Block of static IPs with pfSense?

I’ve got my pfSense router logged in via PPPoE to Centurylink and I have internet access. But only using the modem’s old address 70.56.42.246 from the block of static IPs. When I try to assign the other public addresses to the LAN or OPT1 connection it complains it’s conflicting. Here are some of the errors I’m getting as I’ve tried different IPs from the block. Any ideas?

  • IPv4 address 70.56.42.241/29 is being used by or overlaps with: WAN (70.56.42.246/32)

  • IPv4 address 70.56.42.245/29 is being used by or overlaps with: WAN (70.56.42.246/32)

  • IPv4 address 70.56.42.247/29 is being used by or overlaps with: WAN (70.56.42.246/32)

  • This IPv4 address is the broadcast address and cannot be used

  • IPv4 address 70.56.42.240/29 is being used by or overlaps with: WAN (70.56.42.246/32)

  • This IPv4 address is the network address and cannot be used

Grabbing a subnet calculator at random - http://jodies.de/ipcalc?host=70.56.42.241&mask1=29&mask2=

Shows the following:
Network: 70.56.42.240/29
Broadcast: 70.56.42.247
HostMin: 70.56.42.241
HostMax: 70.56.42.246
Hosts/Net: 6

So yes, it does indeed overlap with your WAN address of 70.56.42.246. You’ll need to revise the masks that you are using for your other hosts.

EDIT:
Typically a router is a demarcation between two networks. It would seem to me that you’d want to use private address space on the network side of your pfSense box and then forward your public addresses to only those individual servers which are publicly facing.

Thank you. That helped. It took 70.56.42.241/30. I’d lose a couple of IPs but I don’t need them all. Do I need to bridge WAN to OPT1?

Depends on what you’re trying to accomplish, really. Some folks would rather route between the two, in order to have finer control over the traffic. But if this is a simple home network, you may not deem that to be necessary.

My goal is to recreate all of the Centurylink modem’s functions within the pfSense. Specifically this Public Static Subnet feature.


I presume that a “Public Static Subnet” is nothing more than a DMZ. This duty can be assigned to any interface in your pfSense box that you choose. You certainly wouldn’t want to bridge anything to this subnet, but rather establish strict routing and firewall rules ensuring that any public traffic reaching this subnet could not break out into your private subnets/VLANs.

So for example, if your WAN address is 70.56.42.246, you’d need at least two more interfaces/networks. Perhaps one interface could be 192.168.1.0/24 for your private LAN and another could be 172.16.1.0/24 for your DMZ. Put your public facing servers on the DMZ and then use port forwarding to forward any traffic coming in on your public IP addresses to the correct server/VM.

I’d suggest that you have a look at some vids from both Mark Furneaux and Lawrence Systems. Here are a couple to get you started, but both of these sources have produced many good pfSense vids. The first one covers setting up multiple subnets, while the second hits on firewall rules and port forwarding.



Zentyal server wants the real public IP addresses for DNS hosting. I’m not sure what the modem is doing, if those public IPs are really just in the DMZ. But when I plug a computer directly into the modem with that public static subnet enabled it does pull 70.56.42.241.

Thanks for your advice! I’ve run out of time for this weekend. Will try again next weekend.

2 things to start:

  • On a /29 subnet, you can’t use the first or last IPs in a block as they are the network and broadcast addresses for the subnet.
  • A subnet mask of, say, /29 indicates that the entire subnet is on that interface (or rather, the network segment that interface is plugged into). So what you need to do is add a secondary IP address on that interface (or a sub-interface - not sure how pfSense will handle that exactly) on that same /29 subnet and then perhaps NAT that back to your LAN. Or alternatively plug your WAN interface into a switch and put the other devices in that network segment (outside the firewall). But you probably don’t want to do that, so you need to do NAT from the public IP into another interface on your firewall.

E.g., set up a DMZ VLAN on your LAN (or just use a LAN IP address) and set up 1:1 NAT between one of the public IPs you add as a secondary to your WAN interface and the inside network IP address.

I wouldn’t go bridging networks unless you know what you’re doing.
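The following script is an added example, not part of the original thread or of pfSense. It reproduces the two checks pfSense applied in the first post (subnet overlap with an existing interface, and network/broadcast address rejection) using Python's standard `ipaddress` module, and then lists which hosts of the /29 are still free to be added as WAN virtual IPs for the 1:1 NAT approach described in the post above. The WAN address and static block are taken from the thread; the error wording is copied from the GUI messages quoted at the top, and the interface names are assumed.

```python
import ipaddress

# Values from the thread: the modem's old address is on WAN as a /32,
# and the ISP's static block is the /29 the subnet calculator reported.
WAN_ADDRESS = ipaddress.ip_interface("70.56.42.246/32")
STATIC_BLOCK = ipaddress.ip_network("70.56.42.240/29")


def check_interface_address(candidate, existing):
    """Return the reasons pfSense would reject assigning `candidate`
    ("a.b.c.d/n") to another interface, given a dict of existing
    interface name -> ip_interface. An empty list means it is accepted.
    Wording mirrors the GUI errors quoted in the first post."""
    cand = ipaddress.ip_interface(candidate)
    net = cand.network
    errors = []
    # Any existing interface whose subnet shares addresses with the
    # candidate's subnet is a conflict, even if only the one /32 overlaps.
    for name, iface in existing.items():
        if net.overlaps(iface.network):
            errors.append(
                f"IPv4 address {cand} is being used by or overlaps with: "
                f"{name} ({iface})"
            )
    # Subnets shorter than /31 reserve their first and last addresses.
    if net.prefixlen < 31:
        if cand.ip == net.network_address:
            errors.append("This IPv4 address is the network address and cannot be used")
        if cand.ip == net.broadcast_address:
            errors.append("This IPv4 address is the broadcast address and cannot be used")
    return errors


def spare_public_addresses(block, existing):
    """Host addresses of `block` not yet assigned to any interface.
    These are the candidates for WAN virtual IPs backing 1:1 NAT."""
    taken = {iface.ip for iface in existing.values()}
    return [str(host) for host in block.hosts() if host not in taken]


if __name__ == "__main__":
    interfaces = {"WAN": WAN_ADDRESS}
    # The addresses tried in the first post, plus the /30 that was accepted.
    for attempt in ("70.56.42.241/29", "70.56.42.247/29",
                    "70.56.42.240/29", "70.56.42.241/30"):
        problems = check_interface_address(attempt, interfaces)
        print(attempt, "->", "OK" if not problems else "; ".join(problems))
    print("Free for WAN virtual IPs:", spare_public_addresses(STATIC_BLOCK, interfaces))
```

Note that 70.56.42.241/30 passes only because its subnet (240 to 243) no longer contains the WAN address; it still wastes .244 and .245 and does not make the other public addresses reachable. Adding the spare hosts as virtual IPs on WAN and mapping each one with 1:1 NAT to a DMZ host keeps the whole /29 usable without bridging.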

I definitely don’t know what I’m doing. I’ve been button mashing for 40 years and nobody noticed.

Cool! Thanks for the advice. Will try next weekend.