Netgate Discussion Forum
    2 public IPs on 1 WAN

HA/CARP/VIPs
9 Posts 2 Posters 1.8k Views
gladston3

      Hello,

      I have 2 public IP addresses (xx.xxx.xx.4 and 244) pointing to my pfSense. I want to NAT the 244 IP to a specific server but it just does not work.
      Here is what I did:

      I created a virtual IP address Type: IP Alias, Interface: WAN, Address: xx.xxx.xx.244/24 (same mask as the main ip)
      I created a 1:1 NAT Interface: WAN, External subnet IP: xx.xxx.xx.244, Internal IP: Single Host: 192.168.0.4, Destination: ANY
      Finally I created a firewall rule: Action: Pass, Interface: WAN, Source: ANY, Destination: Single Host 192.168.0.4, Destination Port Range: HTTPS

      Then I tried to reach the server from outside the network via https://xx.xxx.xx.244 but without success.

I also tried to delete the 1:1 NAT and the firewall rule and just add a simple port forward rule with destination xx.xxx.xx.244. Unfortunately that didn't work either.

      Did I make a mistake somewhere or should this configuration work?

      Thank you very much in advance
      cheers
      -gladston3
[attached screenshots: pfsense1.PNG, pfsense2.PNG, pfsense3.PNG, pfsense4.PNG]

viragomann

        The destination in the firewall rule has to be the external address.

gladston3

          Makes sense. But didn't fix it unfortunately /:

Edit: ok, I overthought it and I don't get it. Why does the destination have to be the external IP? Shouldn't that be the final (internal) destination IP?

viragomann

Yes, you're right. I think I'm tired. ???

What are your settings now? You have deleted the NAT 1:1 and the firewall rule and added a forward rule with the "pass" option?

gladston3
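The point the two posts above settle (the WAN rule for a 1:1 NAT must name the internal host, not the public VIP) follows from the order in which pf processes an inbound packet: binat/rdr translation happens first, and only then do the filter rules run, so they see the translated destination. The following is an added model of that ordering, not code from this thread or from pfSense; the public addresses are constructed stand-ins from the 203.0.113.0/24 documentation range, not the poster's masked xx.xxx.xx.4/.244, and the internal host is the 192.168.0.4 from the first post.

```python
"""Inbound 1:1 NAT order on pf: translate first, then filter.

Added example; not code from the thread or from pfSense. It models only
the ordering that explains the exchange above: pf applies binat/rdr to an
inbound packet before the WAN filter rules see it, so the pass rule must
match the translated (internal) destination. Public addresses here are
constructed stand-ins (203.0.113.0/24 is a documentation range), not the
poster's masked xx.xxx.xx.4/.244.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Binat:
    """pfSense 1:1 NAT entry: external VIP <-> internal host, all ports."""
    external: str
    internal: str


@dataclass(frozen=True)
class PassRule:
    """A WAN 'pass' rule as configured under Firewall > Rules > WAN."""
    dst: str            # host/network in CIDR form, or "any"
    dport: int | None   # None = any port


def apply_inbound_nat(pkt: Packet, binats: list[Binat]) -> Packet:
    """Inbound leg of binat: rewrite the destination VIP to the internal host."""
    for b in binats:
        if pkt.dst == b.external:
            return replace(pkt, dst=b.internal)
    return pkt


def apply_outbound_nat(pkt: Packet, binats: list[Binat]) -> Packet:
    """Outbound leg of binat: replies from the internal host leave as the VIP.

    This only happens if the reply is routed through pfSense, which is why
    the host's default gateway matters for the return traffic.
    """
    for b in binats:
        if pkt.src == b.internal:
            return replace(pkt, src=b.external)
    return pkt


def rule_matches(rule: PassRule, pkt: Packet) -> bool:
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def inbound_verdict(pkt: Packet, binats: list[Binat],
                    wan_rules: list[PassRule]) -> tuple[str, Packet]:
    """Return ('pass' | 'block', packet as the filter saw it). WAN is default-deny."""
    translated = apply_inbound_nat(pkt, binats)   # NAT runs first ...
    for r in wan_rules:                            # ... then the rules see the result
        if rule_matches(r, translated):
            return "pass", translated
    return "block", translated


# Constructed scenario mirroring the thread: VIP .244 mapped 1:1 to 192.168.0.4.
BINATS = [Binat(external="203.0.113.244", internal="192.168.0.4")]
CLIENT_SYN = Packet(src="198.51.100.7", dst="203.0.113.244", dport=443)

RULE_INTERNAL_DST = [PassRule(dst="192.168.0.4", dport=443)]    # correct for 1:1 NAT
RULE_EXTERNAL_DST = [PassRule(dst="203.0.113.244", dport=443)]  # never matches: dst was rewritten


if __name__ == "__main__":
    for name, rules in (("internal dst", RULE_INTERNAL_DST), ("external dst", RULE_EXTERNAL_DST)):
        verdict, seen = inbound_verdict(CLIENT_SYN, BINATS, rules)
        print(f"{name}: {verdict} (filter saw dst={seen.dst})")
    reply = Packet(src="192.168.0.4", dst="198.51.100.7", dport=51234)
    print("reply leaves WAN with src", apply_outbound_nat(reply, BINATS).src)
```

Running it shows the rule with the internal destination passing and the one with the external destination blocking the same SYN; the outbound function is included because the same bidirectional mapping is what rewrites the server's replies, and it only applies if those replies come back through pfSense.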

              No problem I am happy about any help (:

Yeah, exactly. Didn't delete it, just deactivated it. Tried all sorts of combinations of these three rules but nothing worked…

              The 244 address seems to be alive though, since I can reach it if I change the WAN address to 244 from 4.

viragomann

                Maybe there is something wrong with the destination host 192.168.0.4? Is it set to use the internal pfSense address as default gateway?
                Does it allow access from outside?

Activate logging in the firewall rules and check Status > System Logs > Firewall.

For troubleshooting you can do a packet capture on pfSense: Diagnostics > Packet Capture. This should show exactly what's going on.
Do a capture on the WAN interface while you try to access x.x.x.244:443 from outside; if you see the packets there, do a capture on the LAN interface as well.

gladston3
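The capture procedure in the post above is really a decision tree: where the client's SYN stops tells you which layer to look at. The script below is an added example, not code from this thread or from pfSense, that applies that tree to two captures. The input lines are constructed in tcpdump's one-line summary format (the form the Packet Capture page displays); 203.0.113.244 is a constructed stand-in for the poster's masked .244 address, 198.51.100.7 is an assumed outside client, and the stage names and the explanations in the comments are this example's own.

```python
"""Triage a 1:1 NAT / port-forward failure from WAN and LAN captures.

Added example; not code from the thread or from pfSense. It automates the
reasoning in the post above: capture on WAN while a client connects to
VIP:443; if the SYN is there, capture on LAN and see whether it was
forwarded to the internal host and answered. The capture lines below are
constructed in tcpdump's summary format; 203.0.113.244 is a stand-in for
the poster's masked .244 address, 198.51.100.7 an assumed outside client.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump flag string: "S" = SYN, "S." = SYN/ACK


def parse(lines):
    """Keep only TCP summary lines; anything else (ARP, ICMP, ...) is ignored."""
    segs = []
    for ln in lines:
        m = LINE_RE.search(ln)
        if m:
            segs.append(Seg(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return segs


def _to(segs, dst, dport, flags):
    return any(s.dst == dst and s.dport == dport and s.flags == flags for s in segs)


def _from(segs, src, sport, flags):
    return any(s.src == src and s.sport == sport and s.flags == flags for s in segs)


def triage(wan_lines, lan_lines, vip, internal, port=443):
    """Return the first stage at which the connection attempt disappears."""
    wan, lan = parse(wan_lines), parse(lan_lines)
    if not _to(wan, vip, port, "S"):
        # Never reaches pfSense: upstream routing, or nobody answers ARP for the VIP.
        return "no_syn_on_wan"
    if not _to(lan, internal, port, "S"):
        # Seen on WAN but not on LAN: the NAT entry or the WAN rule; the
        # firewall log (with logging enabled on the rule) says which.
        return "syn_not_forwarded"
    if not _from(lan, internal, port, "S."):
        # Forwarded but unanswered: service not listening, host firewall, or the
        # host replies via a different default gateway so pfSense never sees it.
        return "no_reply_from_host"
    if not _from(wan, vip, port, "S."):
        # Host answered, but the reply did not leave WAN with the VIP as source.
        return "reply_not_translated"
    return "ok"


# Constructed captures for a client 198.51.100.7 connecting to the VIP.
WAN_SYN = "12:00:01.000000 IP 198.51.100.7.51234 > 203.0.113.244.443: Flags [S], seq 100, win 64240, length 0"
LAN_SYN = "12:00:01.000100 IP 198.51.100.7.51234 > 192.168.0.4.443: Flags [S], seq 100, win 64240, length 0"
LAN_SYNACK = "12:00:01.000300 IP 192.168.0.4.443 > 198.51.100.7.51234: Flags [S.], seq 500, ack 101, win 65535, length 0"
WAN_SYNACK = "12:00:01.000400 IP 203.0.113.244.443 > 198.51.100.7.51234: Flags [S.], seq 500, ack 101, win 65535, length 0"
NOISE = "12:00:01.000200 ARP, Request who-has 192.168.0.4 tell 192.168.0.1, length 28"

VIP, INTERNAL = "203.0.113.244", "192.168.0.4"

if __name__ == "__main__":
    print(triage([WAN_SYN, WAN_SYNACK], [NOISE, LAN_SYN, LAN_SYNACK], VIP, INTERNAL))
    print(triage([WAN_SYN], [NOISE], VIP, INTERNAL))
```

Feed it the text of the two captures taken during one connection attempt; the port defaults to 443 to match the HTTPS rule in the first post. A result of `syn_not_forwarded` points at the NAT/rule side that the thread is debating, whereas `no_reply_from_host` points at the server itself (the default-gateway question raised above).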

I already changed the destination host to another server. Didn't help. I am also able to reach the 192.168.0.4 server through a proxy on the other IP. The problem is that this server does not work properly through the proxy, so that's why I got myself the second IP.

                  I am gonna look into the logging tomorrow.

                  Probably a dumb question but is it possible that the 2 IPs are "too far away" from each other?

                  Thanks again for your help and effort.

viragomann

No, you can assign each virtual IP to the WAN interface. Just make sure it is set with the correct mask to avoid routing issues.
If it's a single IP you should set a /32 mask. Don't know why you've set it to /24. But this won't be the issue here.

                    If it's in a private subnet you have to uncheck "Block private networks" in the WAN interface settings.

gladston3

                      Good morning and once again thank you for your effort.

                      I set /24 because I thought that it has to be the same mask as the mask of the WAN IP. I also tried /32 though…

What do you mean by "private subnet"? 10.0.0.0/8, 172.16.0.0/12 etc.? That's not the case...

I hope I find the time today for logging/monitoring.

                      Is it possible that other NAT rules somehow interfere?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.