Multi WAN and single gateway

  • My DSL provider has given me a small subnet (/29) with a couple of IP addresses I can use.  I use static WAN on WAN with the IP and GW they gave me.  That works well.  Now I try to add my second IP using my second interface on WAN2.  WAN1 and WAN2 are two interfaces on pfSense connected to a switch connected to the DSL router.  The second WAN2 interface is configured as static with the second IP, but I cannot select a gateway as the gateway is already defined on WAN1.

    How can I configure pfSense so that I can use multiple public IP addresses but the same gateway to use in NAT / pf rules?

  • You don't really need 2 cables and two interfaces on your pfSense. This can be configured using Virtual IPs and Outbound NAT, with a single interface. Search on the forum, I believe it has been discussed recently.

    Consider that this will not provide any load balancing or failover, since the internet connection is still the same. The only thing you can achieve is getting different services to identify themselves with different public IPs when going to the internet.

  • Thanks for the response.  I get that - only want to use the extra IP for another 443 service as only one can run per IP.  Will try to find the info.

  • I have followed the steps here:,67018.0.html but am running in to a problem.

    I have one LAN that needs to route out through the WAN interface.  So I have two WAN IPs - one physical WAN and the other a Virtual IP.  What I want is traffic targeting WAN1 to NAT through to LAN, and traffic targeting WAN1 Virtual IP 1 to also route through to LAN.  My manual outbound NAT has one rule - to route traffic on LAN out to WAN, but this seems to be the same as the default.  I do not have a 1:1 between a LAN and a WAN I want to keep separate.  I merely want to be able to reuse ports such as 443 on multiple WAN IPs for services, such as two HTTPS web servers on the LAN behind WAN1 IP and WAN1 Virtual IP 1.

    How do I set this up?  No traffic targeting the WAN1 Virtual IP 1 address ever makes it through the firewall.  Not even ping or telnet.

  • You just need to create a NAT port forward on WAN, destination address: the virtual IP, destination port: the outside port (443), redirect target IP: the internal IP of the server, redirect port: the internal port (probably also 443). It should work after that. Outbound NAT rules are not required if you just want this.

    If you also want that server to identify itself with the other public IP when it goes to the internet, you can create an Outbound NAT on WAN, with source IP: the IP of the server, translation IP: the virtual IP. But this is not needed if you just want to provide access on the 443 port on the other IP.
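The port forward on the virtual IP plus the optional outbound NAT described in the answer above, written as the equivalent pf rules. This is an added illustration, not the poster's configuration and not the rule set pfSense itself generates; the interface name, the /29 addresses and the LAN server addresses are assumed and taken from documentation-only ranges.

```pf
# Assumed layout (constructed for this example):
#   WAN interface em0, ISP /29 203.0.113.8/29, ISP gateway 203.0.113.9
#   WAN1 address 203.0.113.10, Virtual IP 203.0.113.11 (same gateway for both)
#   Two HTTPS servers on the LAN: 10.0.0.10 behind WAN1, 10.0.0.11 behind the VIP
ext_if  = "em0"
wan1_ip = "203.0.113.10"
vip_ip  = "203.0.113.11"
lan_net = "10.0.0.0/24"
srv_a   = "10.0.0.10"
srv_b   = "10.0.0.11"

# Port forwards (destination NAT). Port 443 is reused once per public
# address; the public address chooses which internal host receives it.
# "rdr pass" also creates the matching inbound pass rule, so nothing
# else arriving at the VIP is forwarded (which is why ping or telnet
# to the VIP shows nothing until a forward exists).
rdr pass on $ext_if proto tcp from any to $wan1_ip port 443 -> $srv_a port 443
rdr pass on $ext_if proto tcp from any to $vip_ip  port 443 -> $srv_b port 443

# Optional outbound NAT: srv_b presents the VIP when it initiates
# connections. pf uses the first matching nat rule, so the host-specific
# rule must come before the general LAN rule.
nat on $ext_if from $srv_b  to any -> $vip_ip
nat on $ext_if from $lan_net to any -> $wan1_ip
```

The second nat line is the same thing the default automatic outbound NAT already does; only the srv_b line is extra, and only if that server needs to be seen as the VIP outbound.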
