Netgate Discussion Forum

Configuring multiple static IP addresses on only one NIC

Routing and Multi WAN
33 Posts 3 Posters 3.5k Views
  • A
    antionline
    last edited by antionline Apr 29, 2021, 4:03 PM Apr 29, 2021, 3:59 PM

    Hi,
    My pfSense is installed on a 2-NIC rack server.
    NIC 1 -> WAN
    NIC 2 -> LAN and VLANs.

    What is the way to configure the multiple static WAN IP blocks provided by my ISP?

    I can configure one IP at a time as Static IPv4 Configuration under Interfaces->WAN, but cannot add more than one IP address for Static IPv4 Configuration.

    Are there any solutions like making a virtual WAN, or any other ways?

    I want to configure my office network to connect on the first static IP.
    I want to configure my application server to connect on the second static IP.
    I want to configure my web servers to connect on the third static IP,
    and so on.

    Thanks

    K 1 Reply Last reply Apr 29, 2021, 4:03 PM Reply Quote 0
    • K
      KOM @antionline
      last edited by Apr 29, 2021, 4:03 PM

      @antionline Firewall - Virtual IPs. Create an IP Alias for every public address you own and map them to WAN.

      Virtual IP Addresses

      A 1 Reply Last reply Apr 29, 2021, 4:08 PM Reply Quote 0
      • A
        antionline @KOM
        last edited by antionline Apr 29, 2021, 4:09 PM Apr 29, 2021, 4:08 PM

        @kom Thank you for your quick reply.
        I did create one Virtual IP alias named ip_block_2 and assigned the second IP address of my IP block.

        Now, how can I route my network to use that IP to get connected to the internet?

        K 1 Reply Last reply Apr 29, 2021, 4:23 PM Reply Quote 0
        • K
          KOM @antionline
          last edited by Apr 29, 2021, 4:23 PM

          @antionline I use virtual IPs to handle port forwards to some of our internal servers. I've never tried using them outbound. What's the use-case for that instead of just using the one WAN?

          A 1 Reply Last reply Apr 29, 2021, 4:27 PM Reply Quote 0
          • A
            antionline @KOM
            last edited by Apr 29, 2021, 4:27 PM

            @kom I have web servers and want them to connect to the internet via a different IP address.
            I wanted to separate my office network from my web hosting network.
            So I decided to get more static IPs for my ISP fiber connection.
            My ISP gave me 4 more IPs. Now I have 5 static IP addresses.

            K 1 Reply Last reply Apr 29, 2021, 4:34 PM Reply Quote 0
            • K
              KOM @antionline
              last edited by Apr 29, 2021, 4:34 PM

              @antionline OK then you're doing the same thing I am. You don't need to worry about configuring extra WANs. When you use a virtual IP to forward traffic to an internal server, pfSense keeps track of everything and NATs the outbound traffic through the proper address. Create your virtual IP. Create your NAT port forward and set its Destination to be the virtual IP instead of your WAN address.

              A 1 Reply Last reply Apr 29, 2021, 4:48 PM Reply Quote 0
              • A
                antionline @KOM
                last edited by Apr 29, 2021, 4:48 PM

                @kom
                I did Firewall->Virtual IP alias-> set to my public static IP address / 32.

                I did Firewall->NAT->Port Forward like below

                Destination -> Virtual IP alias (my ISP-provided public static IP)
                Destination port range -> any
                Redirect Target IP -> LAN Address

                Then I checked my server's public static IP via Google and the public static IP is still the same. It's not switched to the second public static IP.

                K 1 Reply Last reply Apr 29, 2021, 4:51 PM Reply Quote 0
                • K
                  KOM @antionline
                  last edited by Apr 29, 2021, 4:51 PM

                  @antionline If I understand what you're saying, your FQDN is resolving to your WAN address instead of the assigned virtual IP? If so then you need to update your DNS to reflect that.

                  A 1 Reply Last reply Apr 29, 2021, 5:00 PM Reply Quote 0
                  • A
                    antionline @KOM
                    last edited by Apr 29, 2021, 5:00 PM

                    @kom said in Configuring multiple static IP addresses on only one NIC:

                    FQDN

                    Yes, it is something like that. My main public static IP, which is configured under Interfaces-WAN, remains.

                    I found a web link similar to my problem.
                    https://community.spiceworks.com/topic/537945-pfsense-how-to-make-lan-s-go-out-another-wan-virtual-ip

                    They say Firewall->NAT->Outbound (manual configuration) can route the internal network to the second virtual IP to get connected to the internet.
                    I tried that example on my main office network. After that the connection died. I couldn't connect to the internet.

                    K 1 Reply Last reply Apr 29, 2021, 5:13 PM Reply Quote 0
                    • K
                      KOM @antionline
                      last edited by KOM Apr 29, 2021, 5:14 PM Apr 29, 2021, 5:13 PM

                      @antionline Again, you don't need to do anything with outbound NAT.

                      Here is an example:

                      LAN is 192.168.1.0/24. Internal web server is at 192.168.1.10.

                      I have 4 public IP addresses: 1.2.3.4, 1.2.3.5, 1.2.3.6 and 1.2.3.7.

                      1.2.3.4 is my WAN.

                      I create virtual IPs for the other 3. I create a NAT port forward that forwards 1.2.3.7 to my internal web server at 192.168.1.10. An associated firewall rule should be created automatically on the firewall rules WAN tab that allows the forwarded traffic.

                      I update my DNS so that www.mycompany.com points to 1.2.3.7

                      Done. Your internal web server should respond to requests to 1.2.3.7 and reply accordingly with that 1.2.3.7 address.

                      A 1 Reply Last reply Apr 29, 2021, 5:25 PM Reply Quote 0
                      • A
                        antionline @KOM
                        last edited by antionline Apr 29, 2021, 5:26 PM Apr 29, 2021, 5:25 PM

                        @kom
                        I did what you said on my workstation in my office network, not on my web server.

                        I added a Firewall->NAT->Port Forward rule like

                        Destination -> Virtual IP alias (my ISP-provided public static IP 1.2.3.7)
                        Destination port range -> any
                        Redirect Target IP -> my internal office network static IP, 192.168.0.5

                        But my office workstation is still accessing the internet over the main WAN IP 1.2.3.4, not from 1.2.3.7.

                        K 1 Reply Last reply Apr 29, 2021, 5:31 PM Reply Quote 0
                        • K
                          KOM @antionline
                          last edited by KOM Apr 29, 2021, 5:31 PM Apr 29, 2021, 5:31 PM

                          @antionline That's expected. Your normal Internet use goes out your WAN. When someone from the internet tries to access 1.2.3.7, it's forwarded to your workstation and any replies to that traffic from your workstation will appear to be coming from 1.2.3.7. I'm not seeing why you are needing to put your normal traffic out 1.2.3.7 instead of 1.2.3.4. I suppose you could try creating another gateway and assigning one of your VIPs to it, then create a LAN rule that shunts your workstation traffic to that specific gateway but I don't see the point.

                          A 1 Reply Last reply Apr 29, 2021, 5:46 PM Reply Quote 0
                          • A
                            antionline @KOM
                            last edited by Apr 29, 2021, 5:46 PM

                            @kom Could you please give me an example of that configuration (assigning VIPs to another gateway and sending selected devices' traffic over it)?

                            I also need to access the internet over 1.2.3.7. I want any of my servers to respond over 1.2.3.7 but also to be able to access the internet over 1.2.3.7 from inside.

                            The reason I want my networks to use different public static IPs is to secure them more accurately.
                            If anybody gets into my network, they won't be able to find the web servers, application servers, backup servers etc.

                            S K 2 Replies Last reply Apr 29, 2021, 6:02 PM Reply Quote 0
                            • S
                              SteveITS Galactic Empire @antionline
                              last edited by Apr 29, 2021, 6:02 PM

                              @antionline
                              Inbound NAT affects the incoming connections. Outbound NAT would be necessary if you want to have the web server connect outbound using something besides the WAN IP.

                              If the additional IP addresses are dedicated to each web server then 1:1 NAT might be more what you're looking for.

                              @kom said in Configuring multiple static IP addresses on only one NIC:

                              I'm not seeing why you are needing to put your normal traffic out 1.2.3.7 instead of 1.2.3.4

                              One reason would be if the web server is for a client and the client is told its IP is 1.2.3.7 but then a different IP is used for outbound connections.

                              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                              Upvote 👍 helpful posts!

                              K 1 Reply Last reply Apr 29, 2021, 6:11 PM Reply Quote 0
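
Added example, not part of any post in this thread and not pfSense code: a simplified Python model of the three NAT types discussed above (port forward, outbound NAT, 1:1 NAT), showing which source address a remote host sees in each case. It uses the addresses from KOM's example; the two remote hosts, the `Nat` class and its method names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WAN_IP, VIP, WEB = "1.2.3.4", "1.2.3.7", "192.168.1.10"   # addresses from KOM's example
CLIENT, REPO = "203.0.113.50", "198.51.100.20"            # constructed remote hosts

@dataclass
class Nat:
    """Simplified model of the firewall's NAT decisions (hypothetical, not pfSense code)."""
    port_forwards: dict = field(default_factory=dict)  # public dst IP -> internal host
    outbound: dict = field(default_factory=dict)       # internal src -> translation address
    one_to_one: dict = field(default_factory=dict)     # internal host -> public IP, both ways
    states: dict = field(default_factory=dict)         # (internal, remote) -> public IP used

    def inbound(self, remote, dst):
        """New connection from the internet; returns the internal host, or None if unmapped."""
        reverse = {pub: host for host, pub in self.one_to_one.items()}
        host = self.port_forwards.get(dst) or reverse.get(dst)
        if host:
            self.states[(host, remote)] = dst   # replies are translated back via this state
        return host

    def egress_source(self, src, remote):
        """Source address the remote host sees on a packet leaving the WAN."""
        if (src, remote) in self.states:        # reply on an already forwarded connection
            return self.states[(src, remote)]
        if src in self.one_to_one:              # 1:1 NAT also covers new outbound connections
            return self.one_to_one[src]
        return self.outbound.get(src, WAN_IP)   # explicit outbound rule, else the WAN address

def observe(fw):
    """Returns (forward target, reply source, source of a new outbound connection)."""
    target = fw.inbound(CLIENT, VIP)
    return target, fw.egress_source(WEB, CLIENT), fw.egress_source(WEB, REPO)

def scenarios():
    return {
        "port forward only": observe(Nat(port_forwards={VIP: WEB})),
        "port forward + outbound NAT": observe(Nat(port_forwards={VIP: WEB}, outbound={WEB: VIP})),
        "1:1 NAT": observe(Nat(one_to_one={WEB: VIP})),
    }

if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name:28} {seen}")
```

With only the port forward, replies leave as 1.2.3.7 but connections the server starts itself still leave as 1.2.3.4; the outbound NAT rule or the 1:1 mapping is what changes the second case.
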
                              • K
                                KOM @antionline
                                last edited by Apr 29, 2021, 6:09 PM

                                @antionline Having different virtual WANs doesn't make anything more secure. Put your servers on a VLAN or separate VLANs instead.

                                A 1 Reply Last reply Apr 30, 2021, 10:47 AM Reply Quote 0
                                • K
                                  KOM @SteveITS
                                  last edited by Apr 29, 2021, 6:11 PM

                                  @steveits That's already happening by default. The web server responds to 1.2.3.7 and replies under that address, but its outbound comms use the default WAN.

                                  S A 2 Replies Last reply Apr 29, 2021, 6:19 PM Reply Quote 0
                                  • S
                                    SteveITS Galactic Empire @KOM
                                    last edited by Apr 29, 2021, 6:19 PM

                                    @kom said in Configuring multiple static IP addresses on only one NIC:

                                    but its outbound comms use the default WAN.

                                    From my reading, that's what he wants to change.


                                    K 1 Reply Last reply Apr 29, 2021, 6:32 PM Reply Quote 0
                                    • K
                                      KOM @SteveITS
                                      last edited by Apr 29, 2021, 6:32 PM

                                      @steveits For a home config I still don't understand why the web server(s) need to fetch their updates via a specific WAN address, but I suppose he could go to System - Routing - Gateways and add his extra IPs as gateways, then create an outbound NAT rule to direct his servers out those gateways.

                                      S A 2 Replies Last reply Apr 29, 2021, 7:56 PM Reply Quote 0
                                      • S
                                        SteveITS Galactic Empire @KOM
                                        last edited by Apr 29, 2021, 7:56 PM

                                        I guess I'm not trying to analyze the reason. :) I do know I've been in that situation though where someone else is hosting a web server and I have to figure out what different IP connects out to SQL or whatever else, so I can set a firewall rule.

                                        Here's a link to the Outbound NAT docs for the OP. I've not had to mess with gateways to get outbound NAT to work, though?


                                        K 1 Reply Last reply Apr 29, 2021, 8:29 PM Reply Quote 0
                                        • K
                                          KOM @SteveITS
                                          last edited by KOM Apr 29, 2021, 8:37 PM Apr 29, 2021, 8:29 PM

                                          @steveits said in Configuring multiple static IP addresses on only one NIC:

                                          I've not had to mess with gateways to get outbound NAT to work, though?

                                          If your outbound mode is auto then I believe these are created for you automagically when you create the gateway, but if you're using manual or hybrid, you have to create them yourself.

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.