This matter seems to be far more complicated than initially thought.
The former setup looked like this:

Internet <--> [WAN] Zyxel [LAN] <--> [WAN] Vigor [LAN] <--> LAN-Switch

The Zyxel (an xDSL modem-router named Prestige 660H) was handling the PPPoE connection itself, configured for routing, and got the gateway address x.x.x.249/32 (!) assigned automatically to the WAN interface, whereas the LAN interface was given the same IP address but with the correct netmask (x.x.x.249/29). The Vigor (a firewall-router, full name Draytek Vigor 2900) was configured with x.x.x.250/29 for the WAN interface, and x.x.x.251 to x.x.x.254 as virtual WAN IP addresses.
The new setup looks like this:

Internet <--> [WAN] Zyxel [LAN] <--> [WAN] pfSense [LAN] <--> LAN-Switch

The Zyxel is now configured for bridging, so that the pfSense machine can handle the PPPoE connection, which is exactly what I wanted (because I always had some very strange problems, with the Zyxel constantly rebooting for an hour or so at a certain time of the day, which I believed could have been a hacker attack, without ever getting any proof for this). So the Zyxel only does the ATM & bridge handling; I gave it a private IP on the LAN interface (which it seems to use on the WAN interface as well, for some unknown reason), so that I can configure it when connecting my laptop directly. The pfSense machine establishes the PPPoE connection and gets the gateway address x.x.x.249/32 (!) automatically on the WAN interface (it reports this in Status -> Interfaces -> WAN Interface (rl0), but ifconfig shows that rl0 has no IP address at all and that ng0, the virtual PPPoE interface, was configured with it).
So far, everything went well, but the problem is that it does not seem to be possible to use the available public IP addresses x.x.x.250 to x.x.x.254 as Virtual IP addresses.
My first try was to configure a VIP of type CARP, but it always only gave me this error message:
The following input errors were detected:
* Sorry, we could not locate an interface with a matching subnet for x.x.x.250/29. Please add an ip in this subnet on a real interface.
It was the same error message when I tried it with x.x.x.250/32.
I then manually set the netmask for the virtual PPPoE interface ng0 to /29 with ifconfig; Status -> Interfaces -> WAN Interface (rl0) then showed x.x.x.249/29, which kind of looked right, but I still got the same error message when trying to set up a CARP VIP (either way, trying to set it up as x.x.x.250/29 and as x.x.x.250/32).
At this point I had the feeling that something has to be wrong, because if the WAN interface (shown as rl0 on the Status -> Interfaces page, but as ng0 by ifconfig) is set correctly to x.x.x.249/29, why should the error message tell me "Sorry, we could not locate an interface with a matching subnet for x.x.x.250/29. Please add an ip in this subnet on a real interface."?
Just to be sure, I even tried to give the real rl0 the gateway address x.x.x.249/29 as well, but because rl0 does not seem to play a role at all in a PPPoE setup, it had no effect.
I then played around a little more, trying to set up the VIPs as type "Other" and "Proxy ARP" and configuring outbound NAT to use one of these VIPs, which resulted in the selected VIP showing up on this browser-identification page. I configured a rule to let ICMP pass, but only got timeouts when using CentralOps to ping my VIPs.
There are several issues I am unsure about: the type of VIP to choose, which netmask to set for a VIP (if it is even selectable), and how to correctly check whether the VIPs can be reached from the internet (if the pfSense machine has x.x.x.249 on the WAN interface, and x.x.x.250 to x.x.x.254 as VIPs, is it supposed to answer a ping on all these IP addresses by itself?).
I am totally lost at the moment; this all looks more and more like a deep & dark forest to me: netmask 255.255.255.255 vs. 255.255.255.248 on WAN and VIP, Proxy ARP / CARP / Other for the VIP setup, and how to check whether everything is working as it is supposed to (I assume it all comes down to the fact that all VIPs have to be pingable, but does pfSense respond to a ping itself, or should I have a machine on the LAN reacting to a ping?).
I really need assistance from someone with the right knowledge. Any hint is highly appreciated.
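The error quoted in the post is a "matching subnet" test: the VIP address must fall inside the network of an address already configured on an interface. The following is an added illustration of that kind of test, not pfSense's own code and not part of the original post; the addresses are constructed (x.x.x. replaced by the documentation prefix 203.0.113.), and the interface names mirror the ones the poster saw.

```python
import ipaddress

# Constructed interface tables modelled on the post (assumed values, not real ones).
# PPPoE assigned the gateway address as a host route, i.e. /32, on ng0:
PPPOE_AS_ASSIGNED = {"rl0": None, "ng0": "203.0.113.249/32"}
# After the poster manually widened the netmask on ng0 to the /29 block:
PPPOE_WITH_BLOCK = {"rl0": None, "ng0": "203.0.113.249/29"}
# The VIPs the poster wanted, written the two ways tried (/29 and /32):
CANDIDATE_VIPS = ["203.0.113.250/29", "203.0.113.250/32",
                  "203.0.113.251/29", "203.0.113.254/29"]


def interface_for_vip(interfaces, vip_cidr):
    """Return the name of the first interface whose configured network contains
    the VIP's address, or None when no interface matches.

    Only the VIP's address matters for the containment test; the prefix the
    user attaches to the VIP (/29 or /32) does not change the outcome.
    """
    target = ipaddress.ip_interface(vip_cidr).ip
    for name, cidr in interfaces.items():
        if cidr is None:            # interface has no address (rl0 in the post)
            continue
        iface = ipaddress.ip_interface(cidr)
        if target in iface.network:
            return name
    return None


def report(interfaces, vips):
    """Map each candidate VIP to the matching interface name (or None)."""
    return {vip: interface_for_vip(interfaces, vip) for vip in vips}


if __name__ == "__main__":
    # A /32 on ng0 has a one-address network, so nothing else can ever match:
    print(report(PPPOE_AS_ASSIGNED, CANDIDATE_VIPS))
    # With the /29, 203.0.113.248/29 covers .248 to .255, so all VIPs match:
    print(report(PPPOE_WITH_BLOCK, CANDIDATE_VIPS))
```

Because the post reports the same error even after ng0 carried the /29, the check evidently was not reading ng0's live ifconfig address; the example only shows what a subnet-containment test needs in order to succeed.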