Help setting up Nat for AT&T Business DSL with 5 static ip addresses

  • I am not sure what I am doing wrong, but was hoping someone could either point out where my settings errors are, or point me to a good tutorial on how to set this up.  I have AT&T Business Class DSL with 5 static ip addresses.  I have the modem set up in bridge mode, and have it successfully connected and working in pfsense 2.0 RC1 via PPPoE.  I will point out that the ip address I am assigned through the PPPoE connection is not one of my statics, though after reading many posts it seems that may be normal.

    If I understand correctly, I need to do three things:  I need to set up my static addresses as virtual IP's under Firewall->Virtual IP's,  I have to configure 1:1 Nat under Firewall->NAT, and I have to set rules to allow traffic under Firewall:Rules.  I will list what I have put in each section below.  If anyone can point out my error's I would greatly appreciate it :)

    Firewall->Virtual IP's
    Type: Proxy ARP
    Interface: WAN
    IP Address(es): Type - Single Address, Address [My First Static IP]
    Virtual IP Password: blank
    VHID Group: Left at default
    Advertising Frequency: Left at default
    Description: First Static IP

    Disabled: is unchecked
    Interface: WAN
    External subnet IP: [My First Static IP]
    Internal IP: Not is unchecked, Type - Single Host, Address - [Web Server Address on LAN], /31 is subnet by default and will not let me change.
    Destination: Not is unchecked, Type is any, Address is blank, Description - Webserver1, NAT reflection - use system default

    Action: Pass
    Disabled: unchecked
    Interface: WAN
    Protocol: TCP
    Source: not unchecked, type - single host, address - [My First Static IP], port range - HTTP
    Destination: not unchecked, type - single host, address - [Web Server Address on LAN], port range - HTTP
    Description - Allow inc Webserver1 HTTP

    I have scoured the forums and docs and just can't seem to see where I am making my mistake.  Any help is greatly appreciated.

  • Ok, I think I am about halfway there.  Using option A from this person's post, I took one of my unused interfaces and enabled it as an opt port.  I gave it the first of my static ip's, then created virtual ip's for the other four static ip's and bound them to the opt adapter.  Now, from outside the network, I can ping all five static ip addresses successfully.  However, I cannot figure out how to assign any of these static ip's to a specific server.

    Really port forwarding would be best because I may want port 80 on IP1 to go to a specific webserver, but port 25 to point to a different server altogether.  I have tried just port forwarding, and NAT 1:1 but cannot get it to hit the webserver.  The web server is reachable by any other machine on the network.

  • @arstacey:

    Really port forwarding would be best because I may want port 80 on IP1 to go to a specific webserver, but port 25 to point to a different server altogether.  I have tried just port forwarding, and NAT 1:1 but cannot get it to hit the webserver.  The web server is reachable by any other machine on the network.

    If you wish to port forward select ports to specific servers you will find your management much easier if you break the 1:1 NAT, assign each server an internal IP (static recommended otherwise use reserved DHCP addresses) and then build your port forward rules for the exact port to the exact server.  Since you have multiple external static IPs, make sure they are defined in Virtual IP so that they can be used.

    With your Virtual IP's defined, you should now have access to them in the drop down when you create new NAT rules in the EXTERNAL ADDRESS block.  You will be able to target specific external static IP addresses and ports and redirect to any internal IP and port combo.

  • Neither port forwarding nor 1:1 nat seem to work for me.  I can ping any of the static ip addresses and get back good results.  If I delete an ip from Virtual Ips, then I can no longer ping it externally, which says to me that my isp is properly forwarding the ip's to my modem and they are seen by pfsense.  However, my port forwards are not hitting any box on my network regardless of how I have them configured.  For example:

    Under Firewall->Virtual Ip's I have an IP Alias for x.x.145.50. Once I save that, I can successfully ping x.x.145.50 from an external site.
    Under Firwall->NAT->Port Foward I set the interface to WAN, Protocol to TCP, Destination allows me to select the static ip alias I set above, port range 80, Redirect target ip is the local ip address of the webserver, redirect target port is 80, NAT reflection is "use system default", and filter rile association is "Add associated filter rule"

    *NOTE On port forward, I have tried changing the interface to the OPT1 that I set the static ip up on according to the directions in the link in my last post but get the same result.

