Assigning Public IP Address to Server on VLAN
-
I'm trying to assign a static IP address to a VPN server that is located on a machine behind the pfSense appliance.
We were assigned a block of 5 static IP addresses, and have the first usable IP assigned to the WAN interface. I would like to use the second usable IP on a server that resides on a VLAN.
I have read this article (https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html) and found that the "Single IP Subnet on WAN" scenario most closely resembles our situation.
My two questions:
- In the diagram on the article I linked, they show a bridge between the WAN and OPT1 interfaces. Can this bridge be created between the WAN and VLAN interfaces and still function the same as described?
- If the answer to my first question is yes, then why would the external IP address I assign to my server on the VLAN not have network access? (I'm assuming firewall rules, CIDR notation, or something else has been configured incorrectly, if this is even possible.)
tl;dr - In summary, I'm trying to assign one of my public IP addresses on a server that sits behind a pfSense appliance on a VLAN interface but can't seem to figure out how to get it to work.
Thanks in advance, and sorry for any ignorance of articles that have been written regarding the topic. I have done my best to search the forums and documentation before posting.
-
Yes, you can bridge WAN to VLAN and then use a public IP on a server in that VLAN directly.
It will have internet access as long as you have firewall rules in place and have configured the server correctly.
A common mistake here is to use pfSense as the gateway on the server, where it should be using the ISP gateway directly, since it's in the public subnet.
Steve
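The two misconfigurations raised in this thread (the server pointing at pfSense instead of the ISP gateway, and a wrong CIDR mask on the server) can be caught before touching firewall rules. The following is an added example written for this page, not code from the thread or from Netgate: it checks that a server's static address, prefix length and gateway are consistent with the bridged public block. The addresses are constructed from the TEST-NET-3 range and the /29 layout (ISP gateway on the first address, pfSense WAN on the first usable) is an assumption, not the poster's real allocation.

```python
"""Sanity-check a server's static IP configuration for a bridged public subnet.

Added example for the pfSense "Single IP Subnet on WAN" (bridged) scenario.
All addresses below are constructed (RFC 5737 TEST-NET-3), not real ones.
"""
import ipaddress

# Assumed layout of the ISP block: a /29 gives 6 usable addresses, the ISP
# takes one for its gateway, pfSense WAN takes the first usable, the rest are
# free for servers on the bridged VLAN.
ISP_BLOCK = "203.0.113.8/29"
ISP_GATEWAY = "203.0.113.9"
PFSENSE_WAN = "203.0.113.10"


def check_server_config(ip, prefixlen, gateway,
                        block=ISP_BLOCK, pfsense_wan=PFSENSE_WAN):
    """Return a list of problems with the server's static config.

    An empty list means the address, mask and gateway are consistent with
    the public block and the server will not be routing via pfSense.
    """
    problems = []
    net = ipaddress.ip_network(block, strict=True)
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    gw = ipaddress.ip_address(gateway)
    wan = ipaddress.ip_address(pfsense_wan)

    # Wrong prefix length is the classic CIDR mistake: the server then
    # thinks the gateway is (or is not) on-link and ARP never resolves.
    if iface.network != net:
        problems.append(
            f"mask mismatch: /{prefixlen} puts the server in {iface.network}, "
            f"but the ISP block is {net}")

    if iface.ip not in net:
        problems.append(f"{iface.ip} is outside the ISP block {net}")
    elif iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address")

    if iface.ip == wan:
        problems.append(f"{iface.ip} is already used by the pfSense WAN")

    # In the bridged design the server sits directly in the public subnet,
    # so its default gateway must be the ISP router, not pfSense.
    if gw == wan:
        problems.append(
            f"gateway {gw} is the pfSense WAN address; in a bridged setup "
            f"the server must use the ISP gateway directly")
    elif gw not in net:
        problems.append(f"gateway {gw} is not inside the public block {net}")

    return problems


def free_addresses(block=ISP_BLOCK, isp_gateway=ISP_GATEWAY,
                   pfsense_wan=PFSENSE_WAN):
    """List usable addresses in the block not taken by the ISP or pfSense."""
    net = ipaddress.ip_network(block, strict=True)
    taken = {ipaddress.ip_address(isp_gateway), ipaddress.ip_address(pfsense_wan)}
    return [str(h) for h in net.hosts() if h not in taken]


if __name__ == "__main__":
    print("free for servers:", free_addresses())
    # Correct config for the second usable address.
    print(check_server_config("203.0.113.11", 29, ISP_GATEWAY))
    # The mistake described in the thread: pfSense as the server's gateway.
    print(check_server_config("203.0.113.11", 29, PFSENSE_WAN))
    # A /24 typed on the server instead of the ISP's /29.
    print(check_server_config("203.0.113.11", 24, ISP_GATEWAY))
```

Run it with the real block, ISP gateway and pfSense WAN address substituted; a clean result means any remaining failure is on the pfSense side (bridge membership or rules) rather than on the server.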
-
@stephenw10 what firewall rules should I set? On the WAN or VLAN interface? The reason I ask is I allowed all from all on all ports on the VLAN interface and it didn't work. I'll try again when I get back to the office on Monday.
-
@grepusername Wouldn't it be simpler to use an IP alias VIP and just NAT the server out your WAN? I have a small block of IPs and I use one of them in this manner to forward a Nextcloud server.
-
@kom that is what we have set up right now. The server is a VPN server and the IPsec tunnel is having issues connecting because the WAN IP address shows the internal one and the NAT traversal feature isn't working reliably.
-
@grepusername Could you not use pfSense as the VPN endpoint for your IPsec tunnel and get rid of the VPN server?
-
If you need external clients to connect to the server you would need rules on the WAN to allow that.
Rules on the VLAN would allow the server to connect out. That is assuming you have not assigned the bridge as WAN, for example, which is something you could do but probably just complicates things.
Steve