How to assign public IP of /29 block directly to a connected device in pfSense

  • Ultimately what I want to do is connect a second physically separate gateway, and assign its WAN port one of the public IP addresses given by our ISP.

    So I have the following setup currently and is working.

    Fibre leased line from ISP.
    Fibre comes to ISP box
    Ethernet from ISP box plugs into pfSense WAN port
    pfSense WAN port set as static IP assignment IP:, GW:
    Add one of the public IP addresses as a virtual IP address in pfSense IP:
    Create a new private network and assign it to a spare ethernet port IP:
    Connect the second gateway wan port to pfSense and assign the wan a static IP:
    In pfSense setup 1:1 NAT and outbound NAT to connect all traffic <- between->
    Setup firewall rules in pfSense to allow all traffic between WAN and LAN
    While this works and the new device talks over the public IP address, the actual gateway thinks it's public IP address is, not This make configuration of VPN serves impossible for me as the device is wrongly thinking its public IP is a private one.

    To clarify, which is my understanding, I might be wrong, the ISP gateway is on a /30 network and have given us a /29 block of IPs that are routable through From my testing the above rules out being able to connect a switch between the ISP box and pfSense WAN and just assign devices those public IPs of the /29 block.

    Is there any way I can configure the WAN port on the secondary device with the public IP address, connect it to pfSense someway and just get pfSense to route it out to

  • I'm not quite sure I followed but I think we have a similar setup in our data center.  Our WAN IP is in a /29 along with its gateway (a data center router).  A /25 is routed to our WAN IP.  pfSense's LAN IP is in the /25 (x.x.x.1) so is the gateway for the "LAN's" public IP addresses.

    If you want a second device in the "outside" /29 you need to set it up in parallel with your pfSense not behind it.  A router won't pass "WAN subnet" traffic back through into the LAN since that's not where it is supposed to go.

Log in to reply