You are on page 1of 11


Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

Alain Spineux
May the sources be w ith you


Setup a pfSense 2.0 firewall when default gateway is on a different subnet

Submitted by aspineux on Fri, 08/26/2011 - 06:09

I have written a better article, using the firewall in transparent mode here .
This article has been updated for pfSense 2.0. The original article about pfSense 1.2.X has moved here.
News: It looks like the OVH gateway works like an universal ARP proxy or Captive portal. I means my OVH gateway replies to any ARP
request. This means that for any given a.b.c.d/32 failover IP, I can setup a host or virtual host using a mask /24 (instead of /32) and my
gateway a.b.c.X where X can be anything not in ( 0, 255 or d ) and it will works. And It works, at least on the Kimsufi I have tested it. And
it works even for IPs in a.b.c.0/24. I think this is how OVH setup some (maybe all) of their routers to be able to support migration of
failover IP or block without too much headache. What is fun is to traceroute some IPs in a.b.c.* and see how they are not directly attached
to the WAN but are behind some routers.
OVH don't say anything about this setup and then this feature is funny but cannot be used on a production server.
Be careful if you use a wrong setup and generate a lot of unexpected ARP requests, OVH can warn you to quickly fix the problem or even
disable your network link.
If you buy a VMware server and an IP block from OVH you will be surprised because the default gateway don't match the IP block. Even if
this setup is unusual, it is valid and give full satisfaction if you know how to configure your firewall and hosts.
There are some advantages to use this technique for the provider/WEB hoster: this make the router configuration a lot simpler (no need to
setup an IP address for each underlying IP block, they can merge routes for adjacent IP blocks together) and the most important, this save
one IP address in the block.
Windows host accepts this unusual configuration and just work, thanks Bill for this great job

Linux host requires a little trick.

[root@fc6-pmx ~]# route add default gw
SIOCADDRT: Network is unreachable

Linux refuses to add the route because it don't know how to reach the gateway itself. Add the appropriate route for the gateway, before the
default route, solves the problem.



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

[root@fc6-pmx ~]# route add -host dev eth0

[root@fc6-pmx ~]# route add default gw

This works !
[root@fc6-pmx ~]# route -n
Kernel IP routing table


Flags Metric Ref UH U



Use Iface
0 eth0
0 eth0
0 eth0

To configure a firewall, depending of the firewall, you will have to be imaginative !

Differences with the 1.2.X config

The main ideas are the same as in the previous article , but the trick used to connect the gateway is different and finally a lot simpler. I
recommend this setup !

Here is the schema I used to test this configuration.

All IPs are from the Address Allocation for Private Internets but it is for testing ! Use the addresses you get from your provider or WEB
hoster. For real, only the and can be in a private network. is the default gateway given by my provider. is the IP block given by my provider. I assign it to my DMZ. is a for a virtual LAN, to put machines that help to configure and manage the FW and servers in the DMZ.

The gateway trick

Instead of creating an ARP entry using a command line at startup, I force a route to the gateway by using the route command twice. The
trick is the identical to the one used for the Linux in the previous article. It is not possible to create such routes using the Web interface then
once more the shellcmd module come to rescue to setup the route at startup.
To create a route up to, on an interface having no IP in this range, I use the commands:
route add -net -iface em0
route add default

The first line tell the firewall that IP address is on the side of the em0 interface (em0 is my WAN interface), the second one
use this address as the default gateway.
This time, their is no need to found the MAC address of the gateway like in the first article. But some operations like: disable the em0



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

interface or setup a default gateway; can break the trick and would require to reload the route manually or reboot the firewall.
To remove the route you can use:
route del default
route del -net -iface em0

Y ou can create the default route as soon has you have access to the firewall, using ssh, the console or by using the Command prompt in the
Diagnostics menu of the Web interface. To be sure the routes are there, click the Routes option in the Diagnostic menu. An look for the two

Be careful Y ou have to remove any default route before to run these two commands !
This will not give you access to the Internet forthwith, you need some more settings.

The WAN interface

I don't want to waste an IP address, I choose a completely unrelated address, and don't setup any gateway because the job is
already done by the 2 commands above.

