pfSense - DHCP Public IPs with no NAT

Networking & Firewalls
#1

So how do I go about doing this?

I had read up on the NAT issue but drawing a blank when it comes to able to put the IPs in DHCP.
Lets say a /28 worth of public IPs.
I tried doing it via DHCP server and it just told me that it cant be part of the WAN address.

Documentation That I have read.
https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html
https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html

#2

What is the goal? Are you just trying to do routing but not NAT?

#3

I got a block of IPs from the provider and I want them assigned to the servers via DHCP but I want the servers to handle its own firewall.
So basically yes. Routing and no NAT.
That the routing the whole block around the NAT from the first link looks right but the DHCP is what’s throwing me off.

#4

Not sure if that is supported.

#5

I guess in a way it would be the same as using a pfsense box as an ISP. They just DHCP public IPs to the clients and don’t have NAT.

#6

When setting up a normal internet router (in the true sense of the word - no NAT or firewall), the router itself has a public IP in a separate subnet from the block of IPs you are assigned. For example here is what an ISP would give you if that were the case:

Block #1
1.2.3.4/30
Your IP: 1.2.3.6
Default gateway (ISP’s device): 1.2.3.5

Block #2 (routed by the ISP to 1.2.3.6)
5.6.7.0/28
You can use any IP you want in this block as the inside IP of your router (default gateway for the other devices), commonly the first IP or 5.6.7.1

If the ISP only gives you the /28, and their device is using one of the IPs within that block (5.6.7.1 in the above example) for you to use as the default gateway, then a router is not the easiest solution. In this case there are three options I’m aware of:

  1. Connect a switch between the ISP and the devices needing to use a public IP. One of these devices can operate a DHCP server, or the switch can if you use a managed switch with that function.
  2. Use a firewall or router in bridge mode (in PFSense, just bridge the interfaces together) and configure it to run DHCP on the bridge. This effectively turns it into a switch like #1, but may offer additional options.
  3. Use a firewall or router with 1:1 NAT between the public IPs, and the devices that should use them. For example:
    5.6.7.2 - router’s public IP, for regular traffic
    5.6.7.3 - 1:1 NAT to 10.6.7.3
    5.6.7.4 - 1:1 NAT to 10.6.7.4
    5.6.7.5 - 1:1 NAT to 10.6.7.5
    Etc
    And the router/firewall just runs DHCP for 10.6.7.0/28 on its LAN side.

In my environment, method #3 is preferred because then we can use the firewall’s IPS to protect the devices behind the 1:1 NATs, and some of them we limit using an ACL.

1 Like
#7

Tried all 3 and couldn’t get them to work
Used this as a guide for the bridge.
https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79

#8

I’m trying to do this same thing did you get it working I tried bridging and just set a static IP address and it wouldn’t route