Annotation of network range in other type VIP



  • I have added a routed network as a WAN VIP.
    When I used network annotation like:
    5.0.1.10/28 and assigned that VIP for outbound NAT, the network address (5.0.1.10) was used as the outbound public IP. I assume this is wrong because the network address is not a usable IP?

    So I changed the VIP to 5.0.1.11/28 (which is actually the first usable IP of the network range) and now that IP appears as the outbound address when I use it for outbound NAT.

    Is that second option the correct way to do it?


  • Rebel Alliance Developer Netgate

    If the network is routed to you and used ONLY for NAT, then there is no "network address" and all IP addresses of the subnet are usable.

    If you have mixed use of that network (assigned to an interface, some NAT, IP alias or CARP VIPs, etc) then you need to be more careful with how the IP addresses in the block are used. If you want to use a "pool" for outbound NAT in that case, you are better off making an alias of the IP addresses that are not in use which can be utilized for NAT.



  • Oh right, well that is the case here - the network is routed to the WAN IP of my pfSense machine and I have allocated the full network as an "other" type VIP on the WAN port and am using it purely for NAT - 1 address for outbound and the other addresses for inbound.

    I need to read up more on routing and so on as I still don't fully understand it all!



  • A /28 has 16 total IPs in it.

    Your network addresses would fall on .0 and .16
    Broadcasts would be on .15 and .31

    50.0.1.10/28 is a usable address.


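An added example, not part of any post in this thread: a Python sketch that works out the /28 block boundaries discussed above and builds a candidate outbound NAT pool for the two cases described (block routed to the firewall and used only for NAT, versus mixed use). The function names `describe_block` and `nat_pool`, and the in-use addresses in the demo, are assumptions made for illustration.

```python
import ipaddress


def describe_block(cidr):
    """Return (network, first address, last address, size) for the block
    that contains the address written in CIDR notation."""
    net = ipaddress.ip_interface(cidr).network
    return net, net.network_address, net.broadcast_address, net.num_addresses


def nat_pool(cidr, routed_only, in_use=()):
    """List the addresses of the block that can go into an outbound NAT pool.

    routed_only=True  : the block is routed to the firewall and used ONLY for
                        NAT, so the first and last addresses are ordinary IPs.
    routed_only=False : mixed use (interface address, IP alias, CARP, ...), so
                        the network and broadcast addresses are left out.
    Addresses listed in in_use are always excluded.
    """
    net = ipaddress.ip_interface(cidr).network
    used = {ipaddress.ip_address(a) for a in in_use}
    # list(net) yields every address; net.hosts() skips network and broadcast.
    candidates = list(net) if routed_only else list(net.hosts())
    return [addr for addr in candidates if addr not in used]


if __name__ == "__main__":
    # The VIP from the first post.
    net, first, last, size = describe_block("5.0.1.10/28")
    print(f"{net}: {size} addresses, first {first}, last {last}")

    # Routed-only block: all 16 addresses are candidates.
    print(len(nat_pool("5.0.1.10/28", routed_only=True)))

    # Mixed use: constructed sample of addresses already assigned elsewhere.
    taken = ["5.0.1.1", "5.0.1.2"]
    pool = nat_pool("5.0.1.10/28", routed_only=False, in_use=taken)
    print(", ".join(str(a) for a in pool))
```

In the mixed-use case the resulting list is what would go into a firewall alias used as the NAT pool.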