Netgate Discussion Forum

    Can I route a public IP to a ‘downstream’ pfsense setup without it being a double NAT?

      dguy

      I apologize if this is posted somewhere as I couldn't find anything.

      I have a test network I’d like to set up.

      To save people time responding: I am not looking for alternative suggestions, just a solution to this particular scenario, if it’s even possible.

      I currently have one pfsense setup with a /29 block of public IPs, for which I have Virtual IPs set up for various servers, networks, etc.

      I have one spare public IP I’d like to assign to another pfsense device behind the main one for testing. This pfsense test device will have NAT. Basically a setup for testing VPN etc. without worrying it will affect my main networks.

      Can I route a public IP to a ‘downstream’ pfsense setup without it being a double NAT?

      Apologies for the bad diagram.

      [Image: network.PNG]

        johnpoz LAYER 8 Global Moderator @dguy

        @dguy yeah if those /29 are currently routed to your 1st pfsense wan IP, you can route them to some downstream router.

        Just come up with a transit network, this could be rfc1918 or you could use one of your other /29s or break it up into 2 /30s and use one of the 30s as transit.

        But those /29s have to be routed to your 1st pfsense, they cannot be directly attached. Some ISPs, when you ask for another allocation of IPs, just directly attach them to your network that is attached to them, and you end up running multiple layer 3 over the same layer 2 vs being routed networks.

        Oh never mind, you have 1 /29 - no you can't really take one of those IPs and directly attach it to a downstream device be that a router or just a device. To do that you would have to create a bridge on pfs1 for that whole /l2 network. Which wouldn't be very clean.

        Can you not just move your pfs2 to the L2 network your pfs1 is attached to the wan with, use a switch.. Then you should be able to put the IPs you want out of that /29 on pfs1 and one of the IPs or more than 1 on the 2nd pfs wan IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          dguy @johnpoz

          @johnpoz

          Thanks for the reply. I didn't think it'd be a clean solution.

          Yes I'm aware a switch would work, but that's my dilemma, I need the switch port that's currently in use for another purpose.

            johnpoz LAYER 8 Global Moderator @dguy

            @dguy pretty sure any $20 dumb switch would solve your problem if you're just short a port.

            Connect the current cable that runs to pfs1 wan to a dumb switch, also connect pfs2 wan port to this switch. That would be a much better solution than trying to set up a bridge and then have to firewall on the bridge, etc. etc.

            I would do that vs complicating my main pfsense setup..

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.