WAN IP is on different subnet than default Gateway

thept · Dec 29, 2014, 2:14 AM

I have one pfSense (2.1.5-RELEASE (i386)) installed in an ISP (MEO in Portugal) where the default gateway is not on same subnet - WAN (dynamic) IP is in 85.xxx.xxx.xxx range, and default Gateway is 194.65.169.245. WAN interface name is bge0.

To be able to access Internet, I have installed package Shellcmd to run the folowing commnands on reboot:
(thanks -> http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet)

route add -net 194.65.169.245/32 -iface bge0
route add default 194.65.169.245

… but when my WAN IP changes, I lose internet connection - to solve this problem, I created the bellow script and installed another package, Cron, to be able to manage my custom script shedule.

**#!/bin/tcsh -f

Script name - my_rewrite_routes.sh

used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP

run with Cron

2.1.5-RELEASE (i386)

built on Mon Aug 25 07:44:26 EDT 2014

FreeBSD 8.3-RELEASE-p16

created DEZ 2014

Jose Luis - jluis144@hotmail.com

set myDATE=date

get current WAN IP

set myNEWWANIP=ifconfig bge0 | grep "inet "
set myNEWWANIP= ( $myNEWWANIP )

get last WAN IP

set myLASTWANIP=cat /tmp/mylastwanip.txt

if ( "$myNEWWANIP[2]" == "$myLASTWANIP" ) then

echo "Same IP - nothing done."

else

Update Routes

route add -net 194.65.169.245/32 -iface bge0
route add default 194.65.169.245

update current IP helper file

echo "$myNEWWANIP[2]" > /tmp/mylastwanip.txt

update log file

echo "$myDATE - $myNEWWANIP[2]" >> /tmp/mylastwanip_log.txt

echo "Different IP - rewriting Routes"

endif**
–--------------------------------------------------------------------

so, i'd like to:

know if there is a better way to solve this?
because I'm a noob respecting to scripting, could someone improve this script?
I have placed this script in /usr/local/bin - is this correct, or is there a better place?
any other comments...

Thanks in advance,
Jose Luis

rubic · Dec 29, 2014, 11:36 AM

@thept:

route add -net 194.65.169.245/32 -iface bge0

This can be done using GUI. 1. Add a new gateway in the "System->Routing->Gateways":

Interface: WAN
Name: Name
Gateway: leave blank
Default Gateway: no
Disable Gateway Monitoring: yes

2. Add static route in the "System->Routing->Routes":

Destination network: 194.65.169.245/32
Gateway: Name

thept · Dec 29, 2014, 5:49 PM

Hello,
Thanks for your answer.

I have tried your approach with a slight difference - I have marked the Default Gateway box (I assumed that should be one Default Gateway).

With the Default Gateway box marked, when my WAN IP changes, everyone loses Internet connection, even a reboot does not restore connection.

Because this is a production machine, I'm not able to easily test your approach, but when I can, I will post the results.

Anyway, my solution is working, but because my scripting skills are not the best, I know that the script could be improved…

Jose Luis

rubic · Dec 31, 2014, 7:00 AM

Sorry, I meant that "route add -net 194.65.169.245/32 -iface bge0" can be done via GUI. After steps 1, 2 you still need to add default gateway using script (route add default 194.65.169.245).

thept · Jan 3, 2015, 2:53 AM

Well,

someone have rewrited the script (my brother …), so a better and cleaner version will be:

**–--------------------------------------------------------------------
#!/bin/sh

Script name - my_rewrite_routes.sh

DEZ 2014 - Jose Luis - jluis144@hotmail.com

used to rewrite routes on pfSense when default Gateway not in same subnet of WAN IP

run with Cron

2.1.5-RELEASE (i386)

built on Mon Aug 25 07:44:26 EDT 2014

FreeBSD 8.3-RELEASE-p16

myDATE=date

Get current WAN IP

myNEWWANIP=/sbin/ifconfig bge0 | grep "inet " | awk '{print $2}'

