Pass 5 Static WAN IPs to Internal Routers.

  • I have taken over a system, and need to replace a failing router with a pfSense router with the following configuration.

    Fiber from ISP has a block of 5 WAN IPs set up on a Cisco RV042G router that is end of life. The router passes all 5 WAN IPs to other internal routers as their WAN IPs.

    Cisco RV042G WAN IP is, let's say on internet port
    LAN IP for this router is
    Subnet is
    Gateway is

    In this RV042G there are 1:1 NATs set with the 5 IPs like this: to on interface port 1 to on interface port 2
    and so on to .63 on port 4, .64 is not used right now.

    The first internal router is set up like this.
    WAN IP on Internet interface connected to RV042G on port 1. The LAN IP is something like this
    Subnet is with Gateway as

    The second internal router is set up like this.
    WAN IP and is connected to RV042G on port 2.
    LAN is, Subnet is, and Gateway is

    The third WAN IP connects to a DMZ with mail server set up on it. Subnet, and Gateway as

    The fourth and fifth are not used at this time.

    I would like to set up a Netgate XG-7100 to replace the RV042G.
    ETH1 as my WAN port with
    ETH2 as my first 1:1 NAT with
    ETH3 as my second 1:1 NAT with and so on to pass the external IPs to the internal routers.

    This is set up and working now on the old RV042G, and I want to use an XG-7100 I have to replace it. I am new to pfSense and have been searching around and so far have not found this configuration set up on pfSense anywhere yet. Can someone point me in the right direction, or explain the best way to do this on pfSense? Thank you


  • @MCITDept You can do the same with pf
    a. Create virtual IPs for all routed WAN IPs on the public-facing interface
    b. Assign private IPs on internal routers' WAN interfaces
    I believe that current setup does some kind of bridging and not 1:1 NAT, since both IPs are the same
    c. Enable 1:1 on pf for each internal router
    d. Create firewall rules as needed to allow traffic to pass through pf, inbound and outbound.

  • I have seen this setup in some videos on YouTube, and it looks like this would work, but this would not pass the WAN IP to the internal routers, as I need. The internal routers do connect with VPNs outside the network, and I wonder if that would be a problem if I set it up this way?

    The RV042G does call the setup a 1 to 1 NAT, not bridging, but I agree that is sort of what it is doing, since both IPs are the same on each side of the router.

    If possible I would like to have the WAN IPs at the internal routers, if there is a way to do that in pfSense. I am running a test lab with the XG-7100, but getting the VPNs to test will be a major setup for sure.
    Thanks for your reply.

  • @MCITDept Running on a 1 to 1 NAT should be OK with VPNs.

    The only way to assign WAN IPs to internal routers is to route them. It will require additional subnets though.

    Still, your setup sounds a bit complicated. Perhaps eliminating internal routers and moving VPNs to the edge, where they belong, could make your life easier.
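
Steps a to d from the first reply, written out as the FreeBSD pf rules that a 1:1 NAT setup corresponds to. This is an added example, not part of any post in the thread and not taken from a pfSense export. Every address and interface name is a constructed placeholder (RFC 5737 and RFC 1918 ranges), and the IPsec ports are an assumption, since the thread does not say which VPN type the internal routers use.

```pf
# --- Macros: all values are constructed placeholders ---
wan_if   = "ix0"             # hypothetical WAN interface
rtr1_if  = "ix1"             # hypothetical port facing internal router 1
rtr2_if  = "ix2"             # hypothetical port facing internal router 2

rtr1_pub = "203.0.113.10"    # public IP mapped to router 1 (step a: virtual IP on WAN)
rtr2_pub = "203.0.113.11"    # public IP mapped to router 2 (step a: virtual IP on WAN)
rtr1_prv = "10.10.1.2"       # private WAN address of router 1 (step b)
rtr2_prv = "10.10.2.2"       # private WAN address of router 2 (step b)

# Assumption: the internal routers terminate IPsec, so IKE and NAT-T are needed.
vpn_udp  = "{ 500, 4500 }"

# --- Step c: 1:1 NAT (binat translates both directions, all protocols) ---
binat on $wan_if from $rtr1_prv to any -> $rtr1_pub
binat on $wan_if from $rtr2_prv to any -> $rtr2_pub

# --- Step d: filter rules ---
# Default deny, so only the traffic listed below crosses the firewall.
block in log all

# Translation runs before filtering, so inbound rules on WAN must match
# the private (post-translation) destination, not the public IP.
pass in on $wan_if inet proto udp from any to $rtr1_prv port $vpn_udp keep state
pass in on $wan_if inet proto udp from any to $rtr2_prv port $vpn_udp keep state

# Outbound from each internal router: accept only its own source address
# on its own port, so one router cannot send traffic as another.
pass in on $rtr1_if inet from $rtr1_prv to any keep state
pass in on $rtr2_if inet from $rtr2_prv to any keep state
```

With this layout each internal router sees a private address on its WAN port, so a VPN endpoint behind it has to tolerate NAT (for IPsec, NAT traversal on UDP 4500); the router holds the public address itself only in the routed design mentioned in the last reply.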
