    Routing /24 public subnet to smaller subnets

    Routing and Multi WAN
      Shiftenterprises last edited by

      Hello,

      I have a /24 in a data center and my gateway is .1 of the IP range (this was assigned to me by upstream). Let's say the block was 1.1.1.0/24 with 1.1.1.1 as the gateway.
      My pfSense has a public IP of 1.1.1.2/24.

      Now here is what I need to do.

      I need to be able to make smaller subnets for clients. For example, a customer needs a /29 and they need the public IPs.
      My questions:
      How can I go about setting this up in pfSense?
      What gateway will the client use?
      How can I make sure that pfSense is JUST routing and not doing ANY firewall features?

        Derelict LAYER 8 Netgate last edited by

        You should talk to your datacenter.  They should assign you a /30 or /29 and route the /24 to an address on it.  That way you can break it up any way you want, on any interfaces you want.

          Shiftenterprises last edited by

          What are the benefits of doing so?

          I'm not sure I understand why this is necessary.

          Suppose they did actually route me a /30.

          How would I set up what I'm asking?

            Derelict LAYER 8 Netgate last edited by

            They give you 10.10.10.0/30
            Their interface: 10.10.0.1
            Your WAN: 10.10.10.2

            They route 100.100.100.0/24 to 10.10.10.2

            Notice addresses for 100.100.100.0/24 are not assigned to any interfaces.  You can subnet it all you want:

            OPT1 100.100.100.1/29
            DHCP 100.100.100.2 - 100.100.100.6
            WAN rules: pass IPv4 any any OPT1 net
            OPT1 rules: pass IPv4 any OPT1 net any
            Disable NAT for that network

            That's just one example.  You can still use some of the addresses as VIPs on pfSense if you like (set aside another subnet to take those from.)

            You also want to take care to block unwanted access from WAN to the pfSense OPT1 address (webconfig), etc, but your clients would have wide-open access on public IPs.  There's still a firewall in place but it passes everything, does not do NAT, and just appears as another hop.

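Derelict's design above (a /30 transit link on WAN, the /24 statically routed to the WAN address, /29 slices of that /24 on customer interfaces) walked through as a small longest-prefix-match simulation. This is an added example, not code from the thread or from pfSense. It assumes the upstream side of the /30 is 10.10.10.1; the second customer slice (100.100.100.144/29 on a VLAN interface) and the reject route for the whole /24 are my own additions, the latter a caveat the thread does not raise: without it, packets for addresses in the /24 that are not yet carved out ping-pong between the two routers until their TTL expires.

```python
"""Forwarding walk-through of the routed-subnet design: the upstream routes
the /24 to pfSense's WAN address on a /30 transit link, and pfSense connects
/29 slices of it to customer interfaces. Constructed example using the
addresses from the thread."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop or egress interface)

TRANSIT = ipaddress.ip_network("10.10.10.0/30")     # /30 from the data center
ROUTED = ipaddress.ip_network("100.100.100.0/24")   # block they route to 10.10.10.2
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Upstream router: transit link is connected, the whole /24 is a static route
# pointing at pfSense's WAN address, everything else goes to the Internet.
UPSTREAM: List[Route] = [
    (TRANSIT, "connected"),
    (ROUTED, "10.10.10.2"),
    (DEFAULT, "internet"),
]

# pfSense: WAN sits on the transit /30, each customer interface is a connected
# /29 taken from the routed block (none of the /24 is assigned to WAN), and the
# default route points at the upstream side of the /30 (assumed 10.10.10.1).
PFSENSE: List[Route] = [
    (TRANSIT, "WAN"),
    (ipaddress.ip_network("100.100.100.0/29"), "OPT1"),     # pfSense .1, customer .2-.6
    (ipaddress.ip_network("100.100.100.144/29"), "VLAN2"),  # pfSense .145, customer .146-.150
    (DEFAULT, "10.10.10.1"),
]

# Added caveat: a reject route for the aggregate. Without it, traffic to an
# address in the /24 that is not carved out yet follows pfSense's default route
# back to the upstream, which routes it straight back to pfSense (a loop).
PFSENSE_WITH_REJECT: List[Route] = PFSENSE + [(ROUTED, "reject")]


def path_from_internet(dst: str, pfsense: List[Route] = PFSENSE_WITH_REJECT) -> List[str]:
    """Hops an Internet packet takes: the upstream's decision, then pfSense's."""
    first = lookup(UPSTREAM, dst)
    if first != "10.10.10.2":
        return [first]                      # upstream never hands it to pfSense
    return [first, lookup(pfsense, dst)]


def design_problems(wan: str, routed: str, customer_nets: List[str]) -> List[str]:
    """Checks to run before cabling: the routed block and every customer slice
    must lie outside the WAN (transit) subnet, every slice must come out of the
    routed block, and slices must not overlap each other."""
    wan_net = ipaddress.ip_interface(wan).network
    routed_net = ipaddress.ip_network(routed)
    nets = [ipaddress.ip_network(c) for c in customer_nets]
    problems: List[str] = []
    if routed_net.overlaps(wan_net):
        problems.append(f"routed block {routed_net} overlaps WAN subnet {wan_net}")
    for n in nets:
        if n.overlaps(wan_net):
            problems.append(f"{n} overlaps WAN subnet {wan_net}")
        if not n.subnet_of(routed_net):
            problems.append(f"{n} is not inside routed block {routed_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for dst in ("100.100.100.3", "100.100.100.146", "100.100.100.200"):
        print(dst, "->", " -> ".join(path_from_internet(dst)))
    # A slice taken out of the WAN interface's own /24 instead of a routed block:
    print(design_problems("10.0.0.49/24", "10.0.0.0/24", ["10.0.0.52/30"]))
```

The simulation only models routing; pfSense's "pass everything, no NAT" rules are what make it behave as the transparent hop Derelict describes, and `design_problems` is the check for the one mistake this design does not tolerate, a customer slice drawn from an interface subnet instead of from the routed block.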
              Shiftenterprises last edited by

              Maybe I should be a little more clear, sorry; I don't know the correct way to say what I need.

              I have requested a /30 from the data center.

              They will static route the /24 to the /30.

              100.100.100.0/24

              I need: VLAN 2 for customer 2 is assigned a /29, which is 8 usable IPs if I'm not mistaken.

              So the customer would get 100.100.100.150/29, 150-158 (right)?
              The customer would have .150 as GW (pfSense)?

              I'm just trying to figure out how I would set up this stuff. No DHCP will be involved, and it would be on the LAN interface, the only Ethernet port left.

                Derelict LAYER 8 Netgate last edited by

                A /29 is 6 usable - 1 taken by the pfSense interface.

                100.100.100.150/29 is not on a subnet boundary for a /29.  100.100.100.144 is

                Assign an interface to VLAN tag 2

                Edit the interface, set the IP address of the interface to 100.100.100.145/29

                Customer will use 100.100.100.145 as their default gateway.

                They will have 100.100.100.146 - 100.100.100.150 available

                100.100.100.151 is the broadcast address for the subnet.

                  Shiftenterprises last edited by

                  You have been such a great help!

                  I am sorry to ask another question...

                  But... how do you know what the boundary would be?
                  Is there some type of scale or something? I am pretty new to this type of networking.

                  What if I had 100.100.100.3-10 being usable? This is a real case here: a special customer needs 3-10.

                    Derelict LAYER 8 Netgate last edited by

                    Google subnetting. You'll need to know this.

                      heper last edited by

                      http://www.subnet-calculator.com/cidr.php

                        Shiftenterprises last edited by

                        I have, but when I try to use a subnet calculator,

                        for example http://www.subnet-calculator.com/subnet.php?net_class=C, this site,

                        I just don't understand how I keep going after the first one.

                        100.100.100.0/24 is assigned to me.
                        I need to make the first subnet of
                        100.100.100.1/29

                        IP Address: 100.100.100.1
                        Netmask: 255.255.255.240
                        CIDR Notation: /28
                        Network Address: 100.100.100.0
                        Usable Host Range: 100.100.100.1 - 100.100.100.14
                        Broadcast Address: 100.100.100.15
                        Total number of hosts: 16
                        Number of usable hosts: 14

                        When I create the next interface, I just use .16 next, correct? And then make a CIDR from that IP?

                          heper last edited by

                          It doesn't matter what you pick; you don't have to think about it... that calculator will correct it anyway.

                          BTW, you say you need a /29, yet your calculator is set to a /28 (that's double the addresses).

                            heper last edited by

                            subnetID-100.100.100.0/29 = iprange: 100.100.100.1-100.100.100.6

                            subnetID-100.100.100.8/29 = iprange: 100.100.100.9-100.100.100.14

                            subnetID-100.100.100.16/29 = iprange: 100.100.100.17-100.100.100.22

                            …...

                              Derelict LAYER 8 Netgate last edited by

                              Yes.  You are going to need to understand subnetting to do this job.

                              It's not complicated but it's also easy to screw it up.

                              Network address
                              Some number of host addresses
                              Broadcast address
                              Network address
                              Some number of host addresses
                              Broadcast address

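The boundary arithmetic behind Derelict's answer (100.100.100.150/29 lies in the block starting at .144, pfSense takes .145, the customer gets .146 through .150, .151 is broadcast), heper's .0/.8/.16 sequence, and the network/hosts/broadcast pattern just above, as an added example that is not part of the thread. It uses only Python's standard `ipaddress` module; the function names, the convention that the first usable address is pfSense's interface, and the "3 through 10" request resolved to its smallest aligned block are my own.

```python
"""Subnet boundary arithmetic for carving a /24 into customer slices.
Constructed example using the thread's 100.100.100.0/24 block."""
import ipaddress
from typing import Dict, List


def is_on_boundary(cidr: str) -> bool:
    """True when the address part is the network address of its own prefix
    (100.100.100.144/29 is, 100.100.100.150/29 is not: 150 has host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def slice_for(addr: str, prefixlen: int) -> Dict[str, object]:
    """The aligned /prefixlen block containing addr, laid out the way the thread
    assigns it: first usable address is the pfSense interface (the customer's
    default gateway), the remaining usable addresses belong to the customer."""
    if not 0 < prefixlen <= 30:
        raise ValueError("a customer block needs at least 4 addresses (/30 or larger)")
    net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network   # clears the host bits
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "gateway": str(hosts[0]),
        "customer_first": str(hosts[1]),
        "customer_last": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),              # 6 for a /29, 2 for a /30
        "customer_usable": len(hosts) - 1,
    }


def carve(parent: str, prefixlens: List[int]) -> List[str]:
    """Hand out aligned blocks from parent in request order. A block of
    2**(32-p) addresses must start on a multiple of its size, so after a /30
    at .0 the next /29 starts at .8, not at .4; after a /28 at .0 a /29 starts at .16."""
    parent_net = ipaddress.ip_network(parent)
    cursor = int(parent_net.network_address)
    out: List[str] = []
    for p in prefixlens:
        size = 1 << (32 - p)
        start = -(-cursor // size) * size          # round cursor up to a boundary
        block = ipaddress.IPv4Network((start, p))
        if not block.subnet_of(parent_net):
            raise ValueError(f"/{p} does not fit in {parent} after {out}")
        out.append(str(block))
        cursor = start + size
    return out


def smallest_block_containing(first: str, last: str) -> str:
    """For a request like 'addresses .3 through .10': .3-.10 is not a subnet by
    itself, so find the smallest aligned block holding both ends (.0/28 here,
    of which .0, .15 and the gateway address are not usable by the customer)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for p in range(32, -1, -1):                    # widen until both ends fit
        net = ipaddress.ip_interface(f"{a}/{p}").network
        if b in net:
            return str(net)
    raise AssertionError("unreachable: /0 contains every address")


if __name__ == "__main__":
    print(is_on_boundary("100.100.100.150/29"), slice_for("100.100.100.150", 29))
    print(carve("100.100.100.0/24", [29, 29, 29]))
    print(carve("100.100.100.0/24", [28, 29, 30]))
    print(smallest_block_containing("100.100.100.3", "100.100.100.10"))
```

`slice_for` is the check to run on every customer address before typing it into an interface: if `is_on_boundary` is false for what the customer asked for, the block they actually get starts earlier than they think.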
                                Shiftenterprises last edited by

                                Okay, so I am trying to create a lab test before I put this into production.

                                Here is what I have done so far.
                                I have 1 pfSense router with 2 NICs (same setup as my production):
                                1 WAN, 1 LAN.
                                WAN has static address 10.0.0.49/24 (was the next IP I had open on my lab router).
                                LAN has the default pfSense 192.168.1.1.

                                I have disabled packet filtering
                                and enabled "bypass firewall rules for traffic on the same interface".
                                ----------
                                I have a VM on the local "LAN".
                                The host needs to have a 10.0.0.x address with 1 usable IP.
                                So, going off of how to subnet,
                                I would need 10.0.0.52/30
                                Network Address: 10.0.0.52
                                Usable Host Range: 10.0.0.53 - 10.0.0.54
                                Broadcast Address: 10.0.0.55
                                Netmask: 255.255.255.252

                                From what everyone is saying, I would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

                                I understand this part; now what steps do I need to take to make this work in my lab?

                                  Derelict LAYER 8 Netgate last edited by

                                  @Shiftenterprises:

                                  Okay, so I am trying to create a lab test before I put this into production.

                                  Here is what I have done so far.
                                  I have 1 pfSense router with 2 NICs (same setup as my production):
                                  1 WAN, 1 LAN.
                                  WAN has static address 10.0.0.49/24 (was the next IP I had open on my lab router).
                                  LAN has the default pfSense 192.168.1.1.

                                  I have disabled packet filtering.

                                  Why?

                                  Enabled "bypass firewall rules for traffic on the same interface".

                                  Why?

                                  ----------
                                  I have a VM on the local "LAN".
                                  The host needs to have a 10.0.0.x address with 1 usable IP.
                                  So, going off of how to subnet,
                                  I would need 10.0.0.52/30
                                  Network Address: 10.0.0.52
                                  Usable Host Range: 10.0.0.53 - 10.0.0.54
                                  Broadcast Address: 10.0.0.55
                                  Netmask: 255.255.255.252

                                  From what everyone is saying, I would need the 10.0.0.53 to be the interface IP and the .54 would be for the host.

                                  I understand this part; now what steps do I need to take to make this work in my lab?

                                  No.  The routed subnet needs to be OUTSIDE of the interface subnet.

                                  What part of "you will need to understand subnetting to do this job" is unclear?

                                    Shiftenterprises last edited by

                                    I don't want pfSense to do any firewall or SPI/DPI; it is only for routing the subnets and creating VLANs for privacy.

                                    What settings do I need to enable/disable for that to work?

                                      heper last edited by

                                      What settings do I need to enable/disable for that to work?

                                      Nothing.
                                      You need a /30 on your WAN,
                                      and you can then just add your routed subnet, spread out over your other VLANs, trunked on your LAN interface.

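What "nothing to disable" looks like at the packet-filter level: a hand-written pf.conf rendering of the rules Derelict gave earlier (pass WAN to the customer net, pass the customer net anywhere, no NAT for it, block WAN access to pfSense's own interface address). This is an added example, not the ruleset pfSense generates from its GUI rules, and the interface names vtnet0/vtnet1 and the management port list are assumptions.

```pf
# Added example: pf.conf equivalent of the "route only, no NAT" rules from the
# thread. pfSense builds its own ruleset from the GUI; this is for reading, and
# for pfctl -nf to parse-check. Interface names are assumed.
wan        = "vtnet0"                # on the transit /30 from the data center
opt1       = "vtnet1"                # customer interface
wan_self   = "10.10.10.2"
opt1_self  = "100.100.100.1"         # pfSense's address in the slice = customer gateway
opt1_net   = "100.100.100.0/29"      # routed slice handed to the customer
mgmt_ports = "{ 22, 80, 443 }"       # ssh and webconfigurator (assumed)

set skip on lo0

# There is deliberately no "nat on $wan ... from $opt1_net" line: the customer's
# public addresses leave with their own source addresses (pfSense: Outbound NAT
# in Hybrid or Manual mode with no rule matching $opt1_net).

# Default deny, then explicit quick rules. State is checked before rules, so
# replies to pfSense's own outbound traffic are never affected by the block below.
block log all

# Management plane: the WAN side gets no access to pfSense's own addresses on
# the management ports. Customers inside the /29 can still reach their gateway.
block in quick on $wan inet proto tcp from any to { $wan_self, $opt1_self } port $mgmt_ports

# Anti-spoofing: nothing from the Internet may claim to be the customer block.
block in quick on $wan inet from $opt1_net to any

# Data plane: everything to and from the customer slice is forwarded statefully.
# With the default deny above, a customer host using a source address outside
# its own /29 does not match this pass rule and is dropped.
pass in quick on $wan  inet from any       to $opt1_net keep state
pass in quick on $opt1 inet from $opt1_net to any       keep state
pass out quick inet keep state
```

`pfctl -nf <file>` parses the file without loading it; on a running pfSense box `pfctl -sr` shows the rules actually in force. Note the difference from the lab approach of disabling packet filtering: with pf turned off there is no ruleset at all, so the management block goes away too. Derelict's design keeps pf loaded and simply passes everything that belongs to the customer block.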
                                        Shiftenterprises last edited by

                                        Okay. I understand.

                                        I just wish I could get this to work in the lab before I just pull my uplink and start doing this 100% (not that I think you are wrong).

                                        Do you know of a way to do this in a lab?

                                        I have a lab router on a 100/20 connection; DHCP is enabled, the router IP is 10.0.0.1, and 2-254 is DHCP.

                                          Derelict LAYER 8 Netgate last edited by

                                          Yes.  Assign a /30 to the WAN, route a /24 to it, and dole out smaller subnets from a /24 on your various LAN interfaces/VLANs/whatever.

                                          © 2021 Rubicon Communications, LLC | Privacy Policy