Source address is always originate from gateway when using /29 subnetting public IP for hosts behind pfsense

ccy

I subscribe a fixed IP package from ISP. They assign me a range of public IP in /29 subnet.

As example to describe my issue, I use 123.123.123.184/29 subnet.

They are 8 addresses in this subnet and their purpose:

IP Address	Usage
123.123.123.184	Subnet address
123.123.123.185	Gateway
123.123.123.186	Public IP
123.123.123.187	Public IP
123.123.123.188	Public IP
123.123.123.189	Public IP
123.123.123.190	Public IP
123.123.123.191	Subnet broadcast address

Besides the gateway 123.123.123.185, there are 5 usable public IP addresses.

The pfSense documentation do mention how to use those public IP address either by 1:1 NAT or set public IP as destination in forward rule. However, I am planning to assign these public IP to backend host directly.

The ISP does not allow me to set the public IP address as static IP address in WAN connection. Instead, it shall authenticate via PPPoE service first, and it will return the gateway IP address: 123.123.123.185 upon success authentication. Furthremore, pfSense doesn't allow us to add PPPoE interface as member in a bridge interface, so I am not able to use other public IP address in host directly.

I activate another port OPT1 in pfSense node:

1. Set IPv4 static IP address to OPT1: 192.168.50.1/24.
2. Define a virtual IP for interface OPT1 with one public IP address 123.123.123.190/29.
3. Add a PASS rule in Firewall for OPT1 interface for all traffics.
4. Add a PASS rule in Firewall for WAN interface destine to 123.123.123.184/29 network for ingress traffic.

I then configure my other host with this IP address:

IP Address: 123.123.123.186
Subnet mask: 255.255.255.248
Gateway: 123.123.123.190

This host can now send outbound and receive inbound requests in both directions. So far so good. This method sacrifice one public IP address, but I think it is better solution compare to 1:1 NAT.

However, I notice the outbround traffic from the host are originated from gateway instead of it's own public IP address. This is what I try to send an outbound request:

$ curl -s http://ipecho.net/plain
123.123.123.185

I expect the source of request should be 123.123.123.186.

If I change the static IP address setting in OPT1 to DHCP (there is no DHCP server in OPT1 network), both inbound and outbound still work as is. And I try

$ curl -s http://ipecho.net/plain
123.123.123.186

So surprise, the source of request is 123.123.123.186.

I don't understand why it work but setting DHCP for the OPT1 without DHCP server answer the requests do take longer time to boot the pfSense machine. I am sure there are many DHCP lease requests send from OPT1 frequently.

Is this a good way to use PPPoE based subnetting public address in hosts behind pfSense? And is there any way to avoid the DHCP setting in OPT1 interface?