Static public IP on LAN client



  • Is it possible to have an external IP on the LAN side for a client machine?
    If yes, a small howto would be appreciated.

    Thanks



  • I'm not sure why you want to put an external IP address on an internal NIC. Perhaps it would help if you could explain what you're trying to do.


  • If you don't have a separate interface and at least /29 for this (plus at least /30 for your WAN), forget about it. Configure 1:1 NAT and move on.



  • I've got 2 /24 blocks on the WAN side and multiple NICs.

    Now how would I go about doing this? It can't be that much of a secret...

    The reason for this is I have a bunch of houses on an island with WiFi CPEs, and these people like to have a public IP and the CPE set to router mode so they can port forward their stuff.


  • In a nutshell:

    • Take one of the /24s, put it on some OPT interface
    • Now, go to outbound NAT configuration, switch either to Manual Outbound NAT, or to Hybrid NAT on 2.2.x (much better) and click Save.
    • Now, you'll see a bunch of rules shown. Locate the NAT rule for your /24 containing the public IPs and delete it. Click Apply changes.
    • You need proper firewall rules on that OPT to permit outbound traffic. Configure a DHCP server on that OPT interface to give out the public IPs.
    • Finally, if the goal is that users will maintain their own firewall on their CPE or whatnot, go to WAN firewall rules and allow all inbound traffic to OPT (i.e., source - any, destination - OPT subnet)

    You could split the other /24 and do the same, just keep some small /30 for WAN, unless you already have a separate one for that purpose.

    Important note: You will want to block both inbound traffic from WAN and from OPT to the IP assigned to the OPT interface on pfSense, ports TCP 22/80/443 at least. You do not want everyone to mess with your WebGUI and hammer SSH. Be careful with the rules ordering.
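    The policy described in the steps above, written out as a pf ruleset so the pieces are visible in one place. This is an added illustration, not the poster's configuration and not what pfSense generates verbatim (pfSense builds its rules from the WebGUI and its interface names and rule syntax differ in detail). Interface names, the RFC 5737 documentation prefixes and the OPT address are assumed placeholders, and the DHCP server for the OPT side is configured separately and not shown.

    ```pf
    # Assumed interface names (placeholders, not pfSense's real names)
    wan_if = "em0"
    lan_if = "em1"
    opt_if = "em2"

    # Assumed addresses, all from RFC 5737 documentation ranges
    wan_net    = "192.0.2.0/30"        # small transit block kept on WAN
    lan_net    = "10.0.0.0/24"         # ordinary private LAN
    public_net = "198.51.100.0/24"     # the /24 routed onto the OPT interface
    opt_addr   = "198.51.100.1"        # pfSense's own address on OPT

    # Outbound NAT: only the private LAN is translated to the WAN address.
    # There is deliberately no nat rule for $public_net; it is routed as-is,
    # which is what deleting the auto-generated rule in the GUI achieves.
    nat on $wan_if from $lan_net to any -> ($wan_if)

    # Rules below carry "quick", so the first match wins and ordering matters.
    # 1. Protect the firewall's own management ports on the OPT address from
    #    both the Internet and the OPT hosts, before any pass rule can match.
    block in quick on { $wan_if, $opt_if } proto tcp from any to $opt_addr port { 22, 80, 443 }

    # 2. OPT hosts holding public addresses may send anything outbound.
    pass in quick on $opt_if from $public_net to any

    # 3. Inbound from the Internet to the public /24 is passed straight through;
    #    each CPE in router mode runs its own firewall and port forwards.
    pass in quick on $wan_if from any to $public_net
    ```

    The block rule sits above the two pass rules on purpose: if the "allow all inbound to OPT subnet" rule came first, it would also match traffic to the firewall's own OPT address and expose the WebGUI and SSH, which is the ordering mistake the note above warns about.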



  • Thank you very much, I will give this a shot later on, on a test machine, so I don't break the production box ;D

