pfSense – Assign Public IP of /29 Block Directly to a Connected Device


Ultimately what I want to do is connect a second physically separate gateway, and assign its WAN port one of the public IP addresses given by our ISP.

So I have the following setup currently, and it is working.

  1. Fibre leased line from ISP.
  2. Fibre comes to ISP box
  3. Ethernet from ISP box plugs into pfSense WAN port
  4. pfSense WAN port set as static IP assignment IP: xxx.xxx.xxx.99, GW: xxx.xxx.xxx.98/30
  5. Add one of the public IP addresses as a virtual IP address in pfSense IP: xxx.xxx.xxx.105/29
  6. Create a new private network and assign it to a spare ethernet port IP: 10.61.1.5/30
  7. Connect the second gateway wan port to pfSense and assign the wan a static IP: 10.61.1.6
  8. In pfSense setup 1:1 NAT and outbound NAT to connect all traffic between xxx.xxx.xxx.105 <-> 10.61.1.6
  9. Setup firewall rules in pfSense to allow all traffic between WAN xxx.xxx.xxx.105 and LAN 10.61.1.6

While this works and the new device talks over the public IP address, the actual gateway thinks its public IP address is 10.61.1.6, not xxx.xxx.xxx.105. This makes configuration of VPN servers impossible for me, as the device is wrongly thinking its public IP is a private one.

To clarify (this is my understanding; I might be wrong): the ISP gateway is xxx.xxx.xxx.98 on a /30 network, and they have given us a /29 block of IPs that are routable through xxx.xxx.xxx.98/30. From my testing, the above rules out being able to connect a switch between the ISP box and the pfSense WAN and just assign devices those public IPs of the /29 block.

Is there any way I can configure the WAN port on the secondary device with the public IP address, connect it to pfSense some way, and just get pfSense to route it out to xxx.xxx.xxx.98?

Best Answer

I found my answer in the pfSense The Definitive Guide Version 2.1.

Small WAN IP subnet with larger LAN IP subnet

Some ISPs will give you a small IP subnet as the "WAN side" assignment, and route a larger "inside" subnet to your end of the WAN subnet. Commonly this is a /30 on the WAN side, and a /29 or larger for use inside the firewall. The provider's router is assigned one end of the /30, typically the lowest IP, and your firewall is assigned the higher IP. The provider then routes the LAN subnet to your WAN IP. You can use those additional IPs on a routed interface with public IPs directly assigned to hosts, or with NAT using Other VIPs, or a combination of the two. Since the IPs are routed to you, ARP is not needed, and you don't need any VIP entries for use with 1:1 NAT. Because pfSense is the gateway on the OPT1 segment, routing from OPT1 hosts to LAN is much easier than in the bridged scenario required when using a single public IP block. Figure 10.25, “Multiple public IPs in use — two IP blocks” shows an example that combines a routed IP block and NAT. Routing public IPs is covered in the section called “Routing Public IPs”, and NAT in Chapter 11, Network Address Translation.

So I made a spare interface OPT1 and assigned it one of the public IP addresses. Hung a small five-port switch off OPT1 and plugged my servers into it. The servers were then assigned a public IP address with the gateway set as the IP of OPT1. With this, I had to sacrifice one of my public IPs, but I was able to directly assign public IPs to servers on OPT1. At the same time, I was able to continue to use the rest of the spare public IPs as I did before, with 1:1 NATs through to servers sat on the private LAN.

The rest of the setup was just setting up firewall rules to allow OPT1 <--> WAN.


UPDATE: Another step that is needed is that any automatic outbound NAT rules need to be deleted for your public IP block. If they are not deleted, the outbound NAT rules will make the public IPs go out as your WAN public IP rather than their own IP.

As noted in the manual here: https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html
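The addressing plan from the accepted answer, modelled as an added example (this is not code from the question, the answer, or Netgate's documentation) with Python's `ipaddress` module. RFC 5737 documentation addresses stand in for the masked xxx.xxx.xxx.* block, the private LAN is widened to 10.61.1.0/24, and one spare public IP is kept as an "Other" VIP with 1:1 NAT to 10.61.1.6; all three are assumptions made so every branch can be exercised. `validate_layout` checks that each address is a usable host of its block, `usable_server_ips` lists what can still be assigned directly to servers on OPT1, `host_config` gives a server's addressing, and `egress_source` shows why the automatic outbound NAT rule for the public block has to be removed.

```python
# Added example: model of a routed /29 behind a pfSense WAN /30 (assumed addresses).
from ipaddress import IPv4Address, IPv4Network

# RFC 5737 documentation space standing in for the masked xxx.xxx.xxx.* (assumption)
WAN_LINK = IPv4Network("203.0.113.96/30")    # ISP "WAN side" /30, usable .97 and .98
ISP_GW   = IPv4Address("203.0.113.97")       # provider's end, the lowest usable address
WAN_IP   = IPv4Address("203.0.113.98")       # pfSense WAN; the /29 is routed to this address
PUBLIC   = IPv4Network("203.0.113.104/29")   # routed "inside" block, usable .105 to .110
OPT1_IP  = IPv4Address("203.0.113.105")      # pfSense OPT1 address = gateway for hosts in PUBLIC
LAN      = IPv4Network("10.61.1.0/24")       # private LAN (assumed /24 instead of the /30)
# One spare public IP kept as an "Other" VIP with 1:1 NAT to a private host (assumption)
ONE_TO_ONE = {IPv4Address("10.61.1.6"): IPv4Address("203.0.113.106")}


def validate_layout():
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    link_hosts = set(WAN_LINK.hosts())
    for name, addr in (("ISP gateway", ISP_GW), ("WAN IP", WAN_IP)):
        if addr not in link_hosts:
            problems.append(f"{name} {addr} is not a usable host in {WAN_LINK}")
    if WAN_LINK.overlaps(PUBLIC):
        problems.append(f"routed block {PUBLIC} overlaps the WAN link {WAN_LINK}")
    public_hosts = set(PUBLIC.hosts())
    if OPT1_IP not in public_hosts:
        problems.append(f"OPT1 address {OPT1_IP} is not a usable host in {PUBLIC}")
    for priv, pub in ONE_TO_ONE.items():
        if priv not in LAN or pub not in public_hosts or pub == OPT1_IP:
            problems.append(f"1:1 mapping {priv} <-> {pub} is outside LAN/PUBLIC or clashes with OPT1")
    return problems


def usable_server_ips():
    """Public addresses that can still be assigned directly to servers hung off OPT1."""
    reserved = {OPT1_IP} | set(ONE_TO_ONE.values())
    return [h for h in PUBLIC.hosts() if h not in reserved]


def host_config(server_ip):
    """Linux-style addressing for a server on the OPT1 switch, as command strings."""
    server_ip = IPv4Address(server_ip)
    if server_ip not in usable_server_ips():
        raise ValueError(f"{server_ip} is not a free host address in {PUBLIC}")
    return [
        f"ip addr add {server_ip}/{PUBLIC.prefixlen} dev eth0",
        f"ip route add default via {OPT1_IP}",   # gateway is pfSense's OPT1 address
    ]


def next_hop(dst):
    """Where pfSense forwards a packet for dst: OPT1 and LAN are directly connected."""
    dst = IPv4Address(dst)
    if dst in PUBLIC:
        return "OPT1"
    if dst in LAN:
        return "LAN"
    return str(ISP_GW)          # everything else goes to the provider's end of the /30


def egress_source(src, auto_outbound_nat_kept):
    """Source address a packet leaves the WAN with.

    auto_outbound_nat_kept=True models the symptom in the UPDATE: an automatic
    outbound NAT rule that still matches the public block rewrites it to WAN_IP.
    """
    src = IPv4Address(src)
    if src in PUBLIC:                       # routed host on OPT1, no translation wanted
        return WAN_IP if auto_outbound_nat_kept else src
    if src in ONE_TO_ONE:                   # 1:1 NAT is applied before outbound NAT
        return ONE_TO_ONE[src]
    if src in LAN:                          # ordinary private host, masqueraded
        return WAN_IP
    raise ValueError(f"{src} is not a locally attached source")


if __name__ == "__main__":
    print("problems:", validate_layout())
    print("free server IPs:", [str(h) for h in usable_server_ips()])
    print("\n".join(host_config("203.0.113.107")))
    print("auto NAT kept:", egress_source("203.0.113.107", True),
          "removed:", egress_source("203.0.113.107", False))
```

One caveat `validate_layout` makes visible: an aligned /30 has exactly two usable hosts (for example .97 and .98, or .101 and .102), so if the check reports the ISP gateway or the WAN IP as not usable, the WAN link is not really a /30 with those two addresses and the mask should be confirmed with the provider before building the rest of the plan on it.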