Setup of multiple WAN IP addresses and bypass of NAT for a multi client deployment



  • Hello, I am looking for some advice on the setup of multiple WAN IP addresses and bypass of NAT for a single WAN IP to a specific network.

    We have a building which is occupied by 3 separate companies.

    Currently we have a single WAN connection with a block of 4 Public IP addresses assigned to it by the ISP.

    The WAN is PPPoE and is configured on port igb0 with a single IP of 55.55.55.201.
    The Gateway is 44.44.44.44
    The Additional 3 IPs are setup in Firewall > Virtual IPs and are configured as:
    55.55.55.202
    55.55.55.203
    55.55.55.204

    Internally, we have a LAN configured in the 10.10.10.0/24 range on the igb1 interface for CompanyA.
    We also have a VLAN (TAGGED 11) configured in the 10.10.11.0/24 range for CompanyB.
    We also have a VLAN (TAGGED 12) configured in the 10.10.12.0/24 range for CompanyC.

    Each company has their own managed switch and can only access the VLAN relevant to them.

    Outbound NAT is configured so that:
    CompanyA subnet traffic goes out via the IP 55.55.55.201
    CompanyB subnet traffic goes out via the IP 55.55.55.202
    CompanyC subnet traffic goes out via the IP 55.55.55.203

    There are a few firewall rules set up in Firewall > NAT > Port Forward, such as:

    Allow web traffic to CompanyA web server on IP 55.55.55.201
    Interface: WAN
    Source Address: *
    Destination Address: 55.55.55.201
    NAT IP: 10.10.10.2
    NAT Port: 80

    Allow web traffic to CompanyB web server on IP 55.55.55.202
    Interface: WAN
    Source Address: *
    Destination Address: 55.55.55.201
    NAT IP: 10.10.11.2
    NAT Port: 80

    Allow web traffic to CompanyC web server on IP 55.55.55.203
    Interface: WAN
    Source Address: *
    Destination Address: 55.55.55.201
    NAT IP: 10.10.12.2
    NAT Port: 80

    The above setup works perfectly. When CompanyB is browsing the web they are shown to external users as coming from their allocated WAN IP (55.55.55.202) etc, and the same applies to the other companies.

    Inbound rules work perfectly as well.

    There are many more rules than the 3 examples given above; however, this is becoming more and more difficult to manage as the 3 companies change their own setups and requirements.

    Ideally, what I would like is CompanyA to stay setup as they are.
    I would like to allow both CompanyB & C to have their own router/firewall rather than using ours - currently if they were to put their own router in place they would be double NAT’d and I would still need to manage the firewall rules for them on our pfsense.

    I would like to assign CompanyB the WAN IP 55.55.55.202 and have them configure their router with this IP as their WAN address. I understand they would need to use the same gateway as us (44.44.44.44)? They would then be responsible for their own firewall, traffic etc.

    The same requirement for CompanyC - allow them to be allocated the public WAN IP of 55.55.55.203 and have all traffic routed directly to their firewall/routing equipment via our connection and pfsense/equipment.

    Although this is currently a small setup, we have some other clients who are purchasing large connections into business parks where serviced offices are sub-let. They want to be able to share/sell the large/fast connections with the tenants, but don’t want to be managing each tenant's firewall themselves. We just want to be able to allocate a tenant a port on the switch and a WAN IP address, and let them manage their own firewall device from there.

    It would be nice if we could use pfsense as a central control for bandwidth limitation if required.

    Apologies for the long post, but hopefully this gives enough of an insight as to what we are trying to achieve. We have seen some other companies doing similar using the Sonicwall products, but are reluctant to go down that route due to the license/hardware costs and the additional training/learning of another product. Pfsense has been good to us, and many of our clients, for the past 6+ years so we’d like to continue with it where possible.

    For reference, I’ve looked at multiple tutorials and forum posts from dozens of sites, but nothing has quite detailed the setup I’m trying to achieve (so perhaps I am missing something). Some posts recommend transparent bridges, and others mention virtual IPs and NAT, but I keep going round in circles.



  • You can't give CompanyB a public IP if the LAN side of your modem is not in that subnet. We do a similar thing in our building and use 1:1 NAT for sending public IP traffic to a private IP. (https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html) So:

    publicIP -> 1:1 NAT to privateIPrange1 on CompanyB router -> regular NAT to privateIPrange2 on CompanyB LAN

    You could leave CompanyB's LAN on 10.10.11.x, set your router to use something else for their VLAN (their WAN IP) and let their router provide NAT.

    For our tenants we turn off the default allow LAN to any rule, create a LAN rule to allow traffic from their assigned IP, and in the advanced options of the rule set the in/out pipe settings to the desired limiter. (note on the LAN rule, In is uploading) IIRC there was a problem using limiters on the WAN side with NAT but it's been several years.



  • Hi Steve, thanks for the reply.

    So with your first setup using 1:1 NAT, if CompanyB add their own router/firewall, would that not mean that their connections are essentially double NAT'd? I thought a double NAT may cause issues if they choose to run certain applications behind their firewall - a VoIP PBX for example.

    So the setup would be:

    • PublicIP (55.55.55.202) - Setup in Virtual IPs
    • 1:1 NAT from 55.55.55.202 to CompanyB router on LAN address 10.10.11.5
    • All CompanyB devices behind their own router
    • An Outbound rule in pfsense for any traffic outbound (from that LAN address, 10.10.11.5) to use the NAT address 55.55.55.202
    • A firewall rule to allow any CompanyB LAN traffic out via WAN interface (including the limiters if needed)

    I'm not worried about changing the company LANs around. Ideally I wouldn't "see" any of CompanyB's devices, only their router. Every device on their network would be behind their own router/firewall.

    Could you elaborate on your other line about "setting your router to use something else for their VLAN"?
    Are you saying to create an interface on the VLAN with the WAN IP on it? How would CompanyB's router then be setup IP/Gateway wise?

    In my "simple" mind I assumed I would have been able to "separate" out one of the WAN IPs, bypass the NAT parts of pfsense, and dump that IP onto a specific interface/vlan so that the clients router could be directly connected to it. In practice, I'm quickly realising that isn't possible....



  • pfSense can't have the same subnet on both WAN and LAN or it won't know how to route. 1:1 NAT is pretty close. I've seen people warn about double NAT but we have used it in our building for many, many years without issue, using 1:1, with our Exchange and RMM servers behind a second pfSense, as well as slave DNS servers. Our clients/tenants are not doing inbound forwarding, but we've set up double NAT in the past if an ISP router can't be bridged for whatever reason, for instance with the pfSense set as a DMZ. We haven't hosted a VoIP phone system in our office but we are 3CX partners and have ours hosted in our data center.

    For 1:1 NAT there is no need to set an outbound rule (see the link I posted).

    re: "something else" I meant the WAN IP for CompanyB (and therefore the LAN IP on your pfSense, for them) needs to not be in either 55.55.55.x or 10.10.11.x subnets. Each interface of a given router needs a different subnet or it won't know where to route packets.

    The other option is to do it like our data center, where your ISP gives you a small subnet for the WAN of your router, a larger subnet for your tenants, and you give each tenant their own public IP. Like a /29 for WAN and a /25 for LAN, and your ISP routes the /25 to your router's WAN IP. That will likely cost though.



  • Okay, so as a test to try and prove proof of concept etc I have setup the following using the instructions on the previous link:

    • Added one of my public IPs as a Virtual IP Alias (55.55.55.202) with the interface set as WAN
    • I have then created a LAN interface called OPT2 on a spare port (igb2) - This interface has a Static IP configured as 10.10.15.1/24
    • I have then gone to Firewall > NAT > 1:1 and added a Mapping as follows:
      Interface: WAN
      External Subnet IP: 55.55.55.202
      Internal IP: Single Host: 10.10.15.5
      Destination: Any

    Should this be all that's needed to route ALL traffic to the device on 10.10.15.5?

    The "device" is configured with the following details on its network card:

    • IP: 10.10.15.5
      Subnet: 255.255.255.0
      Gateway: 10.10.15.1
      DNS: 8.8.8.8

    This device is not able to access the internet unless I add the following "Outbound" NAT rule:

    • Interface: WAN
      Address Family: IPv4+IPv6
      Protocol: Any
      Source: Network: 10.10.15.1/24
      Translation Address: Virtual IP (55.55.55.202)

    And add the following Firewall Rule against the interface OPT2:

    • Action: Pass
      Interface: OPT2
      Address Family: IPv4+IPv6
      Protocol: Any
      Source: Any
      Destination: Any

    Does the above sound correct?



  • Also I forgot to mention.... With the above test setup, I am unable to ping the IP 55.55.55.202 from an external network. I just get no response. Even though I can ping the device when connected internally on 10.10.15.5.
    I am also unable to access any other services externally using the WAN IP 55.55.55.202 such as a web server hosted on 10.10.15.5.

    I thought that once a 1:1 NAT was in place, all ports/traffic would be forwarded to the internal IP, therefore additional rules wouldn't be needed on this pfsense box to route traffic. But perhaps I am getting completely the wrong end of the stick...??



  • On ours we do have WAN rules allowing IP4+6/any traffic to the internal IPs referenced by the 1:1 NAT. (those then have their own router with their own rules) Sorry if I missed that, it may be 15 years since we set it up, and it was on m0n0wall back then not pfSense. :)

    I have not tried to do 1:1 using a different interface as we are using a private IP range on LAN and each tenant (including our 1:1) has their own IP.

    What is your Outbound NAT Mode set to?

    For the OPT2 interface if it had no rules it needs at least a rule allowing outbound traffic (from OPT2 to any). In our case we have DHCP turned off and disabled the default LAN to any rule so only whitelisted IPs (tenants) are allowed.
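The test setup described earlier in the thread (Virtual IP alias, 1:1 mapping to 10.10.15.5 on OPT2) and the missing WAN pass rule pointed out in the last reply, written out as the equivalent pf rules. This is an added illustration, not anything posted in the thread or generated by pfSense itself; the interface macro names, the choice of pppoe0 as the WAN interface, and the assumption that only the tenant's router sits on OPT2 are mine.

```pf
# Macros (assumed names): the PPPoE WAN link and the tenant port igb2
ext_if      = "pppoe0"
opt2_if     = "igb2"
tenantb_pub = "55.55.55.202"   # Virtual IP alias on WAN
tenantb_rtr = "10.10.15.5"     # WAN side of CompanyB's own router
opt2_net    = "10.10.15.0/24"

# 1:1 NAT is a bidirectional (binat) mapping: it replaces a separate
# outbound NAT rule for this host and hands every inbound port to it
binat on $ext_if from $tenantb_rtr to any -> $tenantb_pub

# NAT is applied before filtering, so the WAN pass rule must name the
# INTERNAL address, not the public one; without it the translated
# packets are dropped and the public IP never answers from outside
pass in on $ext_if inet from any to $tenantb_rtr keep state

# Tenant side: no default allow, only the whitelisted router may send.
# dnpipe (1, 2) attaches dummynet limiters 1 (upload) and 2 (download);
# the pipes are assumed to exist already (Traffic Shaper > Limiters)
block in on $opt2_if
pass in on $opt2_if inet from $tenantb_rtr to any keep state dnpipe (1, 2)
```

Anything the tenant forwards from its own WAN address onward is its router's business; this box only needs the mapping, the WAN pass rule to the internal address, and the per-tenant rule on its port.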

