Solved: How to (properly) configure second IP address on WAN interface
-
I have a root Server (ESXi) on which I run pfSense.
I have a "main" IP for the server and this one is bound to the ESXi web interface.
I have a second IP for the server and this one I assigned to pfSense WAN interface.
I have a separate MAC for each IP and configured IP/MAC for the 2nd IP in my WAN interface and this works smoothly.
Now I want to add a third IP to run some services through a separate IP.
I ordered an extra IP with my hoster and got it assigned.
I tried two things:
- Adding this IP as a virtual IP
- Creating a new interface with the new IP
Virtual IP did not give any errors but it also does not seem to work. I added NAT port forwarding for the IP address but no connection seems to succeed. I might miss some configuration? Do I have to update Outgoing NAT as well? Could the mismatching MAC addresses be the issue here?
Creating another interface for the new IP also did not work because the IP is in the same network as my first IP. Like 135.20.20.10/29 and 135.20.20.12/29
How do I get my second WAN IP working on my box?
-
@soupdiver
Adding the second IP as virtual of type IP Alias to the existing WAN interface is the way to go in this case.
In the NAT port forwarding you can use this IP as destination for access from the internet after that.
The outbound NAT is only needed for outgoing connections. Without adding an outbound NAT rule, your devices use the default WAN IP for accessing the internet.
If you want one or some devices or a subnet to use the second IP for accessing internet resources you need to add an outbound NAT rule for these. If you only want to use it for a single device you can also configure a 1:1 NAT rule instead.
-
Adding the second IP as virtual of type IP Alias to the existing WAN interface is the way to go in this case.
Yeah but unfortunately this does not work so far.
I have a service running on my LAN and I want to make it accessible from the internet. I added the IP Alias to my WAN interface and configured Port Forwarding under Firewall > NAT.
Result: No connectivity from the internet to my service.
As soon as I change the Port Forwarding Destination Address back to "WAN address" my service is reachable again.
-
@soupdiver
Possibly the requests don't reach your WAN interface.
Use the Packet capture tool on pfSense to investigate that.
If there is nothing, maybe it isn't passed by the ESXi. I guess you're not able to sniff the traffic on its external interface.
You may also try a traceroute to the second IP and compare the hops with the other IP to see if there is a routing issue.
-
Ok, I figured it out. The issue was not with my configuration, that was all good.
But my hoster (Hetzner) is routing additional IP addresses by default through my main IP. This was not wrong for my scenario.
I got a separate /29 subnet instead of a single IP which can be routed through my second IP that I use for pfSense.
Virtual IPs of that subnet work perfectly.
Thanks anyway!