Routing NAT out WAN, but using DMZ address
-
I have a Netgate 6100 connected behind AT&T Fiber (a BW320 ONT/gateway) with a public IP address block (/8).
I intend to use the gateway in "Cascaded Router" mode, which means that my WAN IP address will be a private IP address subject to NAT performed by the gateway, but that all traffic directed at my public IP block will be simply routed to my pfSense firewall.
The public address block will be assigned to a (mostly unused) VLAN for my homelab where I will host some services behind HAProxy.
Where this gets interesting, however, is that I want to use the firewall's DMZ address to host services that would typically be on the firewall's WAN address. For example, I would like to run WireGuard from pfSense using either the firewall's DMZ address, or a dedicated DMZ address. I would also like to forward the outbound LAN traffic using NAT on the firewall's DMZ address.
The benefit of this is that I don't have to rely on the NAT stack of the ATT CPE; I can just have that route all of this traffic to pfSense and manage it all there.
Is this possible?
-
@dmayle Self-replying here.
It looks like I should be using a VIP (Virtual IP Address) of type "Other":
Other type VIPs define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other type VIP is making that address available in the NAT configuration drop-down selectors. This is convenient when the firewall has a public IP block routed to its WAN IP address, IP Alias, or a CARP VIP.
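As an added illustration (not from the original thread or from pfSense's generated rules), here is what the resulting policy looks like in pf's own rule syntax once an "Other" VIP from the routed block is selected as the outbound NAT address and as the WireGuard listener. Interface names, the 203.0.113.0/29 documentation block, the VIP 203.0.113.2 and the LAN subnet are assumed; 51820 is WireGuard's default port.

```pf
# Assumed names: em0 = WAN (private address from the cascaded gateway),
# em1 = LAN, em2 = DMZ VLAN carrying the routed public block.
# 203.0.113.2 is the "Other" type VIP chosen for NAT and WireGuard.
wan_if  = "em0"
lan_net = "192.168.1.0/24"
dmz_vip = "203.0.113.2"
wg_port = "51820"

# Outbound NAT: LAN clients leave the WAN interface with the public
# DMZ-block address, not the private WAN address. The upstream gateway
# already routes the block to this firewall, so no ARP reply is needed
# for the VIP, which is exactly why an "Other" type VIP is sufficient.
nat on $wan_if from $lan_net to any -> $dmz_vip

# WireGuard terminates on the firewall itself at the VIP: no rdr, only
# a pass rule for the UDP listener. Return traffic for the NAT above
# matches existing state and is translated back automatically.
pass in quick on $wan_if proto udp from any to $dmz_vip port $wg_port

# Everything else arriving from the WAN for the VIP is dropped.
block in quick on $wan_if from any to $dmz_vip
```

Check the result with `pfctl -s state` (or Diagnostics > States in the GUI): LAN flows should show the VIP as their translated source, and inbound UDP to the VIP on the WireGuard port should create state without any port forward.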