Use multiple WAN IP addresses on a single VLAN



  • Our ISP has given us a /25 range of IP addresses on our lease line.

    We want to be able to create several VLANs and directly assign any number of these WAN IP addresses to each VLAN.

    For example -

    VLAN5 needs 5 external IP addresses
    VLAN2 needs 2 IP addresses

    Each VLAN has a router connected to it, into which we will enter the WAN IP addresses (in the router's WAN settings) rather than the VLAN's local IP address.

    Is this possible in pfsense and how?

    Thanks


  • Netgate

    Have them assign a /29 or /30 to your interface and route the /25 to that. Then you can subnet the /25 however you want from /25 to /31.

    (Just tell them you're going to run HA/VRRP and that'll instantly justify the /29 on WAN.)



  • Is there no way of splitting up our existing range of 128 IP addresses between the VLANs?


  • Netgate

    Not that I know of.  IP doesn't work that way.

    If it's worth doing it's worth doing right.  Call them and have them route it to you instead.


  • Banned

    @dynamicuser:

    Is there no way of splitting up our existing range of 128 IP addresses between the VLANs?

    You'd need to bridge those VLANs to WAN. Since the hosts on the bridged VLANs would need to use the same default gateway as WAN, they won't be able to talk to each other. Really, get a /30 assigned and the /25 routed to you.



  • @dynamicuser:

    Each VLAN has a router connected to it, into which we will enter the WAN IP addresses (in the router's WAN settings) rather than the VLAN's local IP address.

    I don't understand this part. Why would you have a router with a public IP behind your firewall? Why would you have a non-transparent firewall in front of these routers? I would just assign a private range to each VLAN and allocate public VIPs as needed.



  • Ideally the pfSense box will not be doing any firewalling. The only need for the pfSense is to configure the VLANs and limit the bandwidth per VLAN.

    The private IP addresses would be fine, as long as we can assign more than 1 VIP to each VLAN, allowing the users of each VLAN to assign the VIP to a device?

    Hope this makes sense.



  • You could assign multiple public IPs per VLAN and use 1:1 NAT mappings.


  • Netgate

    It's a shame to NAT instead of just getting a routed subnet and doing it right.



  • So if I went down the routed subnet route, how would the pfSense box be set up?

    I have only done NAT configurations before, never direct to the internet.

    Would the ISP give me a /30 for the WAN, then as many different routed subnets as I need, or a larger routed subnet that I then divide up?

    Thanks


  • Netgate

    Your ISP interface: 4.5.6.2/30
    pfSense default gateway: 4.5.6.1 (The ISP)

    Routed subnet: 5.6.7.128/25

    Reserved for pfSense VIPs 5.6.7.128/27 (5.6.7.128 - 5.6.7.159)

    OPT1 Interface: 5.6.7.161/27 (OPT1 Hosts 5.6.7.162 - 5.6.7.174)
    OPT2 Interface: 5.6.7.176/31 (OPT2 Host 5.6.7.177) (Not everything supports /31 yet.  pfSense does.)
    OPT3 Interface: 5.6.7.178/31 (OPT3 Host 5.6.7.179)
    OPT4 Interface: 5.6.7.181/30 (OPT4 Host 5.6.7.182)
    OPT5 Interface: 5.6.7.185/29 (OPT5 Hosts 5.6.7.186 - 5.6.7.190)
    OPT6 Interface: 5.6.7.193/26 (OPT6 hosts 5.6.7.194 - 5.6.7.254)

    From that I figure you get the idea. When it's routed you can break it up however you want.



  • Ok, so I have now got a routed subnet (below is what the ISP has sent - real IPs abbreviated) -

    MYCISCO.CISCO#show ip route 71.189.145.50
    Routing entry for 71.189.145.50/29
      Known via "static", distance 1, metric 0
      Redistributing via bgp 63689
      Advertised by bgp 63689
      Routing Descriptor Blocks:
      * 71.189.144.140
          Route metric is 0, traffic share count is 1

    I still have the /29 subnet on my WAN as well, which is the 71.189.144.140 block.

    I have set OPT1 as static IP 71.189.145.51/29. When I connect a laptop up to the VLAN and give it IP 71.189.145.53, 255.255.255.248 and gateway 71.189.145.51 I get no internet connection.

    Any ideas?


  • Netgate

    Dude.  Do some basic troubleshooting.  Can you ping the next hop?  The hop after that? Can you resolve names?

    If you're going to run this network you're going to have to know more than "I get no internet."  You're certainly going to have to communicate more details than "I get no internet."

    That said, have you added firewall rules to your OPT1 and turned off NAT?



  • Using the entire pfSense as a traffic shaper and then, behind the pfSense, using routers doing NAT indicates
    to us that you are acting as an ISP yourselves, could this be?

    • You could or should really be using the pfSense as a so-called transparent firewall, without
      any problems, but then please, instead of bridging ports, use so-called LAN ports with a bypass
      function; then it will be done in hardware and not so unstable, but with the same effect.

    • Setting up VLANs within only one company would work, but between many different
      companies please keep an eye on the inter-VLAN or so-called VLAN hopping problem!

    Perhaps a greater or bigger router with many, many ports would be a solution for you?
    Something at the level of a LANNER FW-889x device with many ports and/or the capability
    to also insert HDD/SSD drives and set up Windows Hyper-V with a pfSense
    inside a VM would be better and sufficient, like setting up VLANs to the customers'
    routers or firewalls.


  • Netgate

    And if this is just open, public "WAN" space that will never be firewalled from each other, there's always a layer 3 switch.

    But pfSense will work, too.



  • Short story is we want to change our current WISP setup. We currently use Virtual IPs, but we want to be able to provide a subnet/range of WAN IP addresses to each VLAN. This means splitting down our routed /29 IP address allocation across our VLANs. We don't want to have any control over port forwarding, just simply limit each VLAN's bandwidth allocation.

    EG: (not accurate ranges I know…)

    VLAN 1 - 52.232.45.8/26
    VLAN 2 - 52.232.45.56/30

    I am going to be doing some testing tomorrow evening. I will post an update then.


  • Netgate

    Well you're not going to be able to split a /29 into a /26 regardless.

    Be specific.

    What is your WAN subnet, your interface address, and your default gateway?

    What exact routes are in your router?

    What exact routes are being routed to you and what address(es) are they routed to?

    What exact address and subnet did you put on OPT1?

    If you don't want to post your exact addresses, make something else up but keep it consistent and don't change the last octet or the netmasks.  Posting things like "not accurate ranges, I know" doesn't help anyone help you and will just confuse matters.



  • Ok here goes…

    Our ISP has provided us with an interface address of 61.179.145.40/29

    Our gateway address is 61.179.145.41

    We have given our pfSense box an IP of 61.179.145.42

    We have a routed subnet of 61.179.144.128/25. This has 128 addresses. They have routed this to our pfSense gateway address.

    We require setting up the following -

    OPT1 - Address of 61.179.144.129/29
    OPT2 - Address of 61.179.144.137/29
    OPT3 - Address of 61.179.144.145/30

    This list will go on, with each interface having a different IP count.


  • Netgate

    @dynamicuser:

    Ok here goes…

    Our ISP has provided us with an interface address of 61.179.145.40/29

    Our gateway address is 61.179.145.41

    We have given our pfSense box an IP of 61.179.145.42

    We have a routed subnet of 61.179.144.128/25. This has 128 addresses. They have routed this to our pfSense gateway address.

    We require setting up the following -

    OPT1 - Address of 61.179.144.128/29
    OPT2 - Address of 61.179.144.136/29
    OPT3 - Address of 61.179.144.144/30

    This list will go on, with each interface having a different IP count.

    OPT1 - Address of 61.179.144.129/29
    OPT2 - Address of 61.179.144.137/29
    OPT3 - Address of 61.179.144.145/30

    Basic IP subnetting:
    First address is the network address - unusable
    Then a number of host addresses - usable
    The last address is the broadcast address - unusable.
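
    As an added example (not from the thread or from pfSense itself), here is a small Python check, using only the standard ipaddress module, for a plan like the one above: every OPT subnet must sit inside the routed /25, no two may overlap, and the interface address must not be the network or broadcast address, with /31 handled as the special case mentioned earlier in the thread. The addresses are the constructed ones from this thread; the function names are my own.

```python
import ipaddress

# Constructed values from the thread: the ISP routes 61.179.144.128/25
# to the pfSense WAN address, and each OPT interface gets a slice of it.
ROUTED_BLOCK = ipaddress.ip_network("61.179.144.128/25")

# (interface name, address/prefix typed into the OPT interface)
PLAN = [
    ("OPT1", "61.179.144.129/29"),
    ("OPT2", "61.179.144.137/29"),
    ("OPT3", "61.179.144.145/30"),
]


def check_interface(addr_str, routed=ROUTED_BLOCK):
    """Return a list of problems with one interface address; empty if OK."""
    iface = ipaddress.ip_interface(addr_str)
    net = iface.network
    problems = []
    # A subnet that is not inside the routed block (e.g. a /26 carved from
    # a /29, or the WAN /29 itself) cannot be routed here.
    if not net.subnet_of(routed):
        problems.append(f"{net} is not inside routed block {routed}")
    # /31 point-to-point (RFC 3021) has no network/broadcast address;
    # for anything longer, first and last address are unusable.
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            problems.append(f"{iface.ip} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            problems.append(f"{iface.ip} is the broadcast address of {net}")
    return problems


def check_plan(plan, routed=ROUTED_BLOCK):
    """Validate every interface and flag subnets that overlap each other."""
    report, seen = {}, []
    for name, addr_str in plan:
        problems = check_interface(addr_str, routed)
        net = ipaddress.ip_interface(addr_str).network
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other_name} {other}")
        seen.append((name, net))
        report[name] = problems
    return report


def usable_hosts(addr_str):
    """Addresses left for hosts behind the interface (interface excluded)."""
    net = ipaddress.ip_interface(addr_str).network
    return net.num_addresses - 1 if net.prefixlen >= 31 else net.num_addresses - 3
```

Running check_plan over the plan with the network addresses (.128, .136, .144) instead of .129, .137, .145 reports exactly the mistake corrected above.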



  • Of course, edited to reflect this.

    So if I create the interfaces with the IP's and subnets stated above, disable NAT and set up firewall rules it should work OK?

    Thanks


  • Netgate

    Should be fine.