Netgate Discussion Forum
    /27 subnet, routing hosts and pppoe server

General pfSense Questions
20 Posts, 2 Posters, 3.2k Views

mcrook

Hey, I have done my homework. I have one static IP coming in to which my /27 subnet is routed.

      I have four network cards so let's get started.

NIC one is WAN.
NIC two is my servers.
NIC three and four are on a LAGG for the LAN.

To route public IPs from my subnet, would I bridge NIC one and two and set my default gateway as the pfSense box?
For a few clients that require an internet IP, I am using PPPoE.

Can I set up my public IPs to be given out by the PPPoE server, disable NAT for the PPPoE server, and it should be routed fine, or am I missing any steps here?

      Thanks!

Derelict (LAYER 8, Netgate)

        Why the hell would you bridge NIC1 and 2?

        Just assign the /27 to an interface (you'll use one address for pfSense), turn off NAT, and pass the desired traffic in WAN.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

mcrook

Okay, that's what I thought. What about issuing public IPs on the LAN via PPPoE? Just set up the PPPoE server with public IPs, and disable NAT?

Derelict (LAYER 8, Netgate)

            I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

            I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.

mcrook

If I split the subnet like you suggested, both subnets should be able to talk to one another via pfSense (pfSense would be the gateway).

              I don't think pppoe would have an issue. Btw this was my original plan.

Derelict (LAYER 8, Netgate)

                Based on the firewall rules on the interfaces, yes.  And all your routing will be sane.

                I'm probably going to set up PPPoE on my lab stack this weekend.  Interesting idea to use it to give public IP addresses to inside hosts.

mcrook

                  Thank you so much. I was originally going to do it this way.

                  Question, when you split a subnet, does it have to be equal?

Derelict (LAYER 8, Netgate)

                    No, but you have to put it on subnet boundaries.  You could, for instance, split this /27 like this:

                    192.168.0.0/27 (192.168.0.1 - 192.168.0.30)

                    192.168.0.0/28 (192.168.0.1 - 192.168.0.15)
                    192.168.0.16/29 (192.168.0.17 - 192.168.0.22)
                    192.168.0.24/30 (192.168.0.25 - 192.168.0.26)
                    192.168.0.28/30 (192.168.0.29 - 192.168.0.30)

mcrook

I would be interested in your findings on the PPPoE server from your lab this weekend. I have not deployed this setup, so it would be of great help if I knew of any problems that arise. Thanks!

Derelict (LAYER 8, Netgate)

                        Not sure if I'm going to get to it.  Getting late.  Soon though.

mcrook

                          Did you ever get around to trying it?

mcrook

                            @Derelict:

                            I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

                            I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.

I know it's been a while, but everything has worked as planned except for the issue you described, with PPPoE clients not being able to talk to the servers. Anyone with ideas to help make this work?

Derelict (LAYER 8, Netgate)

                              What exactly did you do?

mcrook

Split the subnet as you suggested, one for the servers, one for PPPoE.
However, I am trying to overcome the issue you said I would run into, where PPPoE clients are not able to talk to the servers. If you read back a bit it should refresh your memory :)

Derelict (LAYER 8, Netgate)

                                  Please provide precise details about what you've done. Like IP address and subnet mask of the interfaces in play and the PPPoE config.

mcrook

                                    @Derelict:

                                    I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

                                    I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.

                                    I just ended up using the whole subnet.

76.10.188.2 is the pfSense box to which the subnet is assigned:
76.10.190.224 /27

I assigned the interface "servers" 76.10.190.224 /26
and the servers use the IPs

                                    76.10.190.253 -|    gateway
                                    76.10.190.252 -|  76.10.190.224
                                    76.10.190.251 -| subnet /26

The PPPoE server is set up as follows:

                                    interface = lan
                                    subnet mask = 32
                                    number of users = 9
                                    server address = 76.10.19.254
                                    remote address range = 76.10.190.225

Now, just so we are clear, everything works: I can reach the servers from the internet, from the LAN, etc. I just can't talk to the "servers" interface from the PPPoE server (clients).

Derelict (LAYER 8, Netgate)

                                      Right. Because the servers think the PPPoE IP addresses are on their connected subnet so they will never send traffic to the router to be routed to the PPPoE clients.

                                      If you split the subnet into two, the PPPoE client addresses will be OUTSIDE the server subnet so traffic will be sent to the router to be routed to them.

I guess I don't understand the resistance to subnetting this properly. If you want 9 addresses, a /29 is only one short.

                                      And I show a /26 as starting at .192, not .224. Is it a /26 or a /27?

                                      ETA: You might be able to get it to work by putting Proxy ARP VIPs for the PPPoE addresses on the server interface if for some reason you don't want to change it. pfSense will probably not like having the same IP address in two places but with Proxy ARP it might allow it. I'd have to try it. Not how I would do it.

ETA: Another problem is confusion. For instance, your PPPoE addresses fall inside the SERVERS net.

mcrook

It's really a /27. That's so I could use the whole /27 subnet; I cheated and said it was a /26 on the "servers" interface. For PPPoE I don't think it really matters, as it's a VPN connection.

But maybe I will make the "servers" subnet smaller, and that way the IPs being assigned to PPPoE clients will be outside the "servers" subnet?

Thanks man, this has been driving me nuts. Everything works perfectly except communication between PPPoE and the "servers" interface.

                                        Here is some helpful info I can provide.

Once a connection has been made via PPPoE, internet works, but I cannot ping, connect, or do anything with the servers on the "servers" interface. However, I am able to ping 76.10.190.224, which, if you remember, is the IP address of the network card in the pfSense box that serves the servers on the "servers" interface (76.10.190.224).

Derelict (LAYER 8, Netgate)

                                          But you can't use the whole /27 because 9 addresses are for the PPPoE.

                                          Regarding who can contact what, it sounds like it's functioning pretty much as expected.

                                          Now I'm not sure what "I cheated and said it was a /26 on the "servers" interface" means. It's either a /27 or it isn't. There really is no way to cheat.

mcrook

                                            @Derelict:

                                            But you can't use the whole /27 because 9 addresses are for the PPPoE.

                                            Regarding who can contact what, it sounds like it's functioning pretty much as expected.

                                            Now I'm not sure what "I cheated and said it was a /26 on the "servers" interface" means. It's either a /27 or it isn't. There really is no way to cheat.

                                            76.10.190.224 /27

What I meant by using my whole /27 subnet: every time you split the subnet, you lose 4 hosts, do you not? Two IPs for each subnet?

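As an added example (not from the thread and not pfSense code), a small Python check that covers the points raised above: that child subnets of the /27 must start on their own boundaries and not overlap, what a ".224/26" mask actually implies, how many device addresses a split costs once network, broadcast and one gateway address are reserved per subnet, and whether a PPPoE pool lands inside the servers' connected subnet (which makes the servers ARP for PPPoE clients instead of sending that traffic to pfSense). The 192.168.0.x split is Derelict's example and the 76.10.190.x values are the ones posted in the thread; the "one gateway per subnet" accounting is my assumption.

```python
import ipaddress

# Derelict's boundary-aligned, unequal split of a /27 (values from the thread)
PARENT = "192.168.0.0/27"
SPLIT = ["192.168.0.0/28", "192.168.0.16/29", "192.168.0.24/30", "192.168.0.28/30"]


def check_split(parent_cidr, children):
    """Return the problems with a proposed split; an empty list means it is valid.

    Each child must start on its own subnet boundary (strict=True rejects host
    bits), lie inside the parent, and not overlap any sibling.
    """
    parent = ipaddress.ip_network(parent_cidr)
    problems, nets = [], []
    for cidr in children:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{cidr}: not on a subnet boundary")
            continue
        if not net.subnet_of(parent):
            problems.append(f"{net}: outside {parent}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def actual_network(cidr):
    """Network address the mask really implies: '76.10.190.224/26' is .192/26."""
    return str(ipaddress.ip_network(cidr, strict=False).network_address)


def usable_hosts(children):
    """Addresses left for devices after reserving network, broadcast and one
    gateway address in every subnet (assumption); each extra subnet costs 3."""
    return sum(ipaddress.ip_network(c).num_addresses - 3 for c in children)


def pppoe_pool_conflict(server_cidr, pool_start, count):
    """PPPoE client addresses that fall inside the servers' connected subnet.
    Servers treat these as on-link and ARP for them instead of sending the
    traffic to pfSense, which is the symptom described in the thread."""
    server_net = ipaddress.ip_network(server_cidr, strict=False)
    start = ipaddress.ip_address(pool_start)
    return [str(start + i) for i in range(count) if (start + i) in server_net]
```

Running `pppoe_pool_conflict("76.10.190.224/27", "76.10.190.225", 9)` lists all nine pool addresses as on-link for the servers, while the same pool moved to `76.10.190.241` against a `76.10.190.224/28` servers subnet returns an empty list.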
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.