    2 subnets on same wan

      stevehaley

      I have read other posts but not sure I fully understand.
      We have a multi wan multi LAN setup and need to add a third wan.
      This wan will be connected over a wireless link to a cable modem at a remote location.
      The modem is in pass-through mode so the pfSense WAN interface will get its IP, gateway and DNS from the ISP on the far side of the modem. However, we need to be able to access the modem, remote switch and the two wireless links for management purposes. The easy way would be multiple static IPs from the ISP but that is unavailable, and anyway the modem is hard coded to 192.168.100.1. Therefore I need to set up the WAN interface so that the 192.168.100.0/24 subnet is also routed down it and then assign IPs in this subnet to the other kit, i.e. switch, UPS, and two wireless links, so that it can be monitored and managed.

        chris4916

        And so what?

        I'm confused because I don't even understand if there is any problem, question or doubt :-[

        Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

          doktornotor

          @stevehaley:

          I have read other posts but not sure I fully understand.

          Our feelings are mutual…

            stevehaley

            Hmm, thought it was obvious. I was asking for help in exactly how to do this.
            Like I said, I have been through the forum and I am still unsure exactly how you go about enabling this functionality on the latest version of pfSense.
            Straight IP alias doesn't appear to work as I need to alias a whole subnet.
            Can someone who understands this please post a step-by-step guide?
            Thanks

              chris4916

              I'm not sure I understand better but I'll try some comments.

              If the modem provided by your ISP has a hard-coded IP address (192.168.100.1), then this is as simple as deciding that for this specific subnet between pfSense and the internet, the range will be 192.168.100.0/24.
              You can assign IPs either statically or using a DHCP server to any equipment connected on this subnet. I can't see where an alias must be used and for which purpose.

              Obviously, if all your internet accesses are from the same ISP providing the same modem with the same hard-coded IP, there is an issue because these modems can't connect directly to pfSense (one can't have 3 different gateways with the same IP).

              As discussed in another thread, solution here is to introduce another router in the middle that will provide NAT.

                stevehaley

                Sorry obviously not making myself clear enough.
                The scenario is as follows

                Internet<->modem<->switch<->wireless link A ~~~~~~~~ wireless link B<->pfsense wan c

                The switch also has a managed UPS and a remote reboot PDU attached.

                Unfortunately statics are not available at present from the ISPs so the pfSense wan c interface will be set up to use DHCP.

                Let's say the ISP is using 70.10.10.0/24 then pfSense wan c interface will get an IP in that range.
                Unfortunately we need to be able to access the management interfaces on the two wireless link boxes, the remote PDU, UPS and modem. As the ISP has hard coded the modem to use 192.168.100.1 it makes sense to assign addresses from the same subnet to each of the other devices, but then we need to set up pfSense so that it routes both the 70.10.10.0/24 and 192.168.1.0/24 subnets down the wan c interface.
                Reading the literature it looks like I can set up a virtual subnet on pfSense using Firewall->Aliases but what type should this be? I tried type other and can't seem to get the 192.168.1.0 subnet to route.
                Exactly what rules do I set up in the above situation?
                Yes, I could put a router immediately behind the router but our experience is that unless this is pfSense you get problems when the link gets stressed. Upwards of 400 devices can be communicating across the link and we actually disabled the router function on the ADSL routers on the other two WANs and now run them in PPPoE mode due to problems with the ADSL routers locking up when traffic got really busy. (https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall)
                However this is a cable modem (Virgin smarthub) and doesn't run PPPoE.

                  chris4916

                  @stevehaley:

                  Let's say the ISP is using 70.10.10.0/24 then pfSense wan c interface will get an IP in that range.

                  Obviously if for whatever reason you decide to run this "modem" in bridge mode instead of router, there is very little you can do.
                  Still, equipment in the middle will get an IP from the DHCP server, thus you should be able to access it (assuming you know the IP).
                  What is still unclear (although I do progress with the understanding) is how the modem could have an IP like 192.168.100.1 and relay an IP like 70.10.10.0/24 to pfSense behind it ???

                  Assuming this is really what happens, is there anything preventing you from creating an additional IP like 192.168.100.100 attached to the WAN c interface?

                    beege

                    @stevehaley:

                    The modem is in pass through mode so the pfsense wan interface will get its ip, gateway and dns from the ISP on the far side of the modem.

                    @stevehaley:

                    The scenario is as follows

                    Internet<->modem<->switch<->wireless link A ~~~~~~~~ wireless link B<->pfsense wan c

                    I agree with chris about what's handing out what here. These two statements above don't seem right. Can you give the same scenario only with IP addresses? Also include the LAN subnet on the pfSense box and both external and internal IPs on the wireless devices if they have them. They don't have to be real but at least the same subnets. I think you just need a route or two in place.

                    modem <---------> |        | --- (UPS)
                    (ext ip?|int ip?) | switch | --- (PDU)
                                      |        | ---------> wireless link A ~~~~~~~ wireless link B <-----> pfsense wan|lan
                                                            (ext ip?|int ip?)       (ext ip?|int ip?)       (ext ip?|int ip?)

                      stevehaley

                      Not sure how I can make it any clearer but let's eliminate some of the kit so we have and say that the external ISP IP supplied is 78.8.8.1. Internal management WAN for kit is 192.168.100.0/32

                      Modem -----------> Remote Wireless Transmitter -----> Local Wireless Receiver -----> pfSense WAN side (1 of 3 WANs) -----> pfSense LAN side (multiple LANs)
                      Int 192.168.100.1  192.168.100.10                     192.168.100.11                 192.168.100.100
                      Ext -------------------------------------------------------------------------------> 78.8.8.1

                      Note
                      We only have one external IP assigned and this is assigned to the pfSense as the rest is simply L2.
                      ISP-supplied modem has a hard-coded IP address of 192.168.100.1.
                      We need to be able to manage the modem and wireless boxes.
                      Yes, I could run an additional router but this is a very busy link and I really don't want to do that unless I have to.

                      Fairly sure I can do this by setting up the subnet 192.168.100.0/24 as a virtual IP range (ProxyARP?) on the WAN but not sure what rules I then have to set up.

                        chris4916

                        @stevehaley:

                        Not sure how I can make it any clearer but let's eliminate some of the kit so we have and say that the external ISP IP supplied is 78.8.8.1. Internal management WAN for kit is 192.168.100.0/32

                        Modem -----------> Remote Wireless Transmitter -----> Local Wireless Receiver -----> pfSense WAN side (1 of 3 WANs) -----> pfSense LAN side (multiple LANs)
                        Int 192.168.100.1  192.168.100.10                     192.168.100.11                 192.168.100.100
                        Ext -------------------------------------------------------------------------------> 78.8.8.1

                        Note
                        We only have one external IP assigned and this is assigned to the pfSense as the rest is simply L2.
                        ISP-supplied modem has a hard-coded IP address of 192.168.100.1.
                        We need to be able to manage the modem and wireless boxes.
                        Yes, I could run an additional router but this is a very busy link and I really don't want to do that unless I have to.

                        Fairly sure I can do this by setting up the subnet 192.168.100.0/24 as a virtual IP range (ProxyARP?) on the WAN but not sure what rules I then have to set up.

                        With such a strange design, what is totally unclear to me is how devices between the internet and pfSense are going to react, from a network viewpoint.

                        Yes it works if, but this is quite a big "if", such devices are able to be, simultaneously, gateway and router or end-point device.
                        Look at your "modem". Your main statement, constraint (I don't really understand this but let's say this is a true requirement) is:

                        • this device is transparent. It works in bridge mode so that pfSense inherits the public IP
                        • this device must be managed through a dedicated network.

                        And this is not even that simple because you add in the middle another layer with similar constraints: "I need a wireless link made of devices in bridge mode but with their own IP from another subnet".

                        I don't understand your doubts about rules either. Your external but still private network is clearly identified. What is preventing you from allowing access to this network at pfSense level?

                          stevehaley

                          I am really not sure why everyone is having such difficulty in understanding this. It must be possible as I have done similar things but for some reason can't replicate here.
                          If we reduce it to its simplest I am trying to do this
                          https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
                          But with a modem that is in bridge mode rather than PPPoE.

                            chris4916

                            This is clear enough but then I don't understand what prevents you from setting it up and seeing what happens and what is, potentially, not working for you.

                            To me, the only way would be to configure a virtual IP on the WAN side.

                              johnpoz LAYER 8 Global Moderator

                              "anyway the modem is hard coded to 192.168.100.1"

                              If we reduce it to its simplest I am trying to do this
                              https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
                              But with a modem that is in bridge mode rather than PPPoE.

                              Yeah that is a common modem IP..  I have no issues accessing that from behind pfsense.. And didn't have to do anything..

                              And pfsense has public on its wan…

                              modemaccess.png
                              pfsensewanpublic.png

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                                chris4916

                                Sure but there is an extra difficulty with this design because of wifi link in the middle which also requires management, if I understand well  ;)

                                  johnpoz LAYER 8 Global Moderator

                                  Modem -----------> Remote Wireless Transmitter -----> Local Wireless Receiver -----> pfSense WAN side (1 of 3 WANs) -----> pfSense LAN side (multiple LANs)
                                  Int 192.168.100.1  192.168.100.10                     192.168.100.11                 192.168.100.100

                                  I don't see how this would be an issue accessing 100.1 if pfsense is on the same network..  Nothing special should have to be done here.. From the above he posted pfsense has an IP in that network..

                                  But looks like they put in the wireless stuff as a bridge, normal 192.168.100.1 address is IP of cable modems and sure they will hand out IPs in the 100.x network when they don't have a wan connection..  What is this modem??  make and model??  Is it doing nat, is it actually a gateway, or is it a cable modem??

                                    stevehaley

                                    @chris4916:

                                    Sure but there is an extra difficulty with this design because of wifi link in the middle which also requires management, if I understand well  ;)

                                    No the real problem is that this is a multi wan/multi lan setup.

                                    If we simplify this and say that I want to create a new WAN (wan3) in addition to the two existing and just want to access a modem in bridge mode with an internal management IP address of 192.168.100.1 on wan3 then what I tried was
                                    1. Create a new WAN in DHCP mode - wan3
                                    2. Create a new Virtual IP type other on wan3 with address range 192.168.100.0/24
                                    3. Create a NAT outbound rule on wan3
                                    source=*
                                    destination=network/192.168.100.0/24
                                    translation=192.168.100.0()
                                    4. Add rule on management LAN to route 197.168.100.0 to firewall rather than wan1

                                    This would appear to be borne out by this post but it doesn't work for me.

                                    https://forum.pfsense.org/index.php?topic=26818.0

                                    1 Reply Last reply Reply Quote 0
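An added consistency check, not part of any post in this thread: it compares the addresses and ranges as they were typed in the posts above (device addresses, virtual IP range, NAT destination, rule destinations) against the management subnet 192.168.100.0/24 and reports the ones that do not match. The entry labels and the function names `classify` and `audit` are illustrative assumptions.

```python
import ipaddress

# Management subnet named in the thread.
MGMT_NET = ipaddress.ip_network("192.168.100.0/24")

# Addresses and ranges as typed in the posts above (labels are illustrative).
ENTRIES = {
    "modem": "192.168.100.1",
    "remote wireless": "192.168.100.10",
    "local wireless": "192.168.100.11",
    "pfSense WAN internal": "192.168.100.100",
    "virtual IP range": "192.168.100.0/24",
    "outbound NAT destination": "192.168.100.0/24",
    "subnet to route (earlier post)": "192.168.1.0/24",
    "management net (diagram post)": "192.168.100.0/32",
    "management LAN rule destination": "197.168.100.0",
}


def classify(value, net=MGMT_NET):
    """Compare one typed address or CIDR range against the management subnet."""
    try:
        # A bare address is treated as a single-host (/32) range.
        text = value if "/" in value else value + "/32"
        rng = ipaddress.ip_network(text, strict=True)
    except ValueError:
        return "invalid"
    if rng == net:
        return "ok: whole subnet"
    if not rng.overlaps(net):
        return "outside " + str(net)
    if rng.num_addresses > 1:
        return "partial overlap with " + str(net)
    host = rng.network_address
    if host in (net.network_address, net.broadcast_address):
        return "network or broadcast address of " + str(net)
    return "ok: host"


def audit(entries=ENTRIES, net=MGMT_NET):
    """Return only the entries that do not line up with the management subnet."""
    verdicts = {label: classify(value, net) for label, value in entries.items()}
    return {label: v for label, v in verdicts.items() if not v.startswith("ok")}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:35} {ENTRIES[label]:18} {verdict}")
```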