    Netgate Discussion Forum

    Possible to have ISP Static IP's set to int, and have local IP's for devices?

    • kntnt

      I have a SG-4860.
      The site's current setup:
      4 separate networks, each has own Static IP, Lan1/lan2/lan3/lan4
      on a 4 port ISP Modem -> 4 separate Cisco residential Routers (double NAT) 5 static IP assignments from ISP
      pfsense needs to have a separate Static IP from networks, however it can share with Lan4
      Lan1 and lan2 need to forward ports to certain machines, with static IPs. This I can do.
      Lan3 has to pass PCI compliance, so a static IP, separate from Primary with no open ports is needed. This, I find difficult. Basically every computer on this switch needs to show as from one specific Static IP assigned to the interface.
      Is it possible to assign a static IP from ISP to LAN3 interface, plug a switch in, and have pfsense hand out local IPs through DHCP?
      It sounds like it has to have a router behind it?
      I hope that makes sense.
      I would like to avoid double NAT, but is that what needs to happen?

      • yyaghi

        Hi,

        I actually have that accomplished. So, from what I understand…you have 4 internal networks and Multiple WAN IPs. What you want is for the clients connected to a switch on one of the LANs to leave from a specific Public IP. That is possible.

        So, first thing you need is to set up virtual IPs. One for every Public IP. In the description, give it a meaningful name.
        Once that is done, go to Firewall -> NAT -> Outbound NAT.

        I personally have "Hybrid Outbound NAT" selected. Select that and hit save. Now, what you need to do is scroll down to the mappings on that same page and add the new rule.
        For Interface: WAN
        For Source - Select the type "Network" and then the Source IP (IP of LAN with the subnet /24 if you're using the whole subnet)
        Destination: Any

        Then in the translation select the Address (which is the Public IP you want the traffic to leave from) and then hit save!

        Make sure to apply the settings and check the public IP from any of the clients on that switch and it should show that!

        • yyaghi

          Oh, and I forgot to mention…you need to move that rule above the regular rules so that it is used instead of the others. What I did was move it right below the other rules that are for other networks to send traffic out. You want to make sure it's above the rule that allows that 1 interface to just leave through the primary IP. Just drag and drop.
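
To illustrate why the rule order described in the two replies above matters, here is an added example (not code from the thread or from pfSense) that models outbound NAT mappings as an ordered list and audits that every LAN3 host, and no other LAN, leaves from its dedicated address. The addresses, the top-to-bottom first-match model, the broad general rule and the helper names (`rule`, `egress_ip`, `audit`) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not taken from the thread.
PRIMARY_IP = "203.0.113.10"  # address the general rule translates to
LAN3_VIP = "203.0.113.13"    # virtual IP dedicated to LAN3
LANS = {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24",
        "LAN3": "192.168.3.0/24", "LAN4": "192.168.4.0/24"}


def rule(source, translation, interface="WAN"):
    """One outbound NAT mapping; destination is 'any', so it is not modelled."""
    return {"interface": interface,
            "source": ipaddress.ip_network(source),
            "translation": translation}


def egress_ip(rules, client_ip, interface="WAN"):
    """Translation address of the first mapping that matches the client."""
    addr = ipaddress.ip_address(str(client_ip))
    for r in rules:  # assumption: evaluated top to bottom, first match wins
        if r["interface"] == interface and addr in r["source"]:
            return r["translation"]
    return None  # no mapping matched


def audit(rules, lan, expected_ip):
    """Report anything that breaks 'this LAN, and only this LAN, uses expected_ip'."""
    problems = []
    for host in ipaddress.ip_network(LANS[lan]).hosts():
        seen = egress_ip(rules, host)
        if seen != expected_ip:
            problems.append(f"{lan} host {host} leaves from {seen}")
            break  # one offending host is enough to fail the LAN
    for other, cidr in LANS.items():
        first_host = next(iter(ipaddress.ip_network(cidr).hosts()))
        if other != lan and egress_ip(rules, first_host) == expected_ip:
            problems.append(f"{other} also leaves from {expected_ip}")
    return problems


general = rule("192.168.0.0/16", PRIMARY_IP)  # all LANs out via the primary IP
lan3_only = rule(LANS["LAN3"], LAN3_VIP)      # the mapping added in the thread

MISORDERED = [general, lan3_only]  # LAN3 mapping below the general rule
ORDERED = [lan3_only, general]     # LAN3 mapping moved above it

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(name, audit(rules, "LAN3", LAN3_VIP) or "OK")
```

The same audit can be pointed at a mapping list exported from the real firewall to confirm that the segregated network's egress address is not shared before relying on it for a compliance scan.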
