Two Static IPs – route to separate Ethernet LAN ports on pfSense box.



  • I have two static IP addresses and I have only been using one of them for servers (HTTP, FTP, POP3, SMTP, etc.) with their own 192.168.0.x/24 static IP addresses. 
    I have a pfSense box with four Ethernet ports, of which I am using two designated WAN and LAN.  The other two, OPT1 and OPT2, are inactive. 
    I'd like to add the second Static IP to my WAN interface and take all traffic destined to that IP address to what is now the inactive OPT1 port, which I will be naming LAN2.  I want to segregate the data from the two IP addresses such that they route to separate physical Ethernet LAN ports on my pfSense box, each operating in a separate internal IP range.

    See attached diagram.

    I'll change the first two octets in the IP addressing for privacy reasons, but this is what I have been supplied by my ISP:

    Assigned Static IP #1 xx.yy.157.210 (only one currently being used)
    Assigned Static IP #2 xx.yy.157.211 (one I wish to make use of)
    Gateway xx.yy.157.193
    Netmask 255.255.255.224

    Existing Interface Configuration for WAN and LAN ports:

    Enable Interface: Checked
    Description:  WAN
    IPv4 Configuration Type: Static IPv4
    IPv6 Configuration Type: None
    MAC address: Blank
    MTU: Blank
    MSS: Blank
    Speed and duplex: Nothing changed from default in advanced options.
    IPv4 address:  xx.yy.157.210/27
    IPv4 Upstream Gateway:  WANGW - xx.yy.157.193
    "none".
    Private networks
    Block private networks: Checked
    Block bogon networks: Checked

    Enable Interface: Checked
    Description:  LAN
    IPv4 Configuration Type: Static IPv4
    IPv6 Configuration Type: None
    MAC address: Blank
    MTU: Blank
    MSS: Blank
    Speed and duplex: Nothing changed from default in advanced options.
    IPv4 address:  192.168.0.1/23 (note: the /23 is intentional as I have devices on 192.168.0.xx and 192.168.1.xx)
    IPv4 Upstream Gateway:  None
    "none".
    Private networks
    Block private networks: Not checked
    Block bogon networks: Not checked

    I have created a Virtual IP configured as follows for the second IP address:

    Type: IP Alias
    Interface: WAN
    Address:  xx.yy.57.211/32
    Description:  Second Static IP

    Using the above, I've verified that I can route incoming traffic from the IP Alias (second static IP address) to a server on the network.

    So my question (you knew I'd eventually get to that, right?) is, how do I segregate the traffic so that all traffic to/from the xx.yy.157.210 is routed through the LAN port (as it is now) and all traffic for xx.yy.157.211 is routed through the OPT1 port (which I will rename)?

    Normally, I would experiment, but taking things down means taking down email, ftp, and web servers for a few domains (small, but important to me), so I'd like to minimize the down-time.

    Thanks in advance for any help.

    ![Desired Configuration.png](/public/imported_attachments/1/Desired Configuration.png)


  • Netgate

    Outbound NAT.  Create entries like this, probably using hybrid outbound rules:

    Interface:  WAN
    Source: LAN2_Network/24
    Port: 500
    NAT Addresses: xx.yy.157.211 VIP
    Static Port: Yes

    Interface:  WAN
    Source: LAN2_Network/24
    Port: *
    NAT Addresses: xx.yy.157.211 VIP
    Static Port: No
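To see why those two entries have to be in that order, and how the second public IP ends up tied to the LAN2 segment in both directions, here is a small model of first-match outbound NAT and port-forward selection. It is an added illustration written for this thread, not pfSense code and not from Netgate. It assumes 203.0.113.210/.211 as stand-ins for the poster's obscured xx.yy.157.210/.211, keeps the poster's LAN as 192.168.0.0/23, and picks 192.168.2.0/24 for LAN2 since no range had been chosen yet; the inbound side goes slightly beyond the reply above and only reflects the poster's note that port forwards to the VIP already work.

```python
"""Model of pfSense-style outbound NAT and port-forward matching for the
two-static-IP / two-LAN layout in this thread.  Added example, not pfSense
code: it only shows how first-match rule order decides which public IP each
internal segment uses, and that the two segments cannot overlap.

Constructed assumptions:
  - 203.0.113.210 / .211 stand in for the obscured xx.yy.157.210 / .211
  - LAN  = 192.168.0.0/23 (the poster's existing LAN)
  - LAN2 = 192.168.2.0/24 (hypothetical choice for the OPT1 segment)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

WAN_IP = IPv4Address("203.0.113.210")   # primary static IP on the WAN interface
WAN_VIP = IPv4Address("203.0.113.211")  # IP Alias VIP, the second static IP
LAN_NET = ip_network("192.168.0.0/23")
LAN2_NET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class OutboundRule:
    source: IPv4Network
    port: Optional[int]          # None models the "*" (any source port) entry
    nat_address: IPv4Address
    static_port: bool

    def matches(self, src: IPv4Address, sport: int) -> bool:
        return src in self.source and (self.port is None or self.port == sport)


# Order matters: the first matching outbound rule wins, so the port-500
# static-port entry must sit above the catch-all for the same source network.
OUTBOUND_RULES = [
    OutboundRule(LAN2_NET, 500, WAN_VIP, static_port=True),   # IKE keeps port 500
    OutboundRule(LAN2_NET, None, WAN_VIP, static_port=False),
    OutboundRule(LAN_NET, 500, WAN_IP, static_port=True),
    OutboundRule(LAN_NET, None, WAN_IP, static_port=False),
]


def translate_outbound(src: str, sport: int, ephemeral: int = 49152) -> Optional[Tuple[str, int]]:
    """Return (public_ip, public_port) after outbound NAT, or None when no rule matches.

    With no matching rule, pfSense in hybrid/manual mode performs no translation,
    so the packet would leave with its private source and be dropped upstream.
    """
    source = ip_address(src)
    for rule in OUTBOUND_RULES:
        if rule.matches(source, sport):
            return str(rule.nat_address), (sport if rule.static_port else ephemeral)
    return None


# Port forwards: the destination public IP selects the internal segment.
# Hosts below are constructed; any service (SMTP on 25 here) works the same way.
PORT_FORWARDS = {
    (WAN_IP, 25): ("LAN", IPv4Address("192.168.0.10")),
    (WAN_VIP, 25): ("LAN2", IPv4Address("192.168.2.10")),
}


def forward_inbound(dst: str, dport: int) -> Optional[Tuple[str, str]]:
    """Return (interface, internal_host) for a forwarded port, or None (default deny on WAN)."""
    entry = PORT_FORWARDS.get((ip_address(dst), dport))
    if entry is None:
        return None
    iface, host = entry
    return iface, str(host)


def segments_disjoint() -> bool:
    """The /23 already covers 192.168.0.x and 192.168.1.x, so LAN2 must sit outside it."""
    return not LAN_NET.overlaps(LAN2_NET)


if __name__ == "__main__":
    print("LAN2 IKE   ->", translate_outbound("192.168.2.50", 500))
    print("LAN2 other ->", translate_outbound("192.168.2.50", 40000))
    print("LAN other  ->", translate_outbound("192.168.1.20", 40000))
    print("in to VIP  ->", forward_inbound("203.0.113.211", 25))
    print("disjoint   ->", segments_disjoint())
```

If LAN2 were given a range inside the existing /23 (say 192.168.1.0/24), `segments_disjoint()` would return False; that is the first thing to check before touching the outbound rules, since overlapping segments break the routing the whole setup depends on.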



  • Thank you!  I'll get started on that and see how it goes – but after I get through a lot more chores around the house this weekend.

    Sometimes I think that pfSense should have "wizards" which people could create to match situations like this.  If I created one, it might save the next person doing the same thing a good bit of time.



  • @fmaxwell:

    "wizards"

    They would never be complete or fetch all possible scenarios.
    Better learn your tools of the trade and configure what you actually need. It's a security product after all.



  • @jahonix:

    They would never be complete or fetch all possible scenarios.

    The same thing can be said of first aid kits, but it doesn't mean that they are a bad idea.

    @jahonix:

    Better learn your tools of the trade and configure what you actually need.

    I've been doing networking and computer security for a couple of decades. I've seen a tremendous number of security flaws that have resulted from basic misconfigurations, misunderstandings, and even typos.  Making configuration of routing and security a more complex and manual task than it needs to be reduces security.

    But maybe you can help me out; where can I find a good packet flow diagram for the various routing, NAT, and filtering components that make up pfSense?

    @jahonix:

    It's a security product after all.

    It's also a routing product and that's the functionality I'm talking about.