Netgate Discussion Forum

    Assigning more than 1 public IP to the WAN Interface.

    • eyepodder

      I am trying to set up a small office that has email. The email server is NOT in a DMZ. I am using the current embedded pfSense version. I am having a hard time getting NATTING to work.

      WAN IP 6x.xx.xx.145

      LAN 192.168.1.0/24

      The mail server will have its own PUBLIC IP address 6x.xx.xx.149 which will be NATTED to 192.168.1.78

      I tried port forwarding but I am stuck using the WAN interface's IP address to send/receive mail instead of the 6x.xx.xx.149.

      Is it possible to assign more than one public IP address to the WAN? Or is there any way to get this to work, and what RULES will I need?

      • dotdash

        Firewall, Virtual IPs.
        Add the additional IPs. Then use them in your NAT rules. If you need the outgoing to match (e.g. a mail server), use AON under NAT, Outbound.

        • eyepodder

          I have the Public Virtual IP created. And on NAT/Outbound I have

          WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

          Should it be WAN or LAN? I tried both but there was no difference.

          When I hit the 6x.xx.xx.149 it comes up with the pfSense web interface login and not the mail server.

          • eyepodder

            And my WAN rule is

            TCP  *  *  6x.xx.xx.149  25 (SMTP)  *      MAIL

            • dotdash

              @eyepodder:

              I have the Public Virtual IP created. And on NAT/Outbound I have

              WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

              Should it be WAN or LAN? I tried both but there was no difference.

              When I hit the 6x.xx.xx.149 it comes up with the pfSense web interface login and not the mail server.

              WAN is correct. This is outbound NAT. This rule needs to be before the default 192.168.1.0/24 NAT rule.
              I usually test this by going to one of those what's my ip? websites.
              I'm a bit puzzled by your last statement. Outbound NAT has nothing to do with the port-forward for incoming traffic. Do you have a port-forwarding rule like:
              WAN TCP 25(SMTP) 192.168.1.78 (ext.:6x.xx.xx.149) 25(SMTP) 'Incoming SMTP to mail server' ?
              And where did you test from where you got the webgui on a VIP? Either you tested from the LAN, or you have unusual rules on your WAN…

              • eyepodder

                Thanks, I figured it out. Can I do 1:1 NATting vs port forwarding? I am using port forwarding now to get it to work.

                • dotdash

                  Port-forwarding is more flexible, and better in most situations IMO. With 1-1 NAT, you don't need the outbound NAT rule or (obviously) the port-forward- you just create the appropriate firewall rules.

                  • eyepodder

                    I was able to get mail to work but now everyone is going out 6x.xx.xx.149 and I only want mail to go out that IP. Everything else should go out the WAN IP. Under Firewall: NAT: Outbound I have

                    WAN    192.168.1.78/32  *  *  *  6x.xx.xx.149  *  NO

                    WAN  192.168.1.0/24 * * * * * NO

                    Shouldn't the rest of the block of 192.x go out the router IP?

                    • eyepodder

                      I tried creating a 1:1 nat and I keep getting this error when trying to create it.

                      The following input errors were detected:

                      * The WAN IP address may not be used in a 1:1 rule.

                      I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP.

                      • dotdash

                        @eyepodder:

                        I tried creating a 1:1 nat and I keep getting this error when trying to create it.

                        The following input errors were detected:

                        * The WAN IP address may not be used in a 1:1 rule.

                        I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP.

                        Maybe it's a bit cryptic, but that error message means you can't use the WAN IP address in a 1:1 rule.
                        The 1:1 must be between a VIP and an internal host.

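Added example, not part of the thread and not pfSense code: a small Python model of two points dotdash makes above, that the host-specific outbound NAT rule has to sit before the 192.168.1.0/24 rule (rules are checked top-down and the first match decides the source address), and that a 1:1 mapping must use a virtual IP rather than the WAN address. The 203.0.113.x addresses are constructed stand-ins for the redacted 6x.xx.xx.145 and 6x.xx.xx.149, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted 6x.xx.xx.145 and 6x.xx.xx.149.
WAN_IP = "203.0.113.145"
MAIL_VIP = "203.0.113.149"
LAN = "192.168.1.0/24"

def translate(rules, src_ip, wan_ip=WAN_IP):
    """Source address a host leaves with. Rules are (source_net, nat_addr) pairs
    checked top-down; the first match decides. nat_addr None = interface address."""
    src = ipaddress.ip_address(src_ip)
    for net, nat_addr in rules:
        if src in ipaddress.ip_network(net):
            return nat_addr or wan_ip
    return None  # no outbound NAT rule matched

def shadowed(rules):
    """(index, source_net) of every rule an earlier, broader rule makes unreachable."""
    hits = []
    for i, (net, _) in enumerate(rules):
        n = ipaddress.ip_network(net)
        if any(n.subnet_of(ipaddress.ip_network(e)) for e, _ in rules[:i]):
            hits.append((i, net))
    return hits

def check_one_to_one(external_ip, internal_ip, wan_ip=WAN_IP, vips=(MAIL_VIP,)):
    """Return None if a 1:1 mapping satisfies the constraints stated in the thread,
    else a reason. Only the first message is pfSense's own text (quoted above)."""
    if external_ip == wan_ip:
        return "The WAN IP address may not be used in a 1:1 rule."
    if external_ip not in vips:
        return "external address is not a configured virtual IP"
    if ipaddress.ip_address(internal_ip) not in ipaddress.ip_network(LAN):
        return "internal address is not a LAN host"
    return None

# Order recommended in the thread: mail-server rule above the LAN-wide rule.
GOOD_ORDER = [("192.168.1.78/32", MAIL_VIP), (LAN, None)]
# Same two rules reversed: the /24 rule now shadows the mail server's rule.
BAD_ORDER = list(reversed(GOOD_ORDER))

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, "mail ->", translate(rules, "192.168.1.78"),
              "| PC ->", translate(rules, "192.168.1.20"),
              "| shadowed:", shadowed(rules))
    print(check_one_to_one(WAN_IP, "192.168.1.78"))
```

A non-empty result from shadowed() on an exported rule list is a quick way to spot a host rule that will never take effect.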