Public IPs on lan

  • Hey,

    I have 2 subnets from ISP and one WAN connections.
    I want the servers on the lan can accpet the public IPs direct.

    The subnet 1:
    IPs -
    subnet -

    The subnet 2:

    the wan IP is
    the lan IP is

    I tried with NAT and etc and i can't setup this work…

    Please help, Thank you!

  • First off, if you have public addresses, you don't use NAT.  NAT was created to get around the IPv4 address shortage, by allowing multiple devices to share one address.  Since you have a subnet, you don't need NAT.  Also, if you have subnet 1 available, why is the WAN address within it.  Do you actually want 2 IPv4 subnets on the same LAN, without benefit of VLANs etc.?

  • Hey,
    First, thank you for your response.
    I really want to use VLANs but currently does not work for me without VLANs at all ..
    Once I turn off the NAT I have no access to the world and vice versa.

    What can you advise me about the WAN IP address?
    I also want to separate addresses in VLANS and even create virtual subnet.
    For example - become

  • LAYER 8 Netgate

    Your ISP should not be putting the network as a secondary on the same interface.

    They should be routing to you on an address on

    If they do that everything will work fine.

  • Hey,
    This Not the subnets of my ISP.
    The subnet of my ISP is above in the first post.

    When i disable NAT and created VIP for the public ip i can ping from outside but i do not have internet from internal.
    What i missing here?

  • LAYER 8 Netgate

    Right I was just correcting it.

    They should not be adding the /27 as a secondary network on the WAN interface. They should be routing it to you instead.

    If they were routing it they would not be giving you a gateway address for it.

  • Oh, sorry, I confused you.
    I set up the IP of the WAN and the LAN.

    My situation is like this.
    I have 2 subnets.
    One -

    The second - GW SN

    They are all routed to me through one cable that reaches my WAN port.

    I want to use these external addresses on the servers behind the pfsense.
    I read that I need to turn off the NAT and create a VIP, that's what I did and I manage to do PING server but from the server I have no internet out.

    What else do I need to do?
    Would appreciate help.

  • LAYER 8 Netgate

    This is the difference:

    From the ISP's perspective:

    Not good:

    interface GigabitEthernet0/0
      ip address
      ip address secondary


    interface GigabitEthernet0/0
      ip address

    ip route

    If they are routing it you do not need to assign VIPs or anything. You just address the inside interface properly and disable NAT.

    If you do not have ANY VIPS from the second network on your WAN interface and you packet capture and do something like ping an address on the secondary network from the outside you will see one of two things:

    The ISP does an ARP request for the address - this means they have configured you the Not good way.

    The ICMP echo request will arrive on the WAN interface with the address on the secondary network as the destination address and your router's WAN MAC address as the destination MAC address. This means it is routed to you and you can proceed.

  • Ok, I can do ping to second subnet.
    I can do ping to 165 (The server).
    But i can't do ping or else from the server…
    Is it related to ISP?

  • LAYER 8 Netgate

    You are not providing enough information.

    I have no idea what the 165 server is. Please be complete and specific.

  • See the pictures

  • LAYER 8 Netgate

    Right. Delete the Virtual IP and do the test I described above.  Pinging the VIP address from the outside is pinging the VIP address, not the inside server at all.

    If they ARP for it, you will have nothing but problems.

    If they send the traffic to your WAN MAC address addressed to the .165 address it can be made to work.

  • Okay I understand.
    Thank you so much for help!

  • To expose specific internal servers to the outside, people either place them in the DMZ, or use port forwarding.  Turning off NAT is just a foreign concept… NAT is your firewall, you want to bypass the firewall and expose your internal to the outside world? Plus unless you purchased an IP for EACH of your clients, the NAT is there so that you can have more clients than purchased static WAN IP.

    if this is what u want anyway, never mind, I am no help.

Log in to reply