I had read up on the NAT issue but I'm drawing a blank when it comes to being able to put the IPs in DHCP.
Let's say a /28 worth of public IPs.
I tried doing it via the DHCP server and it just told me that it can't be part of the WAN address.
I got a block of IPs from the provider and I want them assigned to the servers via DHCP, but I want the servers to handle their own firewall.
So basically yes. Routing and no NAT.
Routing the whole block around the NAT from the first link looks right, but the DHCP is what's throwing me off.
When setting up a normal internet router (in the true sense of the word - no NAT or firewall), the router itself has a public IP in a separate subnet from the block of IPs you are assigned. For example here is what an ISP would give you if that were the case:
Block #2 (routed by the ISP to 1.2.3.6)
5.6.7.0/28
You can use any IP you want in this block as the inside IP of your router (default gateway for the other devices), commonly the first IP, or 5.6.7.1.
If the ISP only gives you the /28, and their device is using one of the IPs within that block (5.6.7.1 in the above example) for you to use as the default gateway, then a router is not the easiest solution. In this case there are three options I’m aware of:
1. Connect a switch between the ISP and the devices needing to use a public IP. One of these devices can operate a DHCP server, or the switch can if you use a managed switch with that function.
2. Use a firewall or router in bridge mode (in pfSense, just bridge the interfaces together) and configure it to run DHCP on the bridge. This effectively turns it into a switch like #1, but may offer additional options.
3. Use a firewall or router with 1:1 NAT between the public IPs and the devices that should use them. For example:
   5.6.7.2 - router's public IP, for regular traffic
   5.6.7.3 - 1:1 NAT to 10.6.7.3
   5.6.7.4 - 1:1 NAT to 10.6.7.4
   5.6.7.5 - 1:1 NAT to 10.6.7.5
   Etc.
   And the router/firewall just runs DHCP for 10.6.7.0/28 on its LAN side.
In my environment, method #3 is preferred because then we can use the firewall’s IPS to protect the devices behind the 1:1 NATs, and some of them we limit using an ACL.
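An added example (not from either poster) that works out option #3 mechanically: it pairs each usable public IP with the private IP at the same host offset, skips the ISP gateway and the router's own WAN address, builds the LAN-side DHCP pool, and refuses a pool that would contain the WAN address, which is the error the original poster hit. The addresses (5.6.7.0/28, 10.6.7.0/28, ISP gateway 5.6.7.1, router WAN 5.6.7.2, LAN gateway 10.6.7.1) are assumed from the answer; the rule renderer assumes a Linux router with iptables rather than pfSense.

```python
import ipaddress

# Assumed layout, taken from the answer above: public 5.6.7.0/28 with the ISP's
# gateway at .1 and the router's WAN at .2; private 10.6.7.0/28 with the
# router's LAN IP at .1. Public .3 maps to private .3, .4 to .4, and so on.

def plan_one_to_one_nat(public_block, private_block, isp_gateway, router_wan, lan_gateway):
    """Return the 1:1 NAT pairs and the LAN DHCP pool for option #3."""
    pub = ipaddress.ip_network(public_block)
    priv = ipaddress.ip_network(private_block)
    if pub.prefixlen != priv.prefixlen:
        raise ValueError("same-offset mapping needs equally sized blocks")
    isp_gw, wan, lan_gw = (ipaddress.ip_address(a) for a in (isp_gateway, router_wan, lan_gateway))
    if isp_gw not in pub or wan not in pub:
        raise ValueError("ISP gateway and router WAN must be inside the public block")
    if lan_gw not in priv:
        raise ValueError("LAN gateway must be inside the private block")
    # The check the DHCP server enforced on the original poster: a LAN-side
    # pool must not contain the router's WAN address.
    if wan in priv:
        raise ValueError("DHCP pool would include the WAN address")
    base = int(pub.network_address)
    reserved = {int(isp_gw) - base, int(wan) - base}  # no NAT for these offsets
    nat = []
    for pub_ip in pub.hosts():
        offset = int(pub_ip) - base
        priv_ip = priv.network_address + offset
        if offset in reserved or priv_ip == lan_gw:
            continue
        nat.append((str(pub_ip), str(priv_ip)))
    pool = [str(h) for h in priv.hosts() if h != lan_gw]
    return {"nat": nat, "dhcp_pool": pool, "lan_gateway": str(lan_gw)}

def iptables_rules(plan):
    """Render the pairs as iptables DNAT/SNAT rules (assumes a Linux router)."""
    rules = []
    for pub_ip, priv_ip in plan["nat"]:
        rules.append(f"iptables -t nat -A PREROUTING -d {pub_ip} -j DNAT --to-destination {priv_ip}")
        rules.append(f"iptables -t nat -A POSTROUTING -s {priv_ip} -j SNAT --to-source {pub_ip}")
    return rules

if __name__ == "__main__":
    plan = plan_one_to_one_nat("5.6.7.0/28", "10.6.7.0/28", "5.6.7.1", "5.6.7.2", "10.6.7.1")
    print("DHCP pool on LAN:", plan["dhcp_pool"][0], "-", plan["dhcp_pool"][-1])
    for rule in iptables_rules(plan):
        print(rule)
```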