Configuration advice for subnet routed to WAN IP?

  • Hello all,

    My apologies if this is covered somewhere else and I missed it. I posted this in the VIP section as my question pertains to whether I should use VIPs, but if there is a better section, I'd appreciate if a moderator would be kind enough to relocate this question.

    I have a small (/28) subnet that is routed to my WAN address. I am looking for advice on the best way to configure it with pfsense.

    Currently, I have three interfaces configured. WAN with my primary public IP address, LAN with private IP addresses/NAT, and OPT1 with the subnet using the routable addresses and no NAT. I do not have any virtual IPs configured. I have firewall rules allowing the appropriate traffic to and from the OPT1 device and it appears to be working in that fashion.

    Poking around a bit, it seems like an alternative would be to use some combination of Virtual IP and a 1:1 NAT. Would this be a better setup? If so, what would be the best way to configure this?

    This is a home setup, so I'm all for tinkering around.

    Thanks for any advice!


    ETA: Running 2.0.1 if that helps.

  • Well, you can set up Proxy ARP, CARP, or IP Alias for your extra addresses on OPT1 and then use 1:1 NAT if you only want to use 1 external per 1 internal. Otherwise, port forward is the way to go. If you use port forward, don't forget to set up any advanced outbound NAT you might need.

  • Aside from the machine having a non-routable IP in the event pfSense was misconfigured to allow unintended traffic through, or needing to access more machines than I have IPs, what is the advantage of using a port forward or NAT rather than just letting pfSense route the allowed traffic to the ports in question?

  • There might be a slight performance gain with just routing, but the extra level of security, to me, outweighs that performance gain. If you are talking about a filtering bridge, then there is really no performance gain. You will still have to have a firewall whether it is at the perimeter or on the server.
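As an added illustration of the two designs discussed above (the routed /28 filtered directly on OPT1 versus a private host behind a VIP with 1:1 NAT), here is a hand-written FreeBSD pf.conf sketch; it is not from the thread and not the ruleset pfSense generates from its GUI. All addresses and interface names are constructed (203.0.113.16/28 as the routed block, 10.0.1.10 as the private host, em0 as WAN, em2 as OPT1).

```pf
# Constructed example values, not from the thread.
ext_if  = "em0"           # WAN, carries the primary public IP
opt1_if = "em2"           # OPT1, 203.0.113.17/28 in the routed design
web_pub = "203.0.113.18"  # one address out of the routed /28
web_prv = "10.0.1.10"     # private address of the same server in design B

# ---- Design A: routed /28, no NAT (use A or B, not both) ----------------
# The upstream forwards the whole /28 to the WAN IP; pfSense just routes it
# to OPT1. The server itself holds a globally reachable address, so only the
# filter rules stand between the Internet and every port on it.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $web_pub port { 80, 443 } \
    flags S/SA keep state
pass out on $opt1_if keep state

# ---- Design B: private host, 1:1 NAT to a WAN virtual IP -----------------
# The /28 is still routed to the WAN IP, but 203.0.113.18 now lives on the
# firewall as a VIP (pfSense: Proxy ARP, CARP or IP Alias) and binat maps it
# both ways onto the private address.
binat on $ext_if from $web_prv to any -> $web_pub

# pf translates inbound packets before filtering, so WAN rules are written
# against the private address. A public address in the /28 with no binat or
# rdr entry has no host behind it, which is the extra safety margin the
# thread describes if a pass rule is ever made too broad.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $web_prv port { 80, 443 } \
    flags S/SA keep state
```

In design B the server's own outbound traffic is also translated by the binat entry, which is why a plain port forward (rdr) would additionally need the outbound NAT mapping the second reply mentions.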
