Somewhat complex NAT setup question. All help is appreciated



  • OK, so I am clueless on how to set this up, but I'm sure it's possible.
    Here is what I need:

    I have a Comcast business connection with 5 static IPs
    I have 110 users total
    1 IP will go to the firewall
    3 users need their own static IPs
    15 users need to share an IP
    The remaining users will share the firewall IP

    The reason I need this is because I am using OpenDNS for content filtering and those 15 users do not need content filtering, so I am trying to figure out how to do this, and I see with OpenDNS you can assign filtering per external IP.

    So that's basically what I need to do. I already have the firewall set up and the 1-to-1 NAT for the 3 users with statics, but am clueless on where to even start with those 15 users.

    I've done some searching but don't feel fully confident with what I have found, and if I mess things up and keep them down too long I will never hear the end of it. I'm used to working with SonicWalls, and other than my home personal firewall this is my first deployed pfSense, but I have been dying to use it in the field.



  • If I'm reading your question right, go into the NAT rules and enable advanced outbound NAT. At that point, use the internal range of IP addresses for the 15 users (for example 192.168.0.16/28) and NAT them to one of your static addresses (using Virtual IPs set up in the Firewall menu), and then put a rule at the end for "catchall" using the final IP.

    For example, if your network was 192.168.0.0/24 and you had public range x.x.x.1-x.x.x.5:
    x.x.x.1 is the WAN address of your firewall
    x.x.x.2-4 are the 1:1 NATed IPs to maybe 192.168.0.10, 11, and 12 to give 3 users static IPs (if using DHCP, make sure to map those MACs to 10, 11, 12)
    x.x.x.5 would have an advanced outbound NAT set up with 192.168.0.16/28 as source (use DHCP leases to give those clients addresses in that range from 17-30)

    Make your last NAT rule the one that NATs 192.168.0.0/24 to "WAN Interface IP" and you should be fine.

    Let me know if you need more specifics.
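As an added illustration (not from the original thread or from pfSense itself), a small Python model of the outbound NAT plan above: rules are evaluated first match wins, as pfSense does, and a check flags any rule that an earlier, wider rule would shadow, which is why the catchall has to go last. It assumes 203.0.113.1-5 as a constructed stand-in for the x.x.x.1-5 public range, and folds the 1:1 mappings into the same ordered list for simplicity.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (TEST-NET-3) for the poster's x.x.x.1-x.x.x.5 public range.
WAN_IP = ipaddress.ip_address("203.0.113.1")
PUBLIC = [ipaddress.ip_address(f"203.0.113.{i}") for i in range(2, 6)]


@dataclass
class NatRule:
    source: ipaddress.IPv4Network         # internal source range the rule matches
    translate_to: ipaddress.IPv4Address   # public address traffic is NATed to
    label: str


def build_rules():
    """The outbound NAT plan from the answer, in first-match order."""
    rules = []
    # 1:1 mappings for the three static users: .10/.11/.12 -> x.x.x.2-4
    for host, pub in zip((10, 11, 12), PUBLIC[:3]):
        rules.append(NatRule(ipaddress.ip_network(f"192.168.0.{host}/32"), pub, f"1:1 .{host}"))
    # the 15 unfiltered users (.17-.30 via DHCP) share x.x.x.5 through the /28
    rules.append(NatRule(ipaddress.ip_network("192.168.0.16/28"), PUBLIC[3], "unfiltered /28"))
    # catchall LAST: everyone else leaves on the WAN interface IP
    rules.append(NatRule(ipaddress.ip_network("192.168.0.0/24"), WAN_IP, "catchall"))
    return rules


def translate(src, rules):
    """Public address a packet from src leaves with; first matching rule wins."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in rule.source:
            return str(rule.translate_to)
    return None  # no rule matched: the packet would leave untranslated


def shadowed(rules):
    """Labels of rules that can never match because an earlier rule covers their range."""
    return [r.label for i, r in enumerate(rules)
            if any(r.source.subnet_of(earlier.source) for earlier in rules[:i])]
```

With the catchall moved to the top, `shadowed()` reports every other rule, which is exactly the misconfiguration that would send the 15 users out through the filtered WAN IP.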

