[solved] How to route a /29 subnet to a user on LAN?

Tillebeck · Feb 7, 2016, 8:35 PM

I have a pfsense with one WAN and one LAN.

A user on LAN would like his own /29 subnet of public global IP addresses and not a normal LAN IP address with 1:1 NAT

I have an extra /29 routed to the WAN IP. How can I route this to a user on LAN?

I have an ekstra interface he can have if that would help.

David_W · Feb 8, 2016, 10:21 AM

I have an extra /29 routed to the WAN IP. How can I route this to a user on LAN?

I have an ekstra interface he can have if that would help.

Configure the extra interface to a static IPv4 address in that /29 subnet, which will become the gateway address for devices on that /29. Don't forget that the highest address in the /29 is the broadcast address, which is unusable for normal purposes, and the lowest address in the /29 is the network address which really should not be used (though can often be used with care).

You then need to add an "Other" Virtual IP on the WAN address for the /29 network.

Finally, you need to configure appropriate firewall rules.

This is one way to do it - there may well be others.

johnpoz · Feb 8, 2016, 4:35 PM

if the /29 is routed to his wan IP, then he has no need to create any extra vip on his wan for that /29

But yes bring up a vlan on pfsense - put your /29 on that vlan and then on the ports on your switch that user will be using put that vlan..

That you have an actual routed /29 makes it easy..

sorskov · Feb 10, 2016, 6:35 PM

@David_W:

@Tillebeck:

I have an extra /29 routed to the WAN IP. How can I route this to a user on LAN?

I have an ekstra interface he can have if that would help.

Configure the extra interface to a static IPv4 address in that /29 subnet, which will become the gateway address for devices on that /29. Don't forget that the highest address in the /29 is the broadcast address, which is unusable for normal purposes, and the lowest address in the /29 is the network address which really should not be used (though can often be used with care).

You then need to add an "Other" Virtual IP on the WAN address for the /29 network.

Finally, you need to configure appropriate firewall rules.

This is one way to do it - there may well be others.

Hi.

Why is it needed to set an "Other" Virtual IP on the WAN address for the /29 network?

Also, shouldn't NAT Outbound be set to Manuel, and also remove the auto generated rules for the extra interface? Or all IP's in the /29 be shown as the Gateway IP set on the extra interface?

johnpoz · Feb 10, 2016, 8:26 PM

there is no reason to add a vip of the /29 is routed too you… Not sure what he is talking about.. But if the /29 is routed to you just add the network on the lan side of pfsense and your ready to go.

Tillebeck · Feb 11, 2016, 10:24 PM

Thanks. It works perfect.
I tried without adding a VIP and as Johnpoz writes, it works fine without VIP.