Ultimately what I want to do is connect a second physically separate gateway, and assign its WAN port one of the public IP addresses given by our ISP.
So I have the following setup currently, and it is working.
- Fibre leased line from ISP.
- Fibre comes to ISP box
- Ethernet from ISP box plugs into pfSense WAN port
- pfSense WAN port set as static IP assignment IP: xxx.xxx.xxx.99, GW: xxx.xxx.xxx.98/30
- Add one of the public IP addresses as a virtual IP address in pfSense IP: xxx.xxx.xxx.105/29
- Create a new private network and assign it to a spare ethernet port IP: 10.61.1.5/30
- Connect the second gateway wan port to pfSense and assign the wan a static IP: 10.61.1.6
- In pfSense setup 1:1 NAT and outbound NAT to connect all traffic xxx.xxx.xxx.105 <-> 10.61.1.6
- Setup firewall rules in pfSense to allow all traffic between WAN xxx.xxx.xxx.105 and LAN 10.61.1.6
While this works and the new device talks over the public IP address, the actual gateway thinks its public IP address is 10.61.1.6, not xxx.xxx.xxx.105. This makes configuration of VPN servers impossible for me, as the device wrongly thinks its public IP is a private one.
To clarify (this is my understanding, I might be wrong): the ISP gateway is xxx.xxx.xxx.98 on a /30 network, and they have given us a /29 block of IPs that are routable through xxx.xxx.xxx.98/30. From my testing, the above rules out being able to connect a switch between the ISP box and the pfSense WAN and just assign devices those public IPs of the /29 block.
Is there any way I can configure the WAN port on the secondary device with the public IP address, connect it to pfSense somehow, and just get pfSense to route it out to xxx.xxx.xxx.98?
Best Answer
I found my answer in the pfSense The Definitive Guide Version 2.1.
So I made a spare interface OPT1 and assigned it one of the public IP addresses. I hung a small five-port switch off OPT1 and plugged my servers into it. The servers were then assigned a public IP address with the gateway set as the IP of OPT1. With this, I had to sacrifice one of my public IPs, but I was able to directly assign public IPs to servers on OPT1. At the same time, I was able to continue to use the rest of the spare public IPs as I did before, with 1:1 NATs through to servers sat on the private LAN.
The rest of the setup was just setting up firewall rules to allow OPT1 <--> WAN.
UPDATE: Another step that is needed is that any automatic outbound NAT rules need to be deleted for your public IP block. If they are not deleted, the outbound NAT rules will make the public IPs go out as your WAN public IP rather than their own IP.
As noted in the manual here: https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html
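As an added illustration (not part of the original post and not pfSense code), the small Python checker below models the addressing plan from the accepted answer: an ISP transit /30, a routed /29, one address of the /29 sacrificed to OPT1 as the servers' gateway, and a list of outbound NAT rules. It uses constructed TEST-NET-2 addresses in place of the masked xxx.xxx.xxx block, and the `Server` and `OutboundNatRule` classes are hypothetical models rather than pfSense's own objects. It flags the two mistakes the thread turns on: a server whose gateway is a private address instead of OPT1, and an outbound NAT rule (automatic or manual) whose source overlaps the public block, which would rewrite the servers' traffic to the WAN address as the UPDATE describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing (TEST-NET-2); the real block is masked in the post.
TRANSIT = ipaddress.ip_network("198.51.100.96/30")        # ISP handoff /30
ISP_GATEWAY = ipaddress.ip_address("198.51.100.98")       # ISP side of the /30
PFSENSE_WAN = ipaddress.ip_address("198.51.100.99")       # pfSense WAN address
PUBLIC_BLOCK = ipaddress.ip_network("198.51.100.104/29")  # routed /29 from the ISP
OPT1 = ipaddress.ip_address("198.51.100.105")             # OPT1 address, servers' gateway


@dataclass(frozen=True)
class Server:
    """Hypothetical model of a server hung off the OPT1 switch."""
    name: str
    address: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address


@dataclass(frozen=True)
class OutboundNatRule:
    """Hypothetical minimal model of a pfSense outbound NAT rule."""
    source: ipaddress.IPv4Network
    translate_to: str          # e.g. "WAN address"
    automatic: bool = False    # pfSense generates one per internal network in automatic mode


def usable_host(addr, block):
    """True if addr is a host address inside block (not network or broadcast)."""
    return addr in block and addr not in (block.network_address, block.broadcast_address)


def server_addresses(block, opt1):
    """Public host addresses still available to servers once OPT1 has taken one."""
    return [h for h in block.hosts() if h != opt1]


def check_plan(transit, isp_gw, pf_wan, block, opt1, servers, nat_rules):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    if isp_gw not in transit or pf_wan not in transit:
        problems.append("ISP gateway and pfSense WAN must both sit in the transit network")
    if not usable_host(opt1, block):
        problems.append(f"OPT1 address {opt1} is not a usable host in {block}")
    seen = {opt1}
    for s in servers:
        if not usable_host(s.address, block):
            problems.append(f"{s.name}: {s.address} is not a usable host in {block}")
        if s.address in seen:
            problems.append(f"{s.name}: {s.address} is already in use")
        seen.add(s.address)
        if s.gateway != opt1:
            # The question's original setup: a public host believing its gateway is private.
            problems.append(f"{s.name}: gateway {s.gateway} should be OPT1 ({opt1})")
    for r in nat_rules:
        if r.source.overlaps(block):
            kind = "automatic" if r.automatic else "manual"
            problems.append(
                f"{kind} outbound NAT rule {r.source} -> {r.translate_to} "
                f"would rewrite the public block {block}; delete or exclude it"
            )
    return problems


if __name__ == "__main__":
    servers = [
        Server("web1", ipaddress.ip_address("198.51.100.106"), OPT1),
        Server("vpn1", ipaddress.ip_address("198.51.100.107"), ipaddress.ip_address("10.61.1.5")),
    ]
    # Automatic outbound NAT as pfSense would generate it for the OPT1 network.
    auto_rules = [OutboundNatRule(PUBLIC_BLOCK, "WAN address", automatic=True)]
    for p in check_plan(TRANSIT, ISP_GATEWAY, PFSENSE_WAN, PUBLIC_BLOCK, OPT1, servers, auto_rules):
        print("PROBLEM:", p)
    print("addresses left for servers:", [str(a) for a in server_addresses(PUBLIC_BLOCK, OPT1)])
```

Run it as-is to see the two problems reported, then fix the second server's gateway and drop the automatic rule to get a clean result.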