Multiple WAN firewall rules



  • Hi, my ISP provides me with up to 5 static public IPs and I'd like to know if pfSense will allow me to create rules that forward traffic bound for one of the 5 public IPs to any internal NAT address. I am able to do this currently only with two interfaces using a Netgear device, but I require more public IPs now. My ISP requires a unique MAC for each external interface, hence the move to pfSense. I've read through many of the posts, but haven't seen this exact scenario. I do not need load balancing or failover, just routing capability, and all the public IPs are on the same subnet. Thanks for the help.



    • Go to Firewall > Virtual IPs and create the additional IPs there.
    • Add port forwards or 1:1 mappings at Firewall > NAT for these IPs.
    • Add firewall rules at Firewall > Rules for traffic that you want to pass (when using port forwards they will be autocreated; for 1:1 you have to add them manually).
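
The last step above is the one that is easy to get wrong: a 1:1 mapping with no pass rule carries no inbound traffic, and one with an any/any pass rule exposes every port of the internal host. The following check is an added example, not part of the original thread and not pfSense code; the data model, field names and addresses are constructed for illustration, rules are assumed to match the internal (post-NAT) destination, and rule ordering is not modelled.

```python
import ipaddress

# Constructed sample data (documentation and private address ranges).
ONE_TO_ONE = [
    {"external": "203.0.113.11", "internal": "192.168.1.11"},
    {"external": "203.0.113.12", "internal": "192.168.1.12"},
    {"external": "203.0.113.13", "internal": "192.168.1.13"},
]
WAN_RULES = [
    {"action": "pass", "dst": "192.168.1.11", "proto": "tcp", "port": "443"},
    {"action": "pass", "dst": "192.168.1.12", "proto": "any", "port": "any"},
    {"action": "block", "dst": "192.168.1.13", "proto": "tcp", "port": "22"},
]


def _covers(rule_dst, host):
    """True if a rule destination (address, CIDR or 'any') includes host."""
    net = "0.0.0.0/0" if rule_dst == "any" else rule_dst
    return ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False)


def audit_one_to_one(mappings, wan_rules):
    """Return {external_ip: finding} for every 1:1 mapping."""
    findings = {}
    for m in mappings:
        # Only pass rules whose destination covers the internal host count.
        passes = [r for r in wan_rules
                  if r["action"] == "pass" and _covers(r["dst"], m["internal"])]
        if not passes:
            findings[m["external"]] = "no pass rule: mapping carries no inbound traffic"
        elif any(r["proto"] == "any" or r["port"] == "any" for r in passes):
            findings[m["external"]] = "all ports exposed: narrow the rule"
        else:
            allowed = ", ".join(f'{r["proto"]}/{r["port"]}' for r in passes)
            findings[m["external"]] = "ok: " + allowed
    return findings


if __name__ == "__main__":
    for ext, finding in audit_one_to_one(ONE_TO_ONE, WAN_RULES).items():
        print(ext, "->", finding)
```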


  • @ziggyrama:

    My ISP requires a unique MAC for each external interface

    I think this is the tricky part of the setup. If you search, there are several people who had similar questions. Unfortunately, I don't recall a viable solution being offered. My solution would be to try to get the ISP to act sane, and change to a new provider if they didn't.



  • VIP type CARP will generate a fake MAC for the IP.



  • Thank you for the replies. I've gone ahead and set up pfSense and I'll experiment with it over the weekend. Unfortunately, Surewest migrated from their old Cajun stuff (that didn't care about using fake MACs) to new Cisco equipment and they now force the traffic to go out the same MAC it originated on. It will probably be best that I just do some more testing, but I was curious if it was even a possibility.



  • I think proxyARP will use the same MAC address for traffic. If they route these IPs to you anyway regardless of a MAC address, you can also use type "other".

