How to generate static ip's on pfsense?


  • Hi,
    Got four internet connections, all with static ip, all connected on pfsense load balancer.
    Pf sense gives ip to clients. All normal so far.I need to be able to give clients static ip.
    That means to have a certain client take internet only from one of any connection above and not random as per load balancer.
    Help please!!
    Thank you in advance for your help

  • Netgate Administrator

    Use policy routing to specify a gateway for each static LAN IP.

    http://doc.pfsense.org/index.php/What_is_policy_routing%3F

    Steve


  • @stephenw10:

    Use policy routing to specify a gateway for each static LAN IP.

    http://doc.pfsense.org/index.php/What_is_policy_routing%3F

    Steve

    Thank you Steve. I try it several times.Maybe I do something wrong.
    I go Firewall/ rules.
    The which top tab I have to choose? Floating/WAN/LAN/OPT1/OPT2/OPT3 ?
    Thank you

  • Netgate Administrator

    Say you have a client machine on LAN. You assign your client a static DHCP based on it's MAC, say, 192.168.1.50. This assumes your LAN interface is still on 192.168.1.1/24.

    You need to add a firewall rule on the LAN interface above the 'default allow all' rule:

    Source: 192.168.1.50, Destination: any, Gateway: (whichever gateway you want).

    Steve


  • @stephenw10:

    Say you have a client machine on LAN. You assign your client a static DHCP based on it's MAC, say, 192.168.1.50. This assumes your LAN interface is still on 192.168.1.1/24.

    You need to add a firewall rule on the LAN interface above the 'default allow all' rule:

    Source: 192.168.1.50, Destination: any, Gateway: (whichever gateway you want).

    Steve

    That's what I did. But not sure on source, on type, what category I have to choose?
    After this when i do speed test on client machine, which will show me the external ip address, everytime I have a different external ip chosen random from 4 gateways I have.
    Nornally after aplying the rule it should show me only one gateway right? the one that i specify on the firewall rule.But doesn't. Something I do wrong on this rule!

  • Netgate Administrator

    Can you post screen shots of your rules?

    The other sections of the rule should probably be left as 'any' unless you want to narrow down the range further.
    It sounds like your rule is not catching the traffic for some reason and instead it's being caught by the load balancing rule further down the list.

    Steve

    Edit: Here's an example.

    ![policy route rules.jpg](/public/imported_attachments/1/policy route rules.jpg)
    ![policy route rules.jpg_thumb](/public/imported_attachments/1/policy route rules.jpg_thumb)


  • @stephenw10:

    Can you post screen shots of your rules?

    The other sections of the rule should probably be left as 'any' unless you want to narrow down the range further.
    It sounds like your rule is not catching the traffic for some reason and instead it's being caught by the load balancing rule further down the list.

    Steve

    Edit: Here's an example.

    Here what I did so far. I tried it on different ip.

    ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)
    ![firewall rules.jpg_thumb](/public/imported_attachments/1/firewall rules.jpg_thumb)



  • Netgate Administrator

    Your screen shots are too small, I can't really read anything from them.
    However I can just barely see that you have one routed TCP connections. Anyother protocol will not be caugh by those rules and will hit the load balancer.

    Steve


  • @stephenw10:

    Your screen shots are too small, I can't really read anything from them.
    However I can just barely see that you have one routed TCP connections. Anyother protocol will not be caugh by those rules and will hit the load balancer.

    Steve

    Sorry Steve. i will resend one by one



  • @stephenw10:

    Your screen shots are too small, I can't really read anything from them.
    However I can just barely see that you have one routed TCP connections. Anyother protocol will not be caugh by those rules and will hit the load balancer.

    Steve

    part2



  • @stephenw10:

    Your screen shots are too small, I can't really read anything from them.
    However I can just barely see that you have one routed TCP connections. Anyother protocol will not be caugh by those rules and will hit the load balancer.

    Steve

    part 3

    ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)
    ![firewall rules.jpg_thumb](/public/imported_attachments/1/firewall rules.jpg_thumb)


  • @stephenw10:

    Your screen shots are too small, I can't really read anything from them.
    However I can just barely see that you have one routed TCP connections. Anyother protocol will not be caugh by those rules and will hit the load balancer.

