How to use multiple IP on a WAN interface?



  • Hello,

    I have a bit of a problem with my pfSense 1.2.3 configuration and I need some help solving it.
    Basically my pfSense box has 2 WAN interfaces in Load Balancing mode, and a LAN interface with multiple subnets.

    WAN1 (now using only one IP)
    (89.xxx.xxx.2)
    …-...
    (89.xxx.xxx.6)

    WAN2
    (86.xxx.xxx.105)

    LAN
    (192.168.10.1)
    …-...
    (192.168.50.1)

    Router: 192.168.10.2
    Videoconference equipment: 192.168.10.3

    On my WAN1 interface I have 4 more IP addresses available for use (89.xxx.xxx.3 - 89.xxx.xxx.6) and I need to assign two of them to some of my LAN devices (a router and videoconferencing equipment). That equipment is behind the pfSense box and has IP addresses belonging to one of the LAN subnets. How can I make them use two of the available IP addresses on my WAN1 interface?

    89.xxx.xxx.3 <==> 192.168.10.2
    89.xxx.xxx.4 <==> 192.168.10.3

    Thank you.



  • ProxyARP, CARP or IP Alias in the Virtual IP tab. I would start there and then ask more specific questions. You can set them up in a port forward or 1:1 NAT …
    With port forwarding you might need to use advanced outbound NAT as well.
    Sticky Connections will be a must.
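    As an added illustration (not part of this thread, and not the ruleset pfSense 1.2.3 generates itself), the following hand-written pf.conf fragment shows what "IP Alias virtual IPs + 1:1 NAT + sticky outbound balancing" amounts to underneath the GUI. Interface names (em0/em1/em2), the two upstream gateways, and the single inbound port are assumptions; the 89.xxx/86.xxx addresses are the thread's own placeholders.

```pf
# Added example, not pfSense's generated rules. Assumed interface names and
# gateways; addresses keep the thread's xxx placeholders.
ext_if1 = "em0"                # WAN1, primary address 89.xxx.xxx.2
ext_if2 = "em1"                # WAN2, 86.xxx.xxx.105
int_if  = "em2"                # LAN, 192.168.10.1 (other subnets omitted)
gw1     = "89.xxx.xxx.1"       # assumed WAN1 next hop
gw2     = "86.xxx.xxx.1"       # assumed WAN2 next hop
lan_net = "192.168.10.0/24"

router_lan = "192.168.10.2"
vc_lan     = "192.168.10.3"
router_pub = "89.xxx.xxx.3"    # spare WAN1 address for the router
vc_pub     = "89.xxx.xxx.4"    # spare WAN1 address for the videoconference unit

# The spare addresses must be answered on WAN1 before any NAT can apply.
# An "IP Alias" VIP in the GUI corresponds to interface aliases such as:
#   ifconfig em0 inet 89.xxx.xxx.3/32 alias
#   ifconfig em0 inet 89.xxx.xxx.4/32 alias

# --- Translation ---------------------------------------------------------
# 1:1 NAT: binat is bidirectional, so inbound packets to the public alias
# are rewritten to the LAN host and that host's outbound packets leave with
# its own public address instead of WAN1's primary address.
binat on $ext_if1 from $router_lan to any -> $router_pub
binat on $ext_if1 from $vc_lan     to any -> $vc_pub

# Ordinary outbound NAT for everything else, on whichever WAN it exits.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# --- Filtering -----------------------------------------------------------
# Default deny inbound; log so unexpected hits are visible.
block in log all
pass out keep state

# The two 1:1 hosts are pinned to WAN1 (quick = first match wins), because
# their public addresses belong to WAN1's provider and cannot be used on WAN2.
pass in quick on $int_if route-to ($ext_if1 $gw1) \
    from { $router_lan, $vc_lan } to any keep state

# Remaining LAN traffic is balanced across both WANs. sticky-address keeps
# one internal source on the same WAN for the life of its sessions, which is
# what "Sticky Connections" in the GUI turns on.
pass in on $int_if \
    route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } round-robin sticky-address \
    from $lan_net to any keep state

# Inbound to the videoconference unit. Filtering runs after translation, so
# the rule matches the LAN address, not the public alias. reply-to forces
# replies back out WAN1 even if the default route currently points at WAN2.
# Port 1720 (H.323 call signalling) is an assumed example; open only what
# the equipment actually needs rather than "any".
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to $vc_lan port 1720 keep state
```

    Load it with `pfctl -nf /etc/pf.conf` to syntax-check before applying. Two design points worth noting: the `quick` rule must precede the balancing rule, otherwise the 1:1 hosts can be sent out WAN2 with a source address that provider will drop; and `reply-to` is what makes the inbound side survive a failover to WAN2, since the 89.xxx.xxx.3/4 addresses are only reachable through WAN1 regardless of which gateway is currently default.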



  • @podilarius:

    ProxyARP, CARP or IP Alias in the Virtual IP tab. I would start there and then ask more specific questions. You can set them up in a port forward or 1:1 NAT …
    With port forwarding you might need to use advanced outbound NAT as well.
    Sticky Connections will be a must.

    I have exactly the same problem, the only difference is that, instead of load balancing, I'm using failover.
    Could someone please elaborate more on this topic, for example, how do I ensure that the Virtual IP and NAT 1:1 rules created exclusively for the WAN interface would work via OPT1 (WAN2 actually) if WAN goes down?
    Do I have to duplicate the virtual IP and NAT rules (already created) for OPT1 (WAN2)? Or just a firewall rule allowing traffic to the internal IP via the gateway group corresponding to the failover would take care of all that? Thanks in advance.



  • You would probably have to match the NAT and rules configuration unless you created the rules in floating. Failover and balancing were not really made for internal services. If you want true failover, then you have to have a provider give you 2 drops with the same IPs available on them and then run 2 boxes in a cluster, or two drops and LAGG (mainly datacenters). MultiWAN is more of an outbound (internet) thing to me. Reason being that you have to have DNS set up just right for websites and SMTP to continue to flow behind the firewall in case of a failure. Don't forget to use sticky connections to help.

