pfsense Setting Multiple Static WAN IP Addresses / Using Virtual IP's NAT Firewall Rules

  • Published: Jan 21, 2025

Comments • 147

  • @maxd7228 6 years ago +18

    These pfsense series videos are GOLD.

    • @humanbeing_ 5 years ago +1

      Absolutely they are! His whole channel, srsly.

  • @darren_clark 6 years ago +3

    Thanks, this is exactly what I was looking for. I am glad you had an error at 4:21, this is quite helpful to see what happens when it is not set up correctly.

  • @adrianb501 6 years ago +1

    I just broke my internet 2 days ago trying to do this (obviously the wrong way). You read my mind by making this video. Thanks again.

    • @adrianb501 6 years ago

      Also, is it a bug that pfSense blocks all WAN traffic with a subnet of /32 (explicit)? My internet provider supplies me IP addresses in a subnet of /31. I was wanting to separate them to tell if one of the lines went down.
      I live in a new area and one IP originates from one side of the city and the other comes from the other. Dumb construction workers dug up/cut one of the main fiber lines and half the city lost internet. Luckily I could just switch static IPs and had internet again.

  • @DialM4Microcontrollr 6 years ago +2

    Great job, Tom, love the pfsense vids. Did this on a Watchguard years ago when the company needed multiple external IPs for external facing HTTPS. Keep it up!

  • @alandavis5840 6 years ago +3

    Got dropped into an outfit running pfSense - thanks for making the learning curve so much better

    • @MrFurriephillips 5 years ago

      I've been in an outfit using Ciscos with classic 2000's mentality of using elitist CLI-only kit, with zero user-friendliness, monitoring & manageability. I'm about to replace them with a gorgeous pfSense VM (with 8x CPU cores, 10Gb NICs & oodles of RAM) on a 1Gb link - this NAT video has allowed me to properly separate the guest & LAN VLANs, so that guests' WAN IP differs from the one that users on our main LAN get (and is trusted by various cloud services). Thanks!

    • @MrJakecornford 2 years ago

      @MrFurriephillips I see you posted 3 years ago but this is exactly what I want to do. I would like to run some game servers and each one needs a unique external IP.
      Are you able to explain how you assign each WAN IP to each VLAN? If I can work out how to do that I'm all sorted.

  • @ejbully 4 years ago

    Super helpful.... still two years later.... thank you - ima let the box find the block via dhcp... then use the virtual for the fine-tuning on the remainder of the static. Much appreciated!!

  • @SebuhHonarchian 6 years ago

    dude ur giving me a crash course in pfsense right now ur the best. I'd love to outsource ur company one day and send u some work.

  • @DLVideo94 6 years ago +1

    Thanks again, as usual, your videos are very informative and this one was just in time because I should receive my block of IPs this week.

  • @AussieRail 6 years ago

    Great Video, Tom. Another use case: I'm lucky enough to have a class C block allocation of my own (256 portable public IP addresses that are NOT provided by my ISP), so I've been using this technique for a while. I have a WAN link over PPPOE, for which the ISP provides an IP address. That becomes the WAN address. The LAN interface uses addresses in my own range, (which the ISP routes to me via their provided IP) and I just route between them. In addition to port forwarding, I've used virtual WAN IPs from my own allocation as outbound NAT addresses for the private subnets, so that the only traffic I need to care about, coming back, is that of my own address range. Anything else gets dropped - including anything destined for the ISP-provided WAN address.

  • @AcidzDesigns 3 years ago

    Honestly thought this was gonna be a massive headache to get set up, ISP offers me 5 IPs for free. New server for pfsense ordered, can't wait to get it all working. Thanks Lawrence

  • @sicariusdracus 2 years ago +1

    Great job! Made my job simple with this tutorial.

  • @irfansayed6714 2 years ago

    Nice job Tom, I have learned this and I'm pretty much confident now.

  • @devopssimon 3 years ago

    Hi, I have a gitlab server on a VLAN and have set up 1:1 NAT with a public static IP address. This is working fine from other subnets on my network and from outside the network. But if I try to access the public domain name that points to the public IP address from the same subnet, I get the private IP address of the server. How can I force traffic to access the device through the public IP? Thanks for any advice you can offer.

  • @martingregson7136 4 years ago +1

    Very well done!
    Is there a chance you could go into a little more detail regarding the hardware setup for this case scenario?
    I have a very similar case setup but I’m finding it difficult to understand the physical hardware setup. If, like in your case I say 3 IP addresses 1, 2, 3. Say 1 is assigned to the outer then 2 to device B and 3 to device C. What hardware and setup are needed to achieve this?