The DMZ interface (OPT1)

This is where the servers having a public address live. I give the address to the firewall, this will be the default gateway for servers in
the DMZ but also the public IP of the firewall on the WAN side.



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

The LAN interface

The LAN can be used if you need additional hosts that don't need to be reachable from the Internet but are required to manage the DMZ or
for any other purpose. These hosts can access the DMZ (and vice versa when required). This is where I put a virtual machine to configure
this firewall. Machines in this zone can be accessed from the Internet too, see later.

I keep the default settings of the firewall for this interface.

Setup the Proxy ARP

The subnet is on the DMZ side. To allow the firewall to reply to ARP requests for these addresses on the WAN interfaces, we
have to add a proxy ARP entry.



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

I do it for the full subnet at once, in previous article I did it address by address. This is faster but also bypass a bug or a feature in 2.0 that
forbid the use of an address already used by an interface. I'm thinking here about DMZ address It is possible to go around this by
creating the Proxy ARP before to assign the address to the DMZ interface. But using a subnet here bypass the problem !

Masquerade the source address

For now, packets leaving the firewall have address, replies will never come back ! We need to rewrite the source address for
packet leaving the firewall. I use hide NAT to give them the address. I assign this address for packet coming from the firewall, but
also to masquerade the LAN zone.

Here are the detail for the LAN, the config for the firewall is similar.

Now any packets from the firewall or hosts from the LAN will leave the firewall with address
Double check the rules for the LAN, and be sure the "Default allow LAN to any rule" permit outgoing connections :



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

Don't hesitate to be more strict, for example my second rule block port 25 to the Internet, but not to the DMZ. Here I allow all protocols
except some, but the good way when configuring a firewall is to block all traffic by default and permit only some protocols.

The gateway: trick part 2

Now the firewall and the LAN have Internet access, at least after you have setup your DNS. Y ou can now hardcode the gateway trick. Y ou
need to install the shellcmd package. The version 0.5 is for pfSense 1.0 but works well with 2.0 too. Install it from the package manager in
the System menu!

And in the Service menu, select the Shellcmd option and setup the two commands :

The DMZ zone (OPT1)

To use your DMZ you have to add filter rules to allow packets to leave the DMZ to the WAN side. Here for outgoing packets...

Here I block packets to the LAN, because the DMZ is no more than a part of the Internet itself, any access to the LAN from the DMZ
or the Internet must be carefully thought through.
.. and here incoming packets to my public WEB server (the first rule)!

Create other rules for your other servers and services inside your DMZ !
Because we are using routing we don't need any NAT rules between WAN and DMZ !
LAN has already a full access to the DMZ because of the rule "Default allow LAN to any rule" seen previously. !



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

The LAN zone

If you need to access some resources inside your LAN from Internet, you can NAT some ports from address Here I forward RDP to
my Windows host :

Double check, pfSense has created the appropriate filter rules.

That'it !

The final touch

Their is lot of other thing to say and to do, but this is not a tutorial about firewall. Anyway I was very impatient to try the new Floating tab
in the Rules screen ! I have added a rule to let DMZ hosts reply to ping request. Here it is:

Before the Floating tab, you add to duplicate some rules in each interface tab. This was making pfSense 1.2.X a bit unsuitable for
configuration with lot of interfaces and rules !

Add IP fail-over
If you need to manage IP fail-over inside this configuration, take a look at this post

Advantages of this configuration

The biggest advantage of this configuration is the use of routing instead of NAT to forward packets. The other are:
this config provide a zone for your hosts in your DMZ and your LAN with usual network settings (a gateway in the same LAN
this config is based on routing instead of NAT, this avoid problems with NAT sensible protocol like: ftp, pptp, ...
NAT drops connection if no packets are going through for too long. Routing don't and don't require any keep alive plaster!
the hosts in your DMZ use the public IP addresses, this make things simple and avoid confusion.
LAN access your DMZ using public IP addresses.
no need to define NAT rules, only the filter rules are required.
reduce the MEMORY and CPU usage of the firewall.
Hope this help !
it network





Corrine Dipas (not verified)

