Public IPs on lan
I have 2 subnets from ISP and one WAN connections.
I want the servers on the lan can accpet the public IPs direct.
The subnet 1:
IPs - 184.108.40.206-62
subnet - 255.255.255.240
The subnet 2:
the wan IP is 220.127.116.11
the lan IP is 18.104.22.168.
I tried with NAT and etc and i can't setup this work…
Please help, Thank you!
JKnott last edited by
First off, if you have public addresses, you don't use NAT. NAT was created to get around the IPv4 address shortage, by allowing multiple devices to share one address. Since you have a subnet, you don't need NAT. Also, if you have subnet 1 available, why is the WAN address within it. Do you actually want 2 IPv4 subnets on the same LAN, without benefit of VLANs etc.?
First, thank you for your response.
I really want to use VLANs but currently does not work for me without VLANs at all ..
Once I turn off the NAT I have no access to the world and vice versa.
What can you advise me about the WAN IP address?
I also want to separate addresses in VLANS and even create virtual subnet.
For example - 22.214.171.124-190 become
Your ISP should not be putting the 126.96.36.199/27 network as a secondary on the same interface.
They should be routing 188.8.131.52/27 to you on an address on 184.108.40.206/28.
If they do that everything will work fine.
This Not the subnets of my ISP.
The subnet of my ISP is above in the first post.
When i disable NAT and created VIP for the public ip i can ping from outside but i do not have internet from internal.
What i missing here?
Right I was just correcting it.
They should not be adding the /27 as a secondary network on the WAN interface. They should be routing it to you instead.
If they were routing it they would not be giving you a gateway address for it.
Oh, sorry, I confused you.
I set up the IP of the WAN and the LAN.
My situation is like this.
I have 2 subnets.
The second -
They are all routed to me through one cable that reaches my WAN port.
I want to use these external addresses on the servers behind the pfsense.
I read that I need to turn off the NAT and create a VIP, that's what I did and I manage to do PING server but from the server I have no internet out.
What else do I need to do?
Would appreciate help.
This is the difference:
From the ISP's perspective:
ip address 220.127.116.11 255.255.255.240
ip address 18.104.22.168 255.255.255.224 secondary
ip address 22.214.171.124 255.255.255.240
ip route 126.96.36.199 255.255.255.224 188.8.131.52
If they are routing it you do not need to assign VIPs or anything. You just address the inside interface properly and disable NAT.
If you do not have ANY VIPS from the second network on your WAN interface and you packet capture and do something like ping an address on the secondary network from the outside you will see one of two things:
The ISP does an ARP request for the address - this means they have configured you the Not good way.
The ICMP echo request will arrive on the WAN interface with the address on the secondary network as the destination address and your router's WAN MAC address as the destination MAC address. This means it is routed to you and you can proceed.
Ok, I can do ping to second subnet.
I can do ping to 165 (The server).
But i can't do ping or else from the server…
Is it related to ISP?
You are not providing enough information.
I have no idea what the 165 server is. Please be complete and specific.
See the pictures
Right. Delete the Virtual IP and do the test I described above. Pinging the VIP address from the outside is pinging the VIP address, not the inside server at all.
If they ARP for it, you will have nothing but problems.
If they send the traffic to your WAN MAC address addressed to the .165 address it can be made to work.
Okay I understand.
Thank you so much for help!
SammyWoo last edited by
To expose specific internal servers to the outside, people either place them in the DMZ, or use port forwarding. Turning off NAT is just a foreign concept… NAT is your firewall, you want to bypass the firewall and expose your internal to the outside world? Plus unless you purchased an IP for EACH of your clients, the NAT is there so that you can have more clients than purchased static WAN IP.
if this is what u want anyway, never mind, I am no help.