Complicated NAT Question



  • Greetings,

    I am using 2.2.6 pfSense as my router/firewall.  I have two static IPs, which for the purposes of the question we'll say are 1.1.1.1 and 1.1.1.2.

    I want 99.9% of my network traffic to go out to the Internet as 1.1.1.1, but I would also like to NAT any and all traffic for my web server for 1.1.1.2.  I have a very heavy Cisco background, both in routers & firewalls, and I think it is proving more of a hindrance than a help in this situation.

    Can anyone please point me to some documentation about how to create this functionality in pfSense?  My searches seem to have turned up conflicting or unclear information.

    My thanks!


  • LAYER 8 Global Moderator

    Are these public IPs on different connections or the same one?  So your wan on pfsense as 1.1.1.1, create a vip for 1.1.1.2 and forward traffic to your webserver via your vip.  And then on your outbound nat set up your webserver to use the vip for its outbound traffic.



  • Yes.  The IPs are both on the same connection.

    Thanks for your reply.

    Just to be sure I understand, I will:

    1. Create appropriate NAT and Firewall rules for Incoming from Virtual IP that point to the web server.
    2. Create an outbound NAT rule for my web server to use the Virtual IP.

    One other question:  Do I need to remove the auto-generated outbound NAT rules, or will my manual outbound NAT rule be prioritized over them?

    Once again, my thanks!


  • LAYER 8 Global Moderator

    No, you do not need to remove the auto..  You need to make sure that the webserver talks back out the same IP it came in.
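
The setup described in this thread, written out as an added example in pf.conf syntax. It is not part of any post above and is not output generated by pfSense; the interface name `em0` and the private addresses `192.168.1.0/24` and `192.168.1.10` are assumed. pf translation rules are first-match, so the host-specific `nat` rule has to come before the general one.

```pf
# Added illustration; interface and private addresses are assumptions.
ext_if  = "em0"              # WAN interface (assumed name)
lan_net = "192.168.1.0/24"   # LAN subnet (assumed)
web_srv = "192.168.1.10"     # web server (assumed)
wan_ip  = "1.1.1.1"          # primary WAN address, from the thread
vip     = "1.1.1.2"          # second static IP; must be bound on the WAN
                             # interface (the Virtual IP in the thread)

# Inbound: traffic arriving on the VIP is redirected to the web server.
rdr on $ext_if inet proto tcp from any to $vip port { 80, 443 } -> $web_srv

# Outbound: translation rules are first-match, so the host-specific rule
# precedes the general rule. The web server leaves as the VIP, the same
# address its inbound connections arrived on.
nat on $ext_if inet from $web_srv to any -> $vip

# Everything else on the LAN leaves as the primary WAN address.
nat on $ext_if inet from $lan_net to any -> $wan_ip

# Filter: rdr is applied before filtering, so the pass rule matches the
# translated (internal) destination. Only the published ports are opened.
block in on $ext_if all
pass in on $ext_if inet proto tcp from any to $web_srv port { 80, 443 } keep state
```

If the two `nat` lines were swapped, the web server would match the LAN-wide rule first and its outbound connections would appear from 1.1.1.1 instead of 1.1.1.2.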

