Assigning more than 1 public IP to the WAN interface.



  • I am trying to set up a small office that has email. The email server is NOT in a DMZ. I am using the embedded pfSense current version. I am having a hard time getting NATting to work.

    WAN IP 6x.xx.xx.145

    LAN 192.168.1.0/24

    The mail server will have its own PUBLIC IP address 6x.xx.xx.149 which will be NATted to 192.168.1.78

    I tried port forwarding but I am stuck using the WAN interface's IP address to send/receive mail from instead of the 6x.xx.xx.149

    Is it possible to assign more than one Public IP Address to the WAN? Or is there any way to get this to work, and what RULES will I need?



  • Firewall, Virtual IPs.
    Add the additional IPs. Then use them in your NAT rules. If you need the outgoing to match (e.g. a mail server), use AON under NAT, Outbound.



  • I have the Public Virtual IP created. And on NAT/Outbound I have

    WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

    Should it be WAN or LAN? I tried both but there was no difference.

    When I hit the 6x.xx.xx.149 it comes up with the pfSense web interface login and not the mail server.



  • And my WAN rule is

    TCP  *  *  6x.xx.xx.149  25 (SMTP)  *      MAIL



  • @eyepodder:

    I have the Public Virtual IP created. And on NAT/Outbound I have

    WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

    Should it be WAN or LAN? I tried both but there was no difference.

    When I hit the 6x.xx.xx.149 it comes up with the pfSense web interface login and not the mail server.

    WAN is correct. This is outbound NAT. This rule needs to be before the default 192.168.1.0/24 NAT rule.
    I usually test this by going to one of those what's my ip? websites.
    I'm a bit puzzled by your last statement. Outbound NAT has nothing to do with the port-forward for incoming traffic. Do you have a port-forwarding rule like:
    WAN TCP 25(SMTP) 192.168.1.78 (ext.:6x.xx.xx.149) 25(SMTP) 'Incoming SMTP to mail server' ?
    And where did you test from where you got the webgui on a VIP? Either you tested from the LAN, or you have unusual rules on your WAN…



  • Thanks, I figured it out. Can I do 1:1 NATting vs port forwarding? I am using port forwarding now to get it to work.



  • Port-forwarding is more flexible, and better in most situations IMO. With 1:1 NAT, you don't need the outbound NAT rule or (obviously) the port-forward; you just create the appropriate firewall rules.



  • I was able to get mail to work, but now everyone is going out 6x.xx.xx.149 and I only want mail to go out that IP. Everything else should go out the WAN IP. Under Firewall: NAT: Outbound I have

    WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

    WAN  192.168.1.0/24 * * * * * NO

    Shouldn't the rest of the 192.x block go out the router IP?



  • I tried creating a 1:1 NAT and I keep getting this error when trying to create it.

    The following input errors were detected:

    * The WAN IP address may not be used in a 1:1 rule.

    I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP.



  • @eyepodder:

    I tried creating a 1:1 NAT and I keep getting this error when trying to create it.

    The following input errors were detected:

    * The WAN IP address may not be used in a 1:1 rule.

    I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP.

    Maybe it's a bit cryptic, but that error message means you can't use the WAN IP address in a 1:1 rule.
    The 1:1 must be between a VIP and an internal host.
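Added example, not from the thread: a pf.conf fragment that models the set-up discussed above (port forward on a VIP, the /32-before-/24 outbound NAT ordering, and 1:1 NAT as the alternative the last two posts cover), so the rule-order point is visible in one place. The addresses are constructed stand-ins for the redacted ones (203.0.113.145 for the WAN .145, 203.0.113.149 for the mail VIP .149) and the interface name em0 is assumed.

```pf
# Constructed stand-ins for the thread's redacted addresses; em0 is assumed.
ext_if   = "em0"
wan_ip   = "203.0.113.145"
mail_vip = "203.0.113.149"     # the Firewall > Virtual IPs entry
mail_srv = "192.168.1.78"
lan_net  = "192.168.1.0/24"

# Port forward (Firewall > NAT > Port Forward): SMTP sent to the VIP is
# redirected to the mail server. Only port 25 is exposed on that address.
rdr on $ext_if proto tcp from any to $mail_vip port 25 -> $mail_srv port 25

# Outbound NAT (Firewall > NAT > Outbound, AON). pf's nat/rdr rules are
# first-match, so the /32 mail-server rule MUST sit above the /24 rule.
# Reversed, the /24 rule matches first and mail leaves as $wan_ip; a /24
# rule that maps to the VIP would instead send the whole LAN out as the VIP.
nat on $ext_if from $mail_srv to any -> $mail_vip
nat on $ext_if from $lan_net  to any -> $wan_ip

# Alternative to rdr + the first nat rule: 1:1 NAT (Firewall > NAT > 1:1).
# binat maps VIP <-> internal host in both directions, which is why the GUI
# refuses the WAN address itself here: only a VIP may be mapped this way.
# binat on $ext_if from $mail_srv to any -> $mail_vip

# Filter rules (Firewall > Rules > WAN). Translation happens before
# filtering, so the pass rule names the internal host, matching the
# "192.168.1.78 (ext.: VIP)" form shown in the thread. Everything else
# arriving on the VIP, including the webGUI port, stays blocked.
block in on $ext_if all
pass in on $ext_if proto tcp from any to $mail_srv port 25 keep state
```

On the box, `pfctl -s nat` prints the translation rules in the order pf evaluates them, which is the quickest way to confirm the /32 entry sits above the /24 one; a "what's my IP" check from 192.168.1.78 and from another LAN host then shows the VIP and the WAN address respectively.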

