WAN IP is on different subnet than default Gateway
-
WAN IP is on different subnet than default Gateway
I have one pfSense (2.1.5-RELEASE (i386)) installed in an ISP (MEO in Portugal) where the default gateway is not on same subnet - WAN (dynamic) IP is in 85.xxx.xxx.xxx range, and default Gateway is 194.65.169.245. WAN interface name is bge0.
To be able to access Internet, I have installed package Shellcmd to run the folowing commnands on reboot:
(thanks -> http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet)- route add -net 194.65.169.245/32 -iface bge0
- route add default 194.65.169.245
… but when my WAN IP changes, I lose internet connection - to solve this problem, I created the bellow script and installed another package, Cron, to be able to manage my custom script shedule.
**#!/bin/tcsh -f
Script name - my_rewrite_routes.sh
used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP
run with Cron
2.1.5-RELEASE (i386)
built on Mon Aug 25 07:44:26 EDT 2014
FreeBSD 8.3-RELEASE-p16
created DEZ 2014
Jose Luis - jluis144@hotmail.com
set myDATE=
dateget current WAN IP
set myNEWWANIP=
ifconfig bge0 | grep "inet "
set myNEWWANIP= ( $myNEWWANIP )get last WAN IP
set myLASTWANIP=
cat /tmp/mylastwanip.txtif ( "$myNEWWANIP[2]" == "$myLASTWANIP" ) then
echo "Same IP - nothing done."
else
Update Routes
route add -net 194.65.169.245/32 -iface bge0
route add default 194.65.169.245update current IP helper file
echo "$myNEWWANIP[2]" > /tmp/mylastwanip.txt
update log file
echo "$myDATE - $myNEWWANIP[2]" >> /tmp/mylastwanip_log.txt
echo "Different IP - rewriting Routes"
endif**
–--------------------------------------------------------------------so, i'd like to:
- know if there is a better way to solve this?
- because I'm a noob respecting to scripting, could someone improve this script?
- I have placed this script in /usr/local/bin - is this correct, or is there a better place?
- any other comments...
Thanks in advance,
Jose Luis -
- route add -net 194.65.169.245/32 -iface bge0
This can be done using GUI. 1. Add a new gateway in the "System->Routing->Gateways":
Interface: WAN
Name: Name
Gateway: leave blank
Default Gateway: no
Disable Gateway Monitoring: yes2. Add static route in the "System->Routing->Routes":
Destination network: 194.65.169.245/32
Gateway: Name -
Hello,
Thanks for your answer.I have tried your approach with a slight difference - I have marked the Default Gateway box (I assumed that should be one Default Gateway).
With the Default Gateway box marked, when my WAN IP changes, everyone loses Internet connection, even a reboot does not restore connection.
Because this is a production machine, I'm not able to easily test your approach, but when I can, I will post the results.
Anyway, my solution is working, but because my scripting skills are not the best, I know that the script could be improved…
Jose Luis
-
Sorry, I meant that "route add -net 194.65.169.245/32 -iface bge0" can be done via GUI. After steps 1, 2 you still need to add default gateway using script (route add default 194.65.169.245).
-
Well,
someone have rewrited the script (my brother …), so a better and cleaner version will be:
**–--------------------------------------------------------------------
#!/bin/shScript name - my_rewrite_routes.sh
DEZ 2014 - Jose Luis - jluis144@hotmail.com
used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP
run with Cron
2.1.5-RELEASE (i386)
built on Mon Aug 25 07:44:26 EDT 2014
FreeBSD 8.3-RELEASE-p16
myDATE=
dateGet current WAN IP
myNEWWANIP=
/sbin/ifconfig bge0 | grep "inet " | awk '{print $2}'Get last WAN IP
read myLASTWANIP < /tmp/.mylastwanip.txt
echo "myNEWWANIP : $myNEWWANIP"
echo "myLASTWANIP : $myLASTWANIP"if [ "$myNEWWANIP" != "$myLASTWANIP" ]
thenUpdate Routes
#route add -net 194.65.169.245/32 -iface bge0
#route add default 194.65.169.245Update current IP helper file / Update log file
echo "$myNEWWANIP" > /tmp/.mylastwanip.txt
echo "$myDATE - $myNEWWANIP" >> /tmp/.mylastwanip_log.txt
fi
–--------------------------------------------------------------------** -
Hello,
I just have started installing pfSense on a provider here in Germany (Webtropia) with the same setup (it seems that way anyway):
I have an IP address for pfSense (213.XXX.XXX.40/32) but the Gateway is 193.XXX.XXX.1.Reading this (and some other) thread I have found out how to get the system to give me access to the WebGUI using the WAN IP (213.XXX.XXX.40) using the shell commands in the previous posts in this thread.
Using the WebGui, I have then configured the WAN to use 213.XXX.XXX.40 (using the /32 notation which is not possible when you only have shell access) and have given the same IP (213.XXX.XXX.40) as the gateway IP.But: nothing works (nor inbound or outbound connection) :-(
Current "solution": run "pfctl -d", then I have access from the pfSense shell outbound (I can e.g. ping google) and I can access the WebGUI from external using the WAN IP (213.XXX.XXX.40).And here comes my question:
What is the last "step" which I am missing to get the firewall let my data through?
I have already rules for the firewall so that LAN has access to "everything" and WAN Port 443 to "Firewall (itself)" but unless I disable the firewall using "pfctl -d" I have no outbound/inbound
connection :-(Hopefully somebody can help me to solve this final part :-)
Thanks a lot for your help!
Best regards,
Christian
-
Sorry for necroing an old thread, but I had this exact problem and after trying a little bit of everything without luck, I stumbled onto a solution.
System, Gateways, Edit your WAN gateway, click advanced and checkmark the "Use non-local gateway" at the bottom.
-
Ah great thanks! :)
That might come in handy in the future :D
Best regards,
Chris
-
… I can access the WebGUI from external using the WAN IP ...
Not the best of ideas. Use a VPN to tunnel into your network and access the GUI via its Lan interface there.
Having the UI open to the internet is quite dangerous. Remember to only do this via HTTPS, never with HTTP. -
Of course ;-)
But you need to access it for a short time via WAN to complete the configuration and then pfSense is only accessible via openVPN ;-)
Best regards,
Chris
-
Huh, why do you need to access it via its WAN interface for configuration?
Thats usually done via Lan. Only. -
In order not to flood this thread with unreladed information just a brief explanation:
When you order their root server, you only get one public IP. You have to quickly install ESXi using the WAN IP, then install pfSense, switch ESXi over to a local IP and then use the public IP for the basic configuration of pfSense until openVPN works correctly.
Then you can switch pfSense back to the private IP and everything is secure again :)Best regards,
Chris
-
Hi to all,
I'm facing to the same problem, WAN connexion is droped after 10min, and up after 10 other...
I try to add route or modify "Use non-local gateway" in WAN gateway advanced, but it doesn't fix the problem.
How can i fix WAN connexion ?
Best Regards.
