Routing Public IP Addresses
This section covers the routing of public IP addresses where a public IP subnet is assigned to an internal interface on a single firewall deployment.
If a High Availability cluster is in use, see High Availability Configuration Example without NAT.
At least two public IP subnets must be assigned by the ISP. One is for the WAN of the firewall, and one for the inside interface. This is commonly a /30 subnet for the WAN, with a second subnet assigned for the internal interface. This example will use a /30 on WAN as shown in Table WAN IP Block and a /29 public subnet on an internal OPT interface as shown in Table Inside IP Block.
Table WAN IP Block: ISP router (pfSense® default gateway); pfSense WAN interface IP address.
Table Inside IP Block: pfSense OPT interface (192.0.2.128/29).
First configure the WAN and OPT interfaces. The LAN interface can also be used for public IP addresses if desired. In this example, LAN is a private IP subnet and OPT1 is the public IP subnet.
The default of translating internal traffic to the WAN IP must be overridden when using public IP addresses on an internal interface.
- Browse to Firewall > NAT
- Click the Outbound tab
- Select Hybrid Outbound NAT rule generation
- Click the Add button to add a new rule to the top of the list with the following settings:
  - Do not NAT: Checked, so that NAT will be disabled for matching traffic
  - Source: Network, enter the local public IP subnet, 192.0.2.128/29
This will override the default automatic rules which translate all traffic from local interfaces leaving the WAN interface to the WAN IP address. Traffic sourced from the OPT1 network 192.0.2.128/29 is not translated because of the manually added rule excluding it from NAT. This configuration maintains the automatic behavior for other internal interfaces, so that the advantages of automatic outbound NAT rules are not lost. This configuration is shown in Figure Outbound NAT Configuration.
If public IP addresses are used on all local interfaces, then set Disable Outbound NAT rather than using Hybrid mode.
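The outbound NAT decision described above, as an added model that is not part of the pfSense documentation or code: rules are matched first-match, a manual Do-not-NAT entry at the top short-circuits translation for the OPT1 public block, and the automatic rules still translate the private LAN. The WAN address 203.0.113.2 and the LAN range 192.168.1.0/24 are assumed values; only 192.0.2.128/29 comes from the page.

```python
# Added example (not from the pfSense docs): a small model of how Hybrid
# Outbound NAT decides whether to translate a flow leaving the WAN interface.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

WAN_IP = ip_address("203.0.113.2")  # assumed WAN address (not given on the page)
LOCAL_NETS = [
    ip_network("192.168.1.0/24"),   # LAN: assumed private range
    ip_network("192.0.2.128/29"),   # OPT1: public block from the page
]

class OutboundRule(NamedTuple):
    source: object          # ip_network the rule matches on
    no_nat: bool            # the "Do not NAT" checkbox
    target: object = None   # translation address when no_nat is False

def automatic_rules():
    """The rules pfSense generates itself: every local subnet -> WAN IP."""
    return [OutboundRule(net, False, WAN_IP) for net in LOCAL_NETS]

def translate_source(src, mode, manual_rules=()):
    """Return the source address seen on the WAN for a flow from `src`.

    mode is 'automatic', 'hybrid', 'manual' or 'disabled'. Evaluation is
    first-match, so a manual 'Do not NAT' rule must sit above any rule that
    would otherwise translate the same source (hence "top of the list").
    """
    src = ip_address(src)
    if mode == "disabled":
        return src
    rules = list(manual_rules) if mode in ("hybrid", "manual") else []
    if mode in ("automatic", "hybrid"):
        rules += automatic_rules()      # automatic rules come after manual ones
    for rule in rules:
        if src in rule.source:
            return src if rule.no_nat else rule.target
    return src  # no rule matched: the packet leaves untranslated

# The manual rule from the procedure above: exclude the OPT1 public block.
OPT1_NO_NAT = OutboundRule(ip_network("192.0.2.128/29"), True)

if __name__ == "__main__":
    for host in ("192.168.1.10", "192.0.2.130"):
        print(host, "->", translate_source(host, "hybrid", [OPT1_NO_NAT]))
```

Running the block prints 192.168.1.10 translated to the WAN IP and 192.0.2.130 left untouched; switching the mode to "automatic" shows the problem the manual rule fixes, with the public host rewritten to the WAN IP.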
Firewall Rule Configuration
The NAT and IP address configuration is now complete. Firewall rules will need to be added to permit outbound and inbound traffic. Figure OPT1 Firewall Rules shows a DMZ-like configuration, where all traffic destined for the LAN subnet is rejected, DNS and pings to the OPT1 interface IP address are permitted, and HTTP is allowed outbound.
To allow traffic from the Internet to the public IP addresses on an internal interface, add rules on the WAN using the public IP addresses as the Destination. Figure WAN Firewall Rules shows a rule that allows HTTP to 192.0.2.130, one of the public IP addresses on the internal interface as shown in Table Inside IP Block.
After configuring the firewall rules as desired, the setup is complete.
Traffic will flow from LAN to this public subnet by default without NAT. If this behavior is not desired, adjust the LAN firewall and NAT rules accordingly. Additionally, policy routing may need to be bypassed to allow traffic from LAN to reach this interface.