Server with Public IP behind pfsense



  • Hi Guys,
    I have a problem with a complicated WAN setup.

    • I get a /27 subnet from my data center ISP routed through a transit network. This is set up redundantly (active/passive with failover to the 2nd cable if the link is down).
    • I use two L3 switches and route both transit networks into a "WAN" VLAN on the switch.
      • Within that WAN network I have a master and slave pfSense with some CARP VIPs (WAN interface).
    • I use port forwarding in most cases to deliver traffic to internal servers/services. These internal servers have private addresses, e.g. DMZ server 10.112.112.123 - no problem for source NAT (port forwarding).

    BUT!! I have a special case where the server needs a public IP on its interface (application requirement, SIP gateway). I can't use source NAT/1:1 because the interface IP of the server is also transmitted within the application layer.

    Is there a way to place that server behind the pfSense? I want to filter the traffic.

    Thanks for the help


  • Netgate

    Take part of your /27 (Like a /29, /30, or /31 if the PBX can deal with it) and put it on an inside interface. Disable Outbound NAT for those source addresses. Pass the traffic you want into WAN.

    How easy or difficult this will be depends on what you have already done with the other /27 addresses.



  • @derelict said in Server with Public IP behind pfsense:

    Take part of your /27 (Like a /29, /30, or /31 if the PBX can deal with it) and put it on an inside interface.

    Thanks for the fast reply!
    But that way it will consume public IPs like mad. I already need 3 IPs for pfSense master, pfSense slave and CARP-IP1 (+ 2 IPs for the VRRP setup on the L3 switches) on the WAN side of the pfSense. Yes, I can shrink the subnet on the WAN side and create an interface, e.g. "PubDMZ", but I have to use another 3 IP addresses for the CARP setup within that network.

    --> Is it possible to be more economical with the addresses? AFAIK CARP needs at least 3 IPs.

    thanks again


  • Netgate

    Yes, that will consume at least a /29 for the inside interface which would leave 3 available host addresses. A /28 leaves 11 host addresses.

    If you want to play in this space you have to pay.

    That or 1:1 NAT.



  • @derelict said in Server with Public IP behind pfsense:

    That or 1:1 NAT.

    I don't think there is a way to publicly address a server in a DMZ if the pfSense has a subnet on WAN which contains that same IP of the server - or am I wrong? (The server needs a public IP on the interface.)

    Yes, that will consume at least a /29 for the inside interface which would leave 3 available host addresses. A /28 leaves 11 host addresses.
    If you want to play in this space you have to pay.

    Okay, that helps a lot and brings me closer to a solution.
    As far as I understand:

    • if I split my /27 into two /28s
    • I can create the first /28 on the "WAN" side
    • and route the 2nd /28 with the L3 switch over pfSense-WAN-CARP1
    • I create the 2nd /28 network called "PubDMZ" behind the pfSense

    BUT! What if I want to segment one of the networks with a /29? How can I configure the other interface with the size of /28 + the remaining /29 (75% of all IPs)? Is it even possible?

    thanks for the help


  • Netgate

    You said the /27 was routed to you. If that is the case you can do whatever you want with it.

    It should be routed to your WAN CARP VIP.

    If that is actually the case, here's an example:

    Routed Subnet: 198.51.100.96/27

    You use these as VIPs on WAN:
    198.51.100.96 - 198.51.100.119

    You number OPT1 like this:
    CARP: 198.51.100.121/29
    Primary: 198.51.100.122
    Secondary: 198.51.100.123
    Available for OPT1 hosts: 198.51.100.124 - 198.51.100.126

    If you want to use all of the space on inside interfaces, you have to do it on subnet boundaries. You could split it up like:

    OPT1: 198.51.100.96/28
    OPT2: 198.51.100.112/29
    WAN VIPS: 198.51.100.120 - 198.51.100.127
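    The subnet-boundary rule in the answer above, together with the earlier point that every inside interface on a CARP pair costs a VIP plus two node addresses, worked through as an added example (not code from the thread or from Netgate). It assumes only Python's standard ipaddress module, reuses the documentation prefix 198.51.100.96/27 from the answer, and the function names are my own; it also answers the "/28 plus the remaining /29 on one interface" question by checking whether a range can be expressed as a single CIDR.

```python
"""Plan public-IP use for a routed /27 behind a pfSense CARP pair.

Added example, not code from the thread or from Netgate. Uses only the
standard library and the documentation prefix 198.51.100.96/27 that the
answer above uses; function names are my own.
"""
import ipaddress

# An inside interface on a CARP pair costs three addresses: the CARP VIP the
# servers use as their gateway, plus one real address per pfSense node.
CARP_OVERHEAD = 3


def usable_hosts(net):
    """Addresses left for servers once the CARP VIP and both node addresses
    are taken (3 for a /29, 11 for a /28, as stated in the thread)."""
    net = ipaddress.ip_network(net)
    return max(sum(1 for _ in net.hosts()) - CARP_OVERHEAD, 0)


def carp_plan(net):
    """Number an inside interface the way the answer does: first host is the
    CARP VIP, the next two are the primary and secondary node addresses, the
    rest is free for servers. Returns plain strings for easy display."""
    net = ipaddress.ip_network(net)
    hosts = list(net.hosts())
    if len(hosts) < CARP_OVERHEAD + 1:
        raise ValueError(f"{net} has no room for a CARP pair plus one server")
    return {
        "carp": f"{hosts[0]}/{net.prefixlen}",
        "primary": str(hosts[1]),
        "secondary": str(hosts[2]),
        "first_free": str(hosts[3]),
        "last_free": str(hosts[-1]),
    }


def carve(block, prefixlens):
    """Allocate one subnet per requested prefix length from block, each on its
    own subnet boundary. Returns (allocated, leftover) as lists of CIDR
    strings; leftover is what stays on WAN for VIPs."""
    free = [ipaddress.ip_network(block)]
    allocated = []
    for plen in prefixlens:
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= plen:
                chosen = next(candidate.subnets(new_prefix=plen))
                allocated.append(chosen)
                # address_exclude yields nothing when chosen == candidate
                free[i:i + 1] = sorted(candidate.address_exclude(chosen))
                break
        else:
            raise ValueError(f"no room left for a /{plen} in {block}")
    return [str(n) for n in allocated], [str(n) for n in sorted(free)]


def as_single_subnet(first, last):
    """CIDR string covering first..last if that range is exactly one subnet,
    otherwise None. A /28 plus the adjacent /29 (24 addresses) is two
    networks, so it cannot be the network of one interface."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(nets[0]) if len(nets) == 1 else None


if __name__ == "__main__":
    block = "198.51.100.96/27"
    print("/29 hosts after CARP:", usable_hosts("198.51.100.120/29"))
    print("/28 hosts after CARP:", usable_hosts("198.51.100.96/28"))
    print("OPT1 numbering:", carp_plan("198.51.100.120/29"))
    inside, wan = carve(block, [28, 29])
    print("inside interfaces:", inside, "left on WAN:", wan)
    print("/28 + /29 as one network:",
          as_single_subnet("198.51.100.96", "198.51.100.119"))
```

    Running it reproduces the two layouts in the answer (a /29 on OPT1 with .121 as CARP VIP and .124-.126 free, or /28 + /29 inside with .120-.127 left for WAN VIPs) and shows that the .96-.119 range summarizes to two prefixes, which is why the remaining space has to be split on subnet boundaries rather than handed to one interface.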



  • @derelict said in Server with Public IP behind pfsense:

    You said the /27 was routed to you. If that is the case you can do whatever you want with it.
    It should be routed to your WAN CARP VIP.

    Yes and no, that's not the entire story. The subnet is delivered over a private transfer network twice.
    https://www.dropbox.com/s/6bhc8bw6iye343i/wan.pdf?dl=0 <-- I made a small Visio.
    (Found a small error: the pfSense slave interface IP is not .11 but .114.)

    Is that setup possible?

    thanks for the help


  • Netgate

    Yeah. As long as the network is routed to the CARP VIP you're good.