WAN gateway different than WAN subnet

  • I apologize ahead of time if this has been answered already here, but for the life of me I can't find the answer. Here is the setup – IPs have been changed to non-real addresses. We have a new ISP and I'm trying to configure pfSense to accommodate the setup.

    WAN Gateway:
    Customer Link IP: (/30 subnet)
    Customer Usable IP block: - (/25 network)

    Currently, I have pfSense set up so that the WAN gateway is and the pfSense WAN IP is

    Then I manually added CARP addresses for the IP block by editing the XML config file.

    So at this point, services work (I can configure a NAT routing from one of the 255.130.50.x IPs to a private IP on the 'OPT1' network) and I can hit web pages and query DNS. The firewall appears to be working as expected.

    However, here's the catch: When I do a basic PING into the firewall, I get a TTL Expired in Transit for all packets. I can ping the gateway and "Customer Link IP" without any issues. When I tracert to one of the secondary IPs it goes through the internet into the ISP router on premises, but then bounces back and forth between the gateway and the pfSense IP and finally gives up.

    I followed the instructions in the pdf called "Multiple Subnets on One Interface" but then the pings into the secondary block just time out. Keep in mind I have the ICMP service allowed for all networks.

    Any thoughts or tips on this would be great.

    Funny enough, all the services (other than PING) seem to work as expected, and I can even use it as it is and move all our services to it, but the ping issues concern me -- wondering if they point to a bigger problem that will come back to bite me.

    Thank you,


  • @dmcentire:

    Then I manually added CARP addresses for the IP block by editing the XML config file.

    Don't do that. There are reasons the GUI has the input validation it does. Those IPs aren't going to be properly added, and may kernel panic the system, though I don't think that happens with current base OS versions.

    How to handle that scenario depends on how the ISP is assigning those IPs. Ideally they should be routing the /25 to your WAN IP, then you don't need or want virtual IPs unless you're assigning the subnet to an internal interface or VLAN.

  • Quick update for anyone who cares…

    Comcast (our new ISP) gives us the two subnets and only does it that way. We have to handle the routing on our end. I added a 4th NIC to the pfSense box and put it on a switch with the other WAN link.

    Everything works now as expected, pings work, and the rules/NAT policies work as well.
