How to separate traffic from a public network to a different public IP



  • Hello,

    I am a newbie to PfSense and I do have a question.

    Until now I have used (still using because the pfsense box is not productive yet) shorewall as our company firewall.
    On our shorewall box we use masquerading for outgoing traffic from our public LAN network (for open wifi, guest login, and so on) to another public IP apart from the one used on the main network. On the box we have 4 interfaces, of which eth0 is the WAN side.

    It looks like this:

    all outgoing traffic from 192.168.1.0/24 through eth0 to use source address 206.124.146.176 which is NOT the primary address of eth0. You want 206.124.146.176 to be added to eth0 with name eth0:0.

    ###############################################################################
    #INTERFACE         SUBNET ADDRESS PROTO PORT(S) IPSEC

    #office subnet
    eth0                10.0.2.0/24 xxx.xxx.150.98

    #public wireless (pub)
    eth0         192.168.2.0/24 xxx.xxx.150.99

    I'd like to do the same thing on our new pfsense box but I can't find a clear solution. I think it has to do with Virtual IPs. Does anyone have some experience in PfSense with this subject, and can you help me out with what I should do?
    Regards, Fons



  • That is possible with advanced outbound NAT and virtual IPs. eth0:0 is just an IP alias with id 0 set up on eth0. It will depend on your WAN setup which VIP type you should use. Most would use an IP alias for this, but you might need to use proxy ARP if you have a special WAN setup. We would need more details to help you further.



  • Hello

    We use the latest PfSense 2.0.1 on a dedicated six interface box.

    Our WAN side is configured on interface em1 with static IP: xxx.xxx.150.110/27 and gateway: xxx.xxx.150.97

    The subnet "Foyer" for guests is on interface em4 with static IP: 10.1.0.1/22 (lots of guests!)
    We would like the outbound traffic of this subnet to use IP: xxx.xxx.150.111

    Thanks in advance, Fons



  • That is not a problem.

    First, go to Firewall -> Virtual IPs. Add one of type IP Alias
    xxx.yyy.150.111/27

    Then go to Firewall -> NAT -> Outbound and switch from auto to manual. This will put in all the subnets already configured with the default rules. You then need only to edit 10.1.0.1/22 to use xxx.yyy.150.111 as the outbound address.
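
A way to sanity-check the resulting manual outbound NAT table offline, as an added example that is not part of the original posts or of pfSense itself. It models rules as first-match entries; the 203.0.113.x addresses are constructed stand-ins for the masked xxx.xxx.150.x ones, and the rule list and the extra 10.0.3.0/24 subnet are hypothetical.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation range) for the masked addresses.
WAN_NET = ipaddress.ip_network("203.0.113.96/27")   # em1 subnet, gateway .97
WAN_ADDR = ipaddress.ip_address("203.0.113.110")    # em1 interface address
GUEST_VIP = ipaddress.ip_address("203.0.113.111")   # IP Alias virtual IP

# Manual outbound NAT rules in table order:
# (interface, source network, translation address). Hypothetical rule set.
RULES = [
    ("em1", "10.1.0.0/22", GUEST_VIP),  # Foyer guests (network of 10.1.0.1/22 on em4)
    ("em1", "10.0.2.0/24", WAN_ADDR),   # office subnet
]

def egress_address(src, rules=RULES, iface="em1"):
    """Return the translation address of the first rule matching src, or None.

    None models manual mode: a source with no matching rule is not
    translated, because no automatic rules are generated any more.
    """
    ip = ipaddress.ip_address(src)
    for rule_if, net, target in rules:
        if rule_if == iface and ip in ipaddress.ip_network(net):
            return target
    return None

def audit(rules=RULES, internal=("10.1.0.0/22", "10.0.2.0/24", "10.0.3.0/24")):
    """Return a list of problems found in the rule table."""
    problems = []
    # Assumption: as in the thread, the alias lives inside the WAN subnet.
    for _, net, target in rules:
        if target not in WAN_NET:
            problems.append(f"{net}: {target} is outside {WAN_NET}")
    # Every internal subnet needs its own rule once the mode is manual.
    for net in internal:
        first_host = next(ipaddress.ip_network(net).hosts())
        if egress_address(str(first_host), rules) is None:
            problems.append(f"{net}: no outbound NAT rule")
    # The point of the exercise: guests must not share the office address.
    if egress_address("10.1.0.50", rules) == egress_address("10.0.2.50", rules):
        problems.append("guest and office traffic share an egress address")
    return problems

if __name__ == "__main__":
    for line in audit() or ["rule table looks consistent"]:
        print(line)
```

The reported gap for 10.0.3.0/24 is the case to watch after switching to manual: a subnet added later gets no outbound rule until one is created by hand.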



  • Ok, Done

    Thank you very much. As from now I understand much better how I can mould the pfsense box to our needs.

    Thanks again, Fons

