Public IP on server interface

  • Hi everyone,
    I'm just trying to figure out how I would go about disabling NAT for a number of public IPs I have and running these actual addresses on the actual interface cards of my servers. At the moment I am using virtual IPs but these are less than ideal. For example I have a /28 subnet, the first address should be the WAN interface of pfsense and the rest should be able to be configured on the NICs of a number of servers I have that are on the LAN interface (I can setup VLANs if need be).


  • why are you not using 1:1 NAT ? (Firewall -> NAT -> 1:1)

    just map the external IP 1:1 to the internal server ip ?

  • So with 1:1 nat am I able to configure the interface card on my server to use the public IP? or should i have both the external and internal IP on the one interface?

  • The easiest thing to do is to follow trendchiller's advice, add VIPs for your additional publics, and use 1-1 NAT.
    If you need to have public IPs on the servers, you would need to create a DMZ interface for your servers and bridge that interface with the WAN.

  • why not use 1:1 NAT with private IPs at the servers and public on pfsense and NAT them 1:1 to the servers and for outgoing NAT use AON (advanced outbound nat) and give every server its own ip or use different gateways on pfsense for outgoing traffic from the servers ?
    dmz is also ok, bit i do not understand the need to have the public IPs on the server NICs…

  • I have had this setup before, but I was not using pfsense at the time. But since I was using pf on openBSD it should be close. There was no need other than all the server IPs would have had to change and there where a lot of servers. What we setup was a bridging firewall. Some call it an IP-less firewall. Either way you are going to be filtering packets as they cross the kernel.

    As I understand it pfSense can do this. I have not tested this, but I hear it works well. I bet there is even a doc on how to do this. We had a 24 bit subnet and all machine (even the users :-O through dhcp). If you are going to have a setup where some are NATed and some servers that are not NATed then perhaps you need firewalls with 3 interfaces. 1 LAN, 1 WAN, and on bridged interface with the WAN and all server on that. Then you can filter using rules based on interface.

Log in to reply