Get last WAN IP

read myLASTWANIP < /tmp/.mylastwanip.txt

echo "myNEWWANIP : $myNEWWANIP"
echo "myLASTWANIP : $myLASTWANIP"

if [ "$myNEWWANIP" != "$myLASTWANIP" ]
then

Update Routes

#route add -net 194.65.169.245/32 -iface bge0
#route add default 194.65.169.245

Update current IP helper file / Update log file

echo "$myNEWWANIP" > /tmp/.mylastwanip.txt
echo "$myDATE - $myNEWWANIP" >> /tmp/.mylastwanip_log.txt
fi
–--------------------------------------------------------------------**

CryoGenID · Apr 11, 2015, 7:22 AM

Hello,

I just have started installing pfSense on a provider here in Germany (Webtropia) with the same setup (it seems that way anyway):
I have an IP address for pfSense (213.XXX.XXX.40/32) but the Gateway is 193.XXX.XXX.1.

Reading this (and some other) thread I have found out how to get the system to give me access to the WebGUI using the WAN IP (213.XXX.XXX.40) using the shell commands in the previous posts in this thread.
Using the WebGui, I have then configured the WAN to use 213.XXX.XXX.40 (using the /32 notation which is not possible when you only have shell access) and have given the same IP (213.XXX.XXX.40) as the gateway IP.

But: nothing works (nor inbound or outbound connection) :-(
Current "solution": run "pfctl -d", then I have access from the pfSense shell outbound (I can e.g. ping google) and I can access the WebGUI from external using the WAN IP (213.XXX.XXX.40).

And here comes my question:
What is the last "step" which I am missing to get the firewall let my data through?
I have already rules for the firewall so that LAN has access to "everything" and WAN Port 443 to "Firewall (itself)" but unless I disable the firewall using "pfctl -d" I have no outbound/inbound
connection :-(

Hopefully somebody can help me to solve this final part :-)

Thanks a lot for your help!

Best regards,

Christian

strandvaskeren · Aug 22, 2017, 3:15 PM

Sorry for necroing an old thread, but I had this exact problem and after trying a little bit of everything without luck, I stumbled onto a solution.

System, Gateways, Edit your WAN gateway, click advanced and checkmark the "Use non-local gateway" at the bottom.

CryoGenID · Aug 22, 2017, 6:04 PM

Ah great thanks! :)

That might come in handy in the future :D

Best regards,

Chris

jahonix · Aug 22, 2017, 8:01 PM

@CryoGenID:

… I can access the WebGUI from external using the WAN IP ...

Not the best of ideas. Use a VPN to tunnel into your network and access the GUI via its Lan interface there.
Having the UI open to the internet is quite dangerous. Remember to only do this via HTTPS, never with HTTP.

CryoGenID · Aug 22, 2017, 8:27 PM

Of course ;-)

But you need to access it for a short time via WAN to complete the configuration and then pfSense is only accessible via openVPN ;-)

Best regards,

Chris

jahonix · Aug 22, 2017, 8:47 PM

Huh, why do you need to access it via its WAN interface for configuration?
Thats usually done via Lan. Only.

CryoGenID · Aug 23, 2017, 9:07 AM

In order not to flood this thread with unreladed information just a brief explanation:
When you order their root server, you only get one public IP. You have to quickly install ESXi using the WAN IP, then install pfSense, switch ESXi over to a local IP and then use the public IP for the basic configuration of pfSense until openVPN works correctly.
Then you can switch pfSense back to the private IP and everything is secure again :)

Best regards,

Chris

Elrick75 · Jul 14, 2019, 6:51 PM

Hi to all,

I'm facing to the same problem, WAN connexion is droped after 10min, and up after 10 other...
I try to add route or modify "Use non-local gateway" in WAN gateway advanced, but it doesn't fix the problem.

How can i fix WAN connexion ?

Best Regards.