Assign static IP to pfSense Firewall for VPN

  • I have some (/29) static IPs from my ISP. I want to assign one of those IPs to the pfSense firewall for IPsec VPN use. The VPN is reached through vpn.mydomain.tld (for example). DNS records are already set up. The problem is, Status -> IPsec -> Overview gives the 'Local IP' as the DHCP address from my ISP. Now, I need the computers I use behind the firewall to be recognized on the Internet as being from the DHCP address from the ISP, while the firewall itself uses the static IP that vpn.mydomain.tld points to. Which settings do I need to change? Is this something that calls for a port forwarding setting?


  • To answer my own question, I had to create a Virtual IP (IP Alias) with the single static IP address that the DNS record points to. Then, under VPN -> IPsec -> Mobile Clients -> Edit Phase 1, under 'Interface' the Virtual IP created is given as an option.

    I also changed the way the pfSense firewall/router obtains its IP address. The WAN interface now has a static private IP address ( which is seen by my ISP's gateway device, along with the Virtual IP. (The gateway device is, of course, set properly so that traffic to pfSense isn't filtered or blocked).

    So now my IPsec VPN works with one of the static IPs, and traffic from the computers behind pfSense is seen as coming from the DHCP address assigned by my ISP, as I need it to.
