Netgate Discussion Forum

    Multiple subnet routing questions

    Routing and Multi WAN
    3 Posts 2 Posters 1.3k Views
    crshman:

      Hey All!

      I just moved into a new colo setup and the provider only gives out IPs in /29 blocks. I currently have 3 /29 blocks with them and I wanted to know what the easiest way to go about routing them would be with minimal IP loss.

      I currently have 2 pf's setup as an HA pair, the "primary" IP on my account is setup as a CARP VIP address on the WAN side for both pf's and they each have their own dedicated IPs in that subnet. I have requested that my colo provider route the other two /29's to the primary (CARP VIP) address on my account.

      Now, my question is about routing the other two subnets: what is the best way to route those two /29 blocks to networks behind my pf while minimizing IP loss on the pf boxes? (I want to keep as many IPs as I can free for the servers behind the pf's.)

      I've been doing a lot of reading on the subject (admittedly I'm a routing noob), and there seem to be two solutions to the routing:

      1. I can use NAT for the addresses then just map ports to the hosts behind the pf
      2. I can fully route the subnets through the pf using the pf as a gateway/router for everything behind it.

      I'm particularly interested in option 2; however, with my CARP setup I "burn" 3 IPs in each subnet (one for each pf and another for the VIP). In my reading I saw that an option might be to use a 10.x.x.x address on each physical DMZ interface (not LAN, as I'll be NATing one of the IPs over there) and use one of the public IPs on the VIP as the gateway for each of the subnets. If I understand this correctly, it essentially only burns one IP per subnet.

      Is such a thing possible? Are there better ways to go about doing what I want?

      Thanks in advance!

      podilarius:

        I would think you could use any larger subnet. CARP addresses must be part of the subnet of the real interface. So you could use a /28 CIDR and use the addresses not assigned to you as your interface addresses, and the VIP as the first one that is. It is an interesting idea to use private IPs as the real interface addresses, but I didn't think that was possible in the current versions of pfSense.
        Are your /29 blocks consecutive?

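The address arithmetic behind the question and the reply above, as an added example that is not part of the original thread: a Python script that checks whether a set of /29 blocks collapses into anything larger (the "are they consecutive?" question) and lays out, per block, the three addressing schemes discussed: node and VIP addresses all taken from the block, the enclosing-/28 trick with node addresses borrowed from the unassigned sibling /29, and private interface addresses with one public VIP. The function names, the `Plan` record and the 10.255.0.0/30 transit network are my own assumptions, and the blocks are constructed RFC 5737 documentation prefixes. The `vip_in_subnet` check only flags the scheme whose VIP lies outside the configured interface subnet; whether pfSense accepts that configuration is the open question in the thread, and the script does not settle it.

```python
"""Address planning for scattered /29 blocks behind a pfSense CARP pair.

Added example, not code from the thread. The blocks used are RFC 5737
documentation prefixes constructed for illustration; the private transit
network passed to private_interface_plan() is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Plan:
    scheme: str
    subnet: ipaddress.IPv4Network            # subnet configured on the pf interface
    vip: ipaddress.IPv4Address               # CARP VIP, the servers' default gateway
    node_addrs: List[ipaddress.IPv4Address]  # one real interface address per node
    borrowed: List[ipaddress.IPv4Address]    # addresses used that are not ours
    free: List[ipaddress.IPv4Address]        # public addresses left for servers


def aggregate(blocks):
    """Collapse adjacent blocks into larger prefixes. A block that stays a /29
    has no assigned neighbour, so no single larger interface subnet covers it."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks))


def in_block_plan(block):
    """Everything public and in-block: the VIP plus one address per node, 3 burned."""
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())
    return Plan("in-block", net, hosts[0], hosts[1:3], [], hosts[3:])


def supernet_plan(block, prefix=28):
    """The reply's idea: configure the enclosing /28 on the interface and take
    the two node addresses from the sibling /29 that was not assigned to us.
    Only the VIP comes out of our block, but the node addresses are someone
    else's space (reported in `borrowed`)."""
    net = ipaddress.ip_network(block)
    if prefix >= net.prefixlen:
        raise ValueError("supernet prefix must be shorter than the block's")
    parent = net.supernet(new_prefix=prefix)
    sibling = next(s for s in parent.subnets(new_prefix=net.prefixlen) if s != net)
    nodes = list(sibling.hosts())[:2]
    hosts = list(net.hosts())
    # Conservative: count only our own /29's host range as free, even though
    # in the /28 view the old network/broadcast addresses become plain hosts.
    return Plan("supernet", parent, hosts[0], nodes, nodes, hosts[1:])


def private_interface_plan(block, transit="10.255.0.0/30"):
    """The poster's idea: RFC 1918 addresses on the physical interfaces and one
    public VIP as the gateway. Burns one public address and borrows nothing,
    but the VIP sits outside the subnet configured on the interface."""
    net = ipaddress.ip_network(block)
    priv = ipaddress.ip_network(transit)  # assumed transit network
    hosts = list(net.hosts())
    return Plan("private-interface", priv, hosts[0], list(priv.hosts())[:2], [], hosts[1:])


def vip_in_subnet(plan):
    """The constraint raised in the reply: is the CARP VIP inside the interface subnet?"""
    return plan.vip in plan.subnet


def compare(block):
    """Per scheme: public addresses left for servers, addresses borrowed from
    someone else's block, and whether the VIP meets the same-subnet constraint."""
    out = {}
    for p in (in_block_plan(block), supernet_plan(block), private_interface_plan(block)):
        out[p.scheme] = {"free": len(p.free), "borrowed": len(p.borrowed),
                         "vip_in_subnet": vip_in_subnet(p)}
    return out


if __name__ == "__main__":
    # Constructed sample: two adjacent /29s that merge into a /28, one isolated /29.
    blocks = ["203.0.113.0/29", "203.0.113.8/29", "198.51.100.40/29"]
    print("aggregated:", [str(n) for n in aggregate(blocks)])
    for b in blocks:
        print(b, compare(b))
```

Running it on the constructed sample shows the trade-off numerically: the in-block scheme leaves 3 of 6 host addresses for servers, the other two leave 5, and only the private-interface scheme fails the same-subnet check. The supernet scheme's `borrowed` list is the part to look at before adopting it, since those two addresses are announced to the provider's other customer, not to you.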
        crshman:

          Hey podilarius!

          Unfortunately my /29's are not consecutive. They're all over the place, actually. :-[

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.