Using Public IPs and NAT

  • Hi,
    We have a server that needs to use a REAL public IP. It's behind our pfSense that is currently doing NAT.
    How can we open the public IP directly to the machine without using NAT at all?
    Is this possible?


  • Hi,
    you could put it on its own interface on pfSense that is bridged with the WAN interface. That way you can allocate a public IP directly on the server.

  • There are only 2 NICs in the box: WAN and LAN. Do I create a virtual interface and bridge it to the LAN?

  • @cssystems:

    There are only 2 NICs in the box: WAN and LAN. Do I create a virtual interface and bridge it to the LAN?

    With only 2 NICs you either need to use VLAN or you can't do it. Instead you can connect your internet connection (whatever it is) into a switch, and connect one port to pfSense's WAN interface, and another to your server. In this way you are completely bypassing the firewall.

    If you don't want to use VLAN, and can't add a third NIC to the existing firewall, but need to control access using a firewall, then you would have to set up a second firewall, and connect that second switch port above to that firewall instead of directly to the server. If this is going to be a second pfSense box then it will still need 3 NICs (unless there's a way to bridge the WAN to the LAN and use it successfully that way, but I'm not aware of how to do that at this time).

  • Can you direct me on how to set up this VLAN and bridge it with the WAN interface?
    I don't want to experiment, since this is a live environment.

  • If you aren't familiar with VLAN already and this is a production system, I am going to recommend you scrap this option. VLAN isn't really something to be taken lightly.

    You will need a VLAN capable switch. For your situation I would recommend using the LAN interface's NIC for the VLANs and we'll leave the WAN alone. You have to go to the Interfaces -> Assign menu and then choose the VLAN tab. Click Add, choose the parent interface (the one currently being used for the LAN), enter the tag ID. You're going to do this twice: once for the VLAN that will become the LAN and once for the VLAN that will become the OPT.

    Then you go back to the Interface Assignments tab, and change the LAN from its current physical interface to the vlanx interface you created to replace the LAN. Click the plus on the bottom right to add an OPT, and choose the other vlan interface you created.

    After that, it's just like setting up any other OPT on a physical NIC, and you can bridge it as such, except for the configuration you'll need in your VLAN capable switch. You should already know what needs to be done in there, and if you don't, then I don't recommend using this method. I'll write it out briefly anyway.

    In the switch, the port that connects to the parent interface in pfSense should be set to tagged only, and should be a member of both of the vlans you created. The other ports that go to your LAN hosts should be untagged, with a PVID that matches the LAN vlan. The one port that goes to your host that requires a public IP should be untagged with a PVID that matches your OPT's VLAN ID.

    Again, if this all seems overwhelming, experiment on a test network or just don't do it. You can always bypass the firewall completely and run a software firewall on the host itself.
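    To make the switch-side rules above concrete, here is a small 802.1Q forwarding model, added as an example and not part of the original thread. It builds the port layout the post describes (one tagged-only trunk to the pfSense parent NIC carrying both VLANs, LAN host ports untagged with PVID = LAN VLAN, the public-IP server port untagged with PVID = OPT VLAN) and shows which ports each frame reaches. The port names, VLAN IDs 10 and 20, and frame contents are constructed assumptions for illustration.

```python
"""Minimal 802.1Q switch model for the pfSense VLAN layout above (added example,
not from the original thread; port names, VLAN IDs and frames are constructed)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_port: str
    vid: int | None   # None = arrives untagged on the wire
    payload: str


@dataclass(frozen=True)
class Port:
    name: str
    tagged: frozenset[int] = frozenset()    # VLANs this port carries with an 802.1Q tag
    untagged: frozenset[int] = frozenset()  # VLANs this port sends out untagged
    pvid: int | None = None                 # VLAN assigned to untagged ingress; None = drop


class Switch:
    def __init__(self, ports: list[Port]) -> None:
        self.ports = {p.name: p for p in ports}

    def classify(self, frame: Frame) -> int | None:
        """Ingress: decide which VLAN a frame belongs to, or None to drop it."""
        port = self.ports[frame.src_port]
        if frame.vid is None:
            return port.pvid            # tagged-only trunk has pvid=None, so untagged is dropped
        if frame.vid in port.tagged:
            return frame.vid
        return None                     # tag for a VLAN this port is not a member of

    def forward(self, frame: Frame) -> dict[str, int | None]:
        """Flood to every other member port of the frame's VLAN.

        Returns {egress_port: vid_on_wire}; vid_on_wire is None when the
        frame leaves untagged (access port) and the VLAN ID when it leaves
        tagged (trunk port).
        """
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: dict[str, int | None] = {}
        for name, port in self.ports.items():
            if name == frame.src_port:
                continue
            if vid in port.tagged:
                out[name] = vid
            elif vid in port.untagged:
                out[name] = None
        return out


LAN_VLAN, OPT_VLAN = 10, 20   # assumed tag IDs for the two VLANs created in pfSense


def build_switch() -> Switch:
    """Port layout from the post: tagged-only trunk, untagged access ports."""
    return Switch([
        # Port to the pfSense parent (ex-LAN) NIC: tagged only, member of both VLANs.
        Port("pfsense", tagged=frozenset({LAN_VLAN, OPT_VLAN})),
        # Ordinary LAN hosts: untagged, PVID = LAN VLAN.
        Port("lan1", untagged=frozenset({LAN_VLAN}), pvid=LAN_VLAN),
        Port("lan2", untagged=frozenset({LAN_VLAN}), pvid=LAN_VLAN),
        # The one host that needs the public IP: untagged, PVID = OPT VLAN.
        Port("server", untagged=frozenset({OPT_VLAN}), pvid=OPT_VLAN),
    ])


def mixes_tagged_and_untagged(port: Port) -> bool:
    """The configuration the later reply discourages: one port carrying both."""
    return bool(port.tagged) and bool(port.untagged)


if __name__ == "__main__":
    sw = build_switch()
    # Traffic pfSense bridges from WAN onto the OPT VLAN reaches only the server.
    print(sw.forward(Frame("pfsense", OPT_VLAN, "from WAN via bridge")))
    # A LAN host cannot hop into the OPT VLAN by sending its own tag.
    print(sw.forward(Frame("lan1", OPT_VLAN, "spoofed tag")))
```

    Running it shows the two properties a practitioner cares about: the server's port is the only egress for frames pfSense tags with the OPT VLAN, and a LAN host that sends its own 802.1Q tag is dropped rather than landing on the OPT VLAN, because its access port is not a tagged member of that VLAN.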

  • So I can't leave LAN alone? I would need to make both LAN and OPT use VLANs?

  • Although it is technically possible to have both tagged and untagged traffic in the same NIC, I have always heard it discouraged because of the possibility of unexpected issues. There is no restriction on it in pfSense, so it will let you do it that way, it's just recommended that you don't. I can't really say for sure what kind of issues you might run into as I've just avoided it.

  • Got it.
    Might try to play with it, but will probably have to update all my rules and be on location in case something goes wrong.
