    Public IP Block

    Routing and Multi WAN
    Speedy059

      So we have an IP block of static IPs (74.221.216.192/27) that is static routed from the ISP to us.

      ISP (/32 uplink IP) -- L3 Switch (0.0.0.0/0 routed to /32) -- pfSense

      pfSense WAN has a public IP from the L3 switch on a subnet I allocated to it. I also want to route the full 74.221.216.192/27 block to pfSense and assign it to an OPT2 port (4 ethernet ports on this appliance) for servers to have public IPs.

      Question:

      1. How do I add the 74.221.216.192/27 to the OPT2 interface?
      2. How do I add the 74.221.216.192/27 gateway IP of 74.221.216.193 for the servers?
      3. How do I route the 74.221.216.192/27 traffic through the WAN uplink on pfSense?
      4. Are there any firewall rules to add these dedicated IPs to the servers?
      Derelict (Netgate)

        @Speedy059:

        Question:

        1. How do I add the 74.221.216.192/27 to the OPT2 interface?

        Interface > LAN - Static IPv4 on address 74.221.216.193 netmask /27

        2. How do I add the 74.221.216.192/27 gateway IP of 74.221.216.193 for the servers?

        Either statically or using DHCP. Nothing magical or mystical about public, routable addresses here. They're just IP addresses.

        3. How do I route the 74.221.216.192/27 traffic through the WAN uplink on pfSense?

        Set the default gateway on WAN to be the L3 switch

        4. Are there any firewall rules to add these dedicated IPs to the servers?

        What are you asking here?

        The main thing you want to do is disable outbound NAT for the public subnet. And you don't need port forwards but you still need firewall rules that pass the traffic you want passed.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Speedy059

          Thanks for the response Derelict! Had a couple follow up questions.

          Interface > LAN - Static IPv4 on address 74.221.216.193 netmask /27

          I already have LAN set with some internal IP ranges for normal usage. I'm assuming the same can be accomplished just by using one of the other OPT ports the appliance has, with the same settings?

          Either statically or using DHCP. Nothing magical or mystical about public, routeable addresses here. They're just IP addresses.

          I believe I would just use the previous step and set the OPT interface with a static IPv4.

          The WAN is already setup with the L3 switch as the gateway and using a different IP range.

          As for the NAT settings, I've done this:

          Firewall / NAT / Outbound

          Set to "Manual Outbound NAT rule generation".
          - I added this rule in the Manual Outbound. Anything else I would need to do?

          Rule1.png (attached screenshot of the rule)

          Derelict (Netgate)

            Yes. Put it on an available OPTX interface.

            The point is to NOT perform NAT for those addresses, not to add a NAT rule.


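The following is an added example, not code from this thread or from pfSense, that ties Derelict's two replies together: it derives the addressing plan for the /27 (gateway .193, usable servers .194 to .222), renders the pf rules that the described GUI settings amount to (a "no nat" line on WAN for the block, a pass rule on OPT2, and plain pass rules on WAN for published services, with no port forwards), and emulates pf's first-match NAT lookup to show why the poster's extra manual outbound rule is the wrong direction. In pfSense's manual outbound NAT mode, only sources that a rule matches are translated, so the block simply needs no rule; a "Do not NAT" rule, which pfSense emits as `no nat`, makes that explicit. Everything not in the posts is assumed: the interface names (em0 = WAN, em2 = OPT2), the L3 switch address 198.51.100.1 (documentation range), the private LAN 192.168.1.0/24, and the published host and ports.

```python
"""Routed public /27 on a pfSense OPT interface: address plan, the pf rules the
GUI settings amount to, and a check that outbound NAT leaves the block alone.

Added example for this thread, not code from the thread or from pfSense. Only
74.221.216.192/27 and its .193 gateway come from the posts; the interface names
(em0 = WAN, em2 = OPT2), the L3 switch address 198.51.100.1 (documentation
range), the LAN net and the published server/ports are assumptions."""
import ipaddress
import re

PUBLIC_BLOCK = ipaddress.ip_network("74.221.216.192/27")
WAN_IF = "em0"                # assumed: WAN toward the L3 switch
OPT2_IF = "em2"               # assumed: interface carrying the routed block
WAN_GATEWAY = "198.51.100.1"  # assumed: L3 switch, default gateway on WAN
LAN_NET = "192.168.1.0/24"    # assumed: the existing private LAN that does get NAT
PUBLISHED = {"74.221.216.194": [("tcp", 443), ("tcp", 22)]}  # assumed servers


def address_plan(block):
    """Gateway = first usable host (.193); the servers use the rest."""
    hosts = list(block.hosts())
    return {
        "network": str(block.network_address),
        "netmask": str(block.netmask),
        "gateway": str(hosts[0]),
        "first_server": str(hosts[1]),
        "last_server": str(hosts[-1]),
        "broadcast": str(block.broadcast_address),
        "usable_servers": len(hosts) - 1,
    }


def pf_ruleset(block=PUBLIC_BLOCK, published=PUBLISHED):
    """pf equivalent of the GUI steps: no outbound NAT for the block, a pass
    rule on OPT2 so the servers can leave, and pass rules on WAN for each
    published service. No rdr (port forward) lines: nothing is translated."""
    plan = address_plan(block)
    lines = [
        f"# Interfaces > OPT2: static IPv4 {plan['gateway']}/{block.prefixlen}",
        f"# System > Routing: default gateway on {WAN_IF} is {WAN_GATEWAY}",
        "# Firewall > NAT > Outbound (manual): no rule for the block, only LAN",
        f"no nat on {WAN_IF} from {block} to any",
        f"nat on {WAN_IF} from {LAN_NET} to any -> ({WAN_IF})",
        "# Firewall > Rules > OPT2: let the servers out",
        f"pass in quick on {OPT2_IF} from {block} to any keep state",
        "# Firewall > Rules > WAN: published services, addressed directly",
    ]
    for host, services in sorted(published.items()):
        for proto, port in services:
            lines.append(f"pass in quick on {WAN_IF} proto {proto} "
                         f"from any to {host} port {port} keep state")
    return "\n".join(lines)


NAT_RE = re.compile(
    r"^(?P<no>no\s+)?nat\s+on\s+(?P<ifc>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")


def _src_matches(spec, ip):
    return spec == "any" or ip in ipaddress.ip_network(spec, strict=False)


def is_translated(src_ip, nat_rules, ifc=WAN_IF):
    """Emulate pf's NAT lookup: the first nat / no nat rule on the interface
    whose source matches decides. 'no nat', or no match at all, means the
    packet leaves with its real source address, which is what the block needs."""
    ip = ipaddress.ip_address(src_ip)
    for rule in nat_rules:
        m = NAT_RE.match(rule.strip())
        if m and m.group("ifc") == ifc and _src_matches(m.group("src"), ip):
            return m.group("no") is None
    return False


# Constructed rulesets. The first is what the poster's extra manual outbound
# rule amounts to; the second is what Derelict describes.
WRONG_OUTBOUND_NAT = [
    f"nat on {WAN_IF} from {LAN_NET} to any -> ({WAN_IF})",
    f"nat on {WAN_IF} from {PUBLIC_BLOCK} to any -> ({WAN_IF})",
]
CORRECT_OUTBOUND_NAT = [
    f"no nat on {WAN_IF} from {PUBLIC_BLOCK} to any",
    f"nat on {WAN_IF} from {LAN_NET} to any -> ({WAN_IF})",
]

if __name__ == "__main__":
    print(pf_ruleset())
    for name, rules in (("wrong", WRONG_OUTBOUND_NAT), ("correct", CORRECT_OUTBOUND_NAT)):
        print(f"{name}: 74.221.216.194 translated on WAN? "
              f"{is_translated('74.221.216.194', rules)}")
```

With the wrong ruleset a server at 74.221.216.194 leaves the WAN with the WAN address as its source, so replies never reach it; with the correct ruleset it keeps its own address and only the private LAN is translated. On a live box the same check is `pfctl -sn` on the pfSense shell: any `nat` line whose source covers the block is the misconfiguration.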
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.