Unable to route second public IP

tgl · Feb 22, 2025, 8:45 PM

@cubits Sure, there is nothing stopping you from associating more than one WAN IP address with a single port. What to do exactly depends on what you want those addresses to do on the inside.

In my case, I have the WAN interface's main address set up (on the Interfaces menu) as the external address that internal traffic should go out on by default. I have a couple of secondary addresses that are mapped to specific internal machines using 1:1 NAT rules that are attached to that same interface. I also have some VLANs that are mapped to other secondary addresses using Outbound NAT rules. The important thing here is that you attach the NAT rule to the WAN interface, and its external address is then recognized as one of the valid addresses on that port.

I'm pretty much a noob with pfSense, and I'm sure others here can tell you a lot more about how to do this. But nope, you do not need that switch.

stephenw10 · Feb 23, 2025, 4:55 AM

Are those IPs in the same subnet? Is one routed via the other if not?

How did you configure the VIP when it didn't work?

You might need a second MAC address to make it work from the ISP if that's how they have it configured. If so you could try adding a bridge interface on the WAN and setting a different MAC address on it.

cubits · Feb 23, 2025, 4:55 AM

@stephenw10 I will try this. so this is limited to only one secondary IP, what if there is more such IPs, how can I have aditional IPs or Bridges. I tried this andd it says only once a physical interface can be part of a bridge.

login-to-view

cubits · Feb 23, 2025, 5:25 AM

@stephenw10 although they are on the same subnet, it does not look like one is routed through another. virtual ip wasnt simply working

tgl · Feb 23, 2025, 5:29 AM

@cubits One other question: are the WAN IP addresses statically assigned to you, or do you have to pull them via DHCP? I can believe that you might need two separate MAC addresses (thus two ports) to get two addresses from a DHCP server. But the other side of that coin is that I don't see what value there is in multiple IP addresses if they aren't static.

cubits · Feb 23, 2025, 5:43 AM

@tgl IPs are statically assigned with a default gateway at xxx.xxx.xxx.1

tgl · Feb 23, 2025, 5:47 AM

@cubits said in Unable to route second public IP:

@tgl IPs are statically assigned with a default gateway at xxx.xxx.xxx.1

Then you have the same situation as me, and you should be able to make it work with NAT mappings for the alternate addresses like I suggested.

cubits · Feb 23, 2025, 5:50 AM

@tgl so that means I can only assign the address to another nic, and not make the secondary address as though it appears as a wan interface in pfsense menus

tgl · Feb 23, 2025, 5:54 AM

@cubits said in Unable to route second public IP:

@tgl so that means I can only assign the address to another nic, and not make the secondary address as though it appears as a wan interface in pfsense menus

I don't think you read what I said. I have multiple WAN IP addresses, and they are all coming in on one port/one interface. You just have to do the configuration correctly. No, you can't (AFAIK) make a separate "interface" for each address. But you can attach multiple addresses to one interface using NAT rules.

cubits · Feb 23, 2025, 5:56 AM

@tgl thanks, it makes more sense to me now. do you have any sample that I can use, with some screenshots in the web ui, much thanks!

tgl · Feb 23, 2025, 6:45 AM

@cubits Sure, let's see if I know how to do that on this forum ...

Here's my 1:1 NAT assignments for two machines that are mail servers exposed to the outside internet:

login-to-view

Here's my Outbound-NAT assignments for two VLANs whose purposes should be self-evident:

login-to-view

The VLANs were set up according to the directions in the pfSense documentation (actually, all of this is in the documentation, once you find it). I do not remember why there are special rules for port 500 --- I think I copied that from a documentation example. For the purposes of these NAT rules, it doesn't much matter that those are VLANs, only that there's an identifiable range of local addresses that are to share the WAN address.

In addition to the four WAN addresses you can see being mapped here, I own xxx.xxx.xxx.242, which is set up as the assigned WAN address for PORT1WAN in the Interfaces menu. That carries traffic from all local machines that aren't either the two mail servers or the stuff on the VLANs.

Don't forget to add suitable firewall rules to block any connections you don't want. The firewall rules are applied after NAT mapping, so write them in terms of the internal addresses not the WAN addresses.

SteveITS · Feb 23, 2025, 7:56 AM

@tgl said in Unable to route second public IP:

(actually, all of this is in the documentation, once you find it).

;)
port 500: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port

stephenw10 · Feb 23, 2025, 2:25 PM

If they are statically assigned and in the same subnet then you should just be able to use virtual IPs.

How did you test it?

Adding a bridge is only required if you need multiple MAC addresses. Usually you would not. You can only add one though. Your screenshot implies you either already have WAN in a bridge or you tried to add it to more than one.