NAT public IP to DHCP on VLAN

  • I have pfsense 2.0.3 with WAN /24, DMZ (bridged with WAN) and OPT1 (Internet Customers)

    I want to give every customer a public IP, so when they are surfing they should use that IP and not the one I have given the firewall.

    The customers have there own VLAN with there own DHCP-server (on my pfsense).
    Is it possible to NAT 1:1 or something, one public IP to the DHCP server?

    I tested to create a VIP (IP alias) with one public ip, then created a NAT 1:1 to the vlan subnet. this resulted in failure as all the servers on DMZ stopped receiving traffic (I believe that the subnet range took every WAN ip and made it NAT to the vlan subnet).. then I changed it to a single host and entered the DHCP server gateway (, but that did nothing.

  • Why not just disable NAT completely, and just use a straight routed connection. Have your DHCP server hand out the public addresses to clients, and no need at all for NAT.

  • Thats not really what Im looking for, why I use Vlan and separated dchp is that all customers should not share the same network. And if a customer wants to have the internet access on more then one ethernet port in the office we can connect them to the same VLAN even if the ports are in different buildings.

    For example we have one customer that has 10 ethernet ports in the office, they should share one public IP they want to connect all the computers directly to the ports. (the ports are already installed by us and they dont want to install there own network).
    Then we have one that only needs one port.

    This all might be complicated, but thats how we have it today.
    at the moment we have a fysical dchp server for each, but that is not what we want to have when pfsense can do DHCP on each VLAN on its own.

  • Cmon guys, help me with this.

    NAT or no NAT there must be a way to get a public IP connected with a DHCP-server inside PFs
    Why should every one connected to the firewall need to go on the internet through the firewall IP? why cant I have separated IPs for each DHCP-server inside PF? is it a standard limit of some sort on this?

    All I want in the end is to have all our dhcp servers inside pfsense with unique public IP on each.
    Problems we would have with it right now is that some customers have their IPs white listed on some external systems etc, if everyone connects to the internet with the same firewall IP then allot of unauthorised people can connect to those systems. =BAD

    It is pretty useless to have it like we have it right now with one external server just for acting DCHP for each customer, there is alot single points of failure and alot of hardware to handle.

  • Banned

    I seriously do not understand what are you doing there… Sounds like you want a router, not a firewall in the first place. Also sounds like the DHCP is a totally redundant part of the chain there; and I'm afraid "why cant I have separated IPs for each DHCP-server inside PF" does make little sense to me.

  • I think he wants to set up VLAN and 1:1 NAT many seperate public IPs to seperate VLANs but, like you, I have no idea because the terminology being used.  Seems like he wants to get a bunch of different clients all on separate public IPs and not able to see into each others connections, but I'm guessing because…  Lack of a drawing of how he wants his network to look.
    I think he wants a router at the other side of a 1:1 NAT via pfsense to see its public IP on its WAN.

  • Banned


    I think he wants a router at the other side of a 1:1 NAT via pfsense to see its public IP on its WAN.

    Not even sure there's any router on the other side of the VLANs or whatnot… Then again, what's this thing with DHCP there... Why'd you want to use DHCP for a single public IP "range". You set that up statically on the router and move on. Maybe reading this would be a good start...

  • haha.  I wouldn't suggest that what he is asking for is possible.  Just that he is asking for it.

  • Okej. lets see if I can explain.

    In the pfsense there is WAN, DMZ, LAN, OPT1 (OPT1 is the interface that we use dedicated to our customers who needs internet connection, each on separated VLANS)
    All works fine for DMZ and LAN.

    So now the customers, these are customers who need internet connection, each has its own VLAN on OPT1.
    In the building we have alot of ethernet ports in each office, and is connected via a switch with VLANs, if the customer has the need for 10 ports we set these ports to that VLAN the customer is assigned.

    One customer has 10 ports and because that customer does not want to administrate a router etc in house, we offer that instead (I have described bad earlier, this customer has a dedicated router with a public IP and with DHCP, this router is at the moment connected via DMZ as thats the only way to give them a dedicated IP at the moment).

    What we want is to remove this dedicated router hardware and merge it with pfsense and into OPT1.
    But what ever I try the users connected directly to pfsense via a VLAN on OPT1 uses the firewalls IP.

    I have not made a drawing, so Im open for examples how I can do it.

    The customers get a or whatever internal IP range. not a dhcp of 1 public IP. The traffic should route through to the public IP I assign the customer.

  • This sounds quite simple - there is a VLAN interface for each customer, which has a subnet and DHCP range, e.g.
    You want the outbound NAT for each VLAN to go to a particular public IP, so use Manual Outbound NAT. When you change from automatic to manual outbound NAT, pfSense will put all the default automatic rules into the manual list. It should just be a matter of changing the target public IP for the rules of each VLAN to be the unique public IP that you want.
    If required, you can also do port forwards for customers, that is the other direction, where connects are coming from the internet and need to go in to a server on the customer network. If it is needed it should be no problem to define.
    And prevent customer VLANs from routing to each other - e.g. on VLAN11, block source *, destination (easy to block the whole internal super-net range in 1 go, or use an alias…) - that example will also block access to the WebGUI from VLAN11, you might want that anyway, or you might want a rule before that allows traffic to VLAN11address...

  • See - possibilities emerge.  I figured someone would have an angle on it.
    I've never tried anything like this.  This is getting into "How to be your own ISP" territory.

  • phil.davis! YOUR THE MAN!!
    You just saved me alot of hair ;)

    Now they get their own public IP, exactly how I wanted it to be.

Log in to reply