WAN IP is on different subnet than default Gateway



  • WAN IP is on different subnet than default Gateway

    I have one pfSense (2.1.5-RELEASE (i386)) installed in an ISP (MEO in Portugal) where the default gateway is not on same subnet - WAN (dynamic) IP is in 85.xxx.xxx.xxx range, and default Gateway is 194.65.169.245. WAN interface name is bge0.

    To be able to access Internet, I have installed package Shellcmd to run the folowing commnands on reboot:
    (thanks -> http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet)

    • route add -net 194.65.169.245/32 -iface bge0
    • route add default 194.65.169.245

    … but when my WAN IP changes, I lose internet connection - to solve this problem, I created the bellow script and installed another package, Cron, to be able to manage my custom script shedule.


    **#!/bin/tcsh -f

    Script name - my_rewrite_routes.sh

    used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP

    run with Cron

    2.1.5-RELEASE (i386)

    built on Mon Aug 25 07:44:26 EDT 2014

    FreeBSD 8.3-RELEASE-p16

    created DEZ 2014

    Jose Luis - jluis144@hotmail.com

    set myDATE=date

    get current WAN IP

    set myNEWWANIP=ifconfig bge0 | grep "inet "
    set myNEWWANIP= ( $myNEWWANIP )

    get last WAN IP

    set myLASTWANIP=cat /tmp/mylastwanip.txt

    if ( "$myNEWWANIP[2]" == "$myLASTWANIP" ) then

    echo "Same IP - nothing done."

    else

    Update Routes

    route add -net 194.65.169.245/32 -iface bge0
    route add default 194.65.169.245

    update current IP helper file

    echo "$myNEWWANIP[2]" > /tmp/mylastwanip.txt

    update log file

    echo "$myDATE - $myNEWWANIP[2]" >> /tmp/mylastwanip_log.txt

    echo "Different IP - rewriting Routes"

    endif**
    –--------------------------------------------------------------------

    so, i'd like to:

    • know if there is a better way to solve this?
    • because I'm a noob respecting to scripting, could someone improve this script?
    • I have placed this script in /usr/local/bin - is this correct, or is there a better place?
    • any other comments...

    Thanks in advance,
    Jose Luis



  • @thept:

    • route add -net 194.65.169.245/32 -iface bge0

    This can be done using GUI. 1. Add a new gateway in the "System->Routing->Gateways":

    Interface: WAN
    Name: Name
    Gateway: leave blank
    Default Gateway: no
    Disable Gateway Monitoring: yes

    2. Add static route in the "System->Routing->Routes":

    Destination network: 194.65.169.245/32
    Gateway: Name



  • Hello,
    Thanks for your answer.

    I have tried your approach with a slight difference - I have marked the Default Gateway box (I assumed that should be one Default Gateway).

    With the Default Gateway box marked, when my WAN IP changes, everyone loses Internet connection, even a reboot does not restore connection.

    Because this is a production machine, I'm not able to easily test your approach, but when I can, I will post the results.

    Anyway, my solution is working, but because my scripting skills are not the best, I know that the script could be improved…

    Jose Luis



  • Sorry, I meant that "route add -net 194.65.169.245/32 -iface bge0" can be done via GUI. After steps 1, 2 you still need to add default gateway using script (route add default 194.65.169.245).



  • Well,

    someone have rewrited the script (my brother …), so a better and cleaner version will be:

    **–--------------------------------------------------------------------
    #!/bin/sh

    Script name - my_rewrite_routes.sh

    DEZ 2014 - Jose Luis - jluis144@hotmail.com

    used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP

    run with Cron

    2.1.5-RELEASE (i386)

    built on Mon Aug 25 07:44:26 EDT 2014

    FreeBSD 8.3-RELEASE-p16

    myDATE=date

    Get current WAN IP

    myNEWWANIP=/sbin/ifconfig bge0 | grep "inet " | awk '{print $2}'

    Get last WAN IP

    read myLASTWANIP < /tmp/.mylastwanip.txt

    echo "myNEWWANIP : $myNEWWANIP"
    echo "myLASTWANIP : $myLASTWANIP"

    if [ "$myNEWWANIP" != "$myLASTWANIP" ]
    then

    Update Routes

    #route add -net 194.65.169.245/32 -iface bge0
    #route add default 194.65.169.245

    Update current IP helper file / Update log file

    echo "$myNEWWANIP" > /tmp/.mylastwanip.txt
    echo "$myDATE - $myNEWWANIP" >> /tmp/.mylastwanip_log.txt
    fi
    –--------------------------------------------------------------------**



  • Hello,

    I just have started installing pfSense on a provider here in Germany (Webtropia) with the same setup (it seems that way anyway):
    I have an IP address for pfSense (213.XXX.XXX.40/32) but the Gateway is 193.XXX.XXX.1.

    Reading this (and some other) thread I have found out how to get the system to give me access to the WebGUI using the WAN IP (213.XXX.XXX.40) using the shell commands in the previous posts in this thread.
    Using the WebGui, I have then configured the WAN to use 213.XXX.XXX.40 (using the /32 notation which is not possible when you only have shell access) and have given the same IP (213.XXX.XXX.40) as the gateway IP.

    But: nothing works (nor inbound or outbound connection) :-(
    Current "solution": run "pfctl -d", then I have access from the pfSense shell outbound (I can e.g. ping google) and I can access the WebGUI from external using the WAN IP (213.XXX.XXX.40).

    And here comes my question:
    What is the last "step" which I am missing to get the firewall let my data through?
    I have already rules for the firewall so that LAN has access to "everything" and WAN Port 443 to "Firewall (itself)" but unless I disable the firewall using "pfctl -d" I have no outbound/inbound
    connection :-(

    Hopefully somebody can help me to solve this final part :-)

    Thanks a lot for your help!

    Best regards,

    Christian



  • Sorry for necroing an old thread, but I had this exact problem and after trying a little bit of everything without luck, I stumbled onto a solution.

    System, Gateways, Edit your WAN gateway, click advanced and checkmark the "Use non-local gateway" at the bottom.



  • Ah great thanks! :)

    That might come in handy in the future  :D

    Best regards,

    Chris



  • @CryoGenID:

    … I can access the WebGUI from external using the WAN IP ...

    Not the best of ideas. Use a VPN to tunnel into your network and access the GUI via its Lan interface there.
    Having the UI open to the internet is quite dangerous. Remember to only do this via HTTPS, never with HTTP.



  • Of course ;-)

    But you need to access it for a short time via WAN to complete the configuration and then pfSense is only accessible via openVPN ;-)

    Best regards,

    Chris



  • Huh, why do you need to access it via its WAN interface for configuration?
    Thats usually done via Lan. Only.



  • In order not to flood this thread with unreladed information just a brief explanation:
    When you order their root server, you only get one public IP. You have to quickly install ESXi using the WAN IP, then install pfSense, switch ESXi over to a local IP and then use the public IP for the basic configuration of pfSense until openVPN works correctly.
    Then you can switch pfSense back to the private IP and everything is secure again :)

    Best regards,

    Chris