Multiple public static IPs on one WAN adapter to VLAN switch

  • I am installing my first pfSense device and trying to figure out if the hardware setup makes sense.

    What I am trying to accomplish is using three public, static IPs from Comcast Business through one pfSense WAN connection, out from the pfSense LAN connection to an HP ProCurve switch that has three VLANs set up (VLAN IDs 1-3).
    I would like to be able to assign one static public IP to each VLAN ID for all internet traffic.

    Do I need a WAN card for each static IP connected to a Comcast Business router with everything turned off (NAT, DHCP and firewall), or can I use virtual IPs to do the same thing?

  • Rebel Alliance Developer Netgate

    You shouldn't need to do that. If you have a subnet of IPs behind the Comcast router, your pfSense box should be using one of those IPs for WAN (not DHCP!) and then use the other IPs in that subnet via Virtual IPs like CARP.

    The GUI on the business gateway should tell you what your public subnet is, and what your gateway should be for that subnet. Those business gateways are odd in that if you use DHCP from behind them you will get a private IP that NATs to the WAN IP of the Comcast box, but you can use the public IPs in the subnet directly and it works fine.

    At least that's how it was the last time I touched one.

  • Comcast gave me a sheet with the static IPs and gateway info. That should be the same info you mentioned accessing through the business router?

    Will CARP be able to direct each of the remaining three public IPs on the WAN side to each of the VLANs on the HP ProCurve switch using ID tagging, allowing me to access each VLAN through its corresponding static public IP?

  • Rebel Alliance Developer Netgate

    The info should be the same, yeah.

    Not sure quite how you mean the second one. If the IPs are in use on WAN (like with CARP) they can't also be used behind the router. Though you could set up 1:1 NAT between one of the other CARP VIPs and one device on that VLAN, or you could set up outbound NAT and/or port forwards on a CARP VIP to let you access things on the inside.
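
    To make the layout the reply describes concrete, here is an added example of the pf.conf-style rules that the pfSense GUI settings in question (Firewall > Virtual IPs, Firewall > NAT > Outbound in manual or hybrid mode, Firewall > NAT > 1:1, Firewall > NAT > Port Forward) amount to. It is not code from the thread, from Netgate or from pfSense; the GUI-generated ruleset in /tmp/rules.debug differs in detail, and every address and interface name below (the RFC 5737 203.0.113.0/29 block standing in for the Comcast sheet, em0/em1, the 192.168.x.0/24 VLAN subnets, the host addresses) is an assumption. The point it shows is the one in the reply: the public IPs live on WAN as VIPs, the hosts in each VLAN keep private addresses, and NAT is what ties one public IP to one VLAN.

```pf
# Added example: hand-written pf.conf rules equivalent to the pfSense GUI
# settings for "one public IP per VLAN". Not from the thread or from pfSense.
# All addresses and interface names are ASSUMED (RFC 5737 / RFC 1918 ranges).
#
# Assumed Comcast Business static block (the "sheet"): 203.0.113.0/29
#   gateway 203.0.113.1 (the Comcast box), usable 203.0.113.2 - 203.0.113.6
#   pfSense WAN address: 203.0.113.2/29, default gateway 203.0.113.1 (static, not DHCP)
#   Virtual IPs on WAN (Firewall > Virtual IPs, CARP or IP Alias type): .3, .4, .5
# Assumed interfaces: em0 = WAN; em1 = trunk to the ProCurve, carrying
#   VLAN interfaces em1.1, em1.2, em1.3 (VLAN IDs 1-3) with the subnets below.

wan   = "em0"
vlan1 = "em1.1"
vlan2 = "em1.2"
vlan3 = "em1.3"

vlan1_net = "192.168.1.0/24"
vlan2_net = "192.168.2.0/24"
vlan3_net = "192.168.3.0/24"

vip_vlan1 = "203.0.113.3"
vip_vlan2 = "203.0.113.4"
vip_vlan3 = "203.0.113.5"

# --- Outbound NAT (Firewall > NAT > Outbound, manual or hybrid mode) ---
# Each VLAN's private subnet leaves WAN sourced from its own public VIP, so
# internet traffic from VLAN 2 is seen as 203.0.113.4, and so on. This is
# what "assign one public IP to each VLAN for all internet traffic" means:
# the hosts never carry the public address themselves.
nat on $wan from $vlan1_net to any -> $vip_vlan1
nat on $wan from $vlan2_net to any -> $vip_vlan2
nat on $wan from $vlan3_net to any -> $vip_vlan3

# --- Option A: 1:1 NAT (Firewall > NAT > 1:1) for ONE host on VLAN 3 ---
# binat maps the address both ways: inbound to 203.0.113.5 reaches
# 192.168.3.10, and that host's outbound traffic uses 203.0.113.5.
# For outbound packets pf consults binat before nat, so this host is
# handled here and the rest of vlan3_net still uses the nat rule above.
binat on $wan from 192.168.3.10 to any -> $vip_vlan3

# --- Option B: port forward (Firewall > NAT > Port Forward) on a VIP ---
# Only HTTPS arriving at 203.0.113.4 is handed to one host on VLAN 2.
rdr on $wan proto tcp from any to $vip_vlan2 port 443 -> 192.168.2.10 port 443

# --- Filter rules ---
# rdr/binat run before filtering, so inbound pass rules match the
# post-translation (private) destination. Default deny on WAN; only the
# two mapped services are opened, each to its specific host.
block in on $wan
pass in on $wan proto tcp from any to 192.168.2.10 port 443 keep state
pass in on $wan proto tcp from any to 192.168.3.10 port { 22 443 } keep state
pass in on { $vlan1 $vlan2 $vlan3 } from any to any keep state
```

    Two practical checks before committing this: the WAN address, the gateway and every VIP must fall inside the block on the Comcast sheet (with a /29, only .2 through .6 are usable once .1 is the gateway), and the pfSense outbound NAT mode has to be set to Manual or Hybrid, because the default Automatic mode would map every VLAN to the WAN address rather than to its VIP. Whether the VIPs are created as CARP or IP Alias type changes nothing in the NAT rules themselves.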
