Possible to have ISP Static IP's set to int, and have local IP's for devices?
kntnt last edited by
I have a SG-4860.
The sites current setup:
4 separate networks, each has own Static IP, Lan1/lan2/lan3/lan4
on a 4 port ISP Modem -> 4 separate Cisco residential Routers (double NAT) 5 static IP assignments from ISP
pfsense needs to have a separate Static IP from networks, however it can share with Lan4
Lan1 and lan2 needs to forward ports to certain machines, with static IP's. This I can do.
Lan3 has to pass PCI compliance, so a static IP, seperate from Primary with no open ports is needed. This, i find difficult. Basically every computer on this switch needs to show as from one specific Static IP assigned to the interface.
Is it possible to assign a static IP from ISP to LAN3 interface, plug a switch in, and have pfsense handout local IP's through DHCP?
It sounds like it has to have a router behind it?
I hope that makes sense.
I would like to avoid double NAT, but is that what needs to happen?
yyaghi last edited by
I actually have that accomplished. So, from what I understand…you have 4 internal networks and Multiple WAN IPs. What you want is for the clients connected to a switch on one of the LANs to leave from a specific Public IP. That is possible.
So, first thing you need is to setup virtual IPs. One for every Public IP. In the description, give it a meaningful name.
Once that is done, go to Firewall -> NAT -> Outbound NAT.
I personally have "Hybrid Outbound NAT" selected. Select that and hit save. Now, what you need to do is scroll down to the mappings on that same page and add the new rule.
For Interface: WAN
For Source - Select the type "Network" and then the Source IP (IP of LAN with the subnet /24 if you're using the whole subnet)
Then in the translation select the Address (which is the Public IP you want the traffic to leave from) and then hit save!
Make sure to apply the settings and check the public IP from any of the clients on that switch and it should show that!
yyaghi last edited by
Oh, and I forgot to mention…you need to move that rule above the regular rules so that is used instead of the others. What I did was moved it right below the other rules that are for other networks to send traffic out. you want to make sure it's above the rule that allows that 1 interface to just leave through the primary IP. Just drag and drop.