• I have 5 static ips. I need to have 1 device utilize that IP in and out. What is the best way to do this? 1:1 nat? Just go in and set that 1:1 nat and done?

    IE my.out.side.ip routes to (my device internal ip)


    This is for a VOIP phone system that is supposed to be on the edge of the network. (Trying not to put it on the edge obviously). I need the voip phone system to be as little nat'd firewalled as possible. It needs to be able to go out that public ip, and everything come in that public ip.

  • There are multiple ways depending on what you're doing.  1-to-1 NAT will work, but if I'm not mistaken, now that IP is bound to that server and can't be used by anything else.  The fact that you only have 5 IP's to begin with, the thought of binding 20% of your static block to one device seems very aggressive to me.

    Personally, I would do this:

    • Assuming 1 static is already assigned to your WAN interface, bind the other 4 IP's to your WAN interface via IP Alias

    • Change your Outbound NAT mode to Hybrid and add an Advance Outbound NAT entry for

    • Inbound traffic would then be controlled via port forwarding

    • Outound traffic would then be translated per the outbound NAT mapping

    This would be the most efficient use of your static block.

  • I might not have asked the initial question correctly.

    I have to get the pbx to use one of the public ip addresses and there has to be no interference from the pfsense unit at all (but I don't want to physically put it in front of the pfsense). I need to make it as transparent as possible though.

    Is there a way I can set up one of the extra interfaces on the pfsense to make this work?

    Maybe enable the interface, leave it with a none configuration, add it to a bridge interface, and set the pbx to the public address? Not quite sure how to do that either though.

    Is it even possible to bridge 1 public ip out of a 5 public ip subnet?

    Is it possible to make the one bridged interface transparent?

  • In normal there are three common ways to solve this out.

    • PBX like Asterisk inside of the DMZ (APU2C4, Raspberry PI,….)
    • STUN Server outside in the Internet or on the ISP side
    • SIP-ALG inside of the Router or Firewall (likes the SIP-Proxy package for pfSense)

    Asterisk VoIP
    Siproxd package
    VOIP configuration
    PBX VoIP NAT How-to

    Here are some other peoples speaking about they get it right done!
    Overview on configuring pfSense Firewall/NAT for VOIP SIP phones?