How to set up pfSense with multiple public IPs
Having trouble with multiple public IPs getting routed correctly.
I'd like to set up the following network:
public_ip1(assigned WAN IF) -> pfSense -> server 1,2,3 - 192.168.0.11, .12, .13
public_ip2(assigned WAN2 IF) -> pfSense -> server 4 - 192.168.0.22
I set up a second interface for public_ip2. I also added a firewall and NAT rule so that anything on public_ip2 is allowed/forwarded to 192.168.0.22, and an outbound rule that anything from 192.168.0.22 goes out via WAN2.
From the 192.168.0.22 server when I try to use something like curl http://ipecho.net/plain it returns the public_ip1. The gateway for my public_ip2 is set correctly in the interface setup.
I can ssh into the .22 server on public_ip2 and all is well.
What am I missing?
Solution 1:
So, turns out the order of the firewall rules matters. Of course I knew this, but sometimes in the middle of the battle it's hard to see.
Here is the setup that works perfectly:
The physical setup looks like this:
Cable modem -> DMZ Switch -> LAN1 interface -> LAN2 interface
Set up the LAN1 and LAN2 interfaces on pfSense:
208.xxx.xxx.xxx Gateway 208.xxx.xxx.1
66.xxx.xxx.xxx Gateway 66.xxx.xxx.1
System->Routing – should show two gateways
System->Routes – nothing
System->Groups – nothing
Firewall->Virtual IP – nothing
Status->Gateways – both should be up
Firewall->NAT - must be top rule:
WAN2 TCP/UDP * * WAN2 address 1-65535 192.168.0.22
Firewall->NAT – outbound – choose manual outbound NAT
WAN2 192.168.0.22/32 * * * WAN2 Address
Firewall->Rules LAN – must be first rule
LAN 192.168.0.22 * * * WAN2GW
Firewall->Rules WAN2 – must be first rule
WAN2 * * 192.168.0.22 1-65535 *
Now if I'm on the 192.168.0.22 server and check my IP, it shows the correct 208.xxx.xxx.xxx address, meaning it's using the LAN2 gateway. If I'm on a server other than that, it shows the 66.xxx.xxx.xxx address. I also have full access to the 192.168.0.22 server at the 208.xxx.xxx.xxx address. Note that all traffic is forwarded to the 192.168.0.22 server, which is running its own iptables firewall.
pfSense rocks!
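The answer's key point, that the policy-routing rule for 192.168.0.22 must sit above the general LAN pass rule because pfSense evaluates rules top-down with first match winning, can be traced with a small first-match evaluator. This is an added example, not code from the post or from pfSense itself. The rule tables, the hosts and the public addresses (198.51.100.10 and 203.0.113.10 stand in for the post's 66.xxx.xxx.xxx and 208.xxx.xxx.xxx) are constructed; `WAN2GW` is the gateway name used in the answer, and `default` labels the WAN gateway.

```python
# Added example (not from the original post or pfSense): a first-match rule
# evaluator that reproduces the questioner's symptom (egress via public_ip1)
# when the policy-routing rule is below the general LAN rule, and the fix
# when it is on top. All addresses and rule tables are constructed.
import ipaddress

# Constructed public addresses standing in for the post's 66.xxx / 208.xxx.
WAN_ADDRESS = "198.51.100.10"   # WAN  (66.xxx.xxx.xxx in the post)
WAN2_ADDRESS = "203.0.113.10"   # WAN2 (208.xxx.xxx.xxx in the post)

# Which interface a chosen gateway sends traffic out of.
GATEWAY_INTERFACE = {"default": "WAN", "WAN2GW": "WAN2"}


def in_net(addr, spec):
    """'*' matches anything; otherwise test CIDR/host containment."""
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, pkt):
    """pfSense rule semantics: top-down, the first matching rule wins."""
    for rule in rules:
        if (rule["interface"] == pkt["interface"]
                and in_net(pkt["src"], rule["src"])
                and in_net(pkt["dst"], rule["dst"])):
            return rule
    return None


def egress_gateway(lan_rules, pkt):
    """Return the gateway chosen for pkt, or None if no pass rule matches."""
    rule = first_match(lan_rules, pkt)
    if rule is None or rule["action"] != "pass":
        return None
    return rule["gateway"]


def outbound_source(nat_rules, out_iface, src):
    """Manual outbound NAT: first matching rule on the egress interface."""
    for rule in nat_rules:
        if rule["interface"] == out_iface and in_net(src, rule["src"]):
            return rule["translate"]
    return src  # no NAT rule: the private source would leave untranslated


def trace(lan_rules, nat_rules, src, dst="192.0.2.80"):
    """Follow a LAN host's packet: (egress interface, source seen by dst)."""
    gw = egress_gateway(lan_rules, {"interface": "LAN", "src": src, "dst": dst})
    if gw is None:
        return None
    iface = GATEWAY_INTERFACE[gw]
    return iface, outbound_source(nat_rules, iface, src)


# The answer's rule: LAN 192.168.0.22 * * * WAN2GW
POLICY_RULE = {"interface": "LAN", "src": "192.168.0.22/32", "dst": "*",
               "gateway": "WAN2GW", "action": "pass"}
# The usual "allow LAN to any" rule using the default gateway.
DEFAULT_LAN_RULE = {"interface": "LAN", "src": "192.168.0.0/24", "dst": "*",
                    "gateway": "default", "action": "pass"}

CORRECT_LAN_RULES = [POLICY_RULE, DEFAULT_LAN_RULE]   # policy rule first
WRONG_LAN_RULES = [DEFAULT_LAN_RULE, POLICY_RULE]     # policy rule never reached

# Manual outbound NAT: WAN2 192.168.0.22/32 -> WAN2 address, plus the WAN rule.
OUTBOUND_NAT = [
    {"interface": "WAN2", "src": "192.168.0.22/32", "translate": WAN2_ADDRESS},
    {"interface": "WAN", "src": "192.168.0.0/24", "translate": WAN_ADDRESS},
]


def fixed_server4():
    """Correct ordering: the .22 host leaves via WAN2 as the WAN2 address."""
    return trace(CORRECT_LAN_RULES, OUTBOUND_NAT, "192.168.0.22")


def broken_server4():
    """Wrong ordering: the .22 host leaves via WAN, the symptom in the question."""
    return trace(WRONG_LAN_RULES, OUTBOUND_NAT, "192.168.0.22")


def fixed_server1():
    """Other hosts are unaffected by the policy rule and use WAN."""
    return trace(CORRECT_LAN_RULES, OUTBOUND_NAT, "192.168.0.11")


if __name__ == "__main__":
    print("policy rule on top, .22 :", fixed_server4())
    print("policy rule below,  .22 :", broken_server4())
    print("policy rule on top, .11 :", fixed_server1())
```

The `broken_server4` path is exactly what the question observed: the general LAN rule matches first, the packet takes the default gateway, and the WAN outbound NAT rewrites it to public_ip1. Moving the policy rule to the top changes only which rule matches first; the outbound NAT rule on WAN2 then does the rest. The curl check from the answer is the live equivalent of `trace`.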