Manually Edit WAN Subnet Mask



  • I am doing a new install and my ISP requires the subnet mask to be set to 255.255.255.255 (32 bits) for routing purposes; otherwise the connection will not work. It's a bit of an odd setup on their end. I recall on Windows I had to edit the registry for Windows to take the subnet mask.

    These are the settings that need to be in place, and yes I am aware that I am posting my public IPs and I am OK with that.

    IP: 192.95.16.130
    Subnet Mask: 255.255.255.255
    Gateway: 142.4.208.254

    I tried going through the shell interface to manually configure the WAN adapter, but when it gets to the point of asking me how many bits for the subnet mask, it will take anything (24, 8, etc) except for 32 which is for 255.255.255.255. I tried to locate the rc.conf file but can't seem to locate it.

    The ISP provided the following information:

    /etc/rc.conf
    ifconfig_em0="inet IP.Fail.over netmask 255.255.255.255 broadcast IP.Fail.over"
    static_routes="net1 net2"
    route_net1="-net Your.Server.IP.254/32 IP.Fail.over"
    route_net2="default Your.Server.IP.254"



  • 255.255.255.255 is a /32 mask. Are you sure that is correct? It's usually deployed in that manner for PPPoE/PPPoA connections.

    Your gateway is also in a different subnet from the issued IP.

    Are you sure those are the settings? Is the static IP issued actually forwarded/routed through a separate WAN IP instead?


  • Netgate Administrator

    @mjimlay:

    I tried to locate the rc.conf file but can't seem to locate it.

    pfSense doesn't work like that.
    At boot up all the .conf files are generated by the pfSense scripts from the config.xml file. Thus even if you did find the rc.conf file it would be overwritten the next time you rebooted or made any config change.
    As has been said, /32 on WAN is odd and, as you have found, you can't do it via the webGUI as there are safeguards in place to stop such a bizarre config being allowed. To do this you will have to edit the config.xml file (in /conf/) directly. I'm not sure quite how to match those settings though. Be prepared for some trial and error!

    Steve



  • It's a bit of an odd setup and I've never seen an ISP have it set up like this, but I can assure you that it does work oddly enough. I have a Windows 2003 Server running with the same settings, different IP, and it works, but I had to edit the registry to get the subnet mask to work.

    As a note, my host is running VMWare ESXi and pfSense is a VM and I have a private LAN with some VMs on it and use pfSense as the firewall/port forwarding/dhcp server for the VMs on that LAN.

    This is a link to some KBs they have:
    http://help.ovh.ie/BridgeClient



  • I just tried to edit the xml file and changed the mask from 24 to 32 and rebooted the system and it's still not working :( Ugh.



  • It took a while to actually digest that guide..

    Seems like that guide is specifically for VMs.

    If I interpreted it correctly and assuming you bridged an interface directly to pfsense as WAN, then you actually need to set pfSense WAN as:

    WAN IP:  142.4.208.xxx (where XXX is the so-called physical machine IP)
    WAN subnet mask:  255.255.0.0 (/16)
    WAN Gateway:  142.4.208.254

    Then add an IP alias on WAN with 192.95.16.130

    NAT your pfSense LAN client(s) to the Alias IP.

    Seems like the guide is just for VMs where you actually create a virtual IP and forward the packets through the WAN IP (physical machine IP in the guide).

    In effect, your 'failover ip' is an IP that is statically routed/ forwarded through the physical machine IP subnet.



  • pfSense is running as a VM in VMWare. VMWare is assigned the public IP 142.4.208.647. If I assign 142.4.208.647 to pfSense to the WAN IP, wouldn't that cause an IP Conflict, or is that what you are suggesting using the subnet mask of 255.255.0.0 instead of 255.255.255.0?



  • @mjimlay:

    pfSense is running as a VM in VMWare. VMWare is assigned the public IP 142.4.208.647. If I assign 142.4.208.647 to pfSense to the WAN IP, wouldn't that cause an IP Conflict, or is that what you are suggesting using the subnet mask of 255.255.0.0 instead of 255.255.255.0?

    No.  That configuration only applies if you bridged (pass-through) the physical interface directly into pfSense as WAN.


  • Rebel Alliance Developer Netgate

    FYI- We already have a ticket for this.

    http://redmine.pfsense.org/issues/972



  • So I just wanted to post an update about this. I know mjimlay from another forum and am the one who recommended pfSense to him. He engaged me to help him get this set up and wow was this a PITA. Long story short, I left the "142" address on ESXi so I could maintain remote connectivity to the host and attempted to use the "192" address on pfSense as he did. I could sometimes get it to save the gateway if I added the gateway in the interface setup (but could never get it to save if I added the gateway in the gateways page). This gateway would briefly show as online then go offline, probably due to some check in the background.

    I would have preferred to have the "142" address on pfSense WAN and use the "192s" as VIPs (which I think is their intention) but I couldn't maintain connectivity to the host doing this. I then got the bright idea to alter the subnet mask. One of the OVH docs I read mentioned I could set the gateway to /24 instead of /32 and it would still work. I figured if that works, let's see what mask I need to use to make the "142" gateway be in the same subnet as the "192" address I'm configuring. The only valid mask for that is /1 so I tried it and surprisingly it worked. The gateway stays online and hosts behind pfSense have connectivity. This may not be the correct way to have handled this but it worked.
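
An added example, not part of the thread and not pfSense code: a Python check of the addressing discussed above, using the IP and gateway from the first post. It shows that the gateway is off-link at /32 (the case the ISP's rc.conf covers with a /32 route to the gateway ahead of the default route) and that /1 is the longest mask containing both addresses, which makes the WAN treat all of 128.0.0.0/1 as directly attached. The function names are this example's own.

```python
import ipaddress

# Values from the first post in the thread.
WAN_IP = "192.95.16.130"
GATEWAY = "142.4.208.254"

def connected_network(addr, prefix):
    """Network the OS treats as directly attached for addr/prefix."""
    return ipaddress.ip_interface(f"{addr}/{prefix}").network

def gateway_on_link(addr, prefix, gateway):
    """True if the gateway lies inside the interface's connected network."""
    return ipaddress.ip_address(gateway) in connected_network(addr, prefix)

def longest_shared_prefix(addr, gateway):
    """Longest prefix length that places addr and gateway in one network."""
    a = int(ipaddress.IPv4Address(addr))
    g = int(ipaddress.IPv4Address(gateway))
    # The highest differing bit bounds the common prefix.
    return 32 - (a ^ g).bit_length()

def survey(addr, gateway, prefixes=(32, 24, 16, 8, 1)):
    """Rows of (prefix, connected network, gateway on-link?, on-link addresses)."""
    rows = []
    for p in prefixes:
        net = connected_network(addr, p)
        on_link = ipaddress.ip_address(gateway) in net
        rows.append((p, str(net), on_link, net.num_addresses))
    return rows

if __name__ == "__main__":
    for prefix, net, on_link, size in survey(WAN_IP, GATEWAY):
        state = "on-link" if on_link else "off-link, needs a host route first"
        print(f"/{prefix:<2} {net:<18} gateway {state}; {size} addresses on-link")
    print("longest mask covering both:", f"/{longest_shared_prefix(WAN_IP, GATEWAY)}")
```
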

