Dedicated public IP

Sensi

Metu,

Somewhere I'm going wrong!!  whatismyip is returning the same IP address (.149) for the vLan (vLan3) which I've tried to get to use .151

I've set up a 1:1 and told the NAT to be manual (but used the default manual rules) and I'm still on .149

Any help - please!!

Metu69salemi

post your manual outbound nat screenshot without public ip info

Sensi

It was auto-created when I clicked on manual (I did save it, etc).  I'm currently playing/learning before I have to do this in a real situation (in about a week).

It looks like this;

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

WAN  10.1.0.0/24 * * 500 * *
YES
Auto created rule for ISAKMP - LAN to WAN

WAN  10.1.0.0/24 * * * * *
NO
Auto created rule for LAN to WAN

WAN  127.0.0.0/8 * * * * 1024:65535
NO
Auto created rule for localhost to WAN

WAN  10.2.0.0/24 * * 500 * *
YES
Auto created rule for ISAKMP - VLAN2 to WAN

WAN  10.2.0.0/24 * * * * *
NO
Auto created rule for VLAN2 to WAN

WAN  127.0.0.0/8 * * * * 1024:65535
NO
Auto created rule for localhost to WAN

WAN  10.3.0.0/24 * * 500 * *
YES
Auto created rule for ISAKMP - VLAN3 to WAN

WAN  10.3.0.0/24 * * * * *
NO
Auto created rule for VLAN3 to WAN

WAN  127.0.0.0/8 * * * * 1024:65535
NO
Auto created rule for localhost to WAN

WAN  10.64.0.0/24 * * 500 * *
YES
Auto created rule for ISAKMP - VLAN64 to WAN

WAN  10.64.0.0/24 * * * * *
NO
Auto created rule for VLAN64 to WAN

WAN  127.0.0.0/8 * * * * 1024:65535
NO
Auto created rule for localhost to WAN

Sensi

Sorry to chase you up, but any help/advice available?

GruensFroeschli

In your outbound rule you have to specify the additional IP you want to be used when NATing to the WAN (the translation drop-down).

If you dont see any additional IPs under "Translation" then you first need to add your additional IPs under "Firewall –> Virtual IPs".

Sensi

Sorry, I'm not getting anywhere here!!

I have 4 Public IP addresses - .148, .149, .150 and .151.

I have multiple vLans on a van switch.

I want to get vLan 3 to use the .151 public address - but all of my vLans (including 3) say from whatismyip.com that they are using .149 (why not .148?).

I'm getting close to introducing the computer (running pfSense 2) to attempted flight from a window upstairs!

GruensFroeschli

• What is the IP of your WAN.

• Did you assign your additional public IP's on the WAN as virtual IPs?

• Did you create any manual outbound rules to map your internal networks to these public IPs?

Sensi

The WAN has 4 Public IP addresses - .148, .149, .150 and .151

I'd guess as things are addressing as .149 that that's the IP of the WAN?

Sensi

I've created a 1:1.
I've created a virtual IP (with the public/32).
I had a play with the auto created rules.

But it ain't working - getting very close to seeing if it can fly!!

I have the pf.conf rules that I'm trying to copy over (shame there is no direct import to convert!!)

GruensFroeschli

Your WAN can only have 1 IP.
–> What IP is configured if you go to the config page of the WAN. --> That's the IP of the WAN.
Per default all communication with/from the pfSense is done with this IP.

You can add additional IPs on the WAN interface via "Firewall --> Virtual IP".
These additional IPs are only usable by the pfSense itself if the VIP type is:

• CARP (requires that the VIP is in the same subnet as the WAN-IP)
• alias (just your standard alias).

These VIPs can be used in NAT rules.
--> Eg. outbound rules.

If you want traffic from your different VLANs to leave via their own IP you need to enable manual rule generation and crate a rules like:
Interface: WAN (interface on which traffic exits)
Source: vlan_x_subnet
Destination: any (aka internet).
Translation: VIP (set here one of the previously create VIPs).

If you have done that and it doesn't work, then please post screenshots of all the pages where you configured something.

Metu69salemi

If you're still having issues with applying this send me a pm.

Sensi

I'm thinking that the issue is with my modem/router not giving out the right IP addresses (rather than pfSense not allocating them the way I want - my guess is that it is only receiving a single one).

Does that sound feasible?

Metu69salemi

Sort of feasible:
if you have modem in routing mode, then it's feasible
-or-
you have modem at bridging mode and you have not done all the virtual ip's for the pfsense
-or-
you have every single wan ip set, but manual outbound nat rules isn't set right