Single WAN connection with two public IP subnets / ranges (version 2.0.3)

DallasITGuy · Aug 26, 2013, 2:48 AM

Hello all,

I have a client who's been assigned two /29 subnets (with different gateway IPs) which come in on a single WAN connection. I can configure the WAN port to use either range but I'm not certain how to use (NAT, 1:1, etc.) the IP addresses of both subnets simultaneously.

If I have to I can throw a 4 port switch in front of the pfSense box and configure the WAN port to use one subnet and the OPT1 port to use the other but that's adding another failure point so I'd prefer not to resolve the situation that way.

How might I configure pfSense to accommodate the two subnets just using the WAN port?

kejianshi · Aug 26, 2013, 3:04 AM

Do you get your IPs by bridging to their network?

DallasITGuy · Aug 26, 2013, 3:56 AM

@kejianshi:

Do you get your IPs by bridging to their network?

No. Public subnets on the WAN, private (10.x.x.x) on the LAN.

kejianshi · Aug 26, 2013, 4:00 AM

Its actually nice that he has two gateways. Does this modem do VLANs?

DallasITGuy · Aug 26, 2013, 4:08 AM

@kejianshi:

Its actually nice that he has two gateways. Does this modem do VLANs?

No modem involved. This is at a colocation facility, they provide the Ethernet connection to a cabinet the client has leased. Most of the servers in the cabinet don't have or need public IP addresses.

In the past the client had a Cisco firewall that was troublesome and slow. I replaced it with a pfSense unit (Netgate FW-7541) that has far better performance and stability especially with regards to the site to site VPN I set up between this unit and the one I installed at the client's office where the developers work.

kejianshi · Aug 26, 2013, 4:26 AM

"If I have to I can throw a 4 port switch in front of the pfSense box and configure the WAN port to use one subnet and the OPT1 port to use the other but that's adding another failure point so I'd prefer not to resolve the situation that way."

I like that plan.

Never had this problem. Maybe someone else has better plan.

Closest I ever had is needing multiple IPs assigned per MAC with a modem from single port to single WAN. Putting pfsense in ESXi and then creating multiple virtual WAN NICs solved that problem.

kejianshi · Aug 26, 2013, 4:46 AM

Normally, people would connect to the network, usually by bridging to it and then they would set up virtual IPs and use 1:1 NAT but I'm not sure this will apply with your setup.

kathampy · Aug 27, 2013, 5:55 AM

Setup the first subnet normally on the WAN interface. For the second subnet, manually add a gateway under System > Routing > Gateways on the WAN interface. Then you can simply add virtual IP addresses of type "IP Alias" from the second subnet on WAN interface.

After that create Manual Outbound NAT rules for that Virtual IP address if you want to NAT clients behind that address. You can also do 1:1 NAT against the virtual IP addresses.

You'll need to create/modify firewall rules to use the second gateway wherever necessary.

kejianshi · Aug 27, 2013, 9:13 AM

Ahhhh - That makes sense.

DallasITGuy · Aug 27, 2013, 11:58 PM

@KurianOfBorg:

Setup the first subnet normally on the WAN interface. For the second subnet, manually add a gateway under System > Routing > Gateways on the WAN interface. Then you can simply add virtual IP addresses of type "IP Alias" from the second subnet on WAN interface.

After that create Manual Outbound NAT rules for that Virtual IP address if you want to NAT clients behind that address. You can also do 1:1 NAT against the virtual IP addresses.

You'll need to create/modify firewall rules to use the second gateway wherever necessary.

Thanks! I will try this approach over the coming weekend.

mzuc · Sep 12, 2013, 9:43 AM

Hi, I'm in the very same situation as DallasITGuy.

Adding a second gateway to WAN via the pfSense web gui doesn't work because "The gateway address xx.xx.xx.xx does not lie within the chosen interface's subnet."

How can I solve?
Thanks

kathampy · Sep 12, 2013, 9:51 AM

I don't have access to my box to check right now, but I think only some particular kinds of Virtual IP addresses can be used for routing. Try something other than IP Alias.

mzuc · Sep 12, 2013, 10:04 AM

@KurianOfBorg:

I don't have access to my box to check right now, but I think only some particular kinds of Virtual IP addresses can be used for routing. Try something other than IP Alias.

I tried Proxy ARP and Other but it doesn't work.
Let me give you some details about my setup:

pfSense has 2 NICs: LAN (10.0.0.1/24) and WAN (46.x.x.1/26). 46.x.x.gw is my Default Gateway. Additional public ips from 46.x.x.x/26 are configured as "IP ALIAS" and then used for 1:1 NAT.
Today my ISP gave me another /26 public ip subnet (47.x.x.0/26) which gets routed to my WAN interface by their routers, but they also give me a second gateway (47.x.x.gw/26).

How should I add ips from the second public subnet while keeping one single WAN interface? Should I continue using the first gateway (46.x.x.gw)?

Thanks

kathampy · Sep 12, 2013, 10:23 AM

You cannot use the first gateway for the second public subnet. If you are unable to add virtual IP address from different subnets and add a different gateway, then you only option is to create a second WAN interface.

kathampy · Sep 12, 2013, 10:30 AM

I just did a test and I am able to successfully add a new virtual IP address of type IP alias and gateway in a new subnet different from the interface IP address and gateway.

mzuc · Sep 12, 2013, 8:42 PM

@KurianOfBorg:

I just did a test and I am able to successfully add a new virtual IP address of type IP alias and gateway in a new subnet different from the interface IP address and gateway.

Hi,
I managed to add new VIPs from a different WAN subnet without even adding a new gateway.

After turning pfSense config upside down so many times, I realized to have mistyped an entry in the routing table, that's why my VMs were not responding. Now it's all up and running. :-[

Thanks