Static WAN to LAN pfsense

It seems you don’t understand routing.

I understand you get an IP in the range of 103.22.30.x/y via DHCP from AT&T. AT&T will have their side configured with a route of “34.33.48.20/29 -> 103.22.30.x”. This will be on whichever device has your default gateway IP. Likewise, the rest of the internet will know that to reach 34.33.48.20/29 they will route to AT&T, and then to this router which is your default gateway.

By definition and decades of expectations which you cannot do anything about, the default gateway must be an IP in the same subnet (when a device is going to send out a packet, it uses the subnet mask to compare its IP to the destination IP - if they match, the IP is local and can be sent directly, if not then it sends the packet to the default gateway). In the case of your 103.22.30.x it is probably 103.22.30.1, but that doesn’t matter much for this case. The servers and the lab router which are going to use the public IP addresses 34.33.48.22 - .24 need something inside that subnet to be their default gateway. Since 34.33.48.20 and 34.33.48.26 aren’t available, that means it either needs to be 34.33.48.21 or 34.33.48.25. It doesn’t matter which one is used as the default gateway for this subnet, you just have to program it properly into each device.

You need to bridge ix2 and ix3 because that’s the only way for more than one interface on the router to have the same subnet. The router will behave very erratically if it thinks the same subnet is available on more than one interface, if the interfaces each actually have a subset of the total hosts. Bridging them together is basically the same as using a separate switch to split a single port. If you think bridging decreases security in some way, remember that these devices are going to have PUBLIC IP addresses, so they need to be properly secured anyway.

For the purposes of the EAP Proxy, you don’t have a “static IP address”. You are doing the proxy purely to get the initial IP address set up. Your static block is being routed to your DHCP IP after it is authenticated. And by the way, for general outbound internet traffic, using that DHCP IP is fine and probably a lot less of a hassle.

There is a concept of routing to IP addresses which are not in your subnet but are accessible via a known interface, called “/32 routing”. This is not applicable to your case, as it requires both ends to be configured similarly. I am completely certain that the AT&T side is not, and will not be, changed to this setup.

Thank you very much. If I’m not using the EAP Proxy and instead using this, I assume your instructions will work as well. And you just explained how my static IP block works; thank you very much, I was very confused.

Those instructions set up the same functionality of the EAP Proxy program, using the features of PFSense instead of an extra executable.


Problem is that on AT&T’s side they just route anything that goes to my static block to my “street IP” they give me via DHCP. But @brwainer explained it very well. Your ISP might do the same, and that’s why your setup didn’t work.


And how do I set 34.33.48.21 or 34.33.48.25 as my gateway for the static IPs? And would you mind if I quoted you in the readme for the pfatt GitHub page?

Your PFSense router needs to have one of those IP addresses (34.33.48.21 or 34.33.48.25) assigned to either the bridge of ix2 and ix3, or the interface to which you decide to connect a separate switch for the servers and lab router to plug into. Whichever IP you choose, that is what you should program into the servers and lab router as their default gateway IP.

I don’t see why any changes need to be made to the pfatt github readme. Nothing is different about your connection compared to what they are writing about. The fact that you have a static IP block being routed to your DHCP IP has no bearing on pfatt / EAP Proxy.

I was going to add instructions for adding static IPs into the readme on the pfatt GitHub, so people wouldn’t have the same issue I did.

Adding static IPs is no big deal… There is nothing unique or special about having a /29 block routed to you. I don’t agree that it needs to be part of the documentation about an AT&T specific procedure since it is industry standard and documented in any instructions on routing.

OK, I won’t then, thanks so much for your help. I’m just getting into networking and still learning.

I’m not sure if this is going to help, but here’s how I got my internal router working with Pfsense. On my Pfsense box I had one WAN with multiple external IP addresses and two LANs on different network segments. LAN2 was connected via a switch to a router, not another NAT device, a real router. So the way this works is that in both cases of the Pfsense box and the router box, they both only “know” about what network segments they are connected to. For instance, my LAN2 was a class C network segment with the address space of 10.10.20.0/24. LAN2 had the IP address of 10.10.20.1 and the router interface that was connected via switch had the IP address of 10.10.20.2. Now on the internal router I had other class C network segments set up on different interfaces such as 10.10.24.0/24. So the router knew about the internal 10.10.24.0/24 network but Pfsense did not. It only knew about the 10.10.20.0/24 network segment.

This is where “Gateways” come alive. So externally on the Pfsense box I had a default route (Gateway) set up so that any address that the Pfsense box received would be passed on to the Gateway device. Usually this looks like a destination IP equals 0.0.0.0/0 and then the Gateway IP address is associated with this catch-all address. On the Pfsense box this is just referred to as the “default” gateway. But you can add other gateways for internal networks. This is a two-step process: navigate to “System” / “Routing” / “Gateways” and add a new Gateway. Mine was configured like this: Name-Route01, Default-(nothing here), Interface-LAN2, Gateway-10.10.20.2 (the IP address of the internal router), Monitor IP-10.10.20.2. Then for step two you need to add a static route so that Pfsense knows where to send traffic to the other side of the internal router (10.10.24.0/24). Click on Static Routes and for this setup I have the following: Network-10.10.24.0/24, Gateway-Route01-10.10.20.2, Interface-LAN2, Description-I left this blank.

