Netgate Discussion Forum

Single public IP subnet on WAN

Category: Firewalling
11 Posts 3 Posters 1.3k Views
    WinLin
    last edited by Oct 26, 2021, 2:43 PM

    Hello,

    I found that pfSense needs to support the feature I need.
    It is described as: Single public IP subnet on WAN

    As shown in this picture https://docs.netgate.com/pfsense/en/latest/_images/diagrams-multiple-public-ips-singleblock.png

    Maybe someone has instructions on how to really implement this? Because I fail.

    I have 3 network interfaces (WAN, LAN, OPT1). I created a bridge "Bridges_FW" and assigned WAN and OPT1 to it. OPT1 is connected to a switch with a separate VLAN.
    I even tried allowing all traffic in Firewall -> Rules from anywhere to everywhere on WAN, OPT1 and Bridges_FW.
    I even tried temporarily setting Firewall -> NAT -> Outbound to "Disable Outbound NAT".
    But traffic from OPT1 only reaches the WAN address and goes no further into the external network. It is also not possible to reach the devices connected to OPT1 from the external network.

    V W 2 Replies Last reply Oct 29, 2021, 8:46 PM Reply Quote 0
      viragomann @WinLin
      last edited by Oct 29, 2021, 8:46 PM

      @winlin said in Single public IP subnet on WAN:

      Single public IP subnet on WAN
      I create Bridge "Bridges_FW" I assign WAN and OPT1 to it. OPT1 is connected to a switch with a separate VLAN.

      It's not clear what you're trying to achieve with this setup.
      Do you want to have the public IP in the VLAN on OPT1?
      Maybe you can explain and give some details.

      W 1 Reply Last reply Oct 29, 2021, 9:40 PM Reply Quote 0
        WinLin @viragomann
        last edited by Oct 29, 2021, 9:40 PM

        @viragomann My situation is reflected very well in the official image already mentioned above https://docs.netgate.com/pfsense/en/latest/_images/diagrams-multiple-public-ips-singleblock.png. The difference in my case is an additional ISP switch between the ISP router and my pfSense. If necessary, I can draw my own diagram specifically.

        I need NAT on the LAN port where the internal IP addresses are issued by pfSense DHCP. And on a network connected to OPT1 (separate switch VLAN), I would have external static IPs that are in the same range as the WAN address (mask 255.255.255.128 and are given to me by the ISP). I want to use pfSense FW to restrict traffic from the public Internet to these static IPs on OPT1 connected devices.

        V 1 Reply Last reply Oct 29, 2021, 10:27 PM Reply Quote 0
          viragomann @WinLin
          last edited by Oct 29, 2021, 10:27 PM

          @winlin said in Single public IP subnet on WAN:

          And on a network connected to OPT1 (separate switch VLAN), I would have external static IPs that are in the same range as the WAN address (mask 255.255.255.128 and are given to me by the ISP).

          So why did you write "Single public IP subnet on WAN" into the topic?

          You have an ISP router, yet you have public IPs behind it? So I'm wondering what the reason for the local router is.

          Since you have bridged WAN and OPT1 you need to configure each OPT1 device with the proper IP, mask and the WAN gateway for proper routing.

          W 1 Reply Last reply Nov 3, 2021, 10:43 PM Reply Quote 0
            WinLin @viragomann
            last edited by Nov 3, 2021, 10:43 PM

            @viragomann
            So why did you write "Single public IP subnet on WAN" into the topic?
            Because I found it so named in the official description at https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html

            You have an ISP router, however, you have public IPs behind it? So I'm wondering what's the reason for the local router.
            We do not control the ISP router. It belongs to the ISP. We additionally use pfSense NAT for the workplace PCs because the external addresses are only enough for the server services. To avoid having to purchase additional firewall equipment for the servers, we want to use the existing pfSense server.

            Since you have bridged WAN and OPT1 you need to configure each OPT1 device with the proper IP, mask and the WAN gateway for proper routing.
            Yes I know that. I put the external IP, mask and GW address given by the ISP for the device behind OPT1.

            1 Reply Last reply Reply Quote 0
              WinLin @WinLin
              last edited by Nov 3, 2021, 10:46 PM

              For clarity I attach the diagram. It shows how it is now and how I want it to be redesigned.

              V 1 Reply Last reply Nov 7, 2021, 8:19 PM Reply Quote 0
                viragomann @WinLin
                last edited by Nov 7, 2021, 8:19 PM

                @winlin
                Really no idea what you could have done wrong here. The setup is quite simple.

                Let me recap how I'd do it (apart from the fact that I'd basically try it with NAT instead of a bridge):
                Add the OPT1 interface, open its settings and enable it. No IP and no gateway.
                Create a bridge Bridges_FW and add WAN and OPT1 to it.
                Go to Interfaces > Assignments, add Bridges_FW, open it and enable it, no IP and no gateway.

                For testing:
                Connect a computer directly to OPT1, give it an IP out of the /25 WAN subnet, set the correct mask and the WAN gateway. Set a public DNS server.
                Add a firewall rule on OPT1 allowing anything going out.

                You should get connection to the internet from the OPT1 device.

                W 1 Reply Last reply Nov 8, 2021, 8:31 PM Reply Quote 0
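A sanity check for the recap above, written for this thread as an added example (not code from the thread, from pfSense or from Netgate). It validates that a bridged OPT1 host's static IP, mask and gateway fit the WAN /25 exactly as the recap requires, and then goes one step further than the recap: it renders the pf rules that restrict what the public Internet may reach on those hosts, which is what WinLin asked for earlier. The /25, the gateway and the WAN address are constructed RFC 5737 documentation values, and the WAN member interface name em0 is an assumption.

```python
import ipaddress

# Constructed values (RFC 5737 documentation range, not the thread's real addresses):
# the ISP's /25, the ISP router as gateway, and the address pfSense holds on WAN.
WAN_SUBNET = ipaddress.ip_network("203.0.113.128/25")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.129")
WAN_ADDRESS = ipaddress.ip_address("203.0.113.130")
WAN_IFACE = "em0"  # assumed member interface name; check Interfaces > Assignments


def check_opt1_host(addr: str, prefixlen: int, gateway: str) -> list:
    """Return the problems with one bridged OPT1 host's static IP settings.
    An empty list means the host fits the WAN /25 the way the recap requires."""
    problems = []
    ip = ipaddress.ip_address(addr)
    if prefixlen != WAN_SUBNET.prefixlen:
        problems.append(f"mask /{prefixlen} differs from the WAN /{WAN_SUBNET.prefixlen}")
    if ip not in WAN_SUBNET:
        problems.append(f"{ip} is outside {WAN_SUBNET}")
    elif ip in (WAN_SUBNET.network_address, WAN_SUBNET.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if ip in (ISP_GATEWAY, WAN_ADDRESS):
        problems.append(f"{ip} collides with the ISP gateway or the pfSense WAN address")
    if ipaddress.ip_address(gateway) != ISP_GATEWAY:
        problems.append(f"gateway {gateway} is not the ISP gateway {ISP_GATEWAY}")
    return problems


def inbound_rules(allowed: dict) -> list:
    """Render pf rules (the syntax of pfSense's generated ruleset) that admit only
    the listed TCP ports to each public OPT1 host and drop everything else aimed
    at those hosts. They belong on the WAN member interface: with pfSense's
    defaults net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0,
    bridged traffic is filtered on the member it enters, not on the bridge itself."""
    rules = []
    for host, ports in allowed.items():
        for port in ports:
            rules.append(f"pass in quick on {WAN_IFACE} proto tcp from any to {host} port {port}")
        rules.append(f"block in quick on {WAN_IFACE} from any to {host}")
    return rules


if __name__ == "__main__":
    print(check_opt1_host("203.0.113.140", 25, "203.0.113.129"))  # []
    print(check_opt1_host("203.0.113.140", 24, "203.0.113.1"))    # mask and gateway problems
    for rule in inbound_rules({"203.0.113.140": [443]}):
        print(rule)
```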
                  WinLin @viragomann
                  last edited by Nov 8, 2021, 8:31 PM

                  @viragomann I tried this before writing here. Now I repeated it again, hoping maybe I was wrong. Unfortunately, the servers behind OPT1 do not even see the ISP GW (ping gets no response).
                  Status -> System Logs -> Firewall does not show blocked IPv4 traffic.

                  As recommended I tried deleting the bridge and putting an internal IP (with NAT) on OPT1. When I put the appropriate internal IPs on the servers behind OPT1, everything works. So it confirms that the physical ports and network equipment are really connected and working well.

                  S 1 Reply Last reply Nov 8, 2021, 8:56 PM Reply Quote 0
                    SteveITS Galactic Empire @WinLin
                    last edited by Nov 8, 2021, 8:56 PM

                    @winlin Not sure I understand why it isn't working either but another method might be to use 1:1 NAT if the servers can be given private IPs (in a different subnet than LAN, if you want them isolated), as it sounds like you have done while testing.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    W 1 Reply Last reply Nov 8, 2021, 10:00 PM Reply Quote 0
                      WinLin @SteveITS
                      last edited by Nov 8, 2021, 10:00 PM

                      @steveits I was thinking 1:1 NAT, but unfortunately not all services make it appropriate. There are services that answer the "client" what its IP is and which ports it opens dynamically. In the case of 1:1 NAT, the client would receive an incorrect access IP. And some other problems. Therefore, I would not use 1:1 NAT.

                      Is there anybody who has this configuration working successfully? I am currently using pfSense version 2.5.2.

                      I think there really has to be someone who uses pfSense only as a FW and does not use NAT. I myself know one who nadoja pfSense as FW, but it has multiple IP subnets from the ISP and they are routed through its WAN IP. So its configuration is not right for me.

                      S 1 Reply Last reply Nov 8, 2021, 10:54 PM Reply Quote 0
                        SteveITS Galactic Empire @WinLin
                        last edited by Nov 8, 2021, 10:54 PM

                        @winlin Our data center doesn't have NAT but that isn't quite what you're asking for...you are looking to have the same subnet in WAN and OPT1 which would be a bridge. In our case the router's WAN IP has the LAN subnet routed to it by the data center.


                        1 Reply Last reply Reply Quote 0