  • @ToxicwasteProductions 1 year ago

    Does this also work with dynamic IPs? I'm guessing the WAN side IPs only handle inbound traffic? Because I have 4 IP addresses and they are limited to 250mbit per IP. So if I can assign all four and get it to use all four I think I may be able to break the actual limit.
    Done some testing with running four computers wired and starting speedtest on all and they all get about 250ish Mbit. So I think it's a per IP limit.

  • @haroonnaseem1 1 year ago

    How do you set the LAN2 traffic to go through the second virtual IP?

  • @fransuelo 3 years ago

    Congratulations for your work. It's videos with good explanations.

  • @muhammadaamir566 2 years ago

    I have two WAN's ISP_A and ISP_B and just one LAN...
    Both Gateways pings and connects but the system IP's under the ISP_B are not pinging?
    any idea why? If the gateway ping then why not?

  • @deciodasilva3960 2 years ago

    Hi man, I have a static internet connection but I need to run on 1000base t but it only runs on 100base tx...when on 1000base t it stops recognizing the adapter...USB Ethernet adapter 1GB speed

  • @mvergara 4 years ago +1

    Hi. I wonder if that works if I have two different IP pools, or do I need to install two network cards, one for each pool?

  • @saeedtehrani7481 1 year ago

    Great video. Question: how do you pass through ISP multiple IP addresses to the dedicated VLAN in pfsense? I have a couple of servers, I want them to pick up my ISP public IP.

  • @lightspeed79 2 years ago

    Hey, I'm trying to configure an IPSEC site to site VPN using a virtual IP. The IP is working but not able to establish the tunnel.

  • @pctechjustin 2 months ago

    Excellent video! Thanks again!

  • @TheMemcon 6 years ago +3

    Great explanation. Thanks Tom!

  • @LeadasTwoKings 5 years ago +2

    Would it be possible to route a specified VLAN only over a specified Virtual IP?

    • @jasond580 3 years ago

      Did you figure this out?

    • @LeadasTwoKings 3 years ago +1

      @jasond580 I ended up just using Outbound NAT

    • @jasond580 3 years ago

      Cool. Think that is the same as what I went with, running in a hybrid mode. Thanks!

  • @StormChasingVideo 3 years ago

    That was too easy, thank you.

  • @enissay9950 2 years ago +1

    Nice vid. But, any way to force outgoing traffic to use a specific IP? So my traffic should be seen as coming from IP2, IP3, ...

  • @irfansayed6714 2 years ago

    Nice Video Tom very Helpful

  • @JonathanAnderson 6 years ago

    So I just got a few more public IPs but the gateway is different. Would I just add that new gateway to my existing WAN address (which has its own gateway) then continue to follow these instructions?

  • @douglasg14b 4 years ago

    What if you have different gateways for each different IP? I can't add a virtual IP that works as the gateway is also different, my ISP is weird and every IP has its own gateway...

  • @labret8937 2 years ago

    I have a Static block for home use and a pfSense behind my in-home gateway.
    I have need to run OpenVPN (NordVPN) as well as Squid Proxy. I'd also like to hide my DNS from my ISP when not using VPN.
    I have OpenVPN set up on my default gateway with a static block, as well as Squid Proxy set up on my WAN2 interface (and separate NIC), using a bridged IP address from my in-home ISP gateway.
    I had to set it up this way so my VPN's DNS doesn't leak out my default WAN pre-encryption. And so I can set up DNS over TLS in the DNS resolver. Ideally I'd like Squid Proxy to have its own IP address from the static block for more privacy.
    Is there a way for me to set up all three, OpenVPN, Squid Proxy and advanced DNS features on one NIC (maybe by splitting the DNS resolver), so I don't break the VPN? Some DNS resolver features are not supported by Nord.
    Edit: I'd also like to be able to port forward from Squid Proxy to my videogame consoles for the Open NAT rating the consoles give you when you set up port forwarding. Squid Proxy allows for fast downloads, conceals your IP if it is different from your default and with some videogames it prevents UDP packets from communicating with my console directly which reduces a lot of lag.

  • @linuxpc4me555 3 years ago +1

    Thanks for the video! I do have a question... I see on your pfSense dashboard the main WAN address and one (1) LAN of 192.168.40.1. You create a Virtual IP(s) for additional Public IPs and a NAT IP of 192.168.40.50 (on LAN interface). With your example of 3 WWW facing IPs can I put the other 2 on interface OPT1 (LAN 192.168.60.1/24) and OPT2 (LAN 192.168.80.1/24)? Or does everything need to point to servers/PCs etc. on the actual LAN interface?

