Netgate Discussion Forum

    Setting Up pfSense with multiple static IPs

    • danmeek

      I know nearly nothing about Linux or pfSense but have inherited this problem.

      I get a block of static IPs from my ISP, say 99.99.99.1 through 16, with 99.99.99.1 as the gateway. The pfSense GUI says it is set to gateway of 99.99.99.1 and WAN of 99.99.99.2.

      I have 2 Windows computers. For complicated reasons, each one has its own static IP: 99.99.99.3, 99.99.99.4, and 99.99.99.5. The Windows computers are not connected directly to the ISP but are connected to a NIC on the Linux box that is running pfSense. Should the gateway for each of these computers be set to 99.99.99.1 or to 99.99.99.2?

      • zikmen

        I'm not sure I'm right, but your specific workstations that need a direct pass-through IP address will usually be because you're hosting some application on them that needs to be "outside" the network. But shouldn't the right way of doing this be keeping those machines inside the network and port forwarding to the workstations?

        Also, I have never had to use multiple IP addresses supplied as a block from the same ISP, but I would give it a try using VLANs assigned on the WAN NIC and giving a static IP to those interfaces. After that, I would suppose it will be a NAT job that would turn around the "Outbound" tab in the NAT.

        I don't know if it's possible to map, let's say, two ports from two different "WAN" interfaces to, let's say, the same host on the "LAN" interface. I'm sure it could be possible but I have never had to play with that yet.

        Does that make sense?

        Zikmen

        Thanks,
        Tommy

        • danmeek

          Thanks for trying, but I do not understand any of that. My one question is whether each of the computers should be using 99.99.99.1 or 99.99.99.2 as the gateway.

          • Nobbie

            You cannot have the same IP address range inside (LAN) and outside (WAN). You can either port forward from your WAN to an internal IP address or, if you're running the same services on different public addresses, then you can do 1:1 NAT. 1:1 NAT means that you forward a specific WAN IP address to a specific LAN IP address. To be able to configure 1:1 NAT you must FIRST tell pfSense about the additional IP addresses on the WAN. Go to Firewall > Virtual IPs to configure these additional addresses. You must do this FIRST so you can forward the specific IPs to the specific internal LAN IPs. It would be a good idea to set the internal machines with static addresses as well to avoid issues if they change. In either case your LAN computers will be using the LAN IP address as the gateway, which by default is 192.168.1.1.

            NAT

            (WAN) ------- (LAN) 192.168.1.1 ------- Port Forward (80, 21)  -------> LAN PC (192.168.1.100)
                                                    Port Forward (25, 143) -------> LAN PC (192.168.1.101)

            1:1 NAT

            (WAN)---------99.99.99.2----1:1 NAT------------->  192.168.1.100  (In this scenario ALL ports will be forwarded to the target machine. It would be like this machine was directly exposed to the internet)
            (WAN)---------99.99.99.3----1:1 NAT------------->  192.168.1.101

            You can also NAT from a specific WAN IP address by selecting that IP from the Destination option when you create your mapping. Again, this can only be done AFTER you create your virtual IPs.

            • Derelict LAYER 8 Netgate

              What information, exactly, was given to you by your ISP? Obfuscate the high octets if you must but use real numbers for anything longer than the subnet mask. What did they tell you was the subnet? What did they tell you was the gateway, etc.?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • danmeek

                pfSense has been working for years for me without NAT translation. It is in some sort of bridge mode. I do not have any internal LAN IPs. The GUI says the LAN is "Bridge with WAN." I do not have any virtual IPs.

                My ISP says (not real numbers, except the subnet mask):

                gateway = 50.252.22.1
                subnet = 255.255.255.240
                block of ips = 50.252.22.2 to 50.252.22.23

                • johnpoz LAYER 8 Global Moderator

                  If you're "bridging" then the gateway would be your ISP.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • Derelict LAYER 8 Netgate

                    WAN Address: 50.252.22.2
                    WAN Netmask: 255.255.255.240
                    Gateway: 50.252.22.1

                    Create Virtual IPs (Firewall > Virtual IPs) for .3 through .23.  You can use those virtual IPs for outbound NAT, port forwards, and 1:1.


                    • johnpoz LAYER 8 Global Moderator

                      "The GUI says the LAN is "Bridge with WAN."  I do not have any virtual IPs."

                      Not sure why "wan" would have an IP on it then - the bridge should have the IP in your range so you can access it. I personally would never set it up this way. But sure, it can work - just confused why you're asking in the first place if it's currently set up and working?


                      • Derelict LAYER 8 Netgate

                        Then, yes. Create a bridge including the interface connected to the WAN device and the other. Assign no IPs to the bridge members, assign pfSense WAN to BRIDGE0 and put the above config on WAN. Then you can assign the other IPs (with the same netmask and gateway) to any other nodes on the bridge (or use them as VIPs).


                        • jahonix

                          This document might help you with your filtering bridge setup:
                          Transparent Firewall/Filtering Bridge

                          Found with the search function of this forum.
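
Before giving bridge nodes or virtual IPs "the same netmask and gateway" as the firewall, it is worth checking that every address in the ISP block really sits on the WAN subnet; an address outside it, or on the broadcast address, will not reach the gateway. The following is an added example, not code from any poster or from pfSense: `classify_block` and `summarize` are hypothetical helper names, and the input is the placeholder figures quoted in the thread (danmeek notes only the subnet mask is real).

```python
import ipaddress

def classify_block(wan_ip, netmask, gateway, candidates):
    """Return [(address, status)] for each candidate relative to the WAN subnet."""
    net = ipaddress.ip_interface(f"{wan_ip}/{netmask}").network
    fw = ipaddress.ip_address(wan_ip)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        # A gateway outside the interface subnet is never reachable on-link.
        raise ValueError(f"gateway {gw} is not on-link for {net}")
    seen, out = set(), []
    for text in candidates:
        addr = ipaddress.ip_address(text)
        if addr in seen:
            status = "duplicate"
        elif addr not in net:
            status = "off-subnet"      # mask does not cover this address
        elif addr == net.network_address:
            status = "network"
        elif addr == net.broadcast_address:
            status = "broadcast"
        elif addr == gw:
            status = "gateway"         # would collide with the ISP router
        elif addr == fw:
            status = "firewall"        # already used as the WAN address
        else:
            status = "usable"
        seen.add(addr)
        out.append((str(addr), status))
    return out

def summarize(rows):
    """Count how many candidates fall into each status."""
    counts = {}
    for _, status in rows:
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed input: placeholder WAN settings and the .3 through .23 range from the thread.
SAMPLE = classify_block("50.252.22.2", "255.255.255.240", "50.252.22.1",
                        [f"50.252.22.{n}" for n in range(3, 24)])

if __name__ == "__main__":
    for addr, status in SAMPLE:
        print(f"{addr:<14} {status}")
    print(summarize(SAMPLE))
```

With these placeholder figures the 255.255.255.240 mask covers hosts .1 through .14 only, so the real block and mask from the ISP should be run through the same check before any address is assigned.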

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.