Routing /24 public subnet to smaller subnets

Shiftenterprises · May 13, 2015, 2:02 AM

Hello,

I have a /24 in a data center and my gateway is .1 of the ip range ( this was assigned to me by upstream ) lets say the block was 1.1.1.0/24 with 1.1.1.1 as gateway.
my pfsense has a public ip of 1.1.1.2/24

Now here is what i need to do.

I need to be able to make smaller subnets for clients for example customer needs a /29 and they need the public ips
my questions:
How can i go about setting this up in pfsense?
what gateway will the client use?
How can i make sure that pfsense is JUST routing and not doing ANY firewall features.

Derelict · May 13, 2015, 8:07 AM

You should talk to your datacenter. They should assign you a /30 or /29 and route the /24 to an address on it. That way you can break it up any way you want, on any interfaces you want.

Shiftenterprises · May 13, 2015, 10:35 AM

What are the benefits of doing so?

Im not sure i understand why this is necessary.

Suppose they did actually route me a /30

How would i setup what im asking?

Derelict · May 13, 2015, 3:09 PM

They give you 10.10.10.0/30
Their interface: 10.10.0.1
Your WAN: 10.10.10.2

They route 100.100.100.0/24 to 10.10.10.2

Notice addresses for 100.100.100.0/24 are not assigned to any interfaces. You can subnet it all you want:

OPT1 100.100.100.1/29
DHCP 100.100.100.2 - 100.100.100.6
WAN rules: pass IPv4 any any OPT1 net
OPT1 rules: pass IPv4 any OPT1 net any
Disable NAT for that network

That's just one example. You can still use some of the addresses as VIPs on pfSense if you like (set aside another subnet to take those from.)

You also want to take care to block unwanted access from WAN to the pfSense OPT1 address (webconfig), etc, but your clients would have wide-open access on public IPs. There's still a firewall in place but it passes everything, does not do NAT, and just appears as another hop.

Shiftenterprises · May 13, 2015, 9:08 PM

Maybe i should be a little more clear sorry, i dont know the correct was to say what i need.

I have requested a /30 from datacenter.

they will static route the /24 to /30

100.100.100.0 /24

I need : vlan 2 for customer 2 is assigned a /29 which is 8 usable ips if im not mistaken.

so customer would get 100.100.100.150/29 150-158 ( right )?
customer would have .150 as GW? ( pfsense)?

im just trying to figure out how i would setup this stuff, no DHCP will be involved, and it would be on the LAN interface the only ethernet port left.

Derelict · May 13, 2015, 9:27 PM

A /29 is 6 usable - 1 taken by the pfSense interface.

100.100.100.150/29 is not on a subnet boundary for a /29. 100.100.100.144 is

Assign an interface to VLAN tag 2

Edit the interface, set the IP address of the interface to 100.100.100.145/29

Customer will use 100.100.100.145 as their default gateway.

They will have 100.100.100.146 - 100.100.100.150 available

100.100.100.151 is the broadcast address for the subnet.

Shiftenterprises · May 13, 2015, 9:58 PM

You have been such a great help!

I am sorry to ask another question…

But... how do you know what the boundary would be?
is there some type of scale or something? I am pretty new to this type of networking.

what if i had 100.100.100.3-10 being usable this is real case here special customer needs 3-10.

Derelict · May 13, 2015, 10:24 PM

google subnetting. You'll need to know this.

heper · May 13, 2015, 10:37 PM

http://www.subnet-calculator.com/cidr.php

Shiftenterprises · May 13, 2015, 10:44 PM

I have, but when i try to use a subnet calculator

for example http://www.subnet-calculator.com/subnet.php?net_class=C this site

I just dont understand how i keep going after the first one

100.100.100.0/24 is assigned to me
i need to make the first subnet of
100.100.100.1/29

