Netgate Discussion Forum

    Single public IP subnet on WAN

    Firewalling
    11 Posts 3 Posters 1.3k Views
    • WinLin

      Hello,

      I found that pfSense needs to support the feature I need.
      It is described: Single public IP subnet on WAN

      As shown in this picture https://docs.netgate.com/pfsense/en/latest/_images/diagrams-multiple-public-ips-singleblock.png

      Maybe someone has instructions on how to really implement this? Because I fail.

      I have 3 network interfaces (WAN, LAN, OPT1). I created a bridge "Bridges_FW" and assigned WAN and OPT1 to it. OPT1 is connected to a switch with a separate VLAN.
      I even tried allowing all traffic (Firewall -> Rules) from anywhere to everywhere on WAN, OPT1 and Bridges_FW.
      I even tried temporarily setting Firewall -> NAT -> Outbound to "Disable Outbound NAT".
      But traffic from OPT1 only reaches the WAN address and nothing beyond the WAN on the external network. It is also not possible to access addresses connected to OPT1 from the external network.

      • viragomann @WinLin

        @winlin said in Single public IP subnet on WAN:

        I create Bridge "Bridges_FW" I assign WAN and OPT1 to it. OPT1 is connected to a switch with a separate VLAN.

        It's not clear what you're trying to achieve with this setup.
        Do you want to have the public IP in the VLAN on OPT1?
        Maybe you can explain and give some details.

          • WinLin @viragomann

          @viragomann My situation is very well reflected in the official image already mentioned above https://docs.netgate.com/pfsense/en/latest/_images/diagrams-multiple-public-ips-singleblock.png. The difference in my case between the ISP router and my pfSense is the additional ISP switch. If necessary, I will be able to draw my own chart specifically.

          I need NAT on the LAN port, where the internal IP addresses are issued by pfSense DHCP. And on a network connected to OPT1 (separate switch VLAN), I would have external static IPs that are in the same range as the WAN address (mask 255.255.255.128, given to me by the ISP). I want to use the pfSense FW to restrict traffic from the public Internet to these static IPs on the devices connected to OPT1.

            • viragomann @WinLin

            @winlin said in Single public IP subnet on WAN:

            And on a network connected to OPT1 (separate switch VLAN), I would have external static IPs that are in the same range as the WAN address (mask 255.255.255.128 and are given to me by the ISP).

            So why did you write "Single public IP subnet on WAN" into the topic?

            You have an ISP router, however, you have public IPs behind it? So I'm wondering what's the reason for the local router.

            Since you have bridged WAN and OPT1 you need to configure each OPT1 device with the proper IP, mask and the WAN gateway for proper routing.

              • WinLin @viragomann

              @viragomann
              So why did you write "Single public IP subnet on WAN" into the topic?
              Because I found it so named in the official description at https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html

              You have an ISP router, however, you have public IPs behind it? So I'm wondering what's the reason for the local router.
              We do not control the ISP router. It belongs to the ISP. We additionally use pfSense NAT for the workplace PCs because the external addresses are only enough for the server services. To avoid having to purchase additional firewall equipment for the servers, we want to use the existing pfSense server.

              Since you have bridged WAN and OPT1 you need to configure each OPT1 device with the proper IP, mask and the WAN gateway for proper routing.
              Yes, I know that. I put the external IP, mask and GW address given by the ISP on the device behind OPT1.

                • WinLin @WinLin

                For clarity I attach the diagram. It shows how it is now and how I want it to be redesigned.
                (attached image: 2ef5e9de-7e38-428a-8748-ae708c42af28-image.png)

                  • viragomann @WinLin

                  @winlin
                  Really no idea what you could have done wrong here. The setup is quite simple.

                  Let me recap how I'd do it (apart from the fact that I'd basically try it with NAT instead of a bridge):
                  Add the OPT1 interface, open its settings and enable it. No IP and no gateway.
                  Create a bridge Bridges_FW and add WAN and OPT1 to it.
                  Go to Interfaces > Assignments, add Bridges_FW, open it and enable it, no IP and no gateway.

                  For testing:
                  Connect a computer directly to OPT1, give it an IP out of the /25 WAN subnet, set the correct mask and the WAN gateway. Set a public DNS server.
                  Add a firewall rule on OPT1 allowing anything going out.

                  You should get a connection to the internet from the OPT1 device.

                    • WinLin @viragomann
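The recap above hinges on one thing that is easy to get wrong and that the thread never shows being verified: every host behind the bridged OPT1 must carry an address out of the ISP's WAN /25, the same mask as WAN, and the ISP gateway (not the pfSense WAN address) as its default gateway. The script below is an added example, not code from this thread or from pfSense; it checks a planned host list against the WAN block and reports the mistakes the recap rules out (wrong mask, address outside the /25, address colliding with the WAN IP or the gateway, gateway pointed at pfSense instead of the ISP router, the same address used twice). All addresses are constructed from TEST-NET-3 and the function names are my own.

```python
"""Added example (not from the thread or from pfSense): check the addressing
plan for hosts that will sit behind OPT1 when WAN and OPT1 are bridged and the
hosts carry public IPs out of the ISP's WAN /25."""
import ipaddress

# Constructed values from TEST-NET-3 (203.0.113.0/24), not a real allocation:
# the ISP hands out a /25, the ISP router is the first usable address and the
# pfSense WAN address is another host in the same block.
WAN_IP = "203.0.113.130"
WAN_PREFIXLEN = 25
ISP_GATEWAY = "203.0.113.129"


def check_bridged_host(host_ip, host_prefixlen, host_gateway,
                       wan_ip=WAN_IP, wan_prefixlen=WAN_PREFIXLEN,
                       isp_gateway=ISP_GATEWAY):
    """Return a list of problems for one host behind the bridged OPT1.

    An empty list means the host's IP, mask and gateway are consistent with
    the WAN block, which is what the recap requires: same /25, same mask, and
    the ISP gateway (not the pfSense WAN address) as default gateway.
    """
    problems = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_prefixlen}")
    block = wan.network
    host = ipaddress.ip_address(host_ip)
    gw = ipaddress.ip_address(host_gateway)
    isp_gw = ipaddress.ip_address(isp_gateway)

    if isp_gw not in block:
        problems.append(f"ISP gateway {isp_gw} is not inside the WAN block {block}")
    if host_prefixlen != wan_prefixlen:
        problems.append(f"mask /{host_prefixlen} differs from the WAN mask /{wan_prefixlen}")
    if host not in block:
        problems.append(f"{host} is outside the WAN block {block}")
    else:
        if host in (block.network_address, block.broadcast_address):
            problems.append(f"{host} is the network or broadcast address of {block}")
        if host == wan.ip:
            problems.append(f"{host} collides with the pfSense WAN address")
        if host == isp_gw:
            problems.append(f"{host} collides with the ISP gateway")
    if gw != isp_gw:
        problems.append(f"default gateway {gw} is not the ISP gateway {isp_gw}")
    return problems


def check_plan(hosts):
    """Check a whole plan given as (name, ip, prefixlen, gateway) tuples.

    Returns {name: [problems]} and also flags an address used by two hosts,
    which a single-host check cannot see.
    """
    report = {name: check_bridged_host(ip, plen, gw)
              for name, ip, plen, gw in hosts}
    owner = {}
    for name, ip, _, _ in hosts:
        if ip in owner:
            report[name].append(f"{ip} is already assigned to {owner[ip]}")
        else:
            owner[ip] = name
    return report


# Constructed plan: one correct host and several typical mistakes.
SAMPLE_PLAN = [
    ("web1",       "203.0.113.140", 25, "203.0.113.129"),  # correct
    ("wrong-mask", "203.0.113.141", 24, "203.0.113.129"),  # /24 instead of /25
    ("outside",    "203.0.113.10",  25, "203.0.113.129"),  # lower half of the /24
    ("wrong-gw",   "203.0.113.142", 25, "203.0.113.130"),  # pfSense WAN IP as gateway
    ("dup",        "203.0.113.140", 25, "203.0.113.129"),  # same IP as web1
]

if __name__ == "__main__":
    for name, problems in check_plan(SAMPLE_PLAN).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

One caveat worth keeping next to the recap: on pfSense, whether a rule on OPT1 or a rule on Bridges_FW is the one that sees bridged traffic is governed by the System Tunables net.link.bridge.pfil_member and net.link.bridge.pfil_bridge (defaults 1 and 0, so rules are evaluated on the member interfaces rather than on the bridge interface), which is why the recap places the pass rule on OPT1 and why a rule on the bridge alone would not help.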

                    @viragomann I tried this before writing here. Now I repeated it again, hoping maybe I was wrong. Unfortunately, the servers behind OPT1 do not even see the ISP GW (ping gets no response).
                    Status -> System Logs -> Firewall does not show blocked IPv4 traffic.

                    As recommended, I tried deleting the bridge and putting an internal IP (with NAT) on OPT1. When I put the appropriate internal IPs on the servers behind OPT1, everything works. So it confirms that the physical ports and network equipment are really connected and working well.

                      • SteveITS Galactic Empire @WinLin

                      @winlin Not sure I understand why it isn't working either but another method might be to use 1:1 NAT if the servers can be given private IPs (in a different subnet than LAN, if you want them isolated), as it sounds like you have done while testing.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                        • WinLin @SteveITS

                        @steveits I was thinking of 1:1 NAT, but unfortunately it is not appropriate for all services. There are services that tell the "client" what its IP is and which ports it opens dynamically. In the case of 1:1 NAT, the client would receive an incorrect access IP. And some other problems. Therefore, I would not use 1:1 NAT.

                        Is there anybody who has this configuration working successfully? I am currently using pfSense version 2.5.2.

                        I think there really has to be someone who uses pfSense only as a FW and does not use NAT. I myself know one who uses pfSense as a FW, but they have multiple IP subnets from the ISP and they are routed through their WAN IP. So their configuration is not right for me.

                          • SteveITS Galactic Empire @WinLin

                          @winlin Our data center doesn't have NAT, but that isn't quite what you're asking for... you are looking to have the same subnet on WAN and OPT1, which would be a bridge. In our case the router's WAN IP has the LAN subnet routed to it by the data center.
