pfSense - DHCP Public IPs with no NAT

So how do I go about doing this?

I had read up on the NAT issue but am drawing a blank when it comes to being able to put the IPs in DHCP.
Let's say a /28 worth of public IPs.
I tried doing it via DHCP server and it just told me that it can't be part of the WAN address.

Documentation that I have read:
https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html
https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html

What is the goal? Are you just trying to do routing but not NAT?

I got a block of IPs from the provider and I want them assigned to the servers via DHCP, but I want the servers to handle their own firewall.
So basically yes. Routing and no NAT.
The routing of the whole block around the NAT from the first link looks right, but the DHCP is what's throwing me off.

Not sure if that is supported.

I guess in a way it would be the same as using a pfSense box as an ISP. They just DHCP public IPs to the clients and don't have NAT.

When setting up a normal internet router (in the true sense of the word, no NAT or firewall), the router itself has a public IP in a separate subnet from the block of IPs you are assigned. For example, here is what an ISP would give you if that were the case:

Block #1
1.2.3.4/30
Your IP: 1.2.3.6
Default gateway (ISP's device): 1.2.3.5

Block #2 (routed by the ISP to 1.2.3.6)
5.6.7.0/28
You can use any IP you want in this block as the inside IP of your router (default gateway for the other devices), commonly the first IP, or 5.6.7.1.

If the ISP only gives you the /28, and their device is using one of the IPs within that block (5.6.7.1 in the above example) for you to use as the default gateway, then a router is not the easiest solution. In this case there are three options I'm aware of:

  1. Connect a switch between the ISP and the devices needing to use a public IP. One of these devices can operate a DHCP server, or the switch can if you use a managed switch with that function.
  2. Use a firewall or router in bridge mode (in pfSense, just bridge the interfaces together) and configure it to run DHCP on the bridge. This effectively turns it into a switch like #1, but may offer additional options.
  3. Use a firewall or router with 1:1 NAT between the public IPs and the devices that should use them. For example:
     5.6.7.2 - router's public IP, for regular traffic
     5.6.7.3 - 1:1 NAT to 10.6.7.3
     5.6.7.4 - 1:1 NAT to 10.6.7.4
     5.6.7.5 - 1:1 NAT to 10.6.7.5
     etc.
     And the router/firewall just runs DHCP for 10.6.7.0/28 on its LAN side.

In my environment, method #3 is preferred because then we can use the firewall’s IPS to protect the devices behind the 1:1 NATs, and some of them we limit using an ACL.


Tried all 3 and couldn't get them to work.
Used this as a guide for the bridge.

I'm trying to do this same thing. Did you get it working? I tried bridging and just set a static IP address, and it wouldn't route.

Hello

I was looking for something else and I stumbled across this old thread, so I just wanted to leave a comment in case someone else sees it.

It is actually very easy to accomplish public IPs on the LAN/DMZ side.
Assuming you have 2 IP blocks as stated by brwainer, commonly referred to as the communication subnet and the routed subnet:
The communication subnet is usually a /30 or /29, and sits on the WAN interface of your pfSense, connected to your ISP router.
The routed subnet is usually bigger, /28 or larger, and sits on the LAN/DMZ interface of your pfSense, connected to your internal switch.
The routed subnet MUST be routed to one of your communication subnet's IPs by your ISP, either to your WAN interface IP directly or to an IP Alias or CARP.

Then:
  1. Create an alias for your routed subnet for easier reference.
  2. Add a firewall rule on the WAN side to allow incoming traffic to it.
  3. Add a No NAT rule under NAT, Outbound.
After that you can use your pfSense LAN/DMZ IP as the default gateway for internal hosts or VMs, and any other IP from the routed subnet as the interface IP for your internal hosts or VMs.

Notes:
Under NAT, Outbound, you should enable manual outbound NAT for proper rule configuration.
The NAT rule should be as follows:
  - tick the "Do not NAT" option
  - the interface must be your WAN (the one with the /29 communication subnet)
  - the source should be the routed subnet alias
Also, don't forget to create rules under the LAN/DMZ interface itself.

Hope this helps.
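As an added illustration (not part of the original post, and not the rule set pfSense itself generates), here is what those steps amount to when written as a plain FreeBSD pf.conf using the addresses from brwainer's example; the interface names em0/em1 and the optional 10.6.7.0/28 private LAN are assumptions.

```pf
# Hand-written pf.conf illustrating "routed public subnet, no NAT" on
# FreeBSD pf (what pfSense uses underneath). Interface names are hypothetical.
wan_if = "em0"               # WAN, holds 1.2.3.6/30 (communication subnet)
lan_if = "em1"               # LAN/DMZ, holds 5.6.7.1/28 (routed subnet)
routed_net  = "5.6.7.0/28"   # block the ISP routes to 1.2.3.6 (the "alias")
private_lan = "10.6.7.0/28"  # assumed private LAN that still needs NAT

set skip on lo0

# --- Translation rules: first match wins, so the exception must come first ---
# The "Do not NAT" rule: traffic sourced from the routed subnet leaves the WAN
# with its real 5.6.7.x address unchanged.
no nat on $wan_if from $routed_net to any
# Ordinary outbound NAT only for the private network, if you have one.
nat on $wan_if from $private_lan to any -> ($wan_if)

# --- Filter rules ---
block in log all

# WAN rule admitting inbound traffic to the routed subnet. The thread's hosts
# run their own firewalls, so the router only narrows this to exposed ports.
pass in on $wan_if inet proto { tcp udp } from any to $routed_net \
    port { 22 80 443 } keep state
pass in on $wan_if inet proto icmp from any to $routed_net keep state

# Rules on the LAN/DMZ interface itself (the step the post says not to forget):
# let the public hosts originate traffic; state handles the return path.
pass in on $lan_if inet from $routed_net to any keep state
```

In pfSense the same first-match ordering applies under NAT > Outbound, so the "Do not NAT" entry must sit above any generic mapping for the WAN interface, otherwise the routed hosts are still translated.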