Setting Up pfSense with multiple static IPs



  • I know nearly nothing about Linux or pfSense but have inherited this problem.

    I get a block of static IPs from my ISP, say 99.99.99.1 through 16, with 99.99.99.1 as the gateway.  The pfSense GUI says it is set to a gateway of 99.99.99.1 and a WAN of 99.99.99.2.

    I have 2 Windows computers.  For complicated reasons, each one has its own static IP:  99.99.99.3, 99.99.99.4, and 99.99.99.5.  The Windows computers are not connected directly to the ISP but are connected to a NIC on the Linux box that is running pfSense.  Should the gateway for each of these computers be set to 99.99.99.1 or to 99.99.99.2?



  • I'm not sure I'm right, but your specific workstations that need a direct pass-through IP address will usually be that way because you're hosting some application on them that needs to be "outside" the network. But shouldn't the right way of doing this be to keep those machines inside the network and port forward to the workstations?

    Also, I never had to use multiple IP addresses supplied as a block from the same ISP, but I would give it a try using VLANs assigned on the WAN NIC and giving a static IP to those interfaces. After that, I would suppose it will be a NATing job that revolves around the "Outbound" tab in NAT.

    I don't know if it's possible to map, let's say, two ports from two different "WAN" interfaces to, let's say, the same host on the "LAN" interface. I'm sure it could be possible, but I never had to play with that yet.

    Does that make sense?

    Zikmen



  • Thanks for trying, but I do not understand any of that.  My one question is whether each of the computers should be using 99.99.99.1 or 99.99.99.2 as the gateway.



  • You cannot have the same IP address range inside (LAN) and outside (WAN). You can either port forward from your WAN to an internal IP address or, if you're running the same services on different public addresses, then you can do 1:1 NAT.  1:1 NAT means that you forward a specific WAN IP address to a specific LAN IP address. To be able to configure 1:1 NAT you must FIRST tell pfSense about the additional IP addresses on the WAN. Go to Firewall > Virtual IPs to configure these additional addresses. You must do this FIRST so you can forward the specific IPs to the specific internal LAN IPs. It would be a good idea to set the internal machines with static addresses as well to avoid issues if they change.  In either case your LAN computers will be using the LAN IP address as the gateway, which by default is 192.168.1.1

    NAT

    (WAN) ------- (LAN) 192.168.1.1 -------------Port Forward (80, 21) -------------------------->LAN PC (192.168.1.100)
                                                                      Port Forward (25, 143)------------------------->LAN PC (192.168.1.101)

    1:1 NAT

    (WAN)---------99.99.99.2----1:1 NAT------------->  192.168.1.100  (In this scenario ALL ports will be forwarded to the target machine. It would be like this machine was directly exposed to the internet)
    (WAN)---------99.99.99.3----1:1 NAT------------->  192.168.1.101

    You can also NAT from a specific WAN IP address by selecting that IP from the Destination option when you create your mapping. Again, this can only be done AFTER you create your virtual IPs.


  • LAYER 8 Netgate

    What information, exactly, was given to you by your ISP?  Obfuscate the high octets if you must, but use real numbers for anything longer than the subnet mask.  What did they tell you was the subnet?  What did they tell you was the gateway, etc.?



  • pfSense has been working for years for me without NAT translation.  It is in some sort of bridge mode.  I do not have any internal LAN IPs.  The GUI says the LAN is "Bridge with WAN."  I do not have any virtual IPs.

    My ISP says (not real numbers, except the subnet mask):

    gateway = 50.252.22.1
    subnet = 255.255.255.240
    block of ips = 50.252.22.2 to 50.252.22.23


  • LAYER 8 Global Moderator

    If you're "bridging" then the gateway would be your ISP..


  • LAYER 8 Netgate

    WAN Address: 50.252.22.2
    WAN Netmask: 255.255.255.240
    Gateway: 50.252.22.1

    Create Virtual IPs (Firewall > Virtual IPs) for .3 through .23.  You can use those virtual IPs for outbound NAT, port forwards, and 1:1.
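The two pieces of advice above (define the extra public addresses as Virtual IPs first, then build port forwards or 1:1 NAT on top of them) are easy to get wrong by hand, so here is an added sanity-check script. It is not code from pfSense or from anyone in this thread; it uses only the Python standard library and models the rules as plain data rather than touching a pfSense config. The addresses are the ones quoted in the thread (the poster says they are obfuscated); the LAN hosts, VIP list and NAT rules in the demo are constructed. With a 255.255.255.240 mask the quoted block .2 to .23 cannot fit in one subnet, and the script reports exactly which addresses fall outside it, which is the kind of thing worth confirming with the ISP before creating VIPs.

```python
"""Sanity checks for a pfSense WAN with a block of public addresses.

Added example, not pfSense project code. Assumptions: the ISP gives one
subnet (WAN address + netmask + gateway); extra public addresses become
Virtual IPs; port forwards and 1:1 NAT may only reference the WAN address
or a Virtual IP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def isp_subnet(wan_address: str, netmask: str, gateway: str) -> IPv4Network:
    """Subnet implied by the WAN address and mask; the gateway must live inside it."""
    net = IPv4Interface(f"{wan_address}/{netmask}").network
    if IPv4Address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    return net


def virtual_ip_candidates(wan_address: str, netmask: str, gateway: str) -> list[str]:
    """Host addresses available as Virtual IPs: everything except the gateway
    and the address already assigned to the WAN interface."""
    net = isp_subnet(wan_address, netmask, gateway)
    taken = {IPv4Address(wan_address), IPv4Address(gateway)}
    return [str(h) for h in net.hosts() if h not in taken]


def outside_subnet(wan_address: str, netmask: str, gateway: str,
                   first: str, last: str) -> list[str]:
    """Addresses of a quoted 'block of IPs' that the mask cannot actually cover."""
    net = isp_subnet(wan_address, netmask, gateway)
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1) if IPv4Address(i) not in net]


@dataclass(frozen=True)
class PortForward:
    wan_ip: str
    proto: str
    port: int
    lan_ip: str


@dataclass(frozen=True)
class OneToOne:
    wan_ip: str
    lan_ip: str


def validate_nat(wan_address: str, vips: list[str],
                 forwards: list[PortForward], one_to_ones: list[OneToOne]) -> list[str]:
    """Return the problems an admin would want to catch before saving NAT rules."""
    known = {str(IPv4Address(a)) for a in (wan_address, *vips)}
    problems: list[str] = []
    seen: dict[tuple[str, str, int], str] = {}
    for pf in forwards:
        if pf.wan_ip not in known:
            problems.append(f"port forward {pf.wan_ip}:{pf.port}/{pf.proto} -> {pf.lan_ip}: "
                            f"{pf.wan_ip} is neither the WAN address nor a Virtual IP; create the VIP first")
        key = (pf.wan_ip, pf.proto, pf.port)
        if key in seen:   # same public socket cannot go to two LAN hosts
            problems.append(f"port forward {pf.wan_ip}:{pf.port}/{pf.proto} already goes to "
                            f"{seen[key]}; it cannot also go to {pf.lan_ip}")
        else:
            seen[key] = pf.lan_ip
    mapped: dict[str, str] = {}
    for m in one_to_ones:
        if m.wan_ip not in known:
            problems.append(f"1:1 NAT {m.wan_ip} -> {m.lan_ip}: {m.wan_ip} is not a Virtual IP; create it first")
        if m.wan_ip in mapped:
            problems.append(f"1:1 NAT: {m.wan_ip} is already mapped to {mapped[m.wan_ip]}")
        else:
            mapped[m.wan_ip] = m.lan_ip
        for pf in forwards:   # a 1:1 mapping covers every port, so a forward on the same IP overlaps it
            if pf.wan_ip == m.wan_ip:
                problems.append(f"1:1 NAT {m.wan_ip} -> {m.lan_ip} covers all ports, yet a port forward also "
                                f"uses {m.wan_ip}:{pf.port}/{pf.proto}; confirm the intended precedence")
    return problems


if __name__ == "__main__":
    wan, mask, gw = "50.252.22.2", "255.255.255.240", "50.252.22.1"   # as quoted in the thread
    print("VIP candidates:", virtual_ip_candidates(wan, mask, gw))
    print("outside the mask:", outside_subnet(wan, mask, gw, "50.252.22.2", "50.252.22.23"))
    # Constructed rule set with three deliberate mistakes.
    rules = [PortForward("50.252.22.3", "tcp", 80, "192.168.1.100"),
             PortForward("50.252.22.3", "tcp", 80, "192.168.1.101"),
             PortForward("50.252.22.5", "tcp", 25, "192.168.1.101"),
             PortForward("50.252.22.4", "tcp", 443, "192.168.1.100")]
    for p in validate_nat(wan, ["50.252.22.3", "50.252.22.4"], rules,
                          [OneToOne("50.252.22.4", "192.168.1.101")]):
        print("PROBLEM:", p)
```

Run it as-is to see the VIP candidates (.3 through .14 for a /28), the eight quoted addresses that fall outside that mask, and the three rule conflicts in the constructed example; replace the constants with your own ISP values and planned rules to check a real layout.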


  • LAYER 8 Global Moderator

    "The GUI says the LAN is "Bridge with WAN."  I do not have any virtual IPs."

    Not sure why "wan" would have an IP on it then - The bridge should have the IP in your range so you can access it..  I personally would never set it up this way..  But sure it can work - just confused why you're asking in the first place if it's currently set up and working?


  • LAYER 8 Netgate

    Then, yes.  Create a bridge including the interface connected to the WAN device and the other.  Assign no IPs to the bridge members, assign pfSense WAN to BRIDGE0 and put the above config on WAN.  Then you can assign the other IPs (with the same netmask and gateway) to any other nodes on the bridge (or use them as VIPs).



  • This document might help you with your filtering bridge setup:
    Transparent Firewall/Filtering Bridge

    Found with the search function of this forum.

