Wrong outgoing IP on multiple WAN/Public IP routing setup



  • I have a pfSense setup with 4 NICs (3 used).

    NIC1 = WAN
    NIC2 = LAN
    NIC3 = OPT

    WAN to LAN is used only for management and VPN.

    WAN to OPT is used to route public IPs to and from servers behind the firewall without using NAT.
    Incoming, this is working OK. Multiple public IPs are set as aliases or virtual IPs.
    The server(s) behind the pfSense are all configured with a public IP and are reachable from the outside on ports opened on pfSense.
    The gateway on the servers is configured as the network's gateway and not the IP of the pfSense.
    WAN to OPT is a routing firewall.

    As said, incoming this is working OK.
    Outgoing, strangely, each server is using the pfSense WAN IP as its public IP.
    So anything stateful is not working.

    Below is the IP usage/setup (the example is correct, only with public IPs instead of the private ones used in the example).

    172.16.0.1 is the network's router

    172.16.0.10 to 172.16.0.25 are the IPs I can use.

    pfSense WAN IP is 172.16.0.10

    So a server with IP 172.16.0.14 behind the OPT interface, with subnet 255.255.255.0, a gateway set to 172.16.0.1 (the network's router) and DNS set to 172.16.0.10 (pfSense).
    If, say, I open port 3389, I can RDP to the server on the public IP from outside the network.
    However, when I go to a site like whatsmyip from the server with 172.16.0.14, it says the IP is 172.16.0.10 (the pfSense IP).
    So it's not fully transparent.

    Again, in real life this is done with public IPs. The last octet does correspond with the real situation.

    Anyone have a clue what I'm missing, doing wrong or otherwise?

    Any help appreciated



  • Do you still run Automatic Outbound NAT? If so, you need to change it to Manual Outbound NAT and create the corresponding rules there.
    Another option would be 1:1 NAT if you use an internal IP subnet on the server "LAN".



  • Thank you for the quick reply.

    Firewall: NAT: Outbound is set to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT).

    There is a mapping in the outbound NAT like this (again with example IPs):

    Interface | Source        | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port
    WAN       | 172.16.0.0/24 | *           | *           | *                | *           | *        | NO



  • If I read this rule correctly at this point of the day (20 hrs up), it means that your server LAN is included in what gets NATted to the pfSense IP.



  • As Metu69salemi said, your outbound NAT rule is NATting your public IP block out of your WAN interface. Change the Source to your LAN subnet.
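The reason the rule in the thread catches the OPT servers, shown as an added example (this is a small model of first-match outbound NAT rule evaluation written for this page, not pfSense's own code): a rule whose Source is the whole 172.16.0.0/24 block matches traffic from 172.16.0.14 leaving on WAN, so that traffic is rewritten to the WAN address 172.16.0.10. Narrowing the Source to the LAN subnet (the LAN subnet 192.168.1.0/24 is an assumption, the thread never states it) leaves the routed public addresses alone. The model also goes one step beyond the thread and shows the other way to get the same result in pfSense, a "Do not NAT" rule for the routed block placed above the catch-all, and why the order of those two rules matters.

```python
"""
Model of pfSense manual outbound NAT (AON) rule matching.  Added
illustration for the forum thread above; not pfSense's own code.
Rules are evaluated top to bottom and the first match wins, which is
how the pfSense Outbound NAT tab behaves.  The LAN subnet below is
an assumption; the thread never gives it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

WAN_IP = "172.16.0.10"       # pfSense WAN address from the post
LAN_NET = "192.168.1.0/24"   # assumed LAN subnet (not stated in the thread)
OPT_NET = "172.16.0.0/24"    # routed "public" block (private IPs as in the post)


@dataclass(frozen=True)
class OutboundRule:
    """One row of the Outbound NAT table: interface, source network and
    the address to translate to (None models the "Do not NAT" checkbox)."""
    interface: str
    source: IPv4Network
    nat_address: Optional[str]

    def matches(self, out_iface: str, src) -> bool:
        return out_iface == self.interface and src in self.source


def translate(rules: List[OutboundRule], out_iface: str, src_ip: str) -> str:
    """Return the source address a remote host sees for a packet from
    src_ip leaving on out_iface, using first-match evaluation."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.matches(out_iface, src):
            # "Do not NAT" rule: stop evaluating, leave the address alone
            return src_ip if rule.nat_address is None else rule.nat_address
    return src_ip  # no rule matched: packet leaves untranslated


# 1. The rule as posted: Source covers the whole routed block, so the
#    OPT servers are NATted to the WAN IP (the symptom in the thread).
posted = [OutboundRule("WAN", ip_network(OPT_NET), WAN_IP)]

# 2. The fix suggested in the thread: Source restricted to the LAN subnet.
fixed = [OutboundRule("WAN", ip_network(LAN_NET), WAN_IP)]

# 3. Alternative: an explicit "Do not NAT" rule for the routed block,
#    placed ABOVE a catch-all rule.  First match wins, so the order of
#    these two rows decides whether the servers are translated.
no_nat_first = [
    OutboundRule("WAN", ip_network(OPT_NET), None),
    OutboundRule("WAN", ip_network("0.0.0.0/0"), WAN_IP),
]
catch_all_first = list(reversed(no_nat_first))


def report(server_ip: str = "172.16.0.14", lan_host: str = "192.168.1.20") -> dict:
    """What each rule set does to an OPT server and to a LAN host."""
    return {
        "posted": translate(posted, "WAN", server_ip),
        "fixed_server": translate(fixed, "WAN", server_ip),
        "fixed_lan_host": translate(fixed, "WAN", lan_host),
        "no_nat_first": translate(no_nat_first, "WAN", server_ip),
        "catch_all_first": translate(catch_all_first, "WAN", server_ip),
    }


if __name__ == "__main__":
    for name, seen in report().items():
        print(f"{name:16s} -> remote host sees {seen}")
```

With the posted rule set the OPT server shows up as 172.16.0.10, exactly what whatsmyip reported; with the Source narrowed to the LAN subnet the server keeps 172.16.0.14 while a LAN host is still translated to the WAN IP. The last two rule sets are the same two rows in opposite order, which is the check to make on the real Outbound NAT tab after editing: a "Do not NAT" row only helps if nothing above it already matches the routed block.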

