Netgate Discussion Forum

Cannot assign hosts Static IPs - DHCP works

General pfSense Questions
13 Posts 4 Posters 2.4k Views
    fritzintn
    last edited by Dec 16, 2013, 5:52 PM

    Howdy,

    I have a fresh install of pfSense in the following layout:

    [Internet]->[Cisco 3550]-> [pfSense w/ static IP]-> [lots of switches]-> hosts

    I'm able to access the Internet, gateway, and other LAN hosts when hosts are assigned static IPs.

    If I choose a 'static IP' for a host - or place another router downstream using another subnet (and thus a non-matching LAN gateway) - I'm unable to access the gateway or other LAN devices.

    I've turned off NAT and attempted a number of other 'fixes' - but I'm now resorting to the forums for help.

      johnpoz LAYER 8 Global Moderator
      last edited by Dec 16, 2013, 5:55 PM

      " (and thus non-matching LAN gateway) "

      Why would LAN interfaces have gateways??

      If you have downstream networks from your LAN interface then you need to create a route to these networks, and yes, a gateway for that route.  But you do not apply that route to the LAN interface itself.

      You say you turned off NAT?  Is the IP pfSense uses to connect to your Cisco an RFC 1918 address or public?  If WAN is RFC 1918 on pfSense then I would agree there is no reason for NAT downstream, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        fritzintn
        last edited by Dec 16, 2013, 6:14 PM (posted Dec 16, 2013, 6:11 PM)

        @johnpoz:

        " (and thus non-matching LAN gateway) "

        Why would LAN interfaces have gateways??

        Poor choice of words, my bad.  There is no gateway under 'Interfaces->LAN'.

        To clarify, my WAN IP is '64.129.88.11' using a gateway of '64.129.88.1'.
        The LAN interface is '192.168.2.1', which is used by DHCP'd hosts as the gateway.  That's what I meant by 'LAN gateway'.

        If I were to add another router off the switch (say a 192.168.3.1/24 subnet)... this needs its own route?

        If you have downstream networks from your LAN interface then you need to create a route to these networks, and yes, a gateway for that route.  But you do not apply that route to the LAN interface itself.

        Ok, currently I have the route mentioned above of:
        Interface: LAN | Gateway 192.168.2.1 | Monitor IP 192.168.2.1

        You say you turned off NAT?  Is the IP pfSense uses to connect to your Cisco an RFC 1918 address or public?  If WAN is RFC 1918 on pfSense then I would agree there is no reason for NAT downstream, etc.

        It's public (64.129.88.11) and I'm attempting to use other public addresses as hosts.

        Thanks for your help, once I get this working I'll try to answer other noob questions as penance… :)

          Derelict LAYER 8 Netgate
          last edited by Dec 16, 2013, 6:33 PM

          @fritzintn:

          If I were to add another router off the switch (say a 192.168.3.1/24 subnet)... this needs its own route?

          Umm. Yes.

          You would need to create a gateway for the device reachable by pfSense on the 192.168.2.0/24 network (netmask assumed since not specified) and create a route for 192.168.3.0/24 that sends traffic destined for that network to that gateway.

          IP Networking 101:  If a router is asked to forward a packet that is destined for an IP address that is not on a connected interface, the routing table is consulted.  If a match isn't found in the routing table the packet is sent to the default gateway if one exists.  (technically, the routing table contains information about connected interfaces too, but it's all added automatically so the admin doesn't have to worry about it.)

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            fritzintn
            last edited by Dec 16, 2013, 6:49 PM

            @Derelict:

            Umm. Yes.

            Again, poor wording - I deserve that :).  I meant to imply that the setting needed to be changed within 'Routes' not elsewhere.

            I added under 'System -> Routing -> Routes':

            192.168.3.1/32 |  WANGW - 64.129.88.1  | WAN

              johnpoz LAYER 8 Global Moderator
              last edited by Dec 16, 2013, 7:31 PM (posted Dec 16, 2013, 7:20 PM)

              "192.168.3.1/32    |  WANGW - 64.129.88.1  |  WAN

              How would your WAN GW be the route to get to other RFC 1918 networks?

              "It's public (64.129.88.11) and I'm attempting to use other public addresses as hosts."

              How are you going to use other public IPs behind your pfSense that is doing NAT?  Or even if NAT is off - not sure how you're going to connect to the internet via a public interface with private IPs - and how are you going to use other public IPs downstream if pfSense sees this network on its WAN?

              Unless we are just not connecting here - are you not only new to pfSense, but also to basic networking concepts?

              Ok we have this

              [Internet]->[Cisco 3550]-> [pfSense w/ static IP]-> [lots of switches]-> hosts

              which I assume is this

              [Internet]->[Cisco 3550]-> 64.129.88.11[pfSense w/ static IP]192.168.2.1-> [lots of switches]-> hosts

              so if that 64 network is the actual public internet and not some internal network where you're doing your own routing - it is impossible for you to use 192.168.x.x addresses and route through the public internet.  So pfSense needs to do NAT and change those 192.168.x.x addresses to pfSense's public IP of 64.129.88.11

              If we assume a /24 as the mask on the pfSense LAN network 192.168.2, and you have some 192.168.3 network connected somewhere on the LAN side of pfSense, then pfSense needs a ROUTE that points to a 192.168.2.? address that knows how to get to 192.168.3.0/? - be it your switches are layer 3 or some other routers?

              So pfSense sees 192.168 addresses on its LAN – you cannot just connect a 64.219.88 address on the LAN somewhere and expect this to work from the internet or to even talk to 192.168.2.1 (pfSense).  And even if you routed it from your LAN to the pfSense LAN - pfSense has a 64.219.88 network directly connected to it.. So why would it route out its LAN interface?

              So either we are not on the same page of what you're trying to accomplish - or we have a disconnect on your understanding of NAT and basic network segments and routing?

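Derelict's routing-table walkthrough and johnpoz's point that the route must point at a 192.168.2.x next hop, as an added example (not pfSense's own code and not from any poster): a small longest-prefix-match table loaded with the thread's addresses, showing why the 192.168.3.1/32 via WANGW entry changes nothing and what the correct entry looks like. It goes one step beyond the posts by also showing the downstream router's side. Assumed: the downstream router holds 192.168.2.254 on the pfSense LAN, and the interface names wan/lan/uplink.

```python
"""Longest-prefix-match routing as described in the thread, using its addresses.
Added example, not pfSense code.  Assumed: the downstream router holds
192.168.2.254 on the pfSense LAN and owns 192.168.3.0/24."""
from ipaddress import ip_address, ip_network


class Route:
    def __init__(self, prefix, iface, gateway=None):
        self.prefix = ip_network(prefix)
        self.iface = iface
        self.gateway = ip_address(gateway) if gateway else None  # None: connected


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_connected(self, prefix, iface):
        # pfSense adds these itself for every address its interfaces hold
        self.routes.append(Route(prefix, iface))

    def add_static(self, prefix, gateway, iface):
        # System -> Routing -> Routes: the gateway must sit on a connected
        # network, otherwise pfSense has no way to hand the packet to it
        gw = ip_address(gateway)
        if not any(r.gateway is None and gw in r.prefix for r in self.routes):
            raise ValueError(f"gateway {gw} is not on a connected network")
        self.routes.append(Route(prefix, iface, gateway))

    def add_default(self, gateway, iface):
        self.add_static("0.0.0.0/0", gateway, iface)

    def lookup(self, dst):
        """(next_hop, iface) for dst: most specific prefix wins, /0 is last resort."""
        dst = ip_address(dst)
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        return None if best is None else (str(best.gateway or dst), best.iface)


def pfsense_table():
    t = RoutingTable()
    t.add_connected("64.129.88.0/25", "wan")  # mask 255.255.255.128 per the thread
    t.add_connected("192.168.2.0/24", "lan")
    t.add_default("64.129.88.1", "wan")       # WANGW
    return t


def downstream_router_table():
    # The 192.168.3.x router needs its connected nets plus a default route
    # back to pfSense; it never needs to know about the public /25
    t = RoutingTable()
    t.add_connected("192.168.2.0/24", "uplink")
    t.add_connected("192.168.3.0/24", "lan")
    t.add_default("192.168.2.1", "uplink")
    return t


if __name__ == "__main__":
    pf = pfsense_table()
    # No route: 192.168.3.100 falls to the default and leaves via WAN, where
    # the ISP will never route an RFC 1918 destination
    print("no route:      ", pf.lookup("192.168.3.100"))
    # fritzintn's entry is accepted (its gateway is on WAN) but changes nothing
    pf.add_static("192.168.3.1/32", "64.129.88.1", "wan")
    print("via WANGW:     ", pf.lookup("192.168.3.1"))
    # The gateway must be the downstream router's 192.168.2.x side, not 192.168.3.1
    try:
        pf.add_static("192.168.3.0/24", "192.168.3.1", "lan")
    except ValueError as err:
        print("rejected:      ", err)
    pf.add_static("192.168.3.0/24", "192.168.2.254", "lan")
    print("correct route: ", pf.lookup("192.168.3.100"))
    print("downstream:    ", downstream_router_table().lookup("8.8.8.8"))
```

Note that once the bogus /32 entry exists it stays more specific than the correct /24, so 192.168.3.1 itself still leaves via WAN until that entry is deleted.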
                fritzintn
                last edited by Dec 16, 2013, 8:18 PM (posted Dec 16, 2013, 8:04 PM)

                Foremost, thanks for the help.  I'll throw some btc at the pfsense account later tonight.

                While not advised, the link below had suggested such a thing was possible (public and private IPs on the LAN interface):
                https://doc.pfsense.org/index.php/Can_I_have_public_and_private_IPs_on_my_LAN_interface%3F
                and http://serverfault.com/questions/269195/how-do-i-assign-a-public-ip-to-a-machine-behind-a-pfsense-box-using-11-nat

                So I was hunting for whatever black magic allows for such a thing to work.

                @johnpoz:

                "192.168.3.1/32    |  WANGW - 64.129.88.1  |  WAN

                How would your WAN GW be the route to get to other rfc1918 networks?

                My thought process was that the host (192.168.3.100, let's say) would query the gateway (192.168.3.1), which would be mapped by pfSense to 64.129.88.1.  This is obviously wrong, but that's the gist of what I was hoping for.

                Again, just grasping at straws based on the recommendation of the earlier poster to add a route.

                which I assume is this

                [Internet]->[Cisco 3550]-> 64.129.88.11[pfSense w/ static IP]192.168.2.1-> [lots of switches]-> hosts

                That's correct.

                So could I use another NIC as say LAN2 and place all my external IP hosts on that interface?

                  johnpoz LAYER 8 Global Moderator
                  last edited by Dec 16, 2013, 8:30 PM

                  You can assign any sort of address you want to an interface, or as per that doc use "IP alias"

                  You still run into routing issues and NAT, etc.

                  Here is the thing: do you own or can you use more IPs in this 64.129.88 address space?  Do you own – is this you?

                  NetRange:      64.128.0.0 - 64.129.255.255
                  OrgName:        tw telecom holdings, inc.
                  OrgId:          TWTC
                  Address:        10475 Park Meadows Drive
                  City:          Littleton
                  StateProv:      CO

                  If, let's say, you wanted to use 64.129.88.12.. How you would normally do it in your sort of setup, which I believe I am understanding correctly, is you would put that on your WAN interface as a VIP (IP alias).  And then you could either use a 1:1 NAT to some private IP -- say 192.168.2.12, or you could just do port forwarding for the ports you wanted 192.168.2.12 to be the server for when someone tried to access 64.129.88.12

                  Why do you want to use 64.129.88 addresses?  And have they been assigned to you from your ISP or do you own them, etc.?

                  Since you mention that .1 is your gateway, the smallest network mask that I could see where you have .11 would be /28, since if it was /29 your .11 address would be on a different subnet than .1

                  Some understanding of who gave you the 64.129.88 address and what its mask might be and how you know to put .11 on your pfSense WAN might help us understand your network more and help you accomplish what it is you're trying to accomplish.

                    fritzintn
                    last edited by Dec 16, 2013, 9:10 PM

                    @johnpoz:

                    Here is the thing do you own or can you use more IPs in this 64.129.88 address space?  Do you own – is this you?

                    NetRange:      64.128.0.0 - 64.129.255.255
                    OrgName:        tw telecom holdings, inc.

                    Yeah, we have 64.129.88.1 - 128

                    I'm wanting to assign a dozen of these to machines (and access points) so they are accessible from outside.  NAT 1:1 would be ideal.

                    to use 64.129.88.12.. you ….would put that on your WAN interface as a VIP (ip alias)  And then you could either use a 1:1 NAT to some private IP -- say 192.168.2.12

                    Correct !!

                    Why do you want to use 64.129.88 addresses?  And have they been assigned to you from your ISP

                    64.129.88.1 is the gateway address that was given by the ISP (tw telecom) along with the DNS servers.

                    Some understanding of who gave you the 64.129.88 address

                    I just inherited a spreadsheet :).  These were assigned by the ISP (tw telecom) though.

                    what its mask might be

                    subnet mask is 255.255.255.128

                    and how you know to put .11 on your pfsense WAN

                    This was the router that was used by the previous router (now deceased).  But there is no reason it can't be another free IP in the /25 (?) range listed above.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Dec 16, 2013, 9:46 PM

                      Ok so you have /25 – are there other devices/routers using address space in the 64.129.88.0/25 ?  A /25 is decent size - are you using many of these public IPs?

                      Is the .1 your device?  Ie the cisco you show in your drawing?  something like this

                      internet --- publicIP (cisco) 64.129.88.1 --- 64.129.88.11 (pfsense)

                      A 3350 is an older 10/100 layer 3 switch.. Seems like an odd device to be at the border?  How does your ISP connection come into your network -- so pfSense is going to be your edge/internet router?

                      I would not recommend allowing access to the AP from outside your network..

                      How many devices do you have behind pfSense?  Is the mask on your 192.168.2.? /24 or something larger?  You mention this 192.168.3 -- do you have more segments behind pfSense?  You mention lots of switches.. Are they layer 3 and you're doing routing internally between your other segments, or are you just one big 192.168.0.0/16 ?

                      Happy to help you out - the better I understand your network, the better I can help.  If you're not going to be using pfSense as the router for your other LAN segments, I would prob put its LAN on something other than 192.168 address space if all your space is currently that and pfSense is just going to be an edge router.

                      You end up with something like this

                      internet - 64.129.88.11 (pfsense) 172.16.0.1/30 --- 172.16.0.2/30 (router or L3 switch) 192.168.0.0/16 networks

                      This makes it easier in that pfSense only needs 1 route: 192.168.0.0/16 talks to 172.16.0.2.  When you use a segment that falls into the address space you're routing, you end up with more route entries ;)

                      Doing this does require manual outbound NAT entries though, since the network is not locally attached to pfSense.  But those are easier than multiple routes if you ask me and could be as simple as 192.168.0.0/16 as well.

                      If you want to host say a webserver or ftp or ssh or smtp, etc. these are just simple port forwards from your 64.129.88 address space, either all using just the one pfSense IP or adding more to the pfSense WAN, etc.

                      As to accessing anything that is not a public service - like your AP interfaces, etc.  I would really VPN in for that sort of access, which pfSense can handle as well.

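The WAN-side pieces johnpoz describes in the VIP/1:1 NAT post above and in this transit-network post (an IP alias VIP with 1:1 NAT, port forwards on the WAN IP, manual outbound NAT for 192.168.0.0/16 behind 172.16.0.2, and the /28 vs /29 reasoning about .1 and .11), modelled as an added example that is not pfSense code and not any poster's own. Assumed: inside hosts 192.168.2.12 and 192.168.2.10, the 172.16.0.0/30 transit link, and the port numbers.

```python
"""NAT and addressing checks for johnpoz's design: a /25 of public space on WAN,
a VIP with 1:1 NAT, port forwards on the WAN IP, and manual outbound NAT for the
192.168.0.0/16 networks behind a transit link.  Added example, not pfSense code.
Assumed: hosts 192.168.2.12 and 192.168.2.10, transit 172.16.0.0/30, the ports."""
from ipaddress import ip_address, ip_network


def smallest_shared_prefix(a, b):
    """Longest prefix length under which both addresses fall into one subnet
    (johnpoz: .1 and .11 share a /28 but not a /29)."""
    a, b = ip_address(a), ip_address(b)
    for plen in range(32, -1, -1):
        if ip_network(f"{a}/{plen}", strict=False) == ip_network(f"{b}/{plen}", strict=False):
            return plen


class Nat:
    def __init__(self):
        self.binat = {}     # public VIP -> inside host (1:1 NAT, both directions)
        self.forwards = {}  # (public ip, proto, port) -> (inside host, inside port)
        self.outbound = []  # (source network, public address to translate to)

    def add_vip_1to1(self, public, inside):
        self.binat[ip_address(public)] = ip_address(inside)

    def add_port_forward(self, public, proto, port, inside, inside_port=None):
        key = (ip_address(public), proto, port)
        self.forwards[key] = (ip_address(inside), inside_port or port)

    def add_outbound(self, source_net, public):
        self.outbound.append((ip_network(source_net), ip_address(public)))

    def inbound(self, dst, proto, port):
        """New connection arriving on WAN: 1:1 NAT first, then port forwards;
        anything else has no translation and the firewall drops it."""
        dst = ip_address(dst)
        if dst in self.binat:
            return (str(self.binat[dst]), port)
        hit = self.forwards.get((dst, proto, port))
        return (str(hit[0]), hit[1]) if hit else None

    def outbound_source(self, src):
        """Source address a packet leaves WAN with: the host's 1:1 mapping if it
        has one, else the first outbound rule whose network matches, else None."""
        src = ip_address(src)
        for public, inside in self.binat.items():
            if inside == src:
                return str(public)
        for net, public in self.outbound:
            if src in net:
                return str(public)
        return None


def thread_nat():
    n = Nat()
    n.add_vip_1to1("64.129.88.12", "192.168.2.12")  # IP alias VIP on WAN + 1:1 NAT
    n.add_port_forward("64.129.88.11", "tcp", 443, "192.168.2.10")  # web server
    # Transit design: 192.168.0.0/16 is not locally attached to pfSense, so the
    # outbound NAT entry has to be added by hand; one /16 rule covers it
    n.add_outbound("192.168.0.0/16", "64.129.88.11")
    n.add_outbound("172.16.0.0/30", "64.129.88.11")
    return n


if __name__ == "__main__":
    print("/%d" % smallest_shared_prefix("64.129.88.1", "64.129.88.11"))
    n = thread_nat()
    print(n.inbound("64.129.88.12", "tcp", 22))   # 1:1 NAT translates every port
    print(n.inbound("64.129.88.11", "tcp", 443))  # forwarded to the web server
    print(n.inbound("64.129.88.11", "tcp", 80))   # no forward: nothing inside exposed
    print(n.outbound_source("192.168.7.9"))       # host behind the L3 switch
```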
                        fritzintn
                        last edited by Dec 16, 2013, 10:17 PM (posted Dec 16, 2013, 10:15 PM)

                        @johnpoz:

                        are there other devices/routers using address space in the 64.129.88.0/25? are you using many of these public IPs?

                        About 40 or so should be in use, but since the pfSense switchover yesterday - everyone's back on DHCP :).

                        Is the .1 your device?  Ie the cisco you show in your drawing?  something like this

                        internet --- publicIP (cisco) 64.129.88.1 --- 64.129.88.11 (pfsense)

                        A 3350 is an older 10/100 layer 3 switch.. Seems like an odd device to be at the border?  How does your ISP connection come into your network -- so pfSense is going to be your edge/internet router?

                        It was installed by the ISP in the telecom DMARC room and splits our fiber feed between another customer.

                        fiber cable -> breakout box -> fiber SC input on 3350 -> ethernet cable out of port 1 runs to our server room and then to pfSense's WAN interface.

                        wan[pfsense]lan0 -> dlink layer 3 switches
                                              lan1 -> switch for IP cameras
                                              lan2 -> unused but can allocate more switches
                                              lan3 -> unused but can allocate more switches

                        I would not recommend allowing access to AP from outside your network..

                        Agreed, but for now we'll use the AP's built in firewall to block things until we get a list of services and properly block them on the pfSense side.

                        How many devices do you have behind pfsense?

                        We have 4x 24 port D-Link DGS1210 switches about half full.

                        These feed to offices where small linksys routers provide wifi and such.  It's these small routers/ap's that we'd like to have external IPs as each few ports correspond to a physical leased officespace.

                        Is the mask on your 192.168.2.?/24 or something larger?

                        Yeah, 192.168.2.1-255 to supply the 4 24port switches mentioned above.

                        You mention this 192.168.3 – do you have more segments behind pfsense?

                        This 192.168.3.* will be used as a DMZ of sorts (for IP cameras and other stuff that should be off the main network).  Our pfSense box has 5 NICs in total should these need their own interface.

                        You mention lots of switches.. Are they layer 3 and you're doing routing internally between your other segments, or are you just one big 192.168.0.0/16 ?

                        They are D-Link DGS-1210-24s and support Layer 3.  They are just acting as dumb switches for the time being, but we'd like to use some advanced features in the future.  Ideally VLAN'ing or subnetting per port as these run to leased offices for other folks.  We just provide a WAN connection.

                        Happy to help you out - the better I understand your network, the better I can help.

                        Again, many thanks.

                        If you're not going to be using pfSense as the router for your other LAN segments, I would prob put its LAN on something other than 192.168 address space if all your space is currently that and pfSense is just going to be an edge router.

                        You end up with something like this

                        internet - 64.129.88.11 (pfsense) 172.16.0.1/30 --- 172.16.0.2/30 (router or L3 switch) 192.168.0.0/16 networks

                        This makes it easier in that pfSense only needs 1 route: 192.168.0.0/16 talks to 172.16.0.2.  When you use a segment that falls into the address space you're routing, you end up with more route entries ;)

                        Doing this does require manual outbound NAT entries though, since the network is not locally attached to pfSense.  But those are easier than multiple routes if you ask me and could be as simple as 192.168.0.0/16 as well.

                        If you want to host say a webserver or ftp or ssh or smtp, etc. these are just simple port forwards from your 64.129.88 address space, either all using just the one pfSense IP or adding more to the pfSense WAN, etc.

                        As to accessing anything that is not a public service - like your AP interfaces, etc.  I would really VPN in for that sort of access, which pfSense can handle as well.

                        I think static routes was what I was going for.  ie one route for DHCP'd hosts, one route for a downstream router's gateway, etc.

                        But at this point anything that gets static IPs working is welcome….

                          mikeisfly
                          last edited by Dec 20, 2013, 11:53 AM (posted Dec 20, 2013, 11:45 AM)

                          I think I see your problem which johnpoz has correctly identified. I'm a visual person so allow me to present a diagram of what I think you have going on:

                          I have presented you with two options A or B.

                          Option A:

                          Just connect your new PfSense box to your Cisco 3550 and you would need to use NAT on that box to get your clients out on the Internet. The two networks 192.168.2.1 and 192.168.3.1 would not be able to communicate unless you set up a site to site vpn between the both.

                          Option B:

                          This is what I think you have going on; the key here is that your second pfSense box or router needs to have an IP in the address space of your pfSense (firewall) box so that the two can communicate. Now once you have done that you will either need to run a routing protocol between the two so they can exchange routes, I would suggest RIPv2 because it is easy to configure and it doesn't take a lot of processing power, but there are other options as well like OSPF. If you didn't want to run a routing protocol then you would have to set up static routes on both routers so they know how to send traffic to each other.

                          P.S.

                          If I had to guess why the 3550 is there, it would be so that you can connect all your gear to it if you wanted them to have a public IP address, which is nice because otherwise you would have to buy one on your own. It also gives your ISP a way to check for connectivity in case there is an issue, so they can determine whether it is something on your end or their end.

                            mikeisfly
                            last edited by Dec 20, 2013, 12:36 PM

                            One last thing which is very important and johnpoz mentioned it: you would need to put a default route (0.0.0.0/0) on your second pfSense box pointing back to the first pfSense box that is doing the NATting. In Cisco there is a way to distribute a default route using a dynamic routing protocol like RIP or OSPF; I have not looked into that much with pfSense. If there is no way to distribute the default route automatically then just add it statically and you should be good to go.
