/27 subnet, routing hosts and pppoe server


  • Hey, I have done my homework. I have one static IP coming in, which my /27 subnet is routed to.

    I have four network cards so let's get started.

    NIC one is WAN
    NIC two is my servers
    NIC three and four are on a LAGG for the LAN.

    To route public IPs from my subnet, would I bridge NIC one and two, and set my default gateway as the pfSense box?
    For a few clients that require an internet IP, I am using PPPoE.

    Can I set up my public IPs to be given out on the PPPoE server, disable NAT for the PPPoE server, and it should be routed fine, or am I missing any steps here?

    Thanks!

  • LAYER 8 Netgate

    Why the hell would you bridge NIC1 and 2?

    Just assign the /27 to an interface (you'll use one address for pfSense), turn off NAT, and pass the desired traffic in WAN.


  • Okay, that's what I thought. What about issuing public IPs on the LAN via PPPoE? Just set up the PPPoE server with public IPs and disable NAT?

  • LAYER 8 Netgate

    I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

    I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.


  • If I split the subnet like you suggested, both subnets should be able to talk to one another via pfSense (pfSense would be the gateway).

    I don't think PPPoE would have an issue. BTW, this was my original plan.

  • LAYER 8 Netgate

    Based on the firewall rules on the interfaces, yes.  And all your routing will be sane.

    I'm probably going to set up PPPoE on my lab stack this weekend.  Interesting idea to use it to give public IP addresses to inside hosts.


  • Thank you so much. I was originally going to do it this way.

    Question, when you split a subnet, does it have to be equal?

  • LAYER 8 Netgate

    No, but you have to put it on subnet boundaries.  You could, for instance, split this /27 like this:

    192.168.0.0/27 (192.168.0.1 - 192.168.0.30)

    192.168.0.0/28 (192.168.0.1 - 192.168.0.15)
    192.168.0.16/29 (192.168.0.17 - 192.168.0.22)
    192.168.0.24/30 (192.168.0.25 - 192.168.0.26)
    192.168.0.28/30 (192.168.0.29 - 192.168.0.30)


  • I would be interested in your findings on the PPPoE server from your lab this weekend. I have not deployed this setup, and it would be of great help to know of any problems that arise. Thanks!

  • LAYER 8 Netgate

    Not sure if I'm going to get to it.  Getting late.  Soon though.


  • Did you ever get around to trying it?


  • @Derelict:

    I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

    I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.

    I know it's been a while, but everything has worked as planned, except for the issue you said I'd run into with PPPoE clients not being able to talk to servers. Anyone with ideas to help make this work?

  • LAYER 8 Netgate

    What exactly did you do?


  • Split the subnet as you suggested, one for the servers, one for PPPoE.
    However, I am trying to overcome the issue you said I would run into, where PPPoE clients are not able to talk to the servers. If you read back a bit it should refresh your memory :)

  • LAYER 8 Netgate

    Please provide precise details about what you've done. Like IP address and subnet mask of the interfaces in play and the PPPoE config.


  • @Derelict:

    I think you will be happier if you split the /27 into two /28s.  One for the servers and one for the PPPoE.  It should work giving them out but you'll run into problems if PPPoE ever needs to talk to the servers.  Or get another routed subnet for PPPoE.  Or you might be able to work around it somehow with NAT if it ever comes up.

    I've never configured the pfSense PPPoE so this is just a guess based on routing fundamentals.

    I just ended up using the whole subnet.

    76.10.188.2 is the pfSense box to which the subnet is assigned:
    76.10.190.224/27

    I assigned the interface "servers" 76.10.190.224/26
    and the servers use IPs

    76.10.190.253 -|    gateway
    76.10.190.252 -|  76.10.190.224
    76.10.190.251 -| subnet /26

    The PPPoE server is set up as follows:

    interface = lan
    subnet mask = 32
    number of users = 9
    server address = 76.10.19.254
    remote address range = 76.10.190.225

    Now, just so we are clear, everything works: I can reach the servers from the internet, from the LAN, etc. I just can't talk to the "servers" interface from the PPPoE server (clients).

  • LAYER 8 Netgate

    Right. Because the servers think the PPPoE IP addresses are on their connected subnet so they will never send traffic to the router to be routed to the PPPoE clients.

    If you split the subnet into two, the PPPoE client addresses will be OUTSIDE the server subnet so traffic will be sent to the router to be routed to them.

    I guess I don't understand the resistance to subnetting this properly. If you want 9 addresses, a /29 is only one short.

    And I show a /26 as starting at .192, not .224. Is it a /26 or a /27?

    ETA: You might be able to get it to work by putting Proxy ARP VIPs for the PPPoE addresses on the server interface if for some reason you don't want to change it. pfSense will probably not like having the same IP address in two places but with Proxy ARP it might allow it. I'd have to try it. Not how I would do it.

    ETA: Another problem is confusion. For instance, your PPPoE addresses fall inside the SERVERS net.
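
As an added example (not code from anyone in the thread), the two points Derelict makes above worked in Python's `ipaddress` module: carving the 192.168.0.0/27 from the earlier post into pieces that sit on subnet boundaries, checking whether a stated prefix such as 76.10.190.224/26 is actually aligned, and flagging PPPoE pool addresses that fall inside the "servers" interface's connected subnet, which is exactly why those hosts ARP for them on-link instead of sending the traffic to pfSense. The 76.10.190.x values and the pool of 9 addresses come from the posted config; the split into two /28s is Derelict's suggestion.

```python
import ipaddress


def split_on_boundaries(block, prefix_lengths):
    """Carve block into consecutive subnets of the given prefix lengths,
    each starting on its own boundary (so list the larger pieces first)."""
    block = ipaddress.ip_network(block)
    pieces, cursor = [], int(block.network_address)
    limit = int(block.broadcast_address) + 1
    for plen in prefix_lengths:
        size = 1 << (block.max_prefixlen - plen)
        if cursor % size:
            raise ValueError(f"{ipaddress.ip_address(cursor)}/{plen} is not on a /{plen} boundary")
        if cursor + size > limit:
            raise ValueError("requested pieces do not fit in the parent block")
        pieces.append(ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}"))
        cursor += size
    return pieces


def is_aligned(cidr):
    """True when the network address sits on the prefix boundary
    (76.10.190.224/27 does; 76.10.190.224/26 does not, a /26 starts at .192)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def usable_host_count(nets):
    """Usable addresses once each subnet's network and broadcast are excluded."""
    return sum(n.num_addresses - 2 for n in map(ipaddress.ip_network, nets))


def pppoe_pool(first_address, users):
    """Addresses a PPPoE server hands out from its 'remote address range'."""
    start = int(ipaddress.ip_address(first_address))
    return [ipaddress.ip_address(start + i) for i in range(users)]


def overlapping_pool_addresses(pool, interface_cidr):
    """Pool addresses lying inside an interface's connected subnet.  Hosts on
    that subnet treat them as on-link and ARP for them rather than sending
    the packets to the gateway, so the PPPoE clients are never reached."""
    net = ipaddress.ip_network(interface_cidr)
    return [a for a in pool if a in net]


if __name__ == "__main__":
    for net in split_on_boundaries("192.168.0.0/27", [28, 29, 30, 30]):
        hosts = list(net.hosts())
        print(net, hosts[0], "-", hosts[-1])
    print(overlapping_pool_addresses(pppoe_pool("76.10.190.225", 9), "76.10.190.224/27"))
```

With the posted config every one of the 9 pool addresses overlaps 76.10.190.224/27; after the suggested split (servers on 76.10.190.224/28, PPPoE pool starting at .241 in 76.10.190.240/28) the overlap is empty, at the cost of 30 usable addresses becoming 28.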


  • It's really a /27. That's so I could use the whole /27 subnet; I cheated and said it was a /26 on the "servers" interface. For PPPoE I don't think it really matters, as it's a VPN connection.

    But maybe I will make the "servers" subnet smaller, and that way the IPs being assigned to PPPoE clients will be outside the "servers" subnet?

    Thanks man, this has been driving me nuts; everything works perfectly except communication between PPPoE and the "servers" interface.

    Here is some helpful info I can provide.

    Once a connection has been made via PPPoE, internet works, but I cannot ping, connect, or do anything with the servers on the "servers" interface. However, I am able to ping 76.10.190.224, which, if you remember, is the IP address of the network card in the pfSense box that serves the "servers" interface (76.10.190.224).

  • LAYER 8 Netgate

    But you can't use the whole /27 because 9 addresses are for the PPPoE.

    Regarding who can contact what, it sounds like it's functioning pretty much as expected.

    Now I'm not sure what "I cheated and said it was a /26 on the "servers" interface" means. It's either a /27 or it isn't. There really is no way to cheat.


  • @Derelict:

    But you can't use the whole /27 because 9 addresses are for the PPPoE.

    Regarding who can contact what, it sounds like it's functioning pretty much as expected.

    Now I'm not sure what "I cheated and said it was a /26 on the "servers" interface" means. It's either a /27 or it isn't. There really is no way to cheat.

    76.10.190.224 /27

    What I meant by using my whole /27 subnet: every time you split the subnet, you lose 4 hosts, do you not? Two IPs for each subnet?