Public IP on server interface
I'm just trying to figure out how I would go about disabling NAT for a number of public IPs I have and running these actual addresses on the actual interface cards of my servers. At the moment I am using virtual IPs, but these are less than ideal. For example, I have a /28 subnet: the first address should be the WAN interface of pfSense and the rest should be able to be configured on the NICs of a number of servers I have that are on the LAN interface (I can set up VLANs if need be).
Why are you not using 1:1 NAT? (Firewall -> NAT -> 1:1)
Just map the external IP 1:1 to the internal server IP?
So with 1:1 NAT, am I able to configure the interface card on my server to use the public IP? Or should I have both the external and internal IP on the one interface?
dotdash
The easiest thing to do is to follow trendchiller's advice, add VIPs for your additional publics, and use 1-1 NAT.
If you need to have public IPs on the servers, you would need to create a DMZ interface for your servers and bridge that interface with the WAN.
Why not use 1:1 NAT with private IPs at the servers and public IPs on pfSense, NAT them 1:1 to the servers, and for outgoing NAT use AON (Advanced Outbound NAT) and give every server its own IP, or use different gateways on pfSense for outgoing traffic from the servers?
DMZ is also OK, but I do not understand the need to have the public IPs on the server NICs…
I have had this setup before, but I was not using pfSense at the time. But since I was using pf on OpenBSD it should be close. There was no need other than that all the server IPs would have had to change and there were a lot of servers. What we set up was a bridging firewall. Some call it an IP-less firewall. Either way you are going to be filtering packets as they cross the kernel.
As I understand it pfSense can do this. I have not tested this, but I hear it works well. I bet there is even a doc on how to do this. We had a 24-bit subnet and all machines (even the users :-O through DHCP). If you are going to have a setup where some servers are NATed and some are not NATed, then perhaps you need firewalls with 3 interfaces: 1 LAN, 1 WAN, and one interface bridged with the WAN with all servers on that. Then you can filter using rules based on interface.
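As an added illustration of the 1:1 NAT design recommended above (not code from any poster in this thread, nor from pfSense), the script below lays out a /28 the way the question describes: the first usable address is reserved for the pfSense WAN, each remaining address becomes a Virtual IP mapped 1:1 to one LAN server, and the mapping is checked to be strictly one-to-one, since 1:1 NAT translates in both directions. The public block, LAN addresses and interface name are constructed sample values; the `binat` lines use classic pf.conf syntax and are shown only to make the mapping concrete, since pfSense generates its rules from Firewall -> NAT -> 1:1.

```python
import ipaddress

# Constructed sample values: TEST-NET-3 stands in for the real /28,
# RFC 1918 addresses stand in for the servers on the LAN interface.
PUBLIC_BLOCK = "203.0.113.0/28"
LAN_SERVERS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]


def plan_one_to_one_nat(public_block, lan_servers):
    """Return (wan_address, {public_ip: private_ip}) for a 1:1 NAT layout.

    The first usable address of the block is kept for the pfSense WAN
    interface; every further usable address is a Virtual IP mapped to
    exactly one internal server (network and broadcast are never used).
    """
    net = ipaddress.ip_network(public_block, strict=True)
    usable = list(net.hosts())           # /28 -> 14 usable addresses
    wan = usable[0]
    spare = usable[1:]                   # 13 left for servers
    if len(lan_servers) > len(spare):
        raise ValueError(
            f"{public_block} leaves only {len(spare)} addresses after the WAN")
    private = [ipaddress.ip_address(s) for s in lan_servers]
    if len(set(private)) != len(private):
        # 1:1 NAT is bidirectional: a private host may appear only once,
        # otherwise inbound translation for that public IP is ambiguous.
        raise ValueError("each internal server may be mapped only once")
    mapping = {str(pub): str(priv) for pub, priv in zip(spare, private)}
    return str(wan), mapping


def render_pf_binat(ext_if, mapping):
    """Render the mapping as classic pf.conf 'binat' rules (assumed
    equivalent to what pfSense's 1:1 NAT page produces; ext_if is a
    constructed interface name)."""
    return [f"binat on {ext_if} from {priv} to any -> {pub}"
            for pub, priv in mapping.items()]


if __name__ == "__main__":
    wan, mapping = plan_one_to_one_nat(PUBLIC_BLOCK, LAN_SERVERS)
    print(f"pfSense WAN address: {wan}")
    for rule in render_pf_binat("em0", mapping):
        print(rule)
```

The servers keep their private addresses on their NICs; only pfSense holds the public block, which is the difference between this design and the bridged (IP-less) DMZ described in the last post.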