Assigning public IP addresses to some vLans



  • Hello,

    I have a situation where I have an incoming bonded ADSL service to my pfSense box that has about a dozen public IP addresses.

    My pfSense box is then connected to a series of vLans (through a vLan switch).

    I think I've got the security of the vLans workings (so that they can't talk to each other), but I also need to give some of them dedicated/sole use of one of the public addresses (so, some vLans will use the 'shared' one and some will each have their own).  This is the bit that I can't seem able to do.  HELP - please!



  • For all of them you will create virtual IPs (except for the one used by gateway and WAN). In NAT, you are going to go to Outbound NAT and switch over to Advanced manual out bound NAT. This will create some default rules based on the main LAN address. You will then duplicate the 2 rules that have the LAN subnet rules and change them over to match the VLAN subnet. Instead of using the WAN address, you are going to change it so that it uses the IP of the VIP you want. This will then force different subnets to use different IPs. Be sure to also go to each VLAN firewall rule page and make sure that a rule is created that is similar to the default rule in LAN. You will just change the source to be the VLAN subnet.
    Once that is complete, then you just have to setup either port forward or 1:1 NAT for any internal services you need to expose to the internet.



  • Pod,

    Thanks, I'm about to play.

    I have one question - what sort of VIP do I need to create?  Can I have an example?  My LAN & vLans are 10.1.0.x, 10.2.0.x, 10.3.0.x, etc..  My gateway is 82.x.y.65, with the pfSense box at .66 and .67 to about .78 are available IPs (we are on a 255.255.255.240 - /24 from memory).



  • IMO, I would use CARP. The reason why is that you can setup clustering later if you use that type of VIP. If you plan to never cluster, then ProxyARP or IP alias works really well also. If clustering is a possibility, it takes 3 public IPs to do that, so start using IPs at the end and work backwards asigning them.


Log in to reply