Netgate Discussion Forum
    Same WAN port, multiple IPs?

    Category: NAT. 19 posts, 5 posters, 5.4k views.
    • mudmanc4

      Simplify things for yourself here.

      Just set up virtual IPs (the static ones you'll get) {IP Alias}, then 1:1 NAT them to the LAN / OPT subnet, leave each internal machine set as DHCP, and assign them static reservations in pfSense via MAC address.

      This way each port to each MAC/IP reservation can be controlled through the ruleset, so you won't be exposing anything you do not want, including DRAC.

      If you want to take it a step further, get an account at DNSmadeeasy. Keep the DNS on external networks only here. Even if you have just one TLD, you can use subdomains as well as RFC2136 dynamic DNS through the external DNS.

      EDIT:
      Also, turn off DHCP on the ISP router after you've gotten the static IP set, and let pfSense handle this. The IP block will all be pointing towards the modem, which can be assigned as stated above, as aliases; use the gateway they provide with the block for all static IPs.

      • Derelict (LAYER 8, Netgate)

        Host your DNS somewhere else. he.net comes to mind.

        I would rather put a bunch of port forwards/rules in something like pfSense than maintain local "software" firewalls on a bunch of servers. Maybe that's just me.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • aaronouthier

          Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

          • mudmanc4

            @aaronouthier:

            Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

            So you have a fiber connection, even better. (I should have seen this; you clearly pointed out APU.)
            What is the issue with using a 1:1 NAT?

            • aaronouthier

              I would also rather use centralized management for the firewall setup, e.g. using pfSense would be ideal. Earlier posts led me to believe that such was not feasible.

              As for DNS, my domain registrar already provides DNS, including DynDNS. This will work fine at first, during the early stages, when there are not many domains. It's when there are more domains being added daily, assuming I get that far, that manually matching up everything by hand will become impossible.

              Good advice, all around. Thanks everyone!

              • aaronouthier

                Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

                • mudmanc4

                  @aaronouthier:

                  Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

                  1:1 allows the segregation of port mapping on one interface to the specified IP. (Not the best explanation)

                  example:

                  External IP 172.184.25.2 using port 80
                  External IP 172.184.25.3 using port 80 and port 443

                  and so on.

                  • KOM

                    From the Definitive pfSense Guide (available to Gold Subscribers)

                    1:1 (pronounced one to one) NAT maps one public IPv4 address to one private IPv4 address. All traffic from that private IPv4 address to the Internet will be mapped to the public IPv4 address defined in the 1:1 NAT mapping, overriding your Outbound NAT configuration. All traffic initiated on the Internet destined for the specified public IPv4 address will be translated to the private IPv4, then evaluated by your WAN firewall ruleset. If the traffic is permitted by your firewall rules to a target of the private IPv4 address, it will be passed to the internal host.

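Putting the guide's description together with the IP Alias advice from the first post, here is an added example (editor's shell script, not code from the thread or from pfSense itself) that emits the pf(4) equivalent of what the pfSense GUI builds for this setup: the extra public addresses on the WAN interface (Firewall > Virtual IPs, type IP Alias), a binat mapping per public address (Firewall > NAT > 1:1), and WAN pass rules that name the translated private host and only the ports you choose (Firewall > Rules > WAN). The interface name em0, the 203.0.113.0/29 block (a documentation range), the 10.0.0.0/24 hosts and the function names are all assumptions; the third host stands in for a box whose only reachable service is an out-of-band controller, so it gets no pass rule at all.

```shell
#!/bin/sh
# Added example; not from the thread or the pfSense project.
# Assumed names: WAN interface em0, public block 203.0.113.0/29, hosts on 10.0.0.0/24.

WAN_IF=em0

# Constructed mapping table: public_ip private_ip tcp_ports ("-" = expose nothing).
# The third host carries a DRAC-style controller and must not get any pass rule.
MAPPINGS='203.0.113.3 10.0.0.10 80,443
203.0.113.4 10.0.0.11 25,587
203.0.113.5 10.0.0.12 -'

# 1. Each extra public address must exist on the WAN interface, otherwise pf never
#    sees packets for it (the "no traffic in the log" symptom later in the thread).
#    pfSense calls these Virtual IPs of type IP Alias.
vip_commands() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        printf 'ifconfig %s alias %s/32\n' "$WAN_IF" "$pub"
    done
}

# 2. binat is pf's 1:1 NAT: inbound to $pub is rewritten to $priv, and outbound from
#    $priv leaves as $pub (overriding the outbound NAT that would otherwise apply).
#    Filter rules are matched on the translated, i.e. private, address, so the WAN
#    pass rules name the private host, not the public IP. pf uses last-match-wins
#    (absent "quick"), so the default block comes first and the pass rules after it.
pf_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        printf 'binat on %s from %s to any -> %s\n' "$WAN_IF" "$priv" "$pub"
    done
    printf 'block in on %s all\n' "$WAN_IF"
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] && [ "$ports" != "-" ] || continue
        printf 'pass in on %s proto tcp from any to %s port { %s }\n' \
            "$WAN_IF" "$priv" "$(printf '%s' "$ports" | tr ',' ' ')"
    done
}

# Ports a given private host is reachable on from the WAN, read back from the
# generated rules (empty string when the host is fully hidden, as for 10.0.0.12).
exposed_ports() {
    pf_rules | grep "^pass .* to $1 port" | sed 's/.*port { \(.*\) }/\1/'
}

# Stand-alone run: print the interface commands, then the rule set.
vip_commands
pf_rules
```

Save the rule output to a file and check it with `pfctl -nf rules.conf` on a FreeBSD or pfSense box before loading anything; the point of the script is to make visible what the three GUI pages add up to, in particular that a host with no pass rule stays unreachable even though its public address now answers ARP on the WAN.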
                    • aaronouthier

                      That makes perfect sense! One to one, instead of one to many. Thanks Mr. KOM!

                      • aaronouthier

                        Ok. So, I finally made the switch to 5 static IPs. I've set up 1:1 for the 2nd of 5 IP addresses, and configured NAT rules, etc., but the firewall log shows no traffic going to it. I suspect this is because the WAN interface only knows about the 1st address. If this is the case, then how do I tell my pfSense box that it has 5 IPs on the WAN, not just 1?

                        • aaronouthier

                          Oops,
                          I just reread the previous posts. I see now the solution is with Virtual IPs. Implementing that now.

                          Thanks again for everyone's help!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.