Routing /24 public subnet to smaller subnets



  • Hello,

    I have a /24 in a data center and my gateway is .1 of the ip range ( this was assigned to me by upstream ) lets say the block was 1.1.1.0/24 with 1.1.1.1 as gateway.
    my pfsense has a public ip of 1.1.1.2/24

    Now here is what i need to do.

    I need to be able to make smaller subnets for clients for example customer needs a /29 and they need the public ips
    my questions:
    How can i go about setting this up in pfsense?
    what gateway will the client use?
    How can i make sure that pfsense is JUST routing and not doing ANY firewall features.


  • Netgate

    You should talk to your datacenter.  They should assign you a /30 or /29 and route the /24 to an address on it.  That way you can break it up any way you want, on any interfaces you want.



  • What are the benefits of doing so?

    Im not sure i understand why this is necessary.

    Suppose they did actually route me a /30

    How would i setup what im asking?


  • Netgate

    They give you 10.10.10.0/30
    Their interface: 10.10.0.1
    Your WAN: 10.10.10.2

    They route 100.100.100.0/24 to 10.10.10.2

    Notice addresses for 100.100.100.0/24 are not assigned to any interfaces.  You can subnet it all you want:

    OPT1 100.100.100.1/29
    DHCP 100.100.100.2 - 100.100.100.6
    WAN rules: pass IPv4 any any OPT1 net
    OPT1 rules: pass IPv4 any OPT1 net any
    Disable NAT for that network

    That's just one example.  You can still use some of the addresses as VIPs on pfSense if you like (set aside another subnet to take those from.)

    You also want to take care to block unwanted access from WAN to the pfSense OPT1 address (webconfig), etc, but your clients would have wide-open access on public IPs.  There's still a firewall in place but it passes everything, does not do NAT, and just appears as another hop.



  • Maybe i should be a little more clear sorry, i dont know the correct was to say what i need.

    I have requested a /30 from datacenter.

    they will static route the /24 to /30

    100.100.100.0 /24

    I need : vlan 2 for customer 2 is assigned a /29 which is 8 usable ips if im not mistaken.

    so customer would get 100.100.100.150/29  150-158 ( right )?
    customer would have .150 as GW? ( pfsense)?

    im just trying to figure out how i would setup this stuff, no DHCP will be involved, and it would be on the LAN interface the only ethernet port left.


  • Netgate

    A /29 is 6 usable - 1 taken by the pfSense interface.

    100.100.100.150/29 is not on a subnet boundary for a /29.  100.100.100.144 is

    Assign an interface to VLAN tag 2

    Edit the interface, set the IP address of the interface to 100.100.100.145/29

    Customer will use 100.100.100.145 as their default gateway.

    They will have 100.100.100.146 - 100.100.100.150 available

    100.100.100.151 is the broadcast address for the subnet.



  • You have been such a great help!

    I am sorry to ask another question…

    But... how do you know what the boundary  would be?
    is there some type of scale or something? I am pretty new to this type of networking.

    what if i had 100.100.100.3-10 being usable this is real case here special customer needs 3-10.


  • Netgate

    google subnetting.  You'll need to know this.





  • I have, but when i try to use a subnet calculator

    for example http://www.subnet-calculator.com/subnet.php?net_class=C this site

    I just dont understand how i keep going after the first one

    100.100.100.0/24 is assigned to me
    i need to make the first subnet of
    100.100.100.1/29

    IP Address: 100.100.100.1
    Netmask: 255.255.255.240
    CIDR Notation: /28
    Network Address: 100.100.100.0
    Usable Host Range: 100.100.100.1 - 100.100.100.14
    Broadcast Address: 100.100.100.15
    Total number of hosts: 16
    Number of usable hosts: 14

    when i create the next interface i just use .16 next correct? and then make a cidr from that IP?



  • doesn't matter what you pick, you don't have to think about it …. that calculator will correct it anyways.

    btw you say you need a /29 yet your calculator is set to a /28 (thats double the address')



  • subnetID-100.100.100.0/29 = iprange: 100.100.100.1-100.100.100.6

    subnetID-100.100.100.8/29 = iprange: 100.100.100.9-100.100.100.14

    subnetID-100.100.100.16/29 = iprange: 100.100.100.17-100.100.100.22

    …...


  • Netgate

    Yes.  You are going to need to understand subnetting to do this job.

    It's not complicated but it's also easy to screw it up.

    Network address
    Some number of host addresses
    Broadcast address
    Network address
    Some number of host addresses
    Broadcast address



  • Okay so i am trying to create a lab test before i put this into production.

    Here is what i have done so far.
    I have 1 pfsense router with 2 NIC's ( same setup as my production )
    1wan 1lan
    wan has static address 10.0.0.49/24 ( was the next ip i had open on my lab router )
    lan has default pfsense 192.168.1.1

    i have disabled packet filtering
    enabled bypass firewall rules for traffic on the same interface.
    –---------
    i have a VM on the local "lan"
    host needs to have a 10.0.0.x address with 1 usable IP.
    so going off of how to subnet
    i would need 10.0.0.52/30
    Network Address: 10.0.0.52
    Usable Host Range: 10.0.0.53 - 10.0.0.54
    Broadcast Address: 10.0.0.55
    Netmask: 255.255.255.252

    from what everyone is saying i would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

    I understand this part, now what steps do i need to take to make this work in my lab?


  • Netgate

    @Shiftenterprises:

    Okay so i am trying to create a lab test before i put this into production.

    Here is what i have done so far.
    I have 1 pfsense router with 2 NIC's ( same setup as my production )
    1wan 1lan
    wan has static address 10.0.0.49/24 ( was the next ip i had open on my lab router )
    lan has default pfsense 192.168.1.1

    i have disabled packet filtering

    Why?

    enabled bypass firewall rules for traffic on the same interface.

    Why?

    –---------
    i have a VM on the local "lan"
    host needs to have a 10.0.0.x address with 1 usable IP.
    so going off of how to subnet
    i would need 10.0.0.52/30
    Network Address: 10.0.0.52
    Usable Host Range: 10.0.0.53 - 10.0.0.54
    Broadcast Address: 10.0.0.55
    Netmask: 255.255.255.252

    from what everyone is saying i would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

    I understand this part, now what steps do i need to take to make this work in my lab?

    No.  The routed subnet needs to be OUTSIDE of the interface subnet.

    What part of "you will need to understand subnetting to do this job" is unclear?



  • I dont PF sense to do any firewall or SPI/DPI is it only for routing the subnets and creating vlans for privacy.

    What settings do i need to enable/disable for that to work?



  • What settings do i need to enable/disable for that to work?

    nothing.
    you need a /30 on your WAN
    and you can then just add your routed subnet spread out over your other vlans, trunked on your LAN interface



  • Okay. I understand.

    I just wish i could get this to work in the lab before i just pull my uplink and start doing this 100% ( not that i think you are wrong )

    Do you know of a way to do this in a lab?

    i have a lab router on a 100/20 connection dhcp is enabled and the router ip is 10.0.0.1 2-254 is dhcp.


  • Netgate

    Yes.  Assign a /30 to the WAN, route a /24 to it, and dole out smaller subnets from a /24 on your various LAN interfaces/VLANs/whatever.