Public IPs routed to server through two pfSense gateways?!?

  • Bit of an oddity here: our network is soon to be upgraded with a new replacement gateway that would easily handle this in one unit, but for the moment I'm needing to have a server behind two pfSense gateways route to a public-facing IP given to us by our ISP.

    So for a bit of the visual:

    Public IP range assigned by ISP > pfSense GW01 > pfSense GW02 > Server

    x.x.x.x                      >      >  > Server

    So far I've done the following:

    Added the public IPs into GW01's pfSense as Virtual IPs,
    Created a 1:1 NAT from GW01 > GW02 (using one of said public IPs),
    Created firewall rules on GW01 and GW02 to allow access to the interface from WAN (testing purposes, to be disabled later).

    I can successfully log into GW02 using the public IP entered into GW01's NAT mapping and such, but I'm just all sorts of confused on what step I would take next to pass this on to the server. GW01 acts as the primary gateway of the entire building's network, while GW02 would be powering a server rack. At the moment I only need to forward one IP for a controller server, but eventually there would likely be the need to forward more in a similar manner for other servers hosted in the same rack under GW02.

  • I guess you just repeat similar stuff on GW02. Make VIPs for some IPs in that middle subnet and GW01 will be forwarding to those, then forward those onward on GW02 to the server(s) behind GW02.
    Firewall rules will need to be for the appropriate destination IP address at each stage, as the concerned router sees the packets after NAT.
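As an added illustration of the reply's point (not code from either poster), the following models the two-stage 1:1 NAT and shows the destination each gateway's WAN rules must match; all addresses are constructed placeholders standing in for the real public, middle-subnet and server IPs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample addressing (placeholders, not from the thread).
PUBLIC_IP = IPv4Address("203.0.113.10")  # ISP-assigned public IP, a VIP on GW01
MIDDLE_IP = IPv4Address("192.168.1.10")  # VIP on GW02's WAN, in the GW01<->GW02 subnet
SERVER_IP = IPv4Address("10.10.0.10")    # server behind GW02


@dataclass
class Gateway:
    name: str
    onetoone: dict      # 1:1 NAT mappings: external address -> internal address
    wan_pass_dst: set   # destination addresses the WAN pass rules match

    def inbound(self, dst):
        # 1:1 NAT rewrites the destination before the WAN rules are evaluated,
        # so the pass rule must name the translated (internal) address.
        translated = self.onetoone.get(dst, dst)
        if translated not in self.wan_pass_dst:
            raise PermissionError(f"{self.name}: no WAN rule for post-NAT dst {translated}")
        return translated

    def outbound_reply(self, src):
        # 1:1 NAT is bidirectional: replies leave with the external address.
        reverse = {internal: external for external, internal in self.onetoone.items()}
        return reverse.get(src, src)


def trace_inbound(dst, gateways):
    """Destination address as seen at each hop, ending at the server."""
    hops = [dst]
    for gw in gateways:
        dst = gw.inbound(dst)
        hops.append(dst)
    return hops


def trace_reply(src, gateways):
    """Source address of the server's reply as it leaves each gateway."""
    hops = [src]
    for gw in reversed(gateways):
        src = gw.outbound_reply(src)
        hops.append(src)
    return hops


def is_reachable(dst, gateways):
    try:
        trace_inbound(dst, gateways)
        return True
    except PermissionError:
        return False


GW01 = Gateway("GW01", {PUBLIC_IP: MIDDLE_IP}, {MIDDLE_IP})
GW02 = Gateway("GW02", {MIDDLE_IP: SERVER_IP}, {SERVER_IP})
# Common mistake: GW02 rule written for the pre-NAT address instead of the server.
GW02_WRONG = Gateway("GW02", {MIDDLE_IP: SERVER_IP}, {MIDDLE_IP})
```

Adding a second server means one more public VIP on GW01, one more middle-subnet VIP on GW02, and a matching pair of 1:1 entries plus post-NAT pass rules.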