  • I guess I should ask which Virtual IP you used - Proxy ARP, CARP, IP Alias or other?  I am using Proxy ARP but am not using squid or

    Please make sure that source and source ports are all set to ANY.  Please double check the rules and make sure that the appropriate rule is active and there is nothing BELOW the rule that would shut down the ports.  Remember that rules are processed from the top down on the list so your general block should be at the top of the list with the specified ports lower on the list.

    What about a local firewall on the destination server?  On or off?

    For all respects your configuration is similar to mine, yet I can readily access my servers.

  • I am using IP Alias.  If I switch it over to Proxy Arp, I cannot ping the addresses any more.  This is pretty much a fresh installation so I have no rules set whatsoever other than the default ones.  Also, the webserver is a Windows 7 machine and I have the windows firewall turned off, just to be sure.

  • arstacey,

    Did you get this sorted out? I have the exact same problem. I'm switching from v1.2.3-RELEASE, which is working fine to 2.0-RC3. Thankfully I can revert back to my old v1.2.3 setup.  :D

    No matter what I do, 1:1 or port forward, I doesn't work, except for using port forwarding on my WAN interface to a temporary test web server.

  • Well, yes and no.  What I wanted was for my modem to be in bridge mode and let pfsense handle everything.  I never could get that to work.  I even switched the motorola 2210 modem out for a motorola 3347, as AT&T told me the 2210 wouldn't handle multiple static IP's.

    In the end, I followed these instructions,, except I skipped the dhcp server part (I didn't want it serving my public static's as ip addresses over the nic interfaces).  I then connected port 1 of the modem to the wan port on my pfsense box, assigned the wan interface to my first usable public static ip address, then created 4 virtual ip's for the remaining ip addresses.  After all that 1:1 Nat and port forwarding were working fine on all the static addresses.

  • Ah, so this was really an AT&T issue then? I'm thinking my ISP (Comcast) may be the culprit here too. I'm not sure, but I had a similar issue affect my setup after a Comcast outage a while back. Suddenly my (previously) perfectly working setup wouldn't forward anything to my servers. I don't know this, but from what I've read, it may have to do with the upstream (Comcast's) ARP cache.

    Glad you kind of got yours working.

  • It was mostly an AT&T issue.  Pfsense would not take both a pppoe AND a static ip for the WAN connection.  I tried every combination I could think of.  I went to Interfaces->Assign and configured the pppoe under the ppp tab, then set the static in WAN and it would not work.  I did pppoe on the wan and created an opt1 bonded to the same adapter and gabe opt1 the static, still nothing.  In all, I messed with it for 3 weeks and what I have now is the only way I could get it to go AND I had to do a fresh install to boot.  Good luck with yours!

  • I had the same issue was able to resolve it by performing the following:

    -Set the AT&T Modem to Bridge Mode

    -Set the WAN Interface to PPPoE and configure the credentials

    -Once the interface is connected you will receive a dynamic IP from AT&T (this is normal, the 5 static IP's are routed on their end through the PPPoE Session)

    -Create a Virtual IP with one of the available Static IP's (first usable IP in the range provided to you) Type: IP Alias

    -Create a 1:1 NAT Rule with the following settings:
       Interface: WAN
       External subnet IP: The IP Address you added as a Virtual IP
       Internal IP: Type: Single Host or alias, Address: the internal IP of the server/device you are creating this mapping for
       Destination: Type: any

    -Create a Rule to allow the ports required, in this example I will allow port 25 (SMTP)
      Action: Pass
      Interface: WAN
      Destination: Type: Single Host or Alias, Address: (should be same Internal IP as the 1:1 NAT Rule)
      Destination Port range: from: SMTP, to: SMTP

    Save the changes and apply the configuration, everything should work! I am using Pfsense 2.0 RC3 in case it matters.