Fri, 08/26/2011 - 19:19
per m a lin k

Greate article
Thanks a lot for this great article
Corrine Dipas



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

Craig Duff (not verified)

Wed, 11/09/2011 - 16:11

I dont understand this document

per m a lin k

Sorry the document is good and it makes sense in some areas, howev er i dont own an IP block instead i hav e a
Kimsufi serv er and only allowed to hav e 4 Public IPS. One is for the ESXI box . I would want to do it, is hav e 3
WANS with the MACS assigned to me and a LAN for the serv ers to get out on. Y our method for 1 .2.3 about
doing an arp- s for the real gateway of the serv er worked, but now in this v ersion it doesnt seem to work. Can
y ou help me out? Not sure what i am doing wrong.

Using "failover IPs" instead of one IP block

The purpose of this article is to make the network setup of the V M hosts in the DMZ easy , with a gateway on the same
network like usual. This is at the cost of a v ery difficult setup of the firewall.

Thu, 11/10/2011 23:33
per m a lin k

Y ou are speaking about 4 public IPs for y our OV H Kimsufi. These are probably failover IPs, and these hav e a
different purpose ! IP block allows to hav e multiple host on the same sub-network. failover IPs allows to assign one
IP to one of y our ex isting host and later to assign it to another (for ex ample if the first become unav ailable). These
IPs are not in any subnet and then, not on the sam e subnet, then y ou cannot put these in the same DMZ. Y ou ev en
don't hav e such DMZ !
Any way I understand y our urge to assign these IPs to y our V M.
What y ou could try :
- follows this article, but
- y ou don't hav e any subnet then don't create a DMZ and don't setup y our OPT1 interface.
- in Setup the Proxy ARP use 1 /32 instead (my 1 is one of y our public IP)
- put all y our V Ms in y our LAN and assign them addresses in 1 92.1 68.1 .0/24
- use article about fail-over IPs (link at the end of the article) to map y our other public IPs to V Ms in y our LAN (use
1 on1 ).
I hav e not tested this setup ...
If it works, please report to help others.

Craig Duff (not verified)

Fri, 11/11/2011 - 16:58

This document

per m a lin k

Thank y ou for y our reply . Howev er i dont think this method is right. Correct me if im wrong, but i
believ e the ip addresses they assign are per serv er, y ou can only hav e a max ium of 4 and they are all
authenicate on the OV H network if the sy stem sees the correct MAC address coming from the v irtual
NIC of the V M ie pfsense WAN interface. Y our menthod last time arp - s 1 7 00:00:00 (real
MAC of the phsical gateway ) worked really well with v ersion pfsense 1 .2.3 now it doesnt seem to work
at all with 2.0. And if i wanted multi WANs or IPs to work, i had to create another Opt1 network called
"wan2" and giv e it the MAC OV H giv e me to do the same method, and then use a NAT functionality to
port forward traffic from different IPs. Any further adv ice? Sorry to be a pain, just i feel at a stopping
point, cant quite work this one out.

OVH setup can change

OV H prov ides new serv ices and new features all the time. I hav e written an article that matched my needs to
use OV H features and the lack of OV H documentation at one moment.

Sun, 11/13/2011 04:17

If y ou are speaking about MAC addresses prov ided by OV H then y ou hav e bridge in mind and this is not the
subject of this article, ev en if some idea can be useful for other use.

per m a lin k

It look like y ou hav e to take a leaf on another article/sample for y our need.



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

Lot of thing have changed, I

Lot of thing hav e changed, I'm writing a new document right now. It is still under construction at
http://magiksy 2/1 2/pfsense-bridge-gateway -v mware-ov h-ip...
Try it, and comment it.

Thu, 12/27/2012 19:48


per m a lin k

Craig Duff (not verified)

Sat, 12/31/2011 - 18:26


per m a lin k

I just wanted to say i was wrong in what i put, this document is v ery , v ery useful! The problem i had was with
Kimsufi/OV H. They hadnt activ ated my Failov er IPs so the method i followed in this document wasnt working.
But it is now when they fix ed the problem. I didnt purchase a block of IPs because i didnt need them, i just
added 3 more failov er IPs to my serv er which is ample and is the max y our allowed. I followed this document
and changed it slightly to accommodate the IPs i appied for. I am happy to write a document for people to
follow on this forum if need be if people are confused. But let me know.

