSense to accommodate the setup.

      WAN Gateway: 255.130.200.153
      Customer Link IP: 255.130.200.154 (/30 subnet)
      Customer Usable IP block: 255.130.50.1 - 255.130.50.126 (/25 network)

      Currently, I have pfSense set up so that the WAN gateway is 255.130.200.153 and the pfSense WAN IP is 255.130.200.154.

      Then I manually added CARP addresses for the 255.130.50.1/25 IP block by editing the XML config file.

      So at this point, services work (I can configure a NAT routing from one of the 255.130.50.x IPs to a private IP on the 'OPT1' network) and I can hit web pages and query DNS. The firewall appears to be working as expected.

      However, here's the catch: When I do a basic PING into the firewall, I get a TTL Expired in Transit for all packets. I can ping the gateway and "Customer Link IP" without any issues. When I tracert to one of the secondary IPs it goes through the internet into the ISP router on premises, but then bounces back and forth between the gateway and the pfSense IP and finally gives up.

      I followed the instructions in the pdf called "Multiple Subnets on One Interface" but then the pings into the secondary block just timeout. Keep in mind I have the ICMP service allowed for all networks.

      Any thoughts or tips on this would be great.

      Funny enough, all the services (other than PING) seem to work as expected, and I can even use it as it is and move all our services to it, but the ping issues concern me -- wondering if they point to a bigger problem that will come back to bite me.

      Thank you,

      Dennis

      cmb:

        @dmcentire wrote:

        > Then I manually added CARP addresses for the 255.130.50.1/25 IP block by editing the XML config file.

        Don't do that. There are reasons the GUI has the input validation it does. Those IPs aren't going to be properly added, and may kernel panic the system, though I don't think that happens with current base OS versions.

        How to handle that scenario depends on how the ISP is assigning those IPs. Ideally they should be routing the /25 to your WAN IP, then you don't need or want virtual IPs unless you're assigning the subnet to an internal interface or VLAN.

        dmcentire:

          Quick update for anyone who cares…

          Comcast (our new ISP) gives us the two subnets and only does it that way. We have to handle the routing on our end. I added a 4th NIC to the pfSense box and put it on a switch with the other WAN link.

          Everything works now as expected, pings work, and the rules/NAT policies work as well.

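The loop behind the "TTL expired in transit" symptom, as an added illustration that is not part of the thread: a tiny longest-prefix-match model of the ISP router and pfSense, using the placeholder addresses from the original post. The /25 has no route on the misconfigured pfSense (the hand-edited VIPs never took), so the ISP forwards it to the WAN IP and pfSense's default route hands it straight back; assigning the block to a local interface, as the final post describes, ends the bounce.

```python
# Added example, not code from the forum thread. Addresses are the thread's
# placeholder values; the "upstream" hop name is an assumption for this model.
from ipaddress import ip_address, ip_network

ISP_ROUTER = "255.130.200.153"   # WAN gateway (ISP router on premises)
PFSENSE_WAN = "255.130.200.154"  # customer link IP on the /30
LINK = "255.130.200.152/30"      # the point-to-point WAN subnet
ROUTED_BLOCK = "255.130.50.0/25" # customer usable block, routed by the ISP


def lookup(table, dst):
    """Longest-prefix match. table is a list of (prefix, next_hop);
    next_hop 'local' means the destination is on an attached interface."""
    dst = ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(tables, start, dst, ttl=8):
    """Forward a packet hop by hop until it is delivered or the TTL hits zero.
    Returns (outcome, list_of_hops); a repeating hop list is the loop."""
    hops, here = [], start
    while ttl > 0:
        hops.append(here)
        nh = lookup(tables.get(here, []), dst)
        if nh == "local":
            return "delivered", hops
        if nh is None:
            return "unreachable", hops
        here, ttl = nh, ttl - 1
    return "ttl-expired", hops


# ISP router: the /30 is attached and the /25 is statically routed to pfSense.
isp_table = [(LINK, "local"), (ROUTED_BLOCK, PFSENSE_WAN), ("0.0.0.0/0", "upstream")]

# Broken: pfSense knows only the /30 and a default route back to the gateway.
pfsense_broken = [(LINK, "local"), ("0.0.0.0/0", ISP_ROUTER)]
# Fixed: the /25 lives on an interface (the extra NIC), so it is delivered locally.
pfsense_fixed = [(LINK, "local"), (ROUTED_BLOCK, "local"), ("0.0.0.0/0", ISP_ROUTER)]


def ping_result(pfsense_table, dst="255.130.50.10"):
    """Outcome of an inbound ping arriving at the ISP router for dst."""
    tables = {ISP_ROUTER: isp_table, PFSENSE_WAN: pfsense_table}
    return trace(tables, ISP_ROUTER, dst)
```

With the broken table the hop list alternates between the two routers until the TTL runs out, which is exactly what the traceroute in the first post showed; with the fixed table the packet is delivered in two hops.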
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.