Three Public IP Ranges to NAT - one with gateway, two without

  • Hello Everyone,

    We are running pfSense 2.0.1 at both ends. In datacenter1, my pfSense device has 4 physical interfaces and is running HA. In datacenter2, my pfSense device has 2 physical interfaces and has not been installed yet.

    I am focusing on datacenter2 in this post.

    Our facility is providing us BGP address failover between our two datacenters.

    In each datacenter, we have a /30 that will become our "WAN" and it has a gateway of our provider's BGP device. It was explained to me that their device will "NAT" to the /27 and /28 mentioned and forward all ports/traffic to/from those two ranges.

    In datacenter2, our current /28 will become a standard range without a defined gateway. We have a /27 in our primary datacenter (datacenter1) that will swing back and forth, also with no defined gateway.

    My question is, if I configure the default WAN interface with the /30, will I be able to keep NAT functionality if I want to use a /24 private address range on the LAN side?

    If so, how should I configure the /28 and /27 on the WAN side, as virtual IPs bound to the WAN interface? If so, which type should I use? (

    As a bonus, if I configure the /27 and /28 as VIPs, would someone explain how pfSense knows to use the /30 as the gateway?

    Here is an example of what I am thinking I need to configure:

    WAN: (Gateway of, WAN IP assignment of
    WAN-VIP1: (Configured as IP Alias on WAN interface)
    WAN-BGP: (Configured as IP Alias on WAN interface)
    LAN -

    All the WAN blocks mentioned above are valid public IP address ranges in the 68.x.x.x and 72.x.x.x networks.

    Thank you for any guidance you can provide.



  • Scratch this topic. My co-lo provider was handing BGP to us incorrectly. They've since configured it to hand off to us correctly, so I am no longer confused.

Log in to reply