That’s it, now Pfsense knows about the internal network segment and can be used to set up destination NATs.

Oh, and one last thought. With this type of addressing scheme from AT&T, I would have two WAN interfaces set up, assuming that AT&T is providing you with a gateway for each network segment. I would set up Policy Based Routing with two separate IP tables so that you can have two separate “default” gateways for each of those WAN connections. Not sure if Pfsense can do this, but I know the EdgeRouter can. That is the only way to get two separate 0.0.0.0/0 default gateways set up. On the network segment that has multiple IP addresses, I would apply all of those IP addresses to that second WAN interface (static, not DHCP). I would then set up destination NATs for each of those external IP addresses to internal IP addresses of your choosing. Thus you can dedicate one specific external IP address and all of its TCP/UDP ports to a specific internal IP address, even behind the router, as long as Pfsense knows about that network segment. Here’s a video I did last year. I’m kind of boring, but maybe you might get something out of it…

Y-ASK

@Y-ASK I only have one WAN; it is the DHCP link from them that they route my static traffic to, as you can see from @brwainer’s posts.

OK, now I think I understand. I’ve never had to work with anything like this before, but I’m guessing that AT&T is providing you with a single IP address 103.22.30.X and then they expect you to provide a router to then route traffic to the public network segment 34.33.48.20/29 that you provide and control. So if this is correct, then why would you even want to NAT this between 103.22.30.X and 34.33.48.20/29? Just stand up a router with the WAN side assigned to 103.22.30.X and the other side (I wouldn’t call it the LAN side since it’s still publicly routable) would be assigned 34.33.48.21. Attach a switch to this 34.33.48.20/29 interface. Attach your servers to the switch and assign them .22-.24. Attach a Router/NAT device to the same switch with its WAN IP address 34.33.48.25 and its LAN side 10.0.15.1/22. For all the devices attached to the switch (except the main router) the gateway IP address would be 34.33.48.21. For the main router, the default Internet gateway would be the address of the AT&T router gateway. Maybe something like 103.22.30.1 or something like that, whatever they use. If the WAN IP address is assigned via DHCP and the AT&T router is expecting some sort of router-to-router protocol like OSPF, then you’ll need to enable that on your main router so that the AT&T router knows about your router’s WAN IP address and associated subnet. If you want to block traffic you would need to do it either at the individual devices like your Router/NAT box, or place a firewall in transparent mode between the WAN side and the AT&T router. Of course, if I’ve lost everyone at this point in time and I totally don’t understand how this is supposed to work, then please ignore what I wrote. I know, too late, right…

Y-ASK

or

Having a /29 or larger statically routed to an IP address, traditionally itself half of a /30, used to be the way static IP assignments were always done (OK, “always” meaning once CIDR was adopted). In this traditional method the customer is expected to provide a router to take the customer IP from the /30 (which AT&T has now replaced with an IP via DHCP) and to be the default gateway IP of whatever the static IP block is. The system where the ISP acts as the default gateway for your static block is much newer, and is done because now we can’t even afford the loss of having a /30 assigned to a customer. For example, with Verizon FiOS when you get a static IP block, they just give you however many IPs out of a /24, with the default gateway being x.x.x.1.

I find it hard, if not impossible, to give routing advice without first finding out what it is this particular ISP is doing. It would have done no good for me to tell you how my Verizon IP block works. Just like your setup and experience has almost no relation to @cashew’s.

So am I even close to understanding @cashew’s setup? I added another diagram to my last comment. Please keep in mind that I’m just trying to help; I do have some experience to offer if given enough information.

Thanks,
Y-ASK

Yes your first diagram is correct, except there is the additional wrinkle that @cashew wants the “NAT device” and the first router to be the same device. This is easy to do if NATing to the DHCP IP, harder to do with one of the IPs from the /29.

Still can’t get it to work. Could we go over step by step what I need to do so I can make sure I’m not missing anything? What should my NAT rules look like?

What my bridge looks like:

And here is my gateway:

You don’t create a gateway on your WAN router - your only gateway on that router should just be what you get from DHCP.

For the devices which will use the IPs 33.34.48.22 - .24, they will use .21 as their gateway.

Yeah, that’s what I created the gateway for. Do I need to also create NAT rules? I just really need step-by-step instructions. It gets really confusing, because all the instructions you gave are not consolidated into one post. If you wouldn’t mind, that is.

You only create a “Gateway” on PFSense if you want PFSense itself to use that to route something. That is not something you want to set manually since you’re going to get your default gateway for PFSense via DHCP. Where you need to define the gateway is for the devices which are going to use those public IPs; they need to know that for general traffic they should be using the router as their default gateway.

Step-by-step instructions are a lot to ask for someone providing free help at their leisure. I guess you could say I do mind. I know that the pieces of info are not consolidated, but figuring out networking on your own is how learning happens. But if you’re interested in hiring a consultant you can send me a private message, or get a quote from lawrencesystems.com (I do not work for Lawrence Systems, but this is their website we’re on).