    Steve

    Theese TCP are just trials that I did. I can delete them all.
    So you mean that I can have a such rule just once? only for one Ip?

  • Netgate Administrator

    @stephenw10:

    you have one routed TCP connections

    Sorry, that was a typo. I meant only routed TCP connections.
    Your firewall rules look correct. Assuming they are on the correct interface they should be routing those IPs via the specified gateway.
    Is that not happening?

    Steve

    Edit: One thing that looks a bit odd is that you are using 20.0.0.* for your LAN. This is not private address space but you seem to be using it as such.


  • @stephenw10:

    @stephenw10:

    you have one routed TCP connections

    Sorry, that was a typo. I meant only routed TCP connections.
    Your firewall rules look correct. Assuming they are on the correct interface they should be routing those IPs via the specified gateway.
    Is that not happening?

    Steve

    Edit: One thing that looks a bit odd is that you are using 20.0.0.* for your LAN. This is not private address space but you seem to be using it as such.

    there is only one interface that is used for dhcp, and that is lan.
    The static ip will be used for a cctv system/dvr so it can be accessed anywhere from internet. So is needed that the client to get always the same gateway.
    Still when I do several speed test on client machine, I have different gateways coming up each time. Drives me crazy. Something is wrong there…

  • Netgate Administrator

    What speedtest are you using?
    Speedtest.net uses only http and hence tcp connections so should be good.
    Try changing the protocol to 'any' in your rules.

    Do you have any floating rules?

    If you need it to use only one gateway only because you want it to be accessible from the internet then it doesn't matter.
    All external clients will only come in via a single gateway and the replies will always go out via the same gatway since the connection is already in place.

    Steve


  • @stephenw10:

    What speedtest are you using?
    Speedtest.net uses only http and hence tcp connections so should be good.
    Try changing the protocol to 'any' in your rules.

    Do you have any floating rules?

    If you need it to use only one gateway only because you want it to be accessible from the internet then it doesn't matter.
    All external clients will only come in via a single gateway and the replies will always go out via the same gatway since the connection is already in place.

    Steve

    I use also speedtest.net..
    No floating rules.
    I need only one gateway only for one specific client.If gateway changes for that client is not good for me.
    But still doesn't work.
    I need all 4 gateways for the rest of clients so I'll have to have them all connected.
    Drives me crazy this. Actually looks so simple, but it doesn't work! Somewhere we are wrong..

  • Netgate Administrator

    Just to be sure are you talking about outbound loadbalancing? Reading back through the thread it's unclear.

    Did you understand what I said about outbound loadbalancing not affecting services from the internet?

    Have you set and manual outbound NAT rules?

    You never said why you are using 20.0.0.* for you LAN.  :-\

    Steve


  • @stephenw10:

    Just to be sure are you talking about outbound loadbalancing? Reading back through the thread it's unclear.

    Did you understand what I said about outbound loadbalancing not affecting services from the internet?

    Have you set and manual outbound NAT rules?

    You never said why you are using 20.0.0.* for you LAN.  :-\

    Steve

    Sorry Steve being a pain for you..
    Yes I use the server as a load-balancer.
    We are a small internet provider company.So we use it to loadbalance four static internet connections.
    I have some clients need static ip for accessing their CCTV system from internet. For this I need a static ip for each
    one of them. I don't know if there is a way around it.
    I am not an expert on pfsense so excuse if I may not understand some of your questions.
    Thank you anyway for your ongoing help..
    NAT outbound is set as automatic.

  • Netgate Administrator

    Hmm, I don't know why that isn't working. I use an almost identical setup at home and it works no problem. Did you change the protocol to 'any'?

    How do you have external access setup to the CCTV system?
    You would normally use port-forwarding on one WAN to do it. In that situation The URL on which external clients connect to the CCTV box will only ever point to one WAN. It should not make any difference to external clients even if you can't use policy based routing.

    And the reason you're using 20.0.0.* is…..?

    Steve