Netgate Discussion Forum

Single WAN interface with multiple IP’s

  • S
    simplerandom
    last edited by Dec 20, 2019, 3:48 PM

    I’ve received 3 IPs from my hosting provider that have the same GW and I initially went down the route of having PFSense use two of them for dedicated interfaces (WAN and OPT1). What I found is that no matter what I tried I could not get outgoing traffic to be identified as the OPT1 IP. Worked great for incoming traffic and being able to create different firewall rules by destination IP.

    How can I accomplish what I’m trying to do? Is it with virtual IPs and a 1:1? If I go that route I’m limited to 1 IP per host/service.

    Thanks in advance for any advice!

    • D
      dotdash
      last edited by Dec 20, 2019, 3:51 PM

      Use advanced outbound nat for the outgoing traffic.

      • S
        simplerandom
        last edited by Dec 20, 2019, 4:04 PM

        Thank you! So I’m assuming use a VIP and that will be an option for the outbound NAT?

        • D
          dotdash
          last edited by Dec 20, 2019, 4:10 PM

          Yes. You can select the VIP as the outbound source for particular traffic.

          • S
            simplerandom
            last edited by Dec 20, 2019, 7:45 PM

            Thank you so much—I sincerely appreciate the help! I’ll give that a shot this evening and report back.

            • S
              simplerandom
              last edited by Dec 21, 2019, 1:25 AM

              Well apparently I'm still doing something wrong. I'll provide more details in the hope that someone can catch my error:

              1. Add an additional network card to pfsense that's assigned to the WAN portgroup (ESXi) for a total of 2 NICs with manual unique MAC addresses from provider.
              2. WAN interface and LAN interface on PFSense. Internet works--firewall rules work etc.
              3. Add virtual IP with correct matching CIDR notation using IP Alias.
              4. Change outbound NAT mode to hybrid.
              5. Add a mapping from WAN interface, LAN source range (would prefer an individual IP but not an option it appears) with 443 port and specify the VIP specified earlier.

              External Traffic still identified by the other WAN address.

              • D
                dotdash @simplerandom
                last edited by Dec 23, 2019, 7:34 PM

                @simplerandom said in Single WAN interface with multiple IP’s:

                5. Add a mapping from WAN interface, LAN source range (would prefer an individual IP but not an option it appears) with 443 port and specify the VIP specified earlier.

                A) Use a /32 in the source to specify a host. B) Leave the port blank.

                • S
                  simplerandom @dotdash
                  last edited by Jan 4, 2020, 2:30 AM

                  @dotdash Thanks for helping me out---I still couldn't get it to work but have found the following workaround though it probably isn't the preferred way of doing things.

                  When adding the additional interfaces in ESXi to the PFSense VM, they appear as OPT1 and OPT2 in PFSense even though they use the same gateway etc. I can then assign a LAN firewall rule by the internal IP to use a particular gateway interface for outgoing traffic. It works--still wish I had a better grasp on WHY I couldn't get it to work as I've read in the docs here:

                  https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html

                  Thanks again for the help--it's working well currently. I'm incredibly impressed by the seemingly limitless capabilities this platform has!

                  • M
                    marvosa @simplerandom
                    last edited by marvosa Jan 17, 2020, 6:25 PM Jan 17, 2020, 6:22 PM

                    @simplerandom It's not really a "workaround"... the ending result here was you adding 2 additional WAN interfaces... which automatically created gateways that can be used for policy-based routing and also a NAT entry for each interface. You basically went the physical route vs. a virtual one.

                    However, a more streamlined solution (IMO) could've been configured with a single WAN interface using IP Alias VIP's and additional NAT entries.

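A small model of first-match outbound NAT evaluation for the single-WAN approach discussed in this thread (an IP Alias VIP plus a hybrid-mode mapping with a /32 source and the port left blank). This is an added example, not pfSense code and not from any poster. All addresses are constructed documentation values, and it assumes that manual hybrid-mode mappings are checked before the automatic rule and that the 443 was entered as the mapping's source port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_ADDR = "203.0.113.10"  # constructed: primary address on WAN
VIP_ADDR = "203.0.113.11"  # constructed: IP Alias VIP on the same WAN

@dataclass
class Mapping:
    source: str                      # CIDR; a /32 selects a single host
    nat_addr: str                    # address the packet's source is rewritten to
    src_port: Optional[int] = None   # None models "port left blank" (any)
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

# Stand-in for the automatic rule: whole LAN leaves as the WAN address.
AUTOMATIC = Mapping("192.168.1.0/24", WAN_ADDR)

# Hypothetical manual mappings, named for this example only.
SRC_PORT_RULE = [Mapping("192.168.1.0/24", VIP_ADDR, src_port=443)]
HOST_RULE = [Mapping("192.168.1.50/32", VIP_ADDR)]

def translated_source(manual, src_ip, src_port, dst_port):
    """Return the public source address a LAN packet leaves with.

    Manual mappings are evaluated in order, then the automatic rule;
    the first match wins. None means no mapping applied.
    """
    for mapping in list(manual) + [AUTOMATIC]:
        if mapping.matches(src_ip, src_port, dst_port):
            return mapping.nat_addr
    return None

if __name__ == "__main__":
    # Constructed flow: LAN host opens HTTPS from an ephemeral source port.
    flow = ("192.168.1.50", 51515, 443)
    print("source port 443 mapping:", translated_source(SRC_PORT_RULE, *flow))
    print("/32 source, port blank :", translated_source(HOST_RULE, *flow))
```

In this model a client's HTTPS connection has 443 as its destination port and an ephemeral source port, so a mapping restricted to source port 443 is skipped and the flow falls through to the WAN address, while the /32 mapping with no port matches every flow from that host.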