Configuration for Non-NAT ADSL with Subnet
-
I have a pfSense system connected to an ADSL modem. I have a statically assigned subnet. I have configured the LAN interface with the assigned subnet e.g. 123.123.123.6/29. Usable addresses are .1-.6
The WAN interface is configured using PPPoE and is given the address 123.123.123.6 by the ISP.
This means that the LAN and WAN ports have the same IP. I would prefer that I set the WAN to "unnumbered", but don't seem to be able to do this.
This configuration has worked for years in multiple locations, but now I have been told that this configuration is wrong.
How should I configure pfSense in this case, without eating up another IP address?
-
One way to do this is using VIPs and NATing to a private subnet. For example:
https://forum.pfsense.org/index.php/topic,59573.0.html
However I get the impression you want the real public IPs on your clients though?
You could bridge the connection if it were DHCP or static but you can't do that with PPP. (Has this changed in 2.2?)
It's also common for your ISP to assign you a dynamic IP to the WAN outside your static range. Then you can just route to the range on an internal subnet.
Steve
-
I do need to use the IPs I have been assigned. None of the ISPs I have used assign an "Extra" IP outside the range.
-
I don't understand the issue? Configure one IP as static on WAN, the rest of the usable range as virtual IPs and use those virtual IPs for whatever you need. Why on earth should WAN be a subnet of LAN?
-
That's unusual, but should work because it isn't an overlap in the case of PPPoE. The PPPoE-assigned IP is a /32, point to point connection. The remainder of the public subnet can be configured on LAN as the /29. You just won't be able to assign the PPPoE-assigned IP on LAN.
-
So if I am assigned 1.2.3.0/29 I would have the WAN as 1.2.3.6/32 and the LAN as 1.2.3.5/29, with the hosts on 1.2.3.1-1.2.3.4?
That does mean that the WAN is in the LAN subnet, even though it is a /32.
Here in the UK we always, in my experience, just get a /29 or /28 block with one address in that block set automatically by the PPPoE connection. What would be "usual"?
-
Who is your ISP? Which product are they providing?
I have seen similar setups from BT Business DSL but using a dynamic IP on the WAN. Easy to work with if you use the supplied 'Business Hub' but required some trial and error to get going with pfSense if I recall correctly.
Steve
-
This one is Zen Active. It doesn't present a problem with £50 off the shelf routers: they handle the "unnumbered" part just fine. They use only one IP up that way.
-
So reading through, for example, this: http://support.zen.co.uk/kb/Knowledgebase/Broadband-Technicolor-TG-582-Routed-IP-Setup
It looks like you use one IP for the WAN address and all the others are available for LAN side clients? There is no requirement to use one address on the LAN interface. Is that correct?
Steve
-
That's basically right. But obviously the hosts need an IP to reach the router on. Are you thinking of bridging the interfaces?
-
I'm just trying to understand how Zen are doing it without using up any of your allocated addresses. What do you mean by 'unnumbered'? No IP? How is anything supposed to talk to it in that case?
Steve
-
This seems more like what I'd expect: http://support.zen.co.uk/kb/Knowledgebase/Netgear-DG-834-Series-Routed-IP
The WAN address is dynamic which allows the /29 to be assigned to the LAN.
Steve
-
This seems more like what I'd expect: http://support.zen.co.uk/kb/Knowledgebase/Netgear-DG-834-Series-Routed-IP
The WAN address is dynamic which allows the /29 to be assigned to the LAN. Steve
Yes, but the IP you actually receive is the last one in the /29 subnet.
The WAN link doesn't need an IP as it is Point-to-Point.
The DG834 copes with this just fine. pfSense doesn't, sadly.
-
Hmm, this is interesting. So the DG834 receives an IP on its WAN or not? Even though it's set to.
What does pfSense receive on its WAN in that setup? It wouldn't surprise me to find that this is one of those times when FreeBSD sticks strictly to the rules while Linux bends them slightly to accommodate this situation.
Steve
-
Some hours later and I see exactly what you mean by unnumbered. (Thanks Dave on the off-chance you ever read this!)
At least one other user seems to have achieved this by bridging the WAN and LAN but it was a much older version of pfSense. Also it looks like a bit of a workaround. Did you try what Chris suggested earlier?
https://forum.pfsense.org/index.php?topic=8990.msg50841#msg50841
Steve
Steve
-
So if I am assigned 1.2.3.0/29 I would have the WAN as 1.2.3.6/32 and the LAN as 1.2.3.5/29, with the hosts on 1.2.3.1-1.2.3.4?
That does mean that the WAN is in the LAN subnet, even though it is a /32.
It's not equal though, with the WAN being only /32, it should be fine.
Here in the UK we always, in my experience, just get a /29 or /28 block with one address in that block set automatically by the PPPoE connection. What would be "usual"?
The typical scenario with business class DSL in the US and most other places seems to be getting an IP assigned via PPPoE, and having the static subnet routed to that dynamically-assigned PPPoE IP. Sometimes, like with my AT&T Uverse at home, the modem must do the PPPoE and then my static /29 can either be assigned LAN-side of the modem, or routed to something with a private IP on the LAN.
It'd be nice to have unnumbered support at some point, not sure offhand if that's possible in mpd and FreeBSD.
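
Added example, not part of any post in this thread: a small Python check of the addressing plan discussed above, using the thread's 1.2.3.0/29 illustration. The function name `plan_routed_block` and the returned field names are hypothetical. It flags the one case the thread says will not work, putting the PPPoE-assigned address on the LAN interface as well.

```python
import ipaddress


def plan_routed_block(block, pppoe_ip, lan_ip):
    """Lay out a routed public block where PPPoE hands out one address
    from inside the block as a /32 and the LAN carries the full prefix."""
    net = ipaddress.ip_network(block, strict=True)
    wan = ipaddress.ip_address(pppoe_ip)
    lan = ipaddress.ip_address(lan_ip)
    usable = list(net.hosts())  # excludes network and broadcast addresses

    problems = []
    if wan not in usable:
        problems.append(f"PPPoE address {wan} is not a usable address in {net}")
    if lan not in usable:
        problems.append(f"LAN address {lan} is not a usable address in {net}")
    if lan == wan:
        # Per the thread: the PPPoE-assigned IP cannot also be assigned on LAN.
        problems.append(f"LAN interface reuses the PPPoE-assigned address {wan}")

    return {
        "wan": f"{wan}/32",                 # point-to-point, so a /32
        "lan": f"{lan}/{net.prefixlen}",    # LAN keeps the block's prefix
        "hosts": [str(a) for a in usable if a not in (wan, lan)],
        "wan_inside_lan_subnet": wan in net,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed inputs based on the 1.2.3.0/29 illustration in the thread.
    for lan_ip in ("1.2.3.5", "1.2.3.6"):
        plan = plan_routed_block("1.2.3.0/29", "1.2.3.6", lan_ip)
        print(f"WAN {plan['wan']}  LAN {plan['lan']}  hosts {plan['hosts']}")
        for p in plan["problems"]:
            print("  problem:", p)
```
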