NAT 1:1 Help



  • I've been trying to configure pfSense to pass through a WAN subnet /27 to a LAN subnet /24 with no luck. I am able to ping both the WAN and LAN interfaces, yet when creating the 1:1 NAT as Interface WAN, External Subnet X.X.X.58 /32, Internal Subnet X.X.X.103 /32, and a WAN virtual IP (Proxy ARP) X.X.X.58 /32, it is not passing through. Additionally, my firewall looks completely open.

    Jonathan



  • It's not passing through and it seems to be completely open? Isn't that kind of the opposite? Check your firewall rules and provide more details about them, please.



  • Currently there are two firewall rules

    WAN:

    Proto Source Port Destination Port Gateway Description 
    *      *      *        *        *        *

    LAN:

    Proto Source Port Destination Port Gateway Description 
    *      *      *        *        *        *

    Shouldn't those rules allow everything to pass through either way?



  • If you set it up this way, why do you need a firewall then?

    Here is how it works:

    (Make sure first that your setup runs correctly with one real IP at the WAN interface. I'm confused by all the xxx in your IPs and all the /32 subnets. Do machines on the LAN get out to the internet, and does everything work fine?)

    1. Add a Virtual IP
    If your provider doesn't need ARP replies for the additional IPs, try "Other".
    If your provider needs ARP replies, use Proxy ARP or CARP. With CARP you can easily add a failover machine later.

    2. Create a 1:1 NAT mapping the virtual IP to the internal IP.

    3. Add firewall rules permitting that kind of traffic.
    Keep in mind: NAT is applied first, then the firewall rules.

    Example: you want to have a web server running on a machine inside your LAN and want it reachable via the virtual IP.
    Additional public IP (virtual IP): 123.123.123.123
    LAN IP that is mapped to the additional public IP: 192.168.1.100

    Your firewall rule on the WAN interface has to look like this:
    pass, protocol TCP, source IP any, source port any, destination IP 192.168.1.100, destination port HTTP/80

    Note that your firewall rule doesn't show the external IP address but the internal one that is mapped to the external one.

    Do this for every machine inside your LAN that uses one of your public IPs.
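The ordering point made in the answer above (1:1 NAT rewrites the destination before the WAN rules are evaluated, so the rule must name the internal IP) is easy to get wrong. The following is an added example, not part of the original thread and not pfSense code: a small Python model of the WAN inbound path using the addresses from the answer. It is a deliberately simplified model (first-match semantics, as pfSense's generated "quick" rules behave; only protocol, destination and port are matched), but it shows why a rule written against 123.123.123.123 never matches, why the intended rule only passes tcp/80 to 192.168.1.100, and why the pass-everything WAN rule from the first post exposes every port on the mapped host.

```python
"""Toy model of pf's order of operations on the WAN interface in pfSense:
1:1 NAT (binat) rewrites the destination first, then filter rules are
matched against the *translated* packet. Added example, not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, List

EXTERNAL_IP = ip_address("123.123.123.123")   # virtual IP on WAN (from the answer)
INTERNAL_IP = ip_address("192.168.1.100")     # LAN host mapped 1:1 (from the answer)

# 1:1 mapping for inbound traffic: external -> internal.
BINAT = {EXTERNAL_IP: INTERNAL_IP}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A WAN 'pass in' rule. None means 'any' (the '*' shown in the pfSense GUI)."""
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or ip_address(self.dst) == ip_address(pkt.dst))
                and (self.dport is None or self.dport == pkt.dport))


def translate_inbound(pkt: Packet) -> Packet:
    """Apply 1:1 NAT to an inbound WAN packet; unchanged if no mapping exists."""
    dst = ip_address(pkt.dst)
    if dst in BINAT:
        return Packet(pkt.proto, pkt.src, str(BINAT[dst]), pkt.dport)
    return pkt


def wan_inbound(pkt: Packet, rules: List[Rule]) -> bool:
    """NAT first, then filter. First matching rule wins; no match means blocked
    (the implicit default deny on WAN)."""
    translated = translate_inbound(pkt)
    return any(rule.matches(translated) for rule in rules)


# Three WAN rulesets (constructed for this example):
PASS_EVERYTHING = [Rule()]                                  # the '* * * * * *' rule from the first post
RULE_ON_EXTERNAL_IP = [Rule("tcp", "123.123.123.123", 80)]  # the common mistake
RULE_ON_INTERNAL_IP = [Rule("tcp", "192.168.1.100", 80)]    # the rule the answer describes

# Constructed sample traffic arriving on WAN for the public IP.
HTTP_FROM_INTERNET = Packet("tcp", "198.51.100.7", "123.123.123.123", 80)
SSH_FROM_INTERNET = Packet("tcp", "198.51.100.7", "123.123.123.123", 22)


def evaluate() -> dict:
    """Return what each ruleset does with HTTP and SSH aimed at the virtual IP."""
    return {
        "external_ip_rule_passes_http": wan_inbound(HTTP_FROM_INTERNET, RULE_ON_EXTERNAL_IP),
        "internal_ip_rule_passes_http": wan_inbound(HTTP_FROM_INTERNET, RULE_ON_INTERNAL_IP),
        "internal_ip_rule_passes_ssh": wan_inbound(SSH_FROM_INTERNET, RULE_ON_INTERNAL_IP),
        "pass_everything_passes_ssh": wan_inbound(SSH_FROM_INTERNET, PASS_EVERYTHING),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name}: {'pass' if allowed else 'block'}")
```

Running it shows the rule written against the external IP blocking the very traffic it was meant to allow, the rule against 192.168.1.100 passing only HTTP, and the pass-everything rule letting SSH (and anything else) reach the mapped LAN host, which is what "my firewall looks completely open" amounts to once the 1:1 mapping is in place.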


Locked