How to route traffic for 1 Virtual IP to a specific virtual interface

  • Hi everybody,

    I have several public IPs from my ISP and I have several virtual interfaces on the LAN. Now I want to route all traffic for one of these public IPs to one of the virtual interfaces (each virtual interface has a different subnet).

    Actually I am stuck on how to do this, although the question seems absolutely easy. Any help is really appreciated!

    I created a VIP, now I guess I need to create a firewall rule on the WAN interface? But what does this rule have to look like?
    Or is there a different way to do this?

    pfSense 2.0.1 is what I am using.


  • Manual Outbound NAT is your answer

  •
    Explain why you would use outbound NAT for an inbound configuration?

  • I figured it out that way, that (s)he wants to use one public IP per VLAN for outbound connections. Might be that I didn't understand this problem so well after all.

  • Hi everybody,

    Thank you for your postings and sorry for not explaining better: it is needed for inbound connections.


  • OK, try to make a drawing of your current and wanted topology, and can you explain what kind of case you want to happen?
    Do you want to have a server in a VLAN, or do you want to have one IP which is used by one VLAN no matter what size it is?

  • Hi,

    right now I am interested in the 2nd case, how to use one of my public IPs for one specific internal network (running on a virtual interface) only.
    But I am also interested in how to create the first case, how to, for example, have 1 IP for 1 server only (either by using a kind of DMZ or exposing them completely).

    VLAN1   - (LAN-NIC) - (WAN-NIC) - Public IP 1
    VLAN2   - (LAN-NIC) - (WAN-NIC) - Public IP 2
    VLAN3-n /

    LAN-NIC is a physically available NIC, same for WAN-NIC, this means I have 2 NICs built into my server (I don't know how to display this in my little drawing above). On the LAN-NIC I run several virtual interfaces.
    So VLAN1 should be reachable only over public IP 1, the rest over public IP 2.
    I hope this explanation helps.

    Best regards

  • For inside-to-outside traffic: Manual Outbound NAT
    For outside-to-inside traffic: Port Forward or 1:1 NAT
    Additional IPs on the WAN NIC: VIPs

    Edited: Middle section

  • OK, now one question:

    Imagine I have 2 public IPs and 2 NTP servers. Both are listening on port 123.
    NTP1 is showing the time for timezone 1, NTP2 is showing the time for timezone 2.

    Now if people want to reach NTP1 they should type IP1 in their NTP client to reach it, or if they want to reach NTP2 they need to type public IP2. But how do I set this up on the pfSense?
    Port forward and NAT will only allow me to forward port 123 to one server, or am I wrong? Or how do I need to set up port-forwarding rules or NAT rules to listen on only 1 specific IP address? Do I need to set up some virtual WAN NICs to get this to work?

    Thank you VERY MUCH for your help up to here, I really appreciate it.


  • With a search you can find that your question is already answered.
    But, do you also want to send other traffic from these servers via these public IPs?

    If only this NTP traffic is what you want:
    1. Add VIPs, as many as you have/need
    1.1 Go to: Firewall: Virtual IPs and press +
    Then add these values:

    Type: IP Alias
    Interface: WAN
    IP Address: Your additional public IP with a mask /32
    Description: Whatever you want

    1.2 Apply changes after saving

    2. Add Aliases
    2.1 Go to: Firewall: Aliases and press +
    Then add these values:

    Name: Server1 (or second round: Server2)
    Description: VLAN # NTP server (or whatever you like)
    Type: Host(s)
    IP: Server internal IP
    Description: Server name (or whatever you like)
    Now do it again for the other server, and after that:
    Name: PublicServer1 (or second round: PublicServer2)
    Description: whatever you like, but keep it descriptive
    Type: Host(s)
    IP: Server outside IP
    Description: whatever you like
    So you end up having 4 host aliases: Server1, Server2, PublicServer1, PublicServer2

    2.2 Apply changes after saving

    3. Port Forwards
    3.1 Go to: Firewall: NAT and press +
    Then add these values:

    Notice: if you find a field that is not mentioned here, leave it as is.
    Interface: WAN
    Protocol: UDP
     Type: you can either select your WAN/VIP or "Single Host or Alias"
     Address: If you chose "Single Host or Alias", then you can type PublicServer1 (or PublicServer2)
    Destination port range: from: NTP to: NTP
    Redirect target IP: Server1 (or Server2)
    Redirect target port: NTP
    Description: whatever you like
    Now save and do it again for the second server

    3.2 Apply after saving changes

    Before the 4th step you need to choose if you want to have any other traffic also flowing with this additional public IP,
    like all traffic from VLAN2 going via public IP 1 and all traffic from VLAN3 going via public IP 2.

    4. Manual Outbound NAT
    4.1 Go to: Firewall: NAT: Outbound
    4.2 Press Manual Outbound NAT and save
    4.3 Press + and after that add these values

    NOTICE: If you find a field not mentioned here, leave it as is
    Interface: WAN
    Protocol: UDP (or if any traffic from this VLAN, then ANY)
     Type: Network
     Address: Either Server1/Server2 (or your VLAN subnet); the subnet mask is /32 for a server and probably /24 for a VLAN
     Address: Again you can choose WAN/VIP or Host alias (then choose PublicServer1/PublicServer2)
    Description: Whatever you like
    Repeat these for the other server

    4.4 Change the order of the mappings so that your server rules are above any other rules
    4.5 Save, apply changes

    5. Test that anything works
    5.1 Enjoy

    In case something doesn't work, read/search the forum before posting. The documentation might also help.
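To make clear what the GUI steps above produce underneath, here is an added illustration of equivalent hand-written pf rules in the rdr/nat syntax used by pfSense 2.0.x; it is not pfSense-generated output and not from the thread, and the interface name, VLAN subnets and public addresses are all constructed assumptions.

```pf
# Constructed example: interface name and addresses are assumptions
# (RFC 5737 public range, RFC 1918 internal ranges), not from the thread.
wan_if    = "em0"
pub1      = "203.0.113.11"     # VIP 1: IP Alias on WAN, /32
pub2      = "203.0.113.12"     # VIP 2: IP Alias on WAN, /32
srv1      = "10.10.1.10"       # NTP1, lives in VLAN1
srv2      = "10.10.2.10"       # NTP2, lives in VLAN2
vlan1_net = "10.10.1.0/24"
vlan2_net = "10.10.2.0/24"

# Step 3 (port forwards): each rdr matches one destination VIP only,
# so UDP/123 sent to pub1 lands on NTP1 and UDP/123 sent to pub2 on NTP2.
# This is why one port can be forwarded to two servers without conflict.
rdr on $wan_if proto udp from any to $pub1 port 123 -> $srv1 port 123
rdr on $wan_if proto udp from any to $pub2 port 123 -> $srv2 port 123

# Step 4 (manual outbound NAT): first matching translation rule wins,
# so the per-server (/32) rules sit above the per-VLAN rules (step 4.4).
nat on $wan_if from $srv1      to any -> $pub1
nat on $wan_if from $srv2      to any -> $pub2
nat on $wan_if from $vlan1_net to any -> $pub1
nat on $wan_if from $vlan2_net to any -> $pub2

# Filter rules: rdr only rewrites the destination; a pass rule for the
# translated address and port is still needed. Only UDP/123 to the two
# servers is opened; everything else inbound on WAN stays blocked.
block in on $wan_if
pass in on $wan_if proto udp from any to $srv1 port 123 keep state
pass in on $wan_if proto udp from any to $srv2 port 123 keep state
```

The pass rules are deliberately limited to the forwarded port and the two redirect targets, which is the least-exposure equivalent of the firewall rule pfSense offers to auto-create with each port forward.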
