Static WAN to LAN pfsense

Hello im having some trouble with multiple WANS on pfsense,
so my WAN gets the local address that AT&T gives me and I also have a /29 block of static IPs from them im running pfatt and figured out how to pass my /29 through he NAT but I just cant find any documentation on having a differnt WAN IP for each physical interface on pfsense.

The config I want:
WAN -> igb0
WAN ->igb1 -> to a server
WAN ->ix1 -> to another router

how would you be able to do something like this?
I’m unsure of how to get each interface to you a independent public IP.

Why have a public IP on each, why not just port forward to the servers behind pfsense allowing pfsense to act as a firewall?

Because I also have a router that I would like to put behind the pfsense.

1 Like

It’s something I have rarely done, but they have a write up here how to do it.

I would personally use a VIP and not do pass any public IPs through.


@LTS_Tom thank you so much that’s exactly what I was looking for. If I have a firewall on that interface it shouldn’t be a bad thing to do right?

It is not bad, just puts more complexity in your setup.

I had a look at this and couldn’t get it to work, my use case was that we host remote servers for a business and they wanted each server to have a Public IP (we have a /29 -14 useable IP’s).

I have my IP’s configured as Virtual IP’s, but without losing two IP’s, I couldn’t figure out how to give a sever a public IP in the /29 range- I think due to the way my ISP hands out the IP’s (PPPOE).

The only option for the servers themselves to have an IP in the /29 is for them (the interface(s) they connect to) to be bridged with the WAN interface. Otherwise there’s no way to route the traffic.

The business won’t accept a 1:1 NAT to a private IP on the servers? It is a bit more of a pain, but it is the proper way to handle this type of ISP subnet assignment. The days of the ISP using a /30 and routing a /29 or larger to it are gone.

I offered the business a whole internal IP Range to play with, to which they replied they wanted Public IPs.

Still haven’t been able to accomplish what i’m trying to do, get a wan IP no problem on the default LAN interface (igb1) but cant get my static block from at&t to work on the other interface (ix2). Tried the documentation you gave me but its more for if your hosing, i just want every port available so i double NAT on the router plugged into it.

It almost sounds like you need to do policy based routing with multiple IP routing tables. I’ve only done this with a Edgerouter but you might want to research PBR or Policy Based Routing.


All i’m trying to do though is match public IPs to physical interfaces. Any good ideas of how to start off with policy routing, my big issue is that my knowledge of how to use pfsense is lacking, are you a Edgerouter user only?

Can you provide a little more information please. I’m assuming that you are NATing everything through Pfsense to internal (non-internet-routable) IP addresses. Is there only one internal LAN or are there two or more internal subnets? As far as sending traffic to an internal router, you will need to provide Pfsense with the static routes of internal IP subnets that might be behind the internal router. Pfsense does not know about what subnet or subnets are on the other side of that internal router. If you can provide more information that would be great.

Yes i am but for my router in my lab i’m trying to bypass a IP from my public block through the NAT, to a physical interface to just connects to my lab router.

Here is the link for the diagram of what im trying to do

This is how I would do this:
Create a bridge including ix2 and ix3
Assign to the new bridge interface
(At this point your devices connected to ix2 and ix3 are online)
Create a virtual interface on the bridge for
Create custom NAT rules to achieve the desired NAT for igb 1
(These last two steps can be skipped if you’re OK for the LAN devices to be NAT’d to 103.22.30.x)

But so if my static block is then i still Assign to the new bridge interface right? and i still need 103.22.30.x to be my main WAN IP since thats how the box connects to AT&T, the is just the block they give me over my 103.22.30.x link to them. Just making sure you knew that, that is why this wont work. That is why im having trouble configuring it. shown at this link

The answer I gave is correct even given your response.

1 Like

ok well then if i dont want to bridge the interfaces, what could you do instead, one ip is going to a router in my lab and the others are going to servers, want to firewall the servers but not the router, since it is a firewall. Do need to do policy based routing for something like that?