Multiple public static IPs… do I need VIPs? and how do I implement them?

  • I have been running a thread for the past week in the NAT forum trying to figure out why my NAT setup wasn't working.  I always assumed it was something with my NAT setup at least, but now I'm starting to think its my VIP setup.  Here's the thread:,25449.15.html

    What we have are 5 static public IP addresses from Comcast.  Right now, during the testing phase, I'm only routing 1 of those IP addresses to the pfSense firewall.  The rest of the IP addresses traffic is routed to the existing firewall.  Ultimately, the old firewall will go away and all 5 addresses will be routed to the pfSense firewall.

    In the end, I need to be able to distinguish between the traffic in that block of 5 IP addresses.  For example, when someone access XXX.XXX.63.137, I need the traffic port forwarded to a particular internal server.  And then someone access XXX.XXX.63.140, I need that traffic forwarded to a different internal server. etc etc….

    So given that simple explanation, do I need Virtual IPs?  Because other people in the other thread where saying that they didn't think I needed them... I figured anyone monitoring this VIP forum might know better...  I just really need a straight answer at this point.  I've been trying to get this thing working for the past week and its just not happening.

    Also, can someone explain which VIP setup I need to use?  I've been trying to use Proxy ARP but now I'm not sure what I need......

  • Rebel Alliance Developer Netgate

    Are you really routing to the inside? Or did you just setup 1:1 on the Comcast modem?

    You probably need to do something like this:

    Comcast modem setup:
    x.x.63.137 1:1 setup to
    x.x.63.138 1:1 setup to
    x.x.63.139 1:1 setup to
    x.x.63.140 1:1 setup to
    (I just used the same last octet to make working with them easier conceptually, it could be anything you want)

    pfSense setup:
    Proxy ARP VIP for and 1:1 to
    Proxy ARP VIP for and 1:1 to
    Proxy ARP VIP for and 1:1 to
    Proxy ARP VIP for and 1:1 to
    (Or whatever internal IPs you want)

    Firewall rules would be set just like the one you have in that other thread.

    Once the public IP hits your comcast modem, it ceases to exist, no matter what you do with NAT. You need to translate it to an IP "internal" to the Comcast box. I don't think you can route those IPs internally the way you describe with their equipment. Ideally the pfSense box would have all public IPs assigned to it, but I understand in some areas Comcast won't let that happen on certain business lines.

  • Hmmmmm okay I think I have a better grasp on what is going on.  Let me reiterate what I think you are saying:

    Leave the WAN interface ip at

    Add the following Proxy ARP VIPs

    And then on my cable modem, do 1-to-1 NATs like this:

    XXX.XXX.63.137 >
    XXX.XXX.63.138 >
    XXX.XXX.63.139 >
    XXX.XXX.63.140 >
    XXX.XXX.63.141 >

  • Brilliant!  It worked!!  The thing that made the light turn on in my head was when you said Once the public IP hits your comcast modem, it ceases to exist, no matter what you do with NAT.  That made me realize that instead of doing this NAT on the modem:

    XXX.XXX.63.140 > (the real IP address of the WAN)

    I needed to do this:

    XXX.XXX.63.140 > (one of the virtual IPs)

    I don't know why it took a week of posting stuff just to get this through my head.  Makes complete sense now.  Thanks a million man!!

  • Rebel Alliance Developer Netgate

    Double NAT is enough to drive anyone batty :)

    Good to hear that did the trick.

  • Ya unfortunately I have to double NAT for now since we are running two (3 actually…) firewalls in parallel all off one modem.  This is all part of an overall plan to get it down to just one.

Log in to reply