Netgate Discussion Forum
    Two Static IPs – route to separate Ethernet LAN ports on pfSense box.

    Routing and Multi WAN
    5 Posts 3 Posters 984 Views

      fmaxwell

      I have two static IP addresses and I have only been using one of them for servers (HTTP, FTP, POP3, SMTP, etc.) with their own 192.168.0.x/24 static IP addresses. 
      I have a pfSense box with four Ethernet ports, of which I am using two designated WAN and LAN.  The other two, OPT1 and OPT2, are inactive. 
      I'd like to add the second Static IP to my WAN interface and take all traffic destined to that IP address to what is now the inactive OPT1 port, which I will be naming LAN2.  I want to segregate the data from the two IP addresses such that they route to separate physical Ethernet LAN ports on my pfSense box, each operating in a separate internal IP range.

      See attached diagram.

      I'll change the first two octets in the IP addressing for privacy reasons, but this is what I have been supplied by my ISP:

      Assigned Static IP #1 xx.yy.157.210 (only one currently being used)
      Assigned Static IP #2 xx.yy.157.211 (one I wish to make use of)
      Gateway xx.yy.157.193
      Netmask 255.255.255.224

      Existing Interface Configuration for WAN and LAN ports:

      Enable Interface: Checked
      Description:  WAN
      IPv4 Configuration Type: Static IPv4
      IPv6 Configuration Type: None
      MAC address: Blank
      MTU: Blank
      MSS: Blank
      Speed and duplex: Nothing changed from default in advanced options.
      IPv4 address:  xx.yy.157.210/27
      IPv4 Upstream Gateway:  WANGW - xx.yy.157.193
      "none".
      Private networks
      Block private networks: Checked
      Block bogon networks: Checked

      Enable Interface: Checked
      Description:  LAN
      IPv4 Configuration Type: Static IPv4
      IPv6 Configuration Type: None
      MAC address: Blank
      MTU: Blank
      MSS: Blank
      Speed and duplex: Nothing changed from default in advanced options.
      IPv4 address:  192.168.0.1/23 (note: the /23 is intentional as I have devices on 192.168.0.xx and 192.168.1.xx)
      IPv4 Upstream Gateway:  None
      "none".
      Private networks
      Block private networks: Not checked
      Block bogon networks: Not checked

      I have created a Virtual IP configured as follows for the second IP address:

      Type: IP Alias
      Interface: WAN
      Address:  xx.yy.57.211/32
      Description:  Second Static IP

      Using the above, I've verified that I can route incoming traffic from the IP Alias (second static IP address) to a server on the network.

      So my question (you knew I'd eventually get to that, right?) is, how do I segregate the traffic so that all traffic to/from the xx.yy.157.210 is routed through the LAN port (as it is now) and all traffic for xx.yy.157.211 is routed through the OPT1 port (which I will rename)?

      Normally, I would experiment, but taking things down means taking down email, ftp, and web servers for a few domains (small, but important to me), so I'd like to minimize the down-time.

      Thanks in advance for any help.

      ![Desired Configuration.png](/public/imported_attachments/1/Desired Configuration.png)
        Derelict (Netgate)

        Outbound NAT.  Create entries like this, probably using hybrid outbound rules:

        Interface:  WAN
        Source: LAN2_Network/24
        Port: 500
        NAT Addresses: xx.yy.157.211 VIP
        Static Port: Yes

        Interface:  WAN
        Source: LAN2_Network/24
        Port: *
        NAT Addresses: xx.yy.157.211 VIP
        Static Port: No

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


          fmaxwell
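As an added illustration of the rule set in the reply above (this is not code from the thread or from pfSense), the small model below evaluates outbound NAT rules the way pfSense does in hybrid mode: manual rules first, then the automatically generated ones, first match wins. It checks that LAN2 egress is translated to the .211 alias (with the source port preserved only for port 500) while LAN keeps the automatic .210 mapping, and it also shows what happens if the manual rules were to land after the automatic ones. The public prefix 198.51.100.x is a constructed stand-in for the thread's xx.yy.157.x, and 192.168.2.0/24 is an assumed LAN2 range, since the thread does not state one.

```python
"""Model of pfSense hybrid outbound NAT rule matching (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's placeholder addresses xx.yy.157.210/.211
WAN_ADDR = ip_address("198.51.100.210")  # primary WAN address
WAN_VIP = ip_address("198.51.100.211")   # IP Alias virtual IP on WAN
LAN_NET = ip_network("192.168.0.0/23")   # from the thread (/23 on purpose)
LAN2_NET = ip_network("192.168.2.0/24")  # assumed range for the renamed OPT1 (LAN2)


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str
    source: IPv4Network
    dst_port: Optional[int]     # None stands for "*" (any destination port)
    nat_address: IPv4Address
    static_port: bool

    def matches(self, interface: str, src: IPv4Address, dst_port: int) -> bool:
        return (
            self.interface == interface
            and src in self.source
            and (self.dst_port is None or self.dst_port == dst_port)
        )


# The two manual rules from the reply: ISAKMP (500) keeps its source port,
# everything else from LAN2 gets a translated source port.
MANUAL_RULES: List[OutboundNatRule] = [
    OutboundNatRule("WAN", LAN2_NET, 500, WAN_VIP, static_port=True),
    OutboundNatRule("WAN", LAN2_NET, None, WAN_VIP, static_port=False),
]

# What pfSense generates automatically for each internal network (NAT to the
# interface address). In hybrid mode these are evaluated after the manual rules.
AUTO_RULES: List[OutboundNatRule] = [
    OutboundNatRule("WAN", LAN_NET, None, WAN_ADDR, static_port=False),
    OutboundNatRule("WAN", LAN2_NET, None, WAN_ADDR, static_port=False),
]

HYBRID_RULES = MANUAL_RULES + AUTO_RULES


def translate(interface: str, src: str, src_port: int, dst_port: int,
              rules: List[OutboundNatRule] = HYBRID_RULES) -> Optional[Tuple[str, Optional[int]]]:
    """Return (nat_address, nat_source_port) for the first matching rule.

    A source port of None means pf will pick an ephemeral port (Static Port: No).
    Returns None when no rule matches, i.e. the packet leaves untranslated.
    """
    src_ip = ip_address(src)
    for rule in rules:
        if rule.matches(interface, src_ip, dst_port):
            return (str(rule.nat_address), src_port if rule.static_port else None)
    return None


if __name__ == "__main__":
    # LAN2 host browsing the web: egress as .211, source port rewritten
    print(translate("WAN", "192.168.2.10", 40000, 443))
    # LAN2 host doing IKE: egress as .211, port 500 preserved
    print(translate("WAN", "192.168.2.10", 500, 500))
    # LAN host: falls through to the automatic rule, egress as .210
    print(translate("WAN", "192.168.0.50", 40000, 443))
    # Misordered rules (automatic first) silently send LAN2 out as .210
    print(translate("WAN", "192.168.2.10", 40000, 443, rules=AUTO_RULES + MANUAL_RULES))
```

The last call is the check worth keeping in mind when verifying the configuration: in pfSense, ordering the automatic rules above the manual ones would make the LAN2 rules unreachable, and the only visible symptom would be LAN2 traffic leaving with the wrong public address. Confirming egress from a LAN2 host against an external "what is my IP" service is the quick way to see that the manual rules are actually being hit.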

          Thank you!  I'll get started on that and see how it goes – but after I get through a lot more chores around the house this weekend.

          Sometimes I think that pfSense should have "wizards" which people could create to match situations like this.  If I created one, it might save the next person doing the same thing a good bit of time.


            jahonix

            @fmaxwell:

            "wizards"

            They would never be complete or fetch all possible scenarios.
            Better learn your tools of the trade and configure what you actually need. It's a security product after all.


              fmaxwell

              @jahonix:

              They would never be complete or fetch all possible scenarios.

              The same thing can be said of first aid kits, but it doesn't mean that they are a bad idea.

              @jahonix:

              Better learn your tools of the trade and configure what you actually need.

              I've been doing networking and computer security for a couple of decades. I've seen a tremendous number of security flaws that have resulted from basic misconfigurations, misunderstandings, and even typos.  Making configuration of routing and security a more complex and manual task than it needs to be reduces security.

              But maybe you can help me out; where can I find a good packet flow diagram for the various routing, NAT, and filtering components that make up pfSense?

              @jahonix:

              It's a security product after all.

              It's also a routing product and that's the functionality I'm talking about.
