NAT 1:1 with Virtual ip + custom MAC

  • Hi,

    Im new to pfsense and i try to accomplish a particular scenario and haven't found useful information about exactly what i try to accomplish

    So i have multiple servers on a DMZ (
    All Servers are hosted on a ESXi host
    Lets say that only one server for this example so ( SERVERA )
    The WAN gateway is ( YES the gateway is out of the subnet because the provider use mac address routing )
    1 pfsense with DMZ -> ( DMZ gatweway )
      WAN -> ( WAN IP ) -> ( Gateway on WAN interface )

    So what i would do is to be able to nat to ( Public IP ) so the world see NOT

    The problem i face with the scenarios is the fact that public ips must have specific MAC address so the external gateway ( ) can route trafic on a match IP + MAC
    otherwise the traffic is not routed

    This means that i must have multiple WAN IP with the SAME gateway ( ) and with the ability the define specific MAC address for each Public IP

    So i cannot use virtual ip because there is not way to define mac address on virtual ips… or i didn't found how to do it
    i tried to add an OPT1 interface and define the external gateway to it but Pfsense refuse to use the same gateway on different interface

    and i cannot tag vlan on WANS interface because the external gateway will not be able route packets...

    OR, alternative solution

    The very BAD way to do it ( IMO )

    Would be to Disables the NATING on pfsense,
    Bridge the DMZ interface on the WAN interface( apparently this require promiscuous mode on the HOST (vswitch) to be enable )
    Define the Public IP directly on the SERVERA with the Specific MAC address

    This way, the Pfsense become a transparent Firewall / router but the fact i have to enable promiscuous on WAN vswitch of the ESXi make me nervous
    but ive experienced a very bad bandwidth throughput... im supposed to have 500 Mbps in and out but with this scenarios, the upload speed goes down to 25 Mbps for unknown reason.

    Any one have ideas how to achieve this correctly ?

    Thank you.

  • mac address binding? sounds like hetzner or some other sort of hoster ;-)

    well, there is actually a trick to make this happen.. add OPT NICs with the required MACs, configure the additonal IPs on each NIC but do not connect them to the network. traffic will be routed over em0 but ISP still sees the correct origin MAC on his switch and therfor lets the traffic flow.

  • add OPT NICs with the required MACs, configure the additional IPs on each NIC but do not connect them to the network.

    Thank you for your time…
    but im not sure to understand that...

    One NIC with MAC + Public IP but do not connect it to network ? do you mean to define NO gateway ?
    If there is no gateway define it will just take the default from  the WAN interface
    If there is no default gateway, network fail
    If i have a default gateway, it must be bind to an interface, if so the packet will inherit the MAC of the last up which is the WAN interface ( DMZ -> OPT1 -> WAN -> External GW )... am i right ?

    so im not sure to understand how to achieve that.

    Thank you.

  • Sorry was on my mobile last evening when i replied here.

    The Gateway is only configured on the WAN Interface. You want to add an OPT Interface for each additional IP and configure them as normal but with /32 mask for each IP and with no gateway set. In the VM Settings within ESXi you set the MAC addresses accordingly on each interface.  Do not use the MAC spoofing feature within pfSense, we had issues with that.

    With that setup the traffic of your additional IPs should origin from the according MACs and the switch of your ISP should be happy.  We had this setup running for about two years without any issues.

Log in to reply