Public IP for IP-based Virtual Hosting on DMZ

  • I have installed a CARP failover setup which is working fine, involving WAN (1 public IP subnet), LAN, SYNC, and 2 DMZs. On the DMZs, I have multiple web servers running IP-based virtual hosting. I have an additional public IP subnet of 64 addresses routed to my WAN address. The servers have a private address and several public alias addresses.

    I have been reading about VIPs and 1:1 and am unsure (and have been unsuccessful in testing) whether I can accomplish what I need to accomplish, which is to have a packet from the secondary public range arrive at the WAN port and be routed through to the DMZ server, retaining the public address.

    x.x.149.65 pkt <--> /x.x.137.1 WAN <pfsense> DMZ/ <--> /x.x.149.65 web host/

    I have tried multiple combinations of VIP, static routes, and 1:1 and so far have been unsuccessful.

    Thank you in advance.

  • This is not possible. I wanted to do this for ages. :-) Someone please correct me, I wish I'm mistaken.
    I'm still using Linux and proxy ARP for my server pool with WAN addresses.

  • I'm not sure if I understand you correctly:

    A public /26 subnet gets routed to your WAN.
    You have a public IP on your servers.

    And what exactly do you want to do?
    Move the public IPs to the pfSense and have private IPs on the servers? (This is possible)
    But… what for?

    Could you draw a diagram of what you have where (including IPs) and what should go where?

  • CARPDEV is what is really needed for this, but it's still not working well. Depending on your setup, you may be able to use Other VIPs. See this thread:,7039.0.html
    You could also try adding alias IPs and then adding CARP IPs.
