Dedicated public IP



  • Me again - sorry!

    I'm trying to install a pfSense firewall/gateway to replace a pf running on FreeBSD - I'm slowly getting there!

    On the LAN side there are half a dozen vLans (the vLans cannot talk to each other, apart from vLan64, which will be accessible from all of the vLans).

    I've got two questions.

    Firstly, the WAN has a number (over 12) of dedicated IP addresses, so I want to give each vLan its own external address.

    Secondly, there are a couple of instances where external IP addresses point to statically addressed machines on certain vLans.

    I've got the DHCPing, vLan (vLan switch is used) and gateway bit all done, and it works fine - I'm just not sure how to do the other bits.

    I do have the pf.conf file if anyone wants to have a look at it.

    Any help would be mega appreciated.



  • Your needs are satisfied with 1:1 NAT and manual outbound NAT.



  • Metu,

    You, sir, are a genius. That seems to be it. I assume that you can have multiple 1:1 setups (for the several vLans) and that any you don't set one up for just use the 'global' public IP.

    Just a thought on one other thing - forwarding a port (say 1042) on the general public IP to a specific port on one of the vLans (10.64.0.50, port 80 from memory).



  • You can do that with a port forward.



  • That's where I thought it would be. I'm in Blighty and it's nearly 2100hrs here, so I'll have a further play and look tomorrow.

    I hope that my choice of PC to use will be up to the job.



  • Metu,

    Somewhere I'm going wrong!! whatismyip is returning the same IP address (.149) for the vLan (vLan3) which I've tried to get to use .151.

    I've set up a 1:1 and told the NAT to be manual (but used the default manual rules) and I'm still on .149

    Any help - please!!



  • Post your manual outbound NAT screenshot without the public IP info.



  • It was auto-created when I clicked on manual (I did save it, etc).  I'm currently playing/learning before I have to do this in a real situation (in about a week).

    It looks like this;

    Interface  Source        Src Port  Destination  Dst Port  NAT Address  NAT Port    Static Port  Description
    WAN        10.1.0.0/24   *         *            500       *            *           YES          Auto created rule for ISAKMP - LAN to WAN
    WAN        10.1.0.0/24   *         *            *         *            *           NO           Auto created rule for LAN to WAN
    WAN        127.0.0.0/8   *         *            *         *            1024:65535  NO           Auto created rule for localhost to WAN
    WAN        10.2.0.0/24   *         *            500       *            *           YES          Auto created rule for ISAKMP - VLAN2 to WAN
    WAN        10.2.0.0/24   *         *            *         *            *           NO           Auto created rule for VLAN2 to WAN
    WAN        127.0.0.0/8   *         *            *         *            1024:65535  NO           Auto created rule for localhost to WAN
    WAN        10.3.0.0/24   *         *            500       *            *           YES          Auto created rule for ISAKMP - VLAN3 to WAN
    WAN        10.3.0.0/24   *         *            *         *            *           NO           Auto created rule for VLAN3 to WAN
    WAN        127.0.0.0/8   *         *            *         *            1024:65535  NO           Auto created rule for localhost to WAN
    WAN        10.64.0.0/24  *         *            500       *            *           YES          Auto created rule for ISAKMP - VLAN64 to WAN
    WAN        10.64.0.0/24  *         *            *         *            *           NO           Auto created rule for VLAN64 to WAN
    WAN        127.0.0.0/8   *         *            *         *            1024:65535  NO           Auto created rule for localhost to WAN



  • Sorry to chase you up, but any help/advice available?



  • In your outbound rule you have to specify the additional IP you want to be used when NATing to the WAN (the translation drop-down).

    If you don't see any additional IPs under "Translation" then you first need to add your additional IPs under "Firewall --> Virtual IPs".



  • Sorry, I'm not getting anywhere here!!

    I have 4 Public IP addresses - .148, .149, .150 and .151.

    I have multiple vLans on a vLan switch.

    I want to get vLan 3 to use the .151 public address - but all of my vLans (including 3) say from whatismyip.com that they are using .149 (why not .148?).

    I'm getting close to introducing the computer (running pfSense 2) to attempted flight from a window upstairs!



    • What is the IP of your WAN?

    • Did you assign your additional public IPs on the WAN as virtual IPs?

    • Did you create any manual outbound rules to map your internal networks to these public IPs?



  • The WAN has 4 Public IP addresses - .148, .149, .150 and .151

    I'd guess, as things are addressing as .149, that that's the IP of the WAN?



  • I've created a 1:1.
    I've created a virtual IP (with the public/32).
    I had a play with the auto created rules.

    But it ain't working - getting very close to seeing if it can fly!!

    I have the pf.conf rules that I'm trying to copy over (shame there is no direct import to convert!!)



  • Your WAN can only have 1 IP.
    --> What IP is configured if you go to the config page of the WAN? --> That's the IP of the WAN.
    Per default all communication with/from the pfSense is done with this IP.

    You can add additional IPs on the WAN interface via "Firewall --> Virtual IP".
    These additional IPs are only usable by the pfSense itself if the VIP type is:

    • CARP (requires that the VIP is in the same subnet as the WAN-IP)
    • alias (just your standard alias).

    These VIPs can be used in NAT rules.
    --> E.g. outbound rules.

    If you want traffic from your different VLANs to leave via their own IP you need to enable manual rule generation and create rules like:
    Interface: WAN (interface on which traffic exits)
    Source: vlan_x_subnet
    Destination: any (aka Internet).
    Translation: VIP (set here one of the previously created VIPs).

    If you have done that and it doesn't work, then please post screenshots of all the pages where you configured something.
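
The three mechanisms named in this thread (manual outbound NAT with a VIP as the translation address, 1:1 NAT, and a port forward), plus the VLAN isolation from the opening post, expressed as the FreeBSD pf.conf rules that pfSense generates behind its GUI. This is an added example, not posted by anyone in the thread and not pfSense's own generated ruleset. The interface names, the 203.0.113.0/24 public block (a documentation range standing in for the real addresses, with the same last octets the thread quotes) and the 1:1 host 10.2.0.10 are assumptions; the VLAN subnets, 10.64.0.50 and port 1042 -> 80 are the ones given above.

```pf
# Added example: pf.conf equivalent of the pfSense setup discussed in the
# thread. Interface names, the 203.0.113.0/24 block and host 10.2.0.10 are
# assumptions; the other addresses are quoted in the thread.

ext_if    = "em0"
vlan2_if  = "vlan2"
vlan3_if  = "vlan3"
vlan64_if = "vlan64"

wan_ip    = "203.0.113.149"   # primary WAN address (".149" in the thread)
vlan3_pub = "203.0.113.151"   # dedicated egress address for VLAN 3 (".151")
srv_pub   = "203.0.113.150"   # public side of the 1:1 mapping (".150")

vlan2_net  = "10.2.0.0/24"
vlan3_net  = "10.3.0.0/24"
vlan64_net = "10.64.0.0/24"
srv_int    = "10.2.0.10"      # assumed static host behind the 1:1 mapping
web_int    = "10.64.0.50"     # host that receives the port forward

# All internal networks, used to express "VLANs may not talk to each other".
table <vlans> const { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.64.0.0/24 }

set skip on lo0

# --- Translation (pfSense: Firewall > NAT) ---------------------------------
# pf only rewrites addresses. .150 and .151 must also exist as aliases on
# $ext_if (pfSense: Firewall > Virtual IPs, type IP Alias), otherwise the
# upstream router never delivers the return traffic for them.

# Outbound NAT (pfSense: Outbound, manual). The first matching nat rule
# wins, so the VLAN 3 rules sit before the catch-all. ISAKMP keeps its
# source port, as the auto-generated pfSense rules do.
nat on $ext_if proto udp from $vlan3_net port 500 to any -> $vlan3_pub static-port
nat on $ext_if from $vlan3_net to any -> $vlan3_pub
nat on $ext_if from <vlans> to any -> $wan_ip

# 1:1 NAT (pfSense: 1:1): $srv_int is $srv_pub in both directions.
binat on $ext_if from $srv_int to any -> $srv_pub

# Port forward (pfSense: Port Forward): $wan_ip:1042 -> 10.64.0.50:80.
rdr on $ext_if proto tcp from any to $wan_ip port 1042 -> $web_int port 80

# --- Filtering: last matching rule wins unless "quick" ---------------------
block log all

# Each VLAN may reach VLAN 64 and the Internet, but no other VLAN.
pass in quick on $vlan2_if from $vlan2_net to $vlan64_net
block in quick on $vlan2_if from $vlan2_net to <vlans>
pass in on $vlan2_if from $vlan2_net to any

pass in quick on $vlan3_if from $vlan3_net to $vlan64_net
block in quick on $vlan3_if from $vlan3_net to <vlans>
pass in on $vlan3_if from $vlan3_net to any

# VLAN 64 answers the other VLANs via state; it may initiate only outward.
block in quick on $vlan64_if from $vlan64_net to <vlans>
pass in on $vlan64_if from $vlan64_net to any

# Inbound from the WAN. rdr/binat run before filtering, so the filter sees
# the internal addresses. Ports on the 1:1 host are an assumption.
pass in on $ext_if proto tcp from any to $web_int port 80
pass in on $ext_if proto tcp from any to $srv_int port { 80, 443 }

pass out on $ext_if keep state
```

Two checks worth doing before blaming the ruleset. `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` lists the translation rules actually in force (in pfSense, Diagnostics > Command Prompt runs the same commands, and Diagnostics > States shows the state table). A state entry for a VLAN 3 host that reads `10.3.0.x -> 203.0.113.151 -> <remote>` proves pf is translating to the dedicated address; if whatismyip.com still reports .149, the rewrite is being undone upstream, which is the modem-in-routing-mode case described later in this thread. If the entry already shows .149, the translation address in the outbound rule is the problem.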



  • If you're still having issues with applying this send me a pm.



  • I'm thinking that the issue is with my modem/router not giving out the right IP addresses (rather than pfSense not allocating them the way I want - my guess is that it is only receiving a single one).

    Does that sound feasible?



  • Sort of feasible:
    if you have the modem in routing mode, then it's feasible
    -or-
    you have the modem in bridging mode and you have not set up all the virtual IPs on the pfSense
    -or-
    you have every single WAN IP set, but the manual outbound NAT rules aren't set right

