How to Advertise Subnets to Upstream Routers With OPNsense and ARP

Aug 2, 2018 · 3 min read

Technology Tutorials

If you ever wondered how to split a subnet away from a fixed upstream gateway, here’s how you can achieve this with ARP in OPNsense.


Today was the first time that I needed to split one IPv4 subnet into two and forward the second half to somewhere else—without the ability to configure the upstream gateway. It took me a while to figure out how to achieve this with an OPNsense firewall as my router. I thought I’d document this in case anyone else is looking for a solution to this, too.

Splitting stuff is hard enough, but how do you move away the part that you just split off? Image: Pablo Heimplatz

The Challenge of Transparently Splitting a Subnet

Consider the following scenario: My ISP allocated me a /28 subnet (x.x.129.208/28). Along with it, they provided a gateway on the first IP of the subnet (x.x.129.209) and nothing else—and that was the problem.

Usually, when you are provided a subnet, it is routed to the fixed public IP of your router. This IP is not part of the subnet so you have the freedom to forward the routing of the subnet downstream over any number of hops to anywhere you need it in your infrastructure. In this case, however, the first IP was assigned to the ISP gateway—making it impossible to allocate the subnet somewhere else. My router had to be in the same subnet (i.e. x.x.129.210).

Schema of network conditions dictated by my ISP

However, what I wanted was a DMZ behind that firewall router, i.e. servers that are accessible via public IPs without NAT or Transparent Bridging. So I split the /28 subnet in two /29:

  • x.x.129.208/29
  • x.x.129.216/29

This is how it looked once configured on the firewall router and DMZ:

Schema of the networks as I wanted to route them

Notice how the firewall router has the same Internet-facing IP but with a different netmask now?

I thought that the OPNsense firewall router would be intelligent enough to advertise to the upstream ISP gateway that the IP x.x.129.210 and all IPs x.x.129.216-.223 of the /29 DMZ subnet were reachable via its ISP-facing IP (x.x.129.210).

But no, it doesn’t work like this out of the box. And there was no way for me to explicitly configure the ISP gateway to route the /29 DMZ subnet to a specific IP.

The Solution: Proxy ARP

After lots of DuckDuckGoing (If searching with Google is called Googling, then that’s what searching with DuckDuckGo must be called, right?) to no avail, I finally stumbled over the Virtual IP settings in OPNsense, specifically of type Proxy ARP.

This Proxy ARP type of virtual IP allows you to broadcast the advertisement of IPs or subnets via an interface. So I entered:

  • Mode: Proxy ARP
  • Interface: WAN
  • Address: x.x.129.216/29

Setting Proxy ARP virtual IPs in OPNsense

In other words: The OPNsense firewall router now published to the ISP gateway that (besides the IP x.x.129.210) it also was the recipient for all IP packets of the /29 DMZ subnet. In a way, ARP allows configuring upstream routers that are not part of your infrastructure.
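To make the mechanism concrete, here is an added example (not OPNsense's own code, which relies on FreeBSD facilities) that models what a proxy-ARP responder on the WAN interface does at the wire level: it parses an ARP request, decides whether the requested IP is the firewall's own WAN IP or lies inside a configured proxy-ARP prefix, and if so answers with the firewall's WAN MAC. The addresses are constructed TEST-NET-3 stand-ins for the post's x.x.129.x values and the MACs are made up.

```python
import ipaddress
import struct

# Constructed stand-ins for the post's x.x.129.x addresses (203.0.113.0/24 is TEST-NET-3,
# reserved for documentation). The MACs are locally administered, made-up values.
WAN_IP = "203.0.113.210"                       # firewall's ISP-facing IP
WAN_MAC = bytes.fromhex("02000000aa10")        # hypothetical firewall WAN MAC
ISP_GW_IP = "203.0.113.209"                    # ISP gateway, first IP of the /28
ISP_GW_MAC = bytes.fromhex("02000000ee01")     # hypothetical ISP gateway MAC
PROXY_ARP_PREFIXES = ["203.0.113.216/29"]      # the Virtual IP entry of type Proxy ARP

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (RFC 826)


def split_prefix(prefix, new_prefixlen):
    """Split a prefix into equal parts, e.g. a /28 into its two /29s."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefixlen)]


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an ARP request or reply (IPv4 over Ethernet)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", dst, sender_mac, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac,
                      ipaddress.ip_address(sender_ip).packed, target_mac,
                      ipaddress.ip_address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": str(ipaddress.ip_address(spa)),
            "tha": tha, "tpa": str(ipaddress.ip_address(tpa))}


def answers_for(target_ip):
    """Proxy ARP decision: answer for our own WAN IP or any IP inside a configured prefix."""
    ip = ipaddress.ip_address(target_ip)
    return ip == ipaddress.ip_address(WAN_IP) or any(
        ip in ipaddress.ip_network(p) for p in PROXY_ARP_PREFIXES)


def handle_request(frame):
    """Given a frame seen on WAN, return the ARP reply to send, or None to stay silent."""
    pkt = parse_arp(frame)
    if pkt is None or pkt["op"] != ARP_REQUEST or not answers_for(pkt["tpa"]):
        return None
    # The reply claims the requested (DMZ) IP with the firewall's own WAN MAC, so the
    # ISP gateway hands packets for that IP to the firewall, which then routes them on.
    return build_arp(ARP_REPLY, WAN_MAC, pkt["tpa"], pkt["sha"], pkt["spa"])


if __name__ == "__main__":
    print("halves of the /28:", split_prefix("203.0.113.208/28", 29))
    for who_has in ("203.0.113.210", "203.0.113.218", "203.0.113.211", "203.0.113.225"):
        req = build_arp(ARP_REQUEST, ISP_GW_MAC, ISP_GW_IP, b"\x00" * 6, who_has)
        print(who_has, "->", "answered with WAN MAC" if handle_request(req) else "silent")
```

Note that the firewall stays silent for .211, an address in the ISP's half of the /28 that it does not own: a proxy-ARP prefix should cover exactly the addresses you route downstream, otherwise you start answering for neighbours on the upstream segment.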

This works like a charm. Servers in the DMZ configured with the public IPs of the second /29 subnet are now able to communicate in both directions with the Internet.


Reminder

OPNsense automatically adds the DMZ subnet to its NAT, so don’t forget to remove it manually. In this case, it was translating the public subnet x.x.129.216/29 to the public IP x.x.129.210—which of course doesn’t make any sense whatsoever. It might work in the outbound direction, but your DMZ can’t be reached from the outside, rendering the DMZ useless.
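A small check for this pitfall, added here as an example rather than taken from the post or from OPNsense: it parses nat lines written in the style of FreeBSD's `pfctl -sn` output (OPNsense is pf-based; the sample lines, interface name and TEST-NET-3 addresses are constructed) and flags any outbound NAT rule whose source overlaps a public prefix that is meant to be routed unmodified.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sn` output. Addresses are TEST-NET-3
# stand-ins for the post's x.x.129.x values; the interface name em0 is assumed.
SAMPLE_NAT_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.210 port 1024:65535
nat on em0 inet from 203.0.113.216/29 to any -> 203.0.113.210 port 1024:65535
nat on em0 inet from 10.10.10.0/24 to any -> 203.0.113.210 port 1024:65535
"""

NAT_RE = re.compile(r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any -> (?P<xlate>\S+)")


def parse_nat_rules(text):
    """Parse nat lines into dicts; lines that do not match the pattern are ignored."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({"iface": m["iface"], "source": m["src"], "translation": m["xlate"]})
    return rules


def find_masquerading_rules(rules, public_prefix):
    """Rules whose source overlaps the public prefix: these would rewrite DMZ sources to the WAN IP."""
    net = ipaddress.ip_network(public_prefix)
    return [r for r in rules if ipaddress.ip_network(r["source"]).overlaps(net)]


def without_public_nat(rules, public_prefixes):
    """The rule set with every rule that masquerades a public prefix removed, order preserved."""
    nets = [ipaddress.ip_network(p) for p in public_prefixes]
    return [r for r in rules
            if not any(ipaddress.ip_network(r["source"]).overlaps(n) for n in nets)]


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_NAT_RULES)
    for r in find_masquerading_rules(rules, "203.0.113.216/29"):
        print("public DMZ prefix would be NATed:", r)
    print("kept rules:", [r["source"] for r in without_public_nat(rules, ["203.0.113.208/28"])])
```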

About the Author

Michael Schmidle

Digital Strategy and Innovation Manager at the Swiss Broadcast Corporation SRG SSR. Coach, start-up consultant, and blogger. Opinionated about technology, innovation, and leadership. In love with Mexico.