Thanks for the info

Thanks for the info



Thu, 01/05/2012 01:37

per m a lin k

Danny (not verified)

Mon, 01/23/2012 - 14:11
per m a lin k

Hello, thank you for this

Hello, thank y ou for this article..
I hav e a problem, when restart pfsense the routes tables resets and I hav e to re-insert the commands
route add -net 1 92.1 68.23.254/32 -iface em0
route add default 1 92.1 68.23.254
how to solv e?

Use the shellcmd package.

Use the shellcmd package.
Y ou can found all the details in the article.

Tue, 01/24/2012 11:43


per m a lin k

Pieter (not verified)

Tue, 05/29/2012 - 10:47
per m a lin k

Thank you for this guide, I

Thank y ou for this guide, I took some part of it.
I used "route add default -iface em0" to get the same result...

Ian Duffy (not verified)



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

Mon, 06/04/2012 - 07:36

Ignore that last comment

per m a lin k

I hav e 3 v irtual switches configured in ESXi WAN, DMZ, LAN. Pfsense has interfaces connecting to each one
accordingly .
For the WAN interface I assigned a random IP like y ou did and added the gateway s with shellcmd, I also added
a v irtual mac address which is setup on my ov h panel for .225(the IP of my DMZ interface)
For the DMZ interface I assigned 1 and setup the prox y arp on 1
LAN is default and using 1 92.1 68.1 .1
I configured the NAT outbound rules as instructed abov e howev er I do not hav e any connection from the
firewall or lan clients, any ideas?

I would check that the route

I would check that the route added with shellcmd is still there. Reconfiguring the WAN interface kill the route and
y ou hav e to restart the router or add it by hand. Did y ou make the right conv ersion when conv erting my 1 0.0.0.*

Thu, 06/14/2012 16:58

addresses to y ou IP range ? Reread all the article one more time.

I cannot help y ou more.

per m a lin k

As y ou could guess reading my article I made the setup using try and error. Of course I hav e a good knowledge in
this stuff, and alway s find one solution for any problem. But I used the right tools for the diagnostic :
I would create a linux V M and connect 3 interfaces to the 3 v irtual switches with unrelated addresses (ore carefully
choose one, at least for LAN y ou can alway s assign a "working" address) and start a tcpdump on each interface to see
packets going through the interfaces. Last I would try to follow request and reply packed between the interfaces,
check that IPs are alway s the one ex pected when reaching/leav ing an interface and adapt the firewall setup to reach
the ex pected result.
Good luck

Charlie Came (not verified)

Fri, 09/21/2012 - 00:57
per m a lin k

ARP requests
Thanks, this is v ery hepful. Prev iously I receiv ed a complaint from OV H that I was sending ARP requests
ov er the WAN as I had my WAN interface configured as x .x .x .x /24 so I could reach the gateway .
Using the guide I configured the WAn interface to be a /32 and used y our routing and shellcmd trick to tell
pfsense where the default gateway actually was, worked a charm...
I now hav e a slightly different issue, I'v e assigned a second failov er IP to the mac address of the WAN
interface which I did through the OV H portal. I then added this second IP to the pfsense WAN interface as a
v irtual IP (ty pe: IF Alias), again as a /32. Adding it combined with a NAT rule and it works, I'm now
accepting connections and making connections on the secondary IP.
A couple of hours later, another email from OV H complaining that they are seeing ARP requests ev ery 20
minutes hitting the default gateway .
Any ideas on how to prev ent this as I believ e they will block all outbound connections on the IP until its
resolv ed.
Thanks in adv ance,

Look at all routes related to

Look at all routes related to y our wan interface, y ou must hav e only routes attached to IP hav ing a mask equal to
/32 or the default route.

Mon, 09/24/2012 10:50

But try to use tcpdump to know witch ARP is sent by y our FW, using something like this :
tcpdump -n -i em0 -p arp

per m a lin k

Also look at all r

It must be relate to one IP attached (one that is not /32) at y our WAN interface or to a route



Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux