Public IPs from inside and outbound load balancing

  • Hello,

    I'm using 1.2 and configured two connections (a DSL and a T1) in outbound load-balancing according to the documentation. It's working great so far. My issue is that I have servers in my LAN and DMZ mapped to each connection's public IP. The servers host both a webserver and custom software that uses high (>5000) ports for communication. I've configured NAT and firewall rules and accessing each server from outside works fine.

    *** LAN ***                                              *** DMZ ***

    Server A –-----|                                  --------D-Link router ---- ADSL-------|
                          |                                  | WAN                                            |
                          Switch ------- Pfsense ---|                                              INTERNET
                                                              | OPT                                            |
                                                              -------Switch ----- T1--------------|
                                                                        |      |
                                                                        |      |
                              Server B ---  D-Link router---- |      |
                                                                          D-Link router
                                                                          Server C

    The D-Link router is there because the ADSL uses PPPoE. So the ADSL DMZ uses a private IP block different from the internal LAN. The router has of been configured to forward the necessary ports to the Pfsense. On the T1 side, we have a /29 mask, so we have a different public IP that goes to the Pfsense, Server B and C.

    My problem is that the servers need to communicate with each other using their public IP address. I've searched the forums and didn't find a case similar to mine. Server A (mapped to the ADSL) sees Server B and C just fine using their public address . The reverse, however, does not work. Servers B and C are unable to communicate with Server A using Server A's public IP == ADSL public IP.

    The plan is to move Server B inside the LAN, which would give it the OPT public IP. However I need to keep Server C outside the LAN in the T1 DMZ. I need to be able to access each server from inside the LAN so filtered bridge would not be a solution? Anything else I can try?

    Thanks and best regards,


  • What are the default gateways of your servers B and C?
    I assume they have as gateway the OPT interface of pfSense, right?
    Now the public IP on the pfSense WAN is actually on the Dlink router in front of it.

    The immediate solution i see is:
    You set the Dlink router in front of pfSense into bridging mode and let pfSense handle the PPPoE authentication.
    Like this you will get the public IP of the WAN directly on pfSense.
    Then all you need to do is enable NAT reflection and it should work. (At least for port-ranges <500 (this doesnt mean you cannot have ports >500)).

  • Hi,

    thanks for the answer. However, from what I understand, oubound load-balancing will not work if the WAN interface uses PPPoE directly? I've tried on 1.2 and I'm unable to add a PPPoE link to the pool. Unless this is fixed in 1.3?

    Thanks and best regards,


Log in to reply