  • I was able to put AT&T's Netopia 3347-02 into bridge mode and successfully relay the PPPoE connection point to pfSense 2.0 by following details in a post on Netopia's support site (Configuring Bridge Mode in the Netopia Internet Router). Besides switching Netopia to Bridge mode (Expert Mode > Configure > Advanced > Ethernet Bridge > Enable System Bridge) I also turned off Netopia's WAN Interface (Expert Mode > Configure > WAN > PPP over Ethernet vcc1 > Enable interface (uncheck)) and switched off its Gateway Option (Expert Mode > Configure > WAN > IP Gateway > Enable Gateway Option (uncheck)). I also disabled Netopia's DHCP server which was enabled by default.

    With the above done, Netopia rebooted, and – last but not least – typed in the correct username (it's "", not ""  ::)) pfSense 2.0 finally connected without any problems!

  • @arstacey:


    Source: not unchecked, type - single host, address - [My First Static IP], port range - HTTP

    For what it is worth, your firewall rule is wrong here. The source is not your first static, but rather any (meaning any host on the internet). Also, the port is going to need to be any or 1024:65536. You will not know the port coming from the remote system. You could have set that up perfectly, but this rule would never allow any traffic other than from the NIC itself on port 80. You might have already moved past that, but it is worth noting that for any who come to read this in the future.

  • Im having this exact problem and have spent about 2 hours of down time at night trying to work out the details. Can some one point out what might be wrong?

    PPOE is working and I am getting the dynamic IP from At&t. On my local lan I can browse the internet so I know that's good.

    Virtual IP's
    I setup my 5 vitual ip's as IP ALIAS and then went to NAT and 1:1 I then made the virtuals point to the internals

    Rules just to get it working I opened them up to allow any from the wan to the 5 internals

    I know I have to have done something wrong. I setup a test network using a VirtualBox pfsense 2.0 and I put my windows machine on its local lan. I then connected up to the wan port to my local network and gave it a static ip. I added a virtual ip to point to my local ip of the windows box. Then from the wan side I use RDP to connect to the desktop so I know that I can setup 1:1 nat when using a real static IP on the wan.

    At&t delivers us a dynamic IP from another network range. I guess were in a VLAN as my static IP's are not the same range.

    I know from when I talked to their business setup 2 years ago she said I actually had 8ip but only 5 usable
    .232 Don't remember what this is used for
    .233 was the gateway
    .234 first usable
    .238 last usable
    .239 broad cast address

    Maybe this will help.

  • @mmidgett:

    .232 Don't remember what this is used for

    network name?

  • Should I setup the .233 IP as a CARP instead of a IP Alias?

  • Only if you are going to ever cluster … if not, then pick ProxyARP. i have not used IP Alias, but it might work well you for.

  • ProxARP can't be used for the firewall it self. What I am thinking here is att expects for my lan traffic to pass through .233 as this is the gateway address when I do not have the modem in bridge mode.

    IP Alias and CARP can be used by the firewall. But I can't assign it to the wan as it gets a dynamic IP.

    Can I assign the xxx.yyy.zzz.233 to the opt interface as a static and just do my 5 public ips

    I was really wanting to use 1:1 nat has I was going to have some service load balancing with multiple servers connected to a private san for HA failover. I will be moving to a colocation center in a 6 to 8 weeks and wanted to get the whole thing working using my business DSL line.

    I know I can make it all work if i don't put the modem into bridge mode and just use one of my statics on the wan side of the firewall. I wasn't wanting to give up one IP

  • Just found this over in the Routing / Multi Wan This might be of some help but seems like I have done this before.,43107.0.html

Log in to reply