Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Alias Public IP

    Routing and Multi WAN
    4
    7
    801
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      odhiambo
      last edited by

      Hello everyone,

      I am a little confused about how to setup an alias IP and route traffic to it.
      My pfSense WAP IP = a.b.c.d/24 which is obtained via PPPoE and it is permanent anyway. LAN IP is 192.168.0.1/24.
      The ISP has given me a secondary /30 IP block to use. the 1st one in this block should go to the pfSense router while the 2nd will go to a server.
      Given that the server will be behind the pfSense gateway, I am confused about two things:

      1. On which interface should I configure the alias public IP?
      2. What firewall rule should I create to enable the mail server (which will be on the LAN side of pfSense) to be able to access the Internet and also be accessed from the WAN side? I want to allow ALL traffic from the WAN side to reach the server as it hosts mail/websites/etc.

      On a Cisco router, it was pretty easy to add one IP from the /30 block as a secondary/alias IP address on the LAN side of the Cisco and everything just worked.

      Thank you in advance.

      NogBadTheBadN 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad @odhiambo
        last edited by NogBadTheBad

        @odhiambo If you do a traceroute to an address in your secondary ip range where does it stop, your WAN address ?

        I'd not be using a secondary alias on the LAN side. I'd create a DMZ interface, sort out NAT and place firewall rules on the WAN interface to allow traffic to pass to the mail server.

        I'd also create a rule on the DMZ interface to allow traffic out and tie it down a bit more than this:-

        Screenshot 2022-02-25 at 13.43.09.png

        https://www.netgate.com/resources/videos-creating-a-dmz-on-pfsense

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        • O
          odhiambo
          last edited by

          Is there an easy way of doing this?
          Already it sounds too complicated for me.
          Let's say I assign the first public IP in the /30 block to my OPT1 interface.
          I then assign the second public IP in the /30 block to my server. I then cable the server ethernet directly into OPT.
          My server (FreeBSD 13) already has PF to do the firewalling. So from pfSense I just want all traffic to be unleashed to this server without any protection.
          How do I go about allowing this to happen? Or is there another way that's easier?

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @odhiambo
            last edited by

            @odhiambo Normally the ISP would route the /30 subnet to your WAN IP. pfSense then "knows" the subnet is on OPT1 and sends traffic there. Set up a rule on WAN allowing traffic from any to the server's IP.

            Using a separate interface just makes it all clearer and you can set a rule to block LAN from connecting to OPT1.

            OPT1 will not have any rules allowing outbound, by default, so to block from OPT1 to LAN, something like:

            • rule blocking from OPT1 to LAN
            • rule blocking from OPT1 to This Firewall port 443
            • rule allowing OPT1 to any

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            O 1 Reply Last reply Reply Quote 1
            • O
              odhiambo @SteveITS
              last edited by

              @steveits I have 197.232.xx.64/30 as the block.
              I have put 197.232.xx.65 as an alias on the WAN.
              I have put 197.232.xx.66 on the server, with its default gateway set to 197.232.xx.65. The server is plugged into a switch, which is connected to the LAN port of the SG-2440.
              I have a firewall rule on the WAN to allow TCP from any to 197.232.xx.64/30
              I have a firewall rule on the LAN to allow TCP from 197.232.xx.64/30 to any.
              I believe this is not the right way since you say that "pfSense knows the 197.232.xx.64/30 subnet is on OPT1".
              So where do you suggest that I put 197.232.xx.65? Should it be configured on OPT1??
              Then I attach the server directly to OPT1 ??
              Then create the firewall rules you stated?
              Is it necessary to create a WAN rule allowing all traffic from (any) to OPT1? or to 197.232.xx.64/30?

              V S 2 Replies Last reply Reply Quote 0
              • V
                viragomann @odhiambo
                last edited by

                @odhiambo said in Alias Public IP:

                I have put 197.232.xx.65 as an alias on the WAN.
                I have put 197.232.xx.66 on the server, with its default gateway set to 197.232.xx.65. The server is plugged into a switch, which is connected to the LAN port of the SG-2440.

                So the server will not be able to talk to the gateway, since you added the IP to WAN.
                You have to add the gateway IP to the interface, which is facing to the server.

                What you want to do is well described in the pfSense docs: Routing Public IP Addresses

                If you have other devices on your LAN apart from the server, it's not recommended to connect the server to the LAN, though that would be possible. Therefor the guys here advice you to add the public gateway IP to OPTx instead of LAN, where you only connect this server to.

                1 Reply Last reply Reply Quote 1
                • S
                  SteveITS Rebel Alliance @odhiambo
                  last edited by

                  @odhiambo said in Alias Public IP:

                  not the right way since you say that "pfSense knows the 197.232.xx.64/30 subnet is on OPT1".

                  I was assuming this was a second public static IP. If they route it to your first public IP, then 97.232.xx.65 would go on OPT1 and the server plugs into OPT1. (or whatever interface, that isn't LAN)

                  If they are not routing the new subnet as the above linked doc page describes then I guess you'd need to set it up on pfSense WAN as you did and use 1:1 NAT to send it to your server on LAN.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote ๐Ÿ‘ helpful posts!

                  1 Reply Last reply Reply Quote 1
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.