ISP only provides /30 Network - Can't get IP Alias to work as expected



  • I am sure I am missing something very obvious, but my head is hurting from banging it against the wall for extended periods of time.

    I am unable to get my VIPs working using pfSense 2.1.3.

    Here is what does work: (IPs are not real, but the networks are basically the same)
    Gateway IP:  123.123.123.0/24
    VIP #1:        123.123.123.10/32
    VIP #2:        123.123.123.20/32
    VIP #3:        123.123.123.30/32

    However, the following does not work:
    Gateway IP:  100.100.100.100/30
    VIP #1:        123.123.123.10/32
    VIP #2:        123.123.123.20/32
    VIP #3:        123.123.123.30/32

    Basically, when the VIPs (IP Alias) are outside of the gateway network - I can't get the VIPs to work as desired.

    The following is listed as rules for IP Alias in version 2.0 or later:
    ....
    Can be in a different subnet than the real interface IP.
    ....
    Subnet mask should match the interface IP, or be /32. Matching the interface subnet is advised. For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet.
    ....

    My ISP will only give me a connection using a /30 network outside of the /24 network I own.  So I have to be able to configure my pfSense firewall with a /30 gateway and VIPs within my /24 network.

    It seems like this should be possible since the instructions say my IP Alias "Can be in a different subnet than the real interface IP..."

    It says the "..Subnet mask should match the Interface IP, or be /32.  Matching the interface subnet is advised..."  I can't match the subnet mask since my ISP forces me to connect using a /30 network, but I am using an IP Alias with a /32 mask - so I think I am in line with the instructions.

    I don't understand the statement "...For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet..."  What is this telling me?  Is it saying that if I have a Gateway IP of 100.100.100.100/30 - I need to have at least one IP alias VIP with a /30 mask?

    So - do I need to configure something like this?

    Gateway IP:  100.100.100.100/30
    VIP #1:        123.123.123.10/30
    VIP #2:        (I can't use 123.123.123.20 because that IP can't be configured with a /30 mask - so do I use 123.123.123.20/32?)
    VIP #3:        123.123.123.30/30
    Note:  My ISP would be routing my 123.123.123.0/24 network to me via the Gateway IP of 100.100.100.100/30

    I have tried similar configurations as above with no success and it doesn't seem to make sense to me - so I am seeking some guidance/advice to tell me if I'm on the right track or completely out in left field.

    Any assistance/thoughts would be greatly appreciated.

    Thanks



  • My ISP will only give me a connection using a /30 network outside of the /24 network I own.  So I have to be able to configure my pfSense firewall with a /30 gateway and VIPs within my /24 network.

    Maybe you got that wrong?
    It would make no sense. Maybe your ISP wants you to route all your outgoing traffic just over one gateway that is part of a /30 subnet. That would work.

    So set the default gateway to 100.100.100.100/30 and assign your WAN interface the other IP in this subnet with /30 mask.
    Add all other networks as IP Alias with their real /24 mask.

    I don't understand the statement "…For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet..."  What is this telling me?

    In your example, you have 4 different subnets on a single interface: the one your gateway is part of (/30) and VIP #1-3 (/24). You may also add each single IP from your /24 subnet as a VIP in pfSense with a /32 mask, but once for each subnet you have to set the correct mask, so that pfSense knows the real network structure.

    Is it saying that if I have a Gateway IP of 100.100.100.100/30 - I need to have at least one IP alias VIP with a /30 mask?

    This can be the real interface IP as I suggested above, or a VIP, but the mask you have set for the gateway and the IP must match.
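    To make the rule from the answer above concrete, here is a small added Python check (my own illustration, not pfSense code and not the poster's configuration) that models it: an alias with a /32 mask is only usable if the interface itself or some other alias already defines the subnet that address lives in. The addresses are constructed to mirror the thread: the ISP side of the /30 is assumed to be 100.100.100.101, the pfSense WAN takes 100.100.100.102/30, and the customer's 123.123.123.0/24 is routed to that WAN address. It also includes a toy longest-prefix lookup showing how the ISP router picks the /30 next hop for the /24, which is what makes the "different subnet" setup work at all.

```python
import ipaddress

# Constructed sample values modelled on the thread (not the poster's real addresses):
# the ISP hands out a /30 transit link and routes the customer's own /24 to the
# customer's side of that link.
ISP_GATEWAY = "100.100.100.101"          # assumed ISP side of the /30
WAN_INTERFACE = "100.100.100.102/30"     # pfSense WAN, the other host address in the /30
ROUTED_BLOCK = "123.123.123.0/24"        # the customer's own block

FAILING_VIPS = ["123.123.123.10/32", "123.123.123.20/32", "123.123.123.30/32"]
WORKING_VIPS = ["123.123.123.10/24", "123.123.123.20/24", "123.123.123.30/24"]
# One alias carries the real mask, the rest may then be /32 host entries.
MIXED_VIPS = ["123.123.123.10/24", "123.123.123.20/32", "123.123.123.30/32"]


def defined_subnets(interface, vips):
    """Subnets the firewall actually knows about: the interface's own subnet plus
    every IP alias that carries a real (non-host) mask."""
    nets = [ipaddress.ip_interface(interface).network]
    for vip in vips:
        alias = ipaddress.ip_interface(vip)
        if alias.network.prefixlen < alias.max_prefixlen:
            nets.append(alias.network)
    return nets


def check_vips(interface, vips):
    """Apply the documented rule: a /32 alias is fine only if some interface or
    alias already defines the subnet it lives in. Returns {vip: verdict}."""
    nets = defined_subnets(interface, vips)
    verdicts = {}
    for vip in vips:
        alias = ipaddress.ip_interface(vip)
        if alias.network.prefixlen < alias.max_prefixlen:
            verdicts[vip] = "ok: defines subnet %s" % alias.network
        elif any(alias.ip in net for net in nets):
            verdicts[vip] = "ok: host address inside a defined subnet"
        else:
            verdicts[vip] = "invalid: no interface or alias defines a subnet containing this address"
    return verdicts


def config_is_valid(interface, vips):
    """True when every alias passes the rule above."""
    return all(v.startswith("ok") for v in check_vips(interface, vips).values())


def isp_next_hop(destination, routes):
    """Longest-prefix match, the way the ISP's router picks the next hop for a
    packet bound for the customer's block. routes is a list of (prefix, via)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Constructed ISP routing table: the /24 is sent to the customer's end of the /30.
ISP_ROUTES = [
    ("0.0.0.0/0", "upstream"),
    (ROUTED_BLOCK, WAN_INTERFACE.split("/")[0]),
]

if __name__ == "__main__":
    for name, vips in (("failing", FAILING_VIPS), ("working", WORKING_VIPS), ("mixed", MIXED_VIPS)):
        print(name, "config valid:", config_is_valid(WAN_INTERFACE, vips))
        for vip, verdict in check_vips(WAN_INTERFACE, vips).items():
            print("   ", vip, "->", verdict)
    print("ISP forwards 123.123.123.20 via", isp_next_hop("123.123.123.20", ISP_ROUTES))
```

    Running it reports the all-/32 list as invalid (no interface or alias tells the firewall about 123.123.123.0/24), while both the all-/24 list and the list with a single /24 alias plus /32 host entries pass, which is exactly the "at least one alias must have the correct mask" wording from the documentation.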



  • Viragomann - I appreciate your quick response.  "…Add all other networks as IP Alias with their real /24 mask..." did the trick.  I was trying to add them with a /32 mask, which was not working.  Again - Thanks.