Routing Public IP Addresses

This section covers the routing of public IP addresses where a public IP subnet is assigned to an internal interface on a single firewall deployment.

See also

If a High Availability cluster is in use, see Providing Redundancy Without NAT.

IP Assignments

At least two public IP subnets must be assigned by the ISP. One is for the WAN of the firewall, and one for the inside interface. This is commonly a /30 subnet for the WAN, with a second subnet assigned for the internal interface. This example will use a /30 on WAN as shown in Table WAN IP Block and a /29 public subnet on an internal OPT interface as shown in Table Inside IP Block.

WAN IP Block
198.51.100.64/30
IP Address Assigned To
198.51.100.65 ISP router (pfSense default gateway)
198.51.100.66 pfSense WAN interface IP address
Inside IP Block
192.0.2.128/29
IP Address Assigned To
192.0.2.129 pfSense OPT interface
192.0.2.130 Internal hosts
192.0.2.131
192.0.2.132
192.0.2.133
192.0.2.134

Interface Configuration

First configure the WAN and OPT interfaces. The LAN interface can also be used for public IP addresses if desired. In this example, LAN is a private IP subnet and OPT1 is the public IP subnet.

Configure WAN

Add the IP address and gateway accordingly. Figure WAN IP and Gateway Configuration shows the WAN configured as shown in Table WAN IP Block.

../_images/routing-wan-ip-config.png

WAN IP and Gateway Configuration

Configure OPT1

Now enable OPT1, optionally change its name, and configure the IP address and subnet mask. Figure Routing OPT1 Interface Configuration shows OPT1 configured as shown in Table Inside IP Block.

../_images/routing-opt-config.png

Routing OPT1 Interface Configuration

../_images/routing-opt-ip-config.png

Routing OPT1 IP Address Configuration

NAT Configuration

The default of translating internal traffic to the WAN IP must be overridden when using public IP addresses on an internal interface.

  • Browse to Firewall > NAT
  • Click the Outbound tab
  • Select Hybrid Outbound NAT rule generation
  • Click Save
  • Click fa-level-up to add a new rule to the top of the list with the following settings:
    Do not NAT:Checked, so that NAT will be disabled
    Interface:WAN
    Protocol:Any
    Source:Network, enter the local public IP subnet, 192.0.2.128/29
    Destination:Any
  • Click Save

This will override the default automatic rules which translate all traffic from local interfaces leaving the WAN interface to the WAN IP address. Traffic sourced from the OPT1 network 192.0.2.128/29 is not translated because of the manually added rule excluding it from NAT. This configuration maintains the automatic behavior for other internal interfaces, so that the advantages of automatic outbound NAT rules are not lost. This configuration is shown in Figure Outbound NAT Configuration.

If public IP addresses are used on all local interfaces, then set Disable Outbound NAT rather than using Hybrid mode.

../_images/routing-outbound-nat.png

Outbound NAT Configuration

Firewall Rule Configuration

The NAT and IP address configuration is now complete. Firewall rules will need to be added to permit outbound and inbound traffic. Figure OPT1 Firewall Rules shows a DMZ-like configuration, where all traffic destined for the LAN subnet is rejected, DNS and pings to the OPT1 interface IP address are permitted, and HTTP is allowed outbound.

../_images/routing-opt1-example-rules.png

OPT1 Firewall Rules

To allow traffic from the Internet to the public IP addresses on an internal interface, add rules on the WAN using the public IP addresses as the Destination. Figure WAN Firewall Rules shows a rule that allows HTTP to 192.0.2.130, one of the public IP addresses on the internal interface as shown in Table Inside IP Block.

../_images/routing-wan-example-rule.png

WAN Firewall Rules

After configuring the firewall rules as desired, the setup is complete.

Note

Traffic will flow from LAN to this public subnet by default without NAT. If this behavior is not desired, adjust the LAN firewall and NAT rules accordingly. Additionally, policy routing may need to be bypassed to allow from LAN to this interface.