IP Address: 100.100.100.1
Netmask: 255.255.255.240
CIDR Notation: /28
Network Address: 100.100.100.0
Usable Host Range: 100.100.100.1 - 100.100.100.14
Broadcast Address: 100.100.100.15
Total number of hosts: 16
Number of usable hosts: 14

when i create the next interface i just use .16 next correct? and then make a cidr from that IP?

heper · May 13, 2015, 10:56 PM

doesn't matter what you pick, you don't have to think about it …. that calculator will correct it anyways.

btw you say you need a /29 yet your calculator is set to a /28 (thats double the address')

heper · May 13, 2015, 11:00 PM

subnetID-100.100.100.0/29 = iprange: 100.100.100.1-100.100.100.6

subnetID-100.100.100.8/29 = iprange: 100.100.100.9-100.100.100.14

subnetID-100.100.100.16/29 = iprange: 100.100.100.17-100.100.100.22

…...

Derelict · May 13, 2015, 11:03 PM

Yes. You are going to need to understand subnetting to do this job.

It's not complicated but it's also easy to screw it up.

Network address
Some number of host addresses
Broadcast address
Network address
Some number of host addresses
Broadcast address

Shiftenterprises · May 13, 2015, 11:20 PM

Okay so i am trying to create a lab test before i put this into production.

Here is what i have done so far.
I have 1 pfsense router with 2 NIC's ( same setup as my production )
1wan 1lan
wan has static address 10.0.0.49/24 ( was the next ip i had open on my lab router )
lan has default pfsense 192.168.1.1

i have disabled packet filtering
enabled bypass firewall rules for traffic on the same interface.
–---------
i have a VM on the local "lan"
host needs to have a 10.0.0.x address with 1 usable IP.
so going off of how to subnet
i would need 10.0.0.52/30
Network Address: 10.0.0.52
Usable Host Range: 10.0.0.53 - 10.0.0.54
Broadcast Address: 10.0.0.55
Netmask: 255.255.255.252

from what everyone is saying i would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

I understand this part, now what steps do i need to take to make this work in my lab?

Derelict · May 13, 2015, 11:35 PM

@Shiftenterprises:

Okay so i am trying to create a lab test before i put this into production.

Here is what i have done so far.
I have 1 pfsense router with 2 NIC's ( same setup as my production )
1wan 1lan
wan has static address 10.0.0.49/24 ( was the next ip i had open on my lab router )
lan has default pfsense 192.168.1.1

i have disabled packet filtering

Why?

enabled bypass firewall rules for traffic on the same interface.

Why?

–---------
i have a VM on the local "lan"
host needs to have a 10.0.0.x address with 1 usable IP.
so going off of how to subnet
i would need 10.0.0.52/30
Network Address: 10.0.0.52
Usable Host Range: 10.0.0.53 - 10.0.0.54
Broadcast Address: 10.0.0.55
Netmask: 255.255.255.252

from what everyone is saying i would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

I understand this part, now what steps do i need to take to make this work in my lab?

No. The routed subnet needs to be OUTSIDE of the interface subnet.

What part of "you will need to understand subnetting to do this job" is unclear?

Shiftenterprises · May 13, 2015, 11:47 PM

I dont PF sense to do any firewall or SPI/DPI is it only for routing the subnets and creating vlans for privacy.

What settings do i need to enable/disable for that to work?

heper · May 14, 2015, 12:21 AM

What settings do i need to enable/disable for that to work?

nothing.
you need a /30 on your WAN
and you can then just add your routed subnet spread out over your other vlans, trunked on your LAN interface

Shiftenterprises · May 14, 2015, 12:26 AM

Okay. I understand.

I just wish i could get this to work in the lab before i just pull my uplink and start doing this 100% ( not that i think you are wrong )

Do you know of a way to do this in a lab?

i have a lab router on a 100/20 connection dhcp is enabled and the router ip is 10.0.0.1 2-254 is dhcp.

Derelict · May 14, 2015, 3:54 AM

Yes. Assign a /30 to the WAN, route a /24 to it, and dole out smaller subnets from a /24 on your various LAN interfaces/VLANs/whatever.