Multi Public IP Round Robin on WAN interface



  • Hi guys,

    I've been searching the forum for days and didn't find anyone who tried to do what I want to do.

    I've got a pfSense with one WAN interface. My ISP is giving me multiple public IPs (a /27).
    What I want to do is use all these IP addresses (from .1 to .29) in round robin for my outgoing web traffic (i.e., each time I make a web request, I want to use a different IP [.1, then .2, then .3, etc.]).

    So I tried using Firewall/Virtual IPs and created a Proxy ARP with a /28 (because I can't use the same CIDR block :().
    Then in Firewall/NAT/Outbound, I created a rule to use this subnet as the translation address with round robin mode.
    It seems to work because the traffic goes out using a different IP in the /28, but I get no incoming traffic.
    In fact, my web request is received by the web server with an IP in the /28. Apparently, the web server doesn't succeed in replying, and on the web server side the connection is stuck at "SYN_RECV", then dies.

    So my question is: how do I fix it? How do I "route" the incoming traffic (from the /28 IP, or the /27 if possible…) to the server in the LAN which makes the web request? In addition, how can I use all my IPs (the /27) in round robin?
    I don't want to NAT an IP to a specific server (NAT 1:1). Maybe Proxy ARP is not the solution...
    Here is what I want to do:

    Thanks!



  • Hi guys,

    I succeeded in doing this by:

    • Defining NAT/Outbound with my /27 + Round Robin

    • Declaring all Virtual IPs, one by one, as IP Aliases

    Each time I make a web request, a new IP address is chosen.

    Now I have a little problem. In fact, the .30 is used as the gateway, so when .30 is picked by the round robin, it doesn't work.
    How can I exclude this IP address from the round robin, or map .30 to .1 in outbound?

    Thanks! :)


  • Rebel Alliance Developer Netgate

    Make an alias containing all of the IP addresses in your block except .30 and then use the alias in the outbound NAT instead of defining it as the whole subnet.
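    As an added illustration of that answer (not code from the thread or from pfSense itself), the snippet below computes the host list for such an alias from a /27 and its gateway, and models how a round-robin outbound NAT pool walks through it. The block and gateway are constructed RFC 5737 documentation addresses standing in for the ISP-assigned ones.

```python
import ipaddress
from itertools import cycle

# Constructed sample values: a documentation /27 in place of the ISP block,
# with the last usable host (.30) as the ISP gateway, as in the thread.
PUBLIC_BLOCK = "203.0.113.0/27"
GATEWAY = "203.0.113.30"


def usable_public_ips(block, gateway):
    """Return every address in `block` that is safe to use as an outbound
    NAT source. hosts() already drops the network and broadcast addresses;
    the gateway is removed explicitly, because translating to the gateway's
    own address gives the ISP router no reason to hand replies back to us."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    return [str(ip) for ip in net.hosts() if ip != gw]


def alias_content(block, gateway):
    """Text for a pfSense 'Hosts' alias: one address per line, gateway excluded."""
    return "\n".join(usable_public_ips(block, gateway))


def round_robin_sources(block, gateway, connections):
    """Model a round-robin pool: each new connection takes the next address
    in the alias, wrapping around once the list is exhausted."""
    pool = cycle(usable_public_ips(block, gateway))
    return [next(pool) for _ in range(connections)]


if __name__ == "__main__":
    print(alias_content(PUBLIC_BLOCK, GATEWAY))
    for i, src in enumerate(round_robin_sources(PUBLIC_BLOCK, GATEWAY, 31), 1):
        print(f"connection {i:2d} -> source {src}")
```

    A quick sanity check after saving the alias is that its host count equals the block's usable hosts minus one (29 for a /27) and that the gateway address never shows up in the firewall's state table as a translated source.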



  • It works perfectly!

    Thanks a lot!  :D