Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-19 Thread Jon Gerdes
On Fri, 2014-06-13 at 18:13 +0100, Brian Candler wrote:
> On 12/06/2014 23:06, Jon Gerdes wrote:
> > My new ISP only provides a /29 from which WAN always gets the first one
> > via PPPoE.
> >
> > I put the second address from the /29 onto an interface and the
> > remaining four onto my externally facing systems.
> You should be able to use the same IP address for both WAN and LAN
> (Cisco calls this 'unnumbered': your PPP interface is using the IP
> address from another interface)
>
> 192.0.2.1 = WAN interface of firewall
>
> 192.0.2.1/29 = LAN interface of firewall
> 192.0.2.2..6 = other devices
>
> This saves the provider burning a /32 for the WAN (or even a /30
> point-to-point subnet, old skool)
>
> Regards,
>
> Brian.

Brian

Thanks for giving me the technical term. After some Googling, several
systems support unnumbered interfaces, but it seems not pfSense out of
the box, unless I am missing something.

I can't see a way of getting WAN to come up without an address, and
setting LAN as in your example does not work - you get the quite
reasonable error 'address in use'.

I am pretty happy with losing one address to get this working but I
might submit a feature request for this unless someone can point me to
how to do it.  Even OpenWRT can do this:
http://patchwork.openwrt.org/patch/4181/ (good description, links and
code there)

Cheers
Jon
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-13 Thread Jeff Schmidt

On Thu, 2014-06-12 at 22:06 +, Jon Gerdes wrote:
snip
> PS My real motivation for this is to avoid having to go back to split
> horizon DNS again which would mean resurrecting BIND and a complicated
> views setup - the horror!
>
>
> Blueloop Ltd
>
> Jon Gerdes | Senior Consultant
>
> Blueloop House
> Ilchester Road
> Yeovil
> Somerset BA21 3AA
>
> Tel: 01460271055
> Web: www.blueloop.net

Jon,

perhaps this is a bit OT, but doing split horizon with tinydns is a
breeze compared w/ BIND (indeed, the horror).

Jeff



Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-13 Thread Brian Candler

On 12/06/2014 23:06, Jon Gerdes wrote:
> My new ISP only provides a /29 from which WAN always gets the first one
> via PPPoE.
>
> I put the second address from the /29 onto an interface and the
> remaining four onto my externally facing systems.

You should be able to use the same IP address for both WAN and LAN
(Cisco calls this 'unnumbered': your PPP interface is using the IP
address from another interface)


192.0.2.1 = WAN interface of firewall

192.0.2.1/29 = LAN interface of firewall
192.0.2.2..6 = other devices

This saves the provider burning a /32 for the WAN (or even a /30 
point-to-point subnet, old skool)


Regards,

Brian.



[pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
I have recently decided to change ISP.  The old one provides a /32 for
WAN via PPPoE and a routed /29 block of 8 (6 usable) from which I put
the first one on an interface and the remaining 5 on systems so they get
an externally routeable IP but with pfSense protection.  This is pretty
much how IPv4 was supposed to be before NAT was invented.

My new ISP only provides a /29 from which WAN always gets the first one
via PPPoE.

I put the second address from the /29 onto an interface and the
remaining four onto my externally facing systems.

I moved a web server over to the new scheme and it works fine,
internally, externally and over an IPSEC VPN so it all looks good.

As far as I can tell, the only downside is I lose another address to act
as the gateway.

Can anyone spot any flaws with this method or is it a general practice?

Cheers
Jon

PS My real motivation for this is to avoid having to go back to split
horizon DNS again which would mean resurrecting BIND and a complicated
views setup - the horror!


Blueloop Ltd

Jon Gerdes | Senior Consultant

Blueloop House
Ilchester Road
Yeovil
Somerset BA21 3AA

Tel: 01460271055
Web: www.blueloop.net



Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA 
Registered England & Wales - 3981322

CONFIDENTIAL INFORMATION
This e-mail and any files attached with it are confidential and for the sole 
use of the intended recipient(s). If you are not the intended recipient(s) you 
are prohibited from using, copying or distributing this or any information 
contained in it and should immediately notify the sender and delete the message 
from your system.

Internet communications are not secure and Blueloop Limited is not responsible 
for unauthorised use by third parties nor for alteration or corruption in 
transmission. Furthermore, while Blueloop Limited have taken reasonable 
precautions to minimise the risk of software viruses, it cannot accept 
liability for any damage which you may suffer as a result of such viruses, and 
we therefore recommend you carry out your own virus checks on receipt of any 
e-mail.


Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Chris Bagnall

On 12/6/14 11:06 pm, Jon Gerdes wrote:
> As far as I can tell, the only downside is I lose another address to act
> as the gateway.
> Can anyone spot any flaws with this method or is it a general practice?

Certainly assigning the first IP in a /29 to the PPPoE client is fairly
standard practice in the UK (which I see you are). My $dayjob is an ISP
and assigning the first IP to the PPPo{A|E} client is our normal config
for anything from a /30 down to a /27.

> I put the second address from the /29 onto an interface and the
> remaining four onto my externally facing systems.

I believe (though haven't tried it in anger with the post-2.0 pfSense
versions - I recall doing it years ago with a 1.2.x version) you can use
an OPT interface for your WAN (instead of the default WAN interface),
then bridge LAN and OPT1, thus only 'losing' one of your IPs to the
firewall rather than two.

> PS My real motivation for this is to avoid having to go back to split
> horizon DNS again which would mean resurrecting BIND and a complicated
> views setup - the horror!

As an aside, the inbuilt DNS forwarder works quite well for this
scenario - leave your BIND configuration pointing to the public IPs, but
use pfSense's dnsmasq to 'override' those lookups from the local
network, replacing with their RFC1918 IPs as required.


(it's nice to be able to use a true /29 range if you can, but with RIPE 
IPv4 allocations as tight as they are these days, hang onto yours for 
dear life :-) )


Kind regards,

Chris
--
This email is made from 100% recycled electrons
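The three layouts discussed in this thread (Jon's separate gateway address, Brian's unnumbered LAN, Chris's bridged LAN) compared side by side, as an added example that is not code from any of the posters or from pfSense: `lay_out` and `validate` are hypothetical helpers, the block is TEST-NET-1 as in Brian's message, and the 'address in use' check models what Jon reports pfSense does when one address is put on two interfaces.

```python
from ipaddress import IPv4Interface, IPv4Network

# Constructed example block (TEST-NET-1, as in Brian's message); not anyone's real allocation.
BLOCK = IPv4Network("192.0.2.0/29")


def lay_out(block, scheme):
    """Return (firewall interfaces, server addresses) for one layout from the thread.
    The ISP always hands the first usable address of the block to the PPPoE client."""
    usable = list(block.hosts())            # network and broadcast excluded: 6 in a /29
    wan = IPv4Interface(f"{usable[0]}/32")   # PPPoE endpoint on the ppp interface
    inside = f"/{block.prefixlen}"
    if scheme == "gateway":      # Jon's layout: second address burnt on an inside interface
        return {"wan": wan, "lan": IPv4Interface(f"{usable[1]}{inside}")}, usable[2:]
    if scheme == "unnumbered":   # Brian's suggestion: LAN reuses the WAN address
        return {"wan": wan, "lan": IPv4Interface(f"{usable[0]}{inside}")}, usable[1:]
    if scheme == "bridge":       # Chris's suggestion: LAN bridged to OPT1, no inside address
        return {"wan": wan}, usable[1:]
    raise ValueError(f"unknown scheme {scheme!r}")


def validate(block, ifaces, hosts, allow_unnumbered=False):
    """Checks to run before cutting over. Returns a list of problems (empty when clean).
    Without allow_unnumbered this reproduces the 'address in use' rejection Jon reports:
    one address on two firewall interfaces is refused."""
    problems = []
    fw_addrs = [i.ip for i in ifaces.values()]
    for a in fw_addrs + list(hosts):
        if a not in block:
            problems.append(f"{a} is outside {block}")
        elif a in (block.network_address, block.broadcast_address):
            problems.append(f"{a} is the network or broadcast address")
    if len(set(fw_addrs)) < len(fw_addrs) and not allow_unnumbered:
        problems.append("address in use: same address on two firewall interfaces")
    clash = set(fw_addrs) & set(hosts)
    if clash:
        problems.append("host address also on the firewall: " + ", ".join(map(str, sorted(clash))))
    if len(set(hosts)) < len(hosts):
        problems.append("duplicate server address")
    return problems


if __name__ == "__main__":
    for scheme in ("gateway", "unnumbered", "bridge"):
        ifaces, hosts = lay_out(BLOCK, scheme)
        print(f"{scheme:10} servers={len(hosts)} problems={validate(BLOCK, ifaces, hosts)}")
```

Running it shows the cost of each layout: the separate-gateway plan leaves four server addresses, the other two leave five, and the unnumbered plan only validates when the platform is allowed to share an address between interfaces.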


Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Jon Gerdes
On Thu, 2014-06-12 at 23:23 +0100, Chris Bagnall wrote:
> On 12/6/14 11:06 pm, Jon Gerdes wrote:
> > As far as I can tell, the only downside is I lose another address to act
> > as the gateway.
> > Can anyone spot any flaws with this method or is it a general practice?
>
> Certainly assigning the first IP in a /29 to the PPPoE client is fairly
> standard practice in the UK (which I see you are). My $dayjob is an ISP
> and assigning the first IP to the PPPo{A|E} client is our normal config
> for anything from a /30 down to a /27.

Being on the receiving end of many ISPs that does seem to be standard
practice apart from AAISP and TalkTalk Business (except when the wind
changes direction and EFM is involved!)

> > I put the second address from the /29 onto an interface and the
> > remaining four onto my externally facing systems.
>
> I believe (though haven't tried it in anger with the post-2.0 pfSense
> versions - I recall doing it years ago with a 1.2.x version) you can use
> an OPT interface for your WAN (instead of the default WAN interface),
> then bridge LAN and OPT1, thus only 'losing' one of your IPs to the
> firewall rather than two.

I like the sound of that - I now recall reading about that technique
ages ago but had forgotten about it.  I can still play before committing
to the final config.

> (it's nice to be able to use a true /29 range if you can, but with RIPE
> IPv4 allocations as tight as they are these days, hang onto yours for
> dear life :-) )

Many ISPs are still doling them out like sweeties for a few quid one-off
fee.  It's not sustainable.

Thanks for the quick response.

Cheers
Jon

