2 public IPs on 1 WAN

  • Hello,

    I have 2 public IP addresses (xx.xxx.xx.4 and 244) pointing to my pfSense. I want to NAT the 244 IP to a specific server but it just does not work.
    Here is what I did:

    I created a virtual IP address Type: IP Alias, Interface: WAN, Address: xx.xxx.xx.244/24 (same mask as the main ip)
    I created a 1:1 NAT Interface: WAN, External subnet IP: xx.xxx.xx.244, Internal IP: Single Host:, Destination: ANY
    Finally I created a firewall rule: Action: Pass, Interface: WAN, Source: ANY, Destination: Single Host, Destination Port Range: HTTPS

    Then I tried to reach the server from outside the network via https://xx.xxx.xx.244 but without success.

    I also tried to delete the 1:1 NAT and the firewall rule and just add a simple port forward rule with destination xx.xxx.xx.244. Unfortunately that didn't work either.

    Did I make a mistake somewhere or should this configuration work?

    Thank you very much in advance

  • The destination in the firewall rule has to be the external address.

  • Makes sense. But didn't fix it unfortunately /:

    Edit: ok, I overthought it and I don't get why the destination has to be the external IP. Shouldn't that be the final (internal) destination IP?

  • Yes, you're right. I think I'm tired.

    What are your settings now? You have deleted the NAT 1:1 and the firewall rule and added a forward rule with "pass" option?

  • No problem I am happy about any help (:

    Yeah exactly. Didn't delete it, just deactivated it. Tried all sorts of combinations of these three rules but nothing worked…

    The 244 address seems to be alive though, since I can reach it if I change the WAN address to 244 from 4.

  • Maybe there is something wrong with the destination host. Is it set to use the internal pfSense address as default gateway?
    Does it allow access from outside?

    Activate logging in the firewall rules and check the Status > System Logs > Firewall.

    For troubleshooting you can do a packet capture on pfSense: Diagnostics > Packet Capture. This should show exactly what's going on.
    Do a capture on the WAN interface while you try to access x.x.x.244:443 from outside; if you see the packets there, also do a capture on the LAN interface.
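
The two-capture check described in the post above, written out as an added example (not from the thread or from pfSense): it reads `tcpdump -n`-style lines from a WAN and a LAN capture and reports at which stage the inbound connection to the VIP dies. The addresses 192.0.2.244 (public VIP), 10.0.0.10 (internal host) and 203.0.113.9 (outside client), and the sample lines, are constructed for the example.

```python
import re

# Matches the interesting part of a `tcpdump -n` TCP line, e.g.
# "12:00:01.000 IP 203.0.113.9.51514 > 192.0.2.244.443: Flags [S], seq 1, ..."
PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse_capture(lines):
    """Return (src, sport, dst, dport, flags) tuples for every TCP line recognised."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append((src, int(sport), dst, int(dport), flags))
    return pkts

def diagnose(wan_lines, lan_lines, public_ip, internal_ip, port=443):
    """Locate where an inbound connection to public_ip:port gets lost.

    WAN_NO_SYN: nothing for the VIP arrives on WAN (upstream / VIP problem).
    NAT_NOT_TRANSLATING: SYN seen on WAN, nothing on LAN (1:1 NAT or WAN rule).
    HOST_NO_REPLY: host received the SYN but never sent a SYN-ACK (host firewall/listener).
    RETURN_PATH: host answered but the reply never left WAN (host default gateway).
    OK: handshake visible on both sides, NAT itself works.
    """
    wan = parse_capture(wan_lines)
    lan = parse_capture(lan_lines)
    if not any(p[2:] == (public_ip, port, "S") for p in wan):
        return "WAN_NO_SYN"
    if not any(p[2:] == (internal_ip, port, "S") for p in lan):
        return "NAT_NOT_TRANSLATING"
    if not any(p[0] == internal_ip and p[1] == port and p[4] == "S." for p in lan):
        return "HOST_NO_REPLY"
    if not any(p[0] == public_ip and p[1] == port and p[4] == "S." for p in wan):
        return "RETURN_PATH"
    return "OK"

# Constructed sample captures (not real traffic): the outside client retries its
# SYN three times on WAN while the LAN capture stays empty.
WAN_SAMPLE = [
    "12:00:01.000 IP 203.0.113.9.51514 > 192.0.2.244.443: Flags [S], seq 1, win 64240",
    "12:00:02.000 IP 203.0.113.9.51514 > 192.0.2.244.443: Flags [S], seq 1, win 64240",
    "12:00:04.000 IP 203.0.113.9.51514 > 192.0.2.244.443: Flags [S], seq 1, win 64240",
]
LAN_SAMPLE = []

if __name__ == "__main__":
    print(diagnose(WAN_SAMPLE, LAN_SAMPLE, "192.0.2.244", "10.0.0.10"))
```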

  • I already changed the destination host to another server. Didn't help. I am also able to reach the server through a proxy on the other IP. Problem is that this server does not work properly through the proxy, so that's why I got myself the second IP.

    I am gonna look into the logging tomorrow.

    Probably a dumb question but is it possible that the 2 IPs are "too far away" from each other?

    Thanks again for your help and effort.

  • No, you can assign each virtual IP to the WAN interface. Only take care that it is set with its correct mask to avoid routing issues.
    If it's a single IP you should set a /32 mask. Don't know why you've set it to /24. But this won't be the issue here.

    If it's in a private subnet you have to uncheck "Block private networks" in the WAN interface settings.

  • Good morning and once again thank you for your effort.

    I set /24 because I thought that it has to be the same mask as the mask of the WAN IP. I also tried /32 though…

    What do you mean by "private subnet"? etc.? That's not the case...

    I hope I find the time today for logging/monitoring.

    Is it possible that other NAT rules somehow interfere?
