When setting up a normal internet router (in the true sense of the word - no NAT or firewall), the router itself has a public IP in a separate subnet from the block of IPs you are assigned. For example here is what an ISP would give you if that were the case:
Block #1
    1.2.3.4/30
    Your IP: 1.2.3.6
    Default gateway (ISP’s device): 1.2.3.5
Block #2 (routed by the ISP to 1.2.3.6)
    5.6.7.0/28
You can use any IP you want in this block as the inside IP of your router (default gateway for the other devices), commonly the first IP or 5.6.7.1
If the ISP only gives you the /28, and their device is using one of the IPs within that block (5.6.7.1 in the above example) for you to use as the default gateway, then a router is not the easiest solution. In this case there are three options I’m aware of:
- Connect a switch between the ISP and the devices needing to use a public IP. One of these devices can operate a DHCP server, or the switch can if you use a managed switch with that function.
- Use a firewall or router in bridge mode (in PFSense, just bridge the interfaces together) and configure it to run DHCP on the bridge. This effectively turns it into a switch like #1, but may offer additional options.
- Use a firewall or router with 1:1 NAT between the public IPs, and the devices that should use them. For example:
    5.6.7.2 - router’s public IP, for regular traffic
    5.6.7.3 - 1:1 NAT to 10.6.7.3
    5.6.7.4 - 1:1 NAT to 10.6.7.4
    5.6.7.5 - 1:1 NAT to 10.6.7.5
    Etc.
And the router/firewall just runs DHCP for 10.6.7.0/28 on its LAN side.
In my environment, method #3 is preferred because then we can use the firewall’s IPS to protect the devices behind the 1:1 NATs, and some of them we limit using an ACL.
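The 1:1 NAT layout from option #3, modelled in Python as an added example (this is not code from the original post or from pfSense). It uses the post's own addresses: the public /28 5.6.7.0/28, the ISP gateway on .1, the router's own public IP on .2, and the private 10.6.7.0/28 behind it. Each remaining public host is paired with the private host at the same offset, packets are translated in both directions, unmapped inside hosts fall back to the router's IP for "regular traffic", and the table is rendered as iptables DNAT/SNAT rules (the interface name `eth0` is an assumption). The point a defender cares about is that the mapping is explicit and checkable: the gateway and router IPs can never be handed to an inside host, and the inside block is verified to be private.

```python
"""1:1 NAT table for a public /28 served from a single ISP block (added example)."""
import ipaddress


def build_one_to_one_map(public_block, private_block, reserved_public):
    """Pair each usable public IP with the private IP at the same host offset.

    reserved_public lists public addresses that must not be NATed to an inside
    host: the ISP's gateway and the router's own public IP.
    Returns {public_ip_str: private_ip_str}.
    """
    pub = ipaddress.ip_network(public_block)
    priv = ipaddress.ip_network(private_block)
    if pub.prefixlen != priv.prefixlen:
        raise ValueError("public and private blocks must be the same size")
    if not priv.is_private:
        raise ValueError("inside block must be RFC 1918 space")
    reserved = {ipaddress.ip_address(a) for a in reserved_public}
    for r in reserved:
        if r not in pub:
            raise ValueError(f"reserved address {r} is not in {pub}")
    mapping = {}
    # hosts() skips the network and broadcast addresses; offset 1 is .1, etc.
    for offset, pub_ip in enumerate(pub.hosts(), start=1):
        if pub_ip in reserved:
            continue
        mapping[str(pub_ip)] = str(priv.network_address + offset)
    return mapping


def translate_inbound(mapping, dst_ip):
    """Public destination -> private destination, or None if not a 1:1 host."""
    return mapping.get(dst_ip)


def translate_outbound(mapping, src_ip, router_public_ip):
    """Private source -> its public IP; unmapped inside hosts use the router's IP."""
    reverse = {private: public for public, private in mapping.items()}
    return reverse.get(src_ip, router_public_ip)


def render_iptables_rules(mapping, wan_if="eth0"):
    """Render the table as Linux iptables rules (wan_if is an assumed name)."""
    rules = []
    for public, private in mapping.items():
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {public} "
                     f"-j DNAT --to-destination {private}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {private} "
                     f"-j SNAT --to-source {public}")
    return rules


if __name__ == "__main__":
    table = build_one_to_one_map("5.6.7.0/28", "10.6.7.0/28",
                                 reserved_public=["5.6.7.1", "5.6.7.2"])
    for public, private in table.items():
        print(f"{public} - 1:1 NAT to {private}")
    print(translate_outbound(table, "10.6.7.1", "5.6.7.2"))  # LAN gateway, regular traffic
    print("\n".join(render_iptables_rules(table)))
```

Each inside host that should be reachable on its own public IP gets exactly one DNAT and one SNAT rule; anything else on 10.6.7.0/28 (the router's LAN gateway on .1, or a host you have deliberately left unmapped) leaves through the router's own 5.6.7.2. Filtering and IPS rules can then be written against the stable private addresses, as the post describes.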