NAT and routing

  • Hi,

    I have one WAN interface with PPPoE and one WAN with a static address. I also have some internal interfaces for DMZ, LAN, etc. For some servers in the DMZ I added a virtual IP and a 1:1 NAT. Everything works great. But I want to set up a new internal interface which should be routed (with firewall rules). At the static interface this is no problem, I could use a bridge. But what about my PPPoE connection? The connection gets a static IP from the provider and the provider routes some IPs through this connection (2x /27 subnet). Is it possible to build a bridge or route some IPs to another internal interface? The firewall has enough free ports.




  • Well, you would not use an internet routable unless it is routed by your ISPs to one of the WAN addresses. Since you are already using NAT, I would set up 1:1 NAT with the new IP in a different subnet on a new interface.

  • I logged on today to ask the same basic question as BJXYZ. If BJXYZ's issue is anything like mine, 1:1 NAT won't work for everything.

    I'm replacing a ZyWall configured to use 3 subnets. One address from subnet A is configured on my WAN. I use this address for 1:n NAT. Subnets B and C are routed through the WAN address (the one from subnet A). I use subnet B for various 1:1 NAT mappings. Subnet C is routed to my DMZ where I host services that don't play well with NAT. Now I'm looking at replacing the ZyWall with pfSense.

    Is this configuration possible with pfSense?


    You indicate you've used a bridge on one of your WANs. Following the trail of documentation about bridges (starting here: seems to indicate you'll run into a problem when your LAN clients try to access devices on the bridged interface (assuming your LAN clients use NAT). Have you noticed any such problems?

    Regards everyone!

  • You could enable Manual Outbound NAT, delete any auto-generated rules for the DMZ interface and just route subnet C.

  • Thanks Dhatz,

    That's what I was thinking too. I guess it's off to the test lab!
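
The effect of the suggestion above (Manual Outbound NAT with the DMZ rule deleted, so subnet C is only routed) can be checked with a small model. This is an added example, not part of the thread and not pfSense code; the addresses, rule structure and function names are constructed assumptions, and rules are evaluated first match wins.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OutboundRule:
    interface: str               # egress interface the rule is attached to
    source: str                  # source network in CIDR form
    translate_to: Optional[str]  # NAT address, or None for a "do not NAT" rule

# Constructed addressing (RFC 5737 / RFC 1918 ranges), not taken from the thread.
WAN_ADDR = "192.0.2.2"          # the WAN address taken from subnet A
LAN_NET = "192.168.1.0/24"      # private LAN that needs 1:n NAT
DMZ_ROUTED = "198.51.100.0/27"  # public subnet C, routed to the DMZ

# Assumed starting point: one outbound rule per internal interface.
AUTO_STYLE = [
    OutboundRule("wan", LAN_NET, WAN_ADDR),
    OutboundRule("wan", DMZ_ROUTED, WAN_ADDR),
]
# After switching to manual mode and deleting the DMZ rule.
MANUAL = [
    OutboundRule("wan", LAN_NET, WAN_ADDR),
]

def egress_source(rules, interface, src_ip):
    """Return the source address a packet carries after leaving `interface`."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:  # first matching rule decides
        if rule.interface == interface and ip in ipaddress.ip_network(rule.source):
            return rule.translate_to or src_ip
    return src_ip  # no rule matched: packet is routed untranslated

def translated_hosts(rules, interface, routed_net):
    """List hosts of a routed subnet that would still leave with a NAT address."""
    hosts = ipaddress.ip_network(routed_net).hosts()
    return [str(h) for h in hosts
            if egress_source(rules, interface, str(h)) != str(h)]

if __name__ == "__main__":
    for name, rules in (("auto-style", AUTO_STYLE), ("manual", MANUAL)):
        bad = translated_hosts(rules, "wan", DMZ_ROUTED)
        print(f"{name}: {len(bad)} routed DMZ hosts still translated")
        print("  LAN host leaves as", egress_source(rules, "wan", "192.168.1.50"))
```
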
