Pass 5 Static WAN IPs to Internal Routers.



  • I have taken over a system, and need to replace a failing router with a pfSense router with the following configuration.

    Fiber from ISP has a block of 5 WAN IPs set up on a Cisco RV042G router that is end of life. The router passes all 5 WAN IPs to other internal routers as their WAN IPs.

    Cisco RV042G WAN IP is, let's say 44.123.138.36 on internet port
    LAN IP for this router is 44.123.138.59
    Subnet is 255.255.255.252
    Gateway is 44.123.138.35.

    In this RV042G there are 1:1 NATs set with the 5 IPs like this:
    44.123.138.60 to 44.123.138.60 on interface port 1
    44.123.138.61 to 44.123.138.61 on interface port 2
    and so on to .63 on port 4; .64 is not used right now.

    The first internal router is set up like this.
    WAN IP 44.123.138.60 on Internet interface connected to RV042G on port 1. The LAN IP is something like this 10.0.10.1/24.
    Subnet is 255.255.255.248 with Gateway as 44.123.138.59

    The second internal router is set up like this.
    WAN IP 44.123.138.61 and is connected to RV042G on port 2.
    LAN is 192.168.233.1/24, Subnet is 255.255.255.248, and Gateway is 44.123.138.59.

    The third WAN IP 44.123.138.62 connects to a DMZ with a mail server set up on it. Subnet 255.255.255.248, and Gateway as 44.123.138.59

    The fourth and fifth are not used at this time.

    I would like to set up a Netgate XG-7100 to replace the RV042G.
    ETH1 as my WAN port with 44.123.138.36.
    ETH2 as my first 1:1 NAT with 44.123.138.60.
    ETH3 as my second 1:1 NAT with 44.123.138.61 and so on to pass the external IPs to the internal routers.

    This is set up and working now on the old RV042G, and I want to use an XG-7100 I have to replace it. I am new to pfSense and have been searching around and so far have not found this configuration set up on pfSense anywhere yet. Can someone point me in the right direction, or explain the best way to do this on pfSense? Thank you

    MCIT



  • @MCITDept You can do the same with pf
    a. Create virtual IPs for all routed WAN IPs on the public-facing interface
    b. Assign private IPs on internal routers' WAN interfaces
    I believe that the current setup does some kind of bridging and not 1:1 NAT, since both IPs are the same
    c. Enable 1:1 on pf for each internal router
    d. Create firewall rules as needed to allow traffic to pass through pf, inbound and outbound.



  • I have seen this setup in some videos on YouTube, and it looks like this would work, but this would not pass the WAN IP to the internal routers, as I need. The internal routers do connect with VPNs outside the network, and I wonder if that would be a problem if I set it up this way?

    The RV042G does call the setup a 1 to 1 NAT, not bridging, but I agree that is sort of what it is doing, since both IPs are the same on each side of the router.

    If possible I would like to have the WAN IPs at the internal routers, if there is a way to do that in pfSense. I am running a test lab with the XG-7100, but getting the VPNs to test will be a major setup for sure.
    Thanks for your reply.
    MCIT



  • @MCITDept Running on a 1 to 1 NAT should be OK with VPNs.

    The only way to assign WAN IPs to internal routers is to route them. It will require additional subnets though.

    Still, your setup sounds a bit complicated. Perhaps eliminating internal routers and moving VPNs to the edge where they belong could make your life easier.
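
An added example, not part of the thread: whichever design is chosen, a check like this confirms before cut-over that each internal router's WAN address is a usable host and that its gateway is on-link for the given mask. The addresses are the stand-in values from the question ("let's say"), so run it against the real block; the function names are hypothetical.

```python
import ipaddress

# Stand-in values copied from the question, not the real allocation.
GATEWAY = "44.123.138.59"
MASK = "255.255.255.248"
ROUTER_WANS = ["44.123.138.60", "44.123.138.61", "44.123.138.62",
               "44.123.138.63", "44.123.138.64"]


def check_wan(addr, mask, gateway):
    """Return the problems found in one router's WAN settings (empty = OK)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net, ip = iface.network, iface.ip
    gw = ipaddress.ip_address(gateway)
    problems = []
    # A router cannot use the network or broadcast address of its subnet.
    if ip == net.network_address:
        problems.append(f"{ip} is the network address of {net}")
    elif ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    # The default gateway must be reachable on-link, i.e. inside the subnet.
    if gw not in net:
        problems.append(f"gateway {gw} is not on-link in {net}")
    elif gw == ip:
        problems.append(f"gateway {gw} is the router's own address")
    return problems


def audit(wans, mask, gateway):
    """Check every internal router WAN address against one mask and gateway."""
    return {addr: check_wan(addr, mask, gateway) for addr in wans}


if __name__ == "__main__":
    for addr, problems in audit(ROUTER_WANS, MASK, GATEWAY).items():
        print(addr, "OK" if not problems else "; ".join(problems))
```

Any address the script flags would need its own subnet or a different mask in a routed design, which is the "additional subnets" cost mentioned above.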

