Netgate Discussion Forum

    How to add a second WAN subnet to a single NIC (for dummies)

    Routing and Multi WAN
    rogerivy

      Can anyone point me to info on what to change on a pfSense device for a 2nd subnet on a single interface?

      I get the impression this is "very basic" knowledge, and it's assumed that everyone knows exactly what to do (except for me)

      My colo provider has allocated a /29 subnet to me of which I can use 3 IP addresses (for some reason they need to use the others). I've tried setting the three IPs as various forms of VIPs but that doesn't work. I've connected a Windows laptop directly to the cable, that works.

      I have a single WAN NIC as shown in the diagram. Two incoming cables from my colo provider come into a vLan capable switch, to which my pfSense device is connected.

      These are the 3 addresses I can use: 185.64.95.12 - 185.64.95.14

      These are the things I don't know:
      Do I have to add a 2nd WAN to my existing NIC?
      How do I configure routing?
      What kind of VIP do I create?

    Derelict (LAYER 8 Netgate)

        Hmm.  Did you need/want the extra circuit or did you just want more IPs?  If you don't need another circuit they could just route a /29 to you and you could use all the IPs.  Or assign it to another interface and use 5 of them.

        Just so you know, they assign a /29 giving 6 IPs to use.  This lets them use 3 for HSRP/VRRP/CARP and gives you three to do the same.

        Create two VLANs on the switch.  We'll say VLAN 28 (for the /28) and VLAN 29 (for the /29).

        Create a switchport for VLAN 29 untagged.  Plug the new /29 circuit into it.

        Create a switchport untagged 28 and leave it empty.  This is where you will move the old circuit when you're ready to swing traffic to the VLAN.

        Create a switchport tagged with 28 and 29.  Leave it empty.  This is where you will move the pfSense WAN when you're ready to swing traffic to the VLANs.

        Create two VLANs on the WAN interface  (em0, re1, whatever it is) on pfSense: 28 & 29.

        We'll leave the existing circuit alone for now.  It should continue to function.

        Create a new interface OPTX.  Assign it to "VLAN 29 on WAN interface".

        Edit the interface.  Rename it if desired.  Set the IP address to 185.64.95.12 netmask 29.

        Create a gateway for address (presumably - they should have told you what address to use as the gateway) 185.64.95.9.  Do not set it as the default gateway.

        Hopefully none of that freaks pfSense out.  It shouldn't, but I've had pretty squirrelly things happen when you start mucking around with interfaces.  But it's been pretty good since 2.1.0 I think.

        Now it's time to get disruptive.  Log into pfSense from the LAN.

        Assign your existing WAN interface to "VLAN 28 on WAN interface" and apply.  This will stop all traffic.

        Move the old datacenter circuit to the UNTAGGED VLAN 28 port.

        Move pfSense WAN to the port with TAGGED VLANs 28 and 29.

        And you should be done.

        You can then create VIPs for .13 and .14 on the new WAN interface.

        You can do things like simply change the VLAN on the old circuit to 28 instead of patching to a new port.  You could also change the switchport connected to pfSense from untagged 1 to tagged 28 + 29 instead of moving the patch.  I'd do that kind of work from a serial console when mucking around with WAN unless you know you have a good management VLAN to get at it with.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
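The address plan in the answer above (a /29 with the provider keeping three addresses, a gateway that must not become the default, and the extra addresses as VIPs on a tagged VLAN) is easy to get wrong before any cable is moved. The following is an added example, not code from the thread or from pfSense: a small Python planner that checks such a plan and prints the FreeBSD commands that correspond to the GUI steps (VLAN sub-interface, primary address, IP-alias VIPs). The class and field names are my own; the subnet 185.64.95.8/29 and gateway .9 are assumed from the addresses in the thread; the pf `reply-to` rule at the end is one illustrative rule showing how replies are steered back out the new WAN instead of the default gateway.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SecondWanPlan:
    """Address plan for an extra WAN circuit delivered on a tagged VLAN.

    Field names are mine (hypothetical); pfSense configures all of this in the GUI.
    """
    parent_if: str                 # physical WAN NIC, e.g. "em0"
    vlan_id: int                   # 802.1Q tag carrying the new circuit
    subnet: str                    # provider's allocation, e.g. "185.64.95.8/29" (assumed)
    gateway: str                   # provider's gateway inside that subnet (assumed .9)
    primary: str                   # address given to the VLAN interface itself
    vips: list = field(default_factory=list)   # further addresses, added as IP aliases

    def _network(self):
        # strict=True rejects "185.64.95.12/29": a host address is not a network address
        return ipaddress.ip_network(self.subnet, strict=True)

    def our_addresses(self):
        return [ipaddress.ip_address(a) for a in [self.primary, *self.vips]]

    def validate(self):
        """Return human-readable problems; an empty list means the plan is usable."""
        problems = []
        if not 1 <= self.vlan_id <= 4094:
            problems.append(f"VLAN id {self.vlan_id} is outside 1-4094")
        try:
            net = self._network()
        except ValueError as exc:
            return problems + [f"subnet {self.subnet!r} is not a network address: {exc}"]
        usable = set(net.hosts())               # network and broadcast excluded
        gw = ipaddress.ip_address(self.gateway)
        if gw not in usable:
            problems.append(f"gateway {gw} is not a usable host in {net}")
        seen = set()
        for a in self.our_addresses():
            if a not in usable:
                problems.append(f"{a} is not a usable host in {net}")
            if a == gw:
                problems.append(f"{a} collides with the gateway")
            if a in seen:
                problems.append(f"{a} listed twice")
            seen.add(a)
        return problems

    def provider_addresses(self):
        """Usable hosts we do not own: the gateway plus the provider's redundancy addresses."""
        ours = set(self.our_addresses())
        return [str(h) for h in self._network().hosts() if h not in ours]

    def freebsd_commands(self):
        """FreeBSD equivalents of the GUI steps: VLAN sub-interface, address, aliases."""
        net = self._network()
        vif = f"{self.parent_if}.{self.vlan_id}"
        cmds = [
            f"ifconfig {vif} create vlan {self.vlan_id} vlandev {self.parent_if}",
            f"ifconfig {vif} inet {self.primary}/{net.prefixlen} up",
        ]
        # Each VIP is an IP alias on the same VLAN interface (a /32 alias in the same subnet)
        cmds += [f"ifconfig {vif} inet {v}/32 alias" for v in self.vips]
        # Deliberately no "route add default": the new gateway stays a non-default gateway.
        # Traffic that arrived on this WAN is answered through it with pf's reply-to;
        # one illustrative rule (pfSense generates the real ones from the GUI rules).
        cmds.append(
            f"# pf: pass in quick on {vif} reply-to ({vif} {self.gateway}) "
            f"inet proto tcp from any to {self.primary} port 443"
        )
        return cmds


if __name__ == "__main__":
    plan = SecondWanPlan("em0", 29, "185.64.95.8/29", "185.64.95.9",
                         "185.64.95.12", ["185.64.95.13", "185.64.95.14"])
    print("problems:", plan.validate() or "none")
    print("provider keeps:", plan.provider_addresses())
    print("\n".join(plan.freebsd_commands()))
```

With the thread's addresses the planner reports no problems, lists .9, .10 and .11 as the provider's three addresses (matching the HSRP/VRRP/CARP explanation above), and rejects the common mistakes of entering your own address with the /29 as the "subnet" or choosing a gateway outside the block.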

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.