Setting Up pfSense with multiple static IPs
-
I'm not sure I'm right, but your specific workstations that need a direct pass-through IP address will usually be because you're hosting some application on them that needs to be "outside" the network. But shouldn't the right way of doing this be keeping those machines inside the network and port forwarding to the workstation?
Also, I never had to use multiple IP addresses supplied as a block from the same ISP, but I would give it a try using VLANs assigned on the WAN NIC and giving a static IP to those interfaces. After that, I would suppose it will be a NAT job that would turn around the "outbound" tab in the NAT.
I don't know if it's possible to map, let's say, two ports from two different "WAN" interfaces to, let's say, the same host on the "LAN" interface. I'm sure it could be possible but I never had to play with that yet.
Does that make sense?
Zikmen
-
Thanks for trying, but I do not understand any of that. My one question is whether each of the computers should be using 99.99.99.1 or 99.99.99.2 as the gateway.
-
You cannot have the same IP address range inside (LAN) and outside (WAN). You can either port forward from your WAN to an internal IP address or, if you're running the same services on different public addresses, then you can do 1:1 NAT. 1:1 NAT means that you forward a specific WAN IP address to a specific LAN IP address. To be able to configure 1:1 NAT you must FIRST tell pfSense about the additional IP addresses on the WAN. Go to Firewall > Virtual IPs to configure these additional addresses. You must do this FIRST so you can forward the specific IPs to the specific internal LAN IPs. It would be a good idea to set the internal machines with static addresses as well to avoid issues if they change. In either case your LAN computers will be using the LAN IP address as the gateway, which by default is 192.168.1.1.

NAT
(WAN) ------- (LAN) 192.168.1.1 ------- Port Forward (80, 21) -------> LAN PC (192.168.1.100)
(WAN) ------- (LAN) 192.168.1.1 ------- Port Forward (25, 143) ------> LAN PC (192.168.1.101)

1:1 NAT
(WAN) ------- 99.99.99.2 ---- 1:1 NAT -------> 192.168.1.100 (In this scenario ALL ports will be forwarded to the target machine. It would be like this machine was directly exposed to the internet)
(WAN) ------- 99.99.99.3 ---- 1:1 NAT -------> 192.168.1.101

You can also NAT from a specific WAN IP address by selecting that IP from the Destination option when you create your mapping. Again, this can only be done AFTER you create your virtual IPs.
-
What information, exactly, was given to you by your ISP? Obfuscate the high octets if you must but use real numbers for anything longer than the subnet mask. What did they tell you was the subnet? What did they tell you was the gateway, etc.?
-
pfSense has been working for years for me without NAT translation. It is in some sort of bridge mode. I do not have any internal LAN IPs. The GUI says the LAN is "Bridge with WAN." I do not have any virtual IPs.
My ISP says (not real numbers, except the subnet mask):
gateway = 50.252.22.1
subnet = 255.255.255.240
block of ips = 50.252.22.2 to 50.252.22.23
-
If you're "bridging" then the gateway would be your ISP.
-
WAN Address: 50.252.22.2
WAN Netmask: 255.255.255.240
Gateway: 50.252.22.1

Create Virtual IPs (Firewall > Virtual IPs) for .3 through .23. You can use those virtual IPs for outbound NAT, port forwards, and 1:1.
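
Added example, not part of the original thread: a Python check that classifies an ISP-supplied block against the WAN netmask before any Virtual IPs are created, run here on the placeholder numbers posted above. The function name `plan_virtual_ips` is hypothetical; with these numbers 255.255.255.240 covers only 50.252.22.0 to 50.252.22.15, so .16 through .23 are reported as outside the WAN subnet.

```python
import ipaddress


def plan_virtual_ips(gateway, netmask, wan_ip, block_first, block_last):
    """Classify every address in an ISP block against the WAN subnet.

    Returns (network, usable, reserved, outside):
      usable   - inside the subnet and free to become a Virtual IP
      reserved - inside the subnet but already taken (network, broadcast,
                 gateway, or the firewall's own WAN address)
      outside  - not on the WAN subnet at all, so the ISP gateway is not
                 on-link for them with this netmask
    """
    network = ipaddress.ip_interface(f"{gateway}/{netmask}").network
    wan = ipaddress.ip_address(wan_ip)
    if wan not in network:
        raise ValueError(f"WAN address {wan} is not in {network}")
    first = ipaddress.ip_address(block_first)
    last = ipaddress.ip_address(block_last)
    if first > last:
        raise ValueError("block_first must not be above block_last")

    taken = {network.network_address, network.broadcast_address,
             ipaddress.ip_address(gateway), wan}
    usable, reserved, outside = [], [], []
    for value in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(value)
        if addr not in network:
            outside.append(addr)
        elif addr in taken:
            reserved.append(addr)
        else:
            usable.append(addr)
    return network, usable, reserved, outside


if __name__ == "__main__":
    # Placeholder values as posted in the thread (not real addresses).
    net, usable, reserved, outside = plan_virtual_ips(
        "50.252.22.1", "255.255.255.240", "50.252.22.2",
        "50.252.22.2", "50.252.22.23")
    print("WAN subnet:", net)
    print("Virtual IP candidates:", ", ".join(map(str, usable)))
    print("Already in use:", ", ".join(map(str, reserved)))
    print("Outside the subnet:", ", ".join(map(str, outside)))
```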
-
"The GUI says the LAN is "Bridge with WAN." I do not have any virtual IPs."
Not sure why "wan" would have an IP on it then - the bridge should have the IP in your range so you can access it. I personally would never set it up this way. But sure, it can work - just confused why you're asking in the first place if it's currently set up and working?
-
Then, yes. Create a bridge including the interface connected to the WAN device and the other. Assign no IPs to the bridge members, assign pfSense WAN to BRIDGE0 and put the above config on WAN. Then you can assign the other IPs (with the same netmask and gateway) to any other nodes on the bridge (or use them as VIPs).
-
This document might help you with your filtering bridge setup:
Transparent Firewall/Filtering Bridge
Found with the search function of this forum.