Starting over, maybe this is the question I should have asked…



  • Here goes…

    What I need to do is set up a pfSense box that has 4 public IPs and DHCP.  We have 5 public IPs total, 1 to the pfSense box, the others are free, and there is no failover to worry about.

    I have the WAN, LAN, and OPT1 interfaces set up on the pfSense server.

    Of the 4 machines I am setting up, 1 is a VoIP server that has to have its IP available to the public and not a NATted IP, 1 is a web server (requires 2 of the available public IPs), and 1 is a data/test server.

    I wanted the VoIP set up on the LAN subnet, and I think that the other 2 servers should be set up on the OPT1 subnet for security reasons, right?  Maybe I am wrong and it does not matter if the web server and data servers are on the LAN?

    I have a separate network to set the pfSense box up on and configure it for testing before I migrate everything over to the network it will be residing on permanently.  Why, you ask?  Because all of the public IPs are already in use and I cannot take the network down long enough to do the changes.  I figured if I pre-configure the pfSense server I could minimize downtime and complaints from developers and users alike.

    Something that I have read over and am still puzzled about is: do I need to use VIPs and 1:1 or can I just set up port forwards?

    I have read confusing posts like "You may be making it more complex than you have to. You don't really NEED VIPs and 1-1 NAT..." in this post http://forum.pfsense.org/index.php?topic=4398 towards the end of the thread, only to read another post saying to use 1:1 NAT in a similar situation, so who is right?

    I need to have at least the VoIP server respond back with its public IP and not the forwarded IP.  The web server or data servers do not matter as much with that.

    Something else: is it possible to set up DHCP on the OPT1 or DMZ?  I figure it is not, and anything on that interface would have to have a public IP.

    Thank you in advance for helping to answer any of my questions…



  • As you referenced my earlier post, I'll clarify a few things:
    To use public IPs other than that of the firewall, you will need to add VIPs.
    Port-forwards are easier to set up, IMO, as you can auto-create the firewall rules while creating the port-forward. Port-forwards are also more flexible in multi-WAN setups. 1-1 NATs have the advantage that you can have the machines pingable, and once the NAT is set up, you only have to worry about adding firewall rules to open new ports. Use whatever you are more comfortable with.
    To address a few things in your post:
    If you want to connect machines with public IPs, you would either want to have a public switch on the WAN side, or bridge your DMZ to the WAN. If you want a NATted DMZ, you could put it on a different private subnet and use VIPs and 1-1 NAT for your servers.
    If you use port-forwards instead of 1-1s, you can set the outbound IP via advanced outbound NAT.
    You can run DHCP on OPT interfaces. If your OPT interface is bridged to the WAN, I don't believe you can run DHCP, but the machines would probably all have static public IPs anyway.



  • dotdash,

    Thank you for clearing things up a bit.

    So if I read and understand everything correctly, I have to 1. set up VIPs for any of my public IP servers, 2. set up 1:1 NAT, 3. add port forward rules, all in that order?



  • If you use 1-1 NAT, then everything is forwarded from the external IP to the internal IP. You just have to open the ports you want in the firewall. If you use port forwards, then you would just add the VIPs, and select the correct external IP from the drop-down when creating the port-forward.
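    The two approaches dotdash describes, written out as the FreeBSD pf rules that roughly correspond to what pfSense builds from the VIP, 1:1 NAT, port-forward and outbound NAT settings. This is an added illustration, not something posted in the thread or taken from pfSense itself; interface names, subnets and the 203.0.113.x public addresses are constructed, and the SIP/RTP ports are assumed for the VoIP server.

    ```pf
    # Added example, not from the thread. All addresses are constructed;
    # 203.0.113.0/24 is a documentation range standing in for the real public block.
    ext_if  = "em0"             # WAN
    dmz_if  = "em2"             # OPT1 (DMZ) on a private subnet behind the firewall
    lan_net = "192.168.1.0/24"
    dmz_net = "192.168.2.0/24"

    voip_pub = "203.0.113.11"   # one of the spare public IPs (a VIP in pfSense terms)
    voip_int = "192.168.2.10"
    web_pub  = "203.0.113.12"
    web_int  = "192.168.2.20"

    # Option A, 1:1 NAT: binat maps the whole public address onto the VoIP server
    # in both directions, so its replies and outbound calls carry $voip_pub.
    binat on $ext_if from $voip_int to any -> $voip_pub

    # Option B, port forward: only the listed ports are redirected to the web server...
    rdr on $ext_if proto tcp from any to $web_pub port { 80, 443 } -> $web_int
    # ...and a separate outbound rule (pfSense: "advanced outbound NAT") makes the
    # web server's own connections leave as $web_pub rather than the firewall's WAN IP.
    nat on $ext_if from $web_int to any -> $web_pub

    # Filter rules are evaluated after translation, so they match the internal
    # addresses. Default deny, then open only what each host actually serves.
    block in log all
    pass out quick keep state

    pass in on $ext_if proto udp from any to $voip_int port 5060 keep state           # SIP (assumed)
    pass in on $ext_if proto udp from any to $voip_int port 10000:20000 keep state    # RTP range (assumed)
    pass in on $ext_if proto tcp from any to $web_int port { 80, 443 } keep state

    # Keeping the web/data servers on OPT1 only pays off if the DMZ cannot reach
    # the LAN. pf uses last-match-wins, so the narrower block below overrides the
    # general pass for LAN-bound traffic.
    pass in on $dmz_if from $dmz_net to any keep state
    block in log on $dmz_if from $dmz_net to $lan_net
    ```

    With 1:1 NAT only the firewall pass rules change when a new service is exposed; with a port forward each new service needs both an rdr entry and a pass rule, which is the trade-off dotdash points out.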

