Netgate Discussion Forum

    Unable to route second public IP

    General pfSense Questions
cubits

      Hello team,

      I am looking for a solution to an existing problem that is solved using additional hardware.

      My situation is like this. My ISP provides two IP addresses on the same fiber connection and PFSENSE works fine if I place a switch after the ISP's ethernet out and bifurcate to two separate NICs on the PFSENSE. See the current setup below:

      08a92e84-a513-41f9-a518-8973f4a92ee1-Group 1 (2).png

Is there a way to avoid the additional 8-port switch and still get both IPs into pfSense if I connect the Ethernet out from the fiber CPE directly to pfSense?

I have already tried virtual IP but couldn't get it working.

      Any help is much appreciated.

tgl @cubits

        @cubits Sure, there is nothing stopping you from associating more than one WAN IP address with a single port. What to do exactly depends on what you want those addresses to do on the inside.

        In my case, I have the WAN interface's main address set up (on the Interfaces menu) as the external address that internal traffic should go out on by default. I have a couple of secondary addresses that are mapped to specific internal machines using 1:1 NAT rules that are attached to that same interface. I also have some VLANs that are mapped to other secondary addresses using Outbound NAT rules. The important thing here is that you attach the NAT rule to the WAN interface, and its external address is then recognized as one of the valid addresses on that port.

        I'm pretty much a noob with pfSense, and I'm sure others here can tell you a lot more about how to do this. But nope, you do not need that switch.

stephenw10 (Netgate Administrator)

          Are those IPs in the same subnet? Is one routed via the other if not?

          How did you configure the VIP when it didn't work?

          You might need a second MAC address to make it work from the ISP if that's how they have it configured. If so you could try adding a bridge interface on the WAN and setting a different MAC address on it.

cubits @stephenw10

@stephenw10 I will try this. So this is limited to only one secondary IP? What if there are more such IPs, how can I have additional IPs or bridges? I tried this and it says a physical interface can only be part of a bridge once.

            9b722e40-77a7-4018-a02b-f46cf8003d57-image.png

cubits @stephenw10

@stephenw10 Although they are on the same subnet, it does not look like one is routed through the other. Virtual IP simply wasn't working.

tgl @cubits

                @cubits One other question: are the WAN IP addresses statically assigned to you, or do you have to pull them via DHCP? I can believe that you might need two separate MAC addresses (thus two ports) to get two addresses from a DHCP server. But the other side of that coin is that I don't see what value there is in multiple IP addresses if they aren't static.

cubits @tgl

                  @tgl IPs are statically assigned with a default gateway at xxx.xxx.xxx.1

tgl @cubits

                    @cubits said in Unable to route second public IP:

                    @tgl IPs are statically assigned with a default gateway at xxx.xxx.xxx.1

                    Then you have the same situation as me, and you should be able to make it work with NAT mappings for the alternate addresses like I suggested.

cubits @tgl

@tgl So that means I can only assign the address to another NIC, and not make the secondary address appear as a WAN interface in the pfSense menus?

tgl @cubits

                        @cubits said in Unable to route second public IP:

@tgl So that means I can only assign the address to another NIC, and not make the secondary address appear as a WAN interface in the pfSense menus?

                        I don't think you read what I said. I have multiple WAN IP addresses, and they are all coming in on one port/one interface. You just have to do the configuration correctly. No, you can't (AFAIK) make a separate "interface" for each address. But you can attach multiple addresses to one interface using NAT rules.

cubits @tgl

@tgl Thanks, it makes more sense to me now. Do you have any sample that I can use, with some screenshots of the web UI? Much thanks!

tgl @cubits

                            @cubits Sure, let's see if I know how to do that on this forum ...

                            Here's my 1:1 NAT assignments for two machines that are mail servers exposed to the outside internet:

                            1-1-NAT.png

                            Here's my Outbound-NAT assignments for two VLANs whose purposes should be self-evident:

                            VLAN-NAT-2.png

                            The VLANs were set up according to the directions in the pfSense documentation (actually, all of this is in the documentation, once you find it). I do not remember why there are special rules for port 500 --- I think I copied that from a documentation example. For the purposes of these NAT rules, it doesn't much matter that those are VLANs, only that there's an identifiable range of local addresses that are to share the WAN address.

                            In addition to the four WAN addresses you can see being mapped here, I own xxx.xxx.xxx.242, which is set up as the assigned WAN address for PORT1WAN in the Interfaces menu. That carries traffic from all local machines that aren't either the two mail servers or the stuff on the VLANs.

Don't forget to add suitable firewall rules to block any connections you don't want. The firewall rules are applied after NAT mapping, so write them in terms of the internal addresses, not the WAN addresses.

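The layout tgl describes, written out as a plain pf ruleset of the kind pfSense generates from the GUI. This is an added illustration, not tgl's or pfSense's own configuration: the interface name igb0, the 10.0.x.x internal ranges and the 203.0.113.x public addresses (an RFC 5737 documentation range) are all assumed. The secondary public addresses must also exist on the WAN interface for the firewall to answer ARP for them; on pfSense that is a Virtual IP of type IP Alias on WAN, which underneath is an ifconfig alias.

```pf
# Assumed names and addresses; none of these are from the thread.
ext_if     = "igb0"
wan_main   = "203.0.113.242"   # primary WAN address set under Interfaces
mail1_pub  = "203.0.113.243"   # secondary addresses: IP Alias VIPs on igb0
mail2_pub  = "203.0.113.244"
vlan_a_pub = "203.0.113.245"
vlan_b_pub = "203.0.113.246"
mail1_int  = "10.0.1.10"
mail2_int  = "10.0.1.11"
vlan_a_net = "10.0.20.0/24"
vlan_b_net = "10.0.30.0/24"
lan_all    = "10.0.0.0/8"

# --- Translation rules (first match wins, so specific rules come first) ---

# 1:1 NAT: each mail server owns one public address in both directions.
binat on $ext_if from $mail1_int to any -> $mail1_pub
binat on $ext_if from $mail2_int to any -> $mail2_pub

# Outbound NAT: each VLAN leaves on its own public address.
# IKE (UDP 500) keeps its source port, as the outbound-NAT docs describe.
nat on $ext_if proto udp from $vlan_a_net port 500 to any port 500 -> $vlan_a_pub static-port
nat on $ext_if from $vlan_a_net to any -> $vlan_a_pub
nat on $ext_if proto udp from $vlan_b_net port 500 to any port 500 -> $vlan_b_pub static-port
nat on $ext_if from $vlan_b_net to any -> $vlan_b_pub

# Everything else goes out on the primary WAN address.
nat on $ext_if from $lan_all to any -> $wan_main

# --- Filter rules ---
# Inbound packets are translated before they reach the filter, so the
# pass rules name the INTERNAL address, not the public one.
block in on $ext_if all
pass in on $ext_if proto tcp from any to $mail1_int port { 25, 587 } keep state
pass in on $ext_if proto tcp from any to $mail2_int port { 25, 587 } keep state

# Nothing on the VLAN or primary addresses is exposed; outbound NAT only
# rewrites sources, and the block rule above covers unsolicited inbound traffic.
```

In the web UI the same thing is three screens: Firewall > Virtual IPs for the four secondary addresses, Firewall > NAT > 1:1 for the binat pairs, and Firewall > NAT > Outbound (hybrid or manual mode) for the VLAN mappings. The ordering comment is the part worth remembering when writing WAN rules for the 1:1 hosts: a rule that passes traffic to 203.0.113.243 never matches, because by the time the filter runs the destination is already 10.0.1.10.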
SteveITS @tgl

                              @tgl said in Unable to route second public IP:

                              (actually, all of this is in the documentation, once you find it).

                              ;)
                              port 500: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port


stephenw10 (Netgate Administrator)

                                If they are statically assigned and in the same subnet then you should just be able to use virtual IPs.

                                How did you test it?

                                Adding a bridge is only required if you need multiple MAC addresses. Usually you would not. You can only add one though. Your screenshot implies you either already have WAN in a bridge or you tried to add it to more than one.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.