  • @baremetaltechtv 4 years ago

    This is exactly what I want to do, except with a VPS hosting pfsense and using a block of IP addresses from the provider. Because my provider does not offer or support more than one IP address, I want to use the VPS and provided addresses to assign public IP's to my homelab server that will be tunneled to the vps to connect with pfsense. This seems like it should be possible, right?

  • @ChiefIdeasOfficer 2 years ago

    interestingly if you do want multiple servers behind a firewall to all run SSH then you can now use SSH's ProxyJump functionality to transparently tunnel through one exposed server which can increase security as well by not exposing other servers and potentially just having a single hardened server exposed with no other services on there.

  • @MrMschilder 4 years ago

    Hello, did you ever try pfsense with multiple IPs via a GRE tunnel?

  • @rajilsaraswat9763 6 years ago +1

    It would be nice if you could do a video on traffic shaping.

  • @Josifbg 4 years ago

    Great Video Thanks. But how to add those extra IPs given from the ISP if you use HA-CARP?

  • @d3mist0clesgee12 2 years ago

    Great stuff!!!! Thanks again for the info!!!

  • @Joncorvin 6 years ago

    I am testing a uverse connection and a comcast connection. I have my pfsense box connected to comcast using DHCP on the WAN. I have a Ubiquiti router connected to the uverse box using DHCP on the WAN. They are on separate LAN subnets. I have a network cable plugged into my Ubiquiti box into my comcast LAN with DHCP disabled so that I can manually configure a PC on the network to route traffic through my uverse connection. It's working perfect. I have tried to add another virtual IP on the same subnet as the Ubiquiti router and can get it to work. Any help?

  • @ClemMorton 3 years ago

    Quick Question.
    If my ISP hands out a range of addresses that are dynamic and distributed by DHCP how would I assign more than one of them to my WAN interface?

    • @LAWRENCESYSTEMS 3 years ago

      DHCP goes to each MAC address so DHCP ranges will not work properly. The workaround would be to have multiple interfaces.

    • @ClemMorton 3 years ago

      @LAWRENCESYSTEMS Ah. That's the solution I've devised.
      I plug my modem into my managed switch, and bring the "Internet" in on a VLAN and then I am able to create as many VLAN interfaces as I need.

  • @moondawson2165 5 years ago

    My ISP modem has been assigned a static IP but the netmask is 255.255.255.255. How do I assign a static IP from this to my pfsense firewall? Or I would need to request for a static IP not assigned to any device yet?

  • @NickKaranikolas 6 years ago

    Would it be possible if your Interface IPv4 Address = 172.16.69.150/24 but IPs (IP Block) from ISP would be on another subnet? For example 172.18.70.150/30

  • @markmachX 6 years ago

    Thanks very much for this. A HUGE HELP to a pfSense newbie like me :D

  • @revadan 4 years ago

    Hi Lawrence, I created 2 NO-IP hostnames and set up NAT from my pfSense. My assigned hostnames can now be accessed outside BUT it gave me the same result on the 2 hostnames though they have different contents.. meaning I can only access my webserver on both NOIP hostnames.. I can't figure out why.. I know I use port 80 on both.. is there a way to fix this?

  • @fredbarrantes6401 4 years ago

    Seemed to work great to get my webserver traffic where it should go, but the outbound NAT rule makes all my fire TVs on separate VLAN from the webserver stop talking to the internet. Anyone have any suggestions?

  • @slivver87 5 years ago +2

    Thanks for this great video. Is it also possible to route outgoing connections through one of those virtual IPs?

    • @sir-mac 5 years ago

      did you find out if this is possible? I'm trying to figure out the same thing

    • @fpvaemon 4 years ago +1

      Of course, but you will need to use an outbound NAT entry to accomplish this. Normally Outbound NAT with pfSense is configured to be automatic, but you can switch to Hybrid/Manual. E.g. server X from your LAN network should choose IP Alias X.X.X.X instead of Y.Y.Y.Y. Create an outbound entry on WAN Interface and change Source (NAT) IP to the Alias of X.X.X.X. You may need to choose network as source and provide the Source of your host with a /32 CIDR. If you need any help, just hit me up :)

    • @fpvaemon 4 years ago +1

      @sir-mac yes it is :)

  • @chrisna9861 5 years ago

    Trying to get this same scenario to work for me but I'm on PPPoE and the IP address we are setting is on a different range (/29) address subnet from the principal WAN which is a (/24). Is this possible?

  • @logicone3834 4 years ago

    Hey what are some of the limitations of using VIPS?

  • @mikayilcerit 4 years ago

    when will the opnsense videos come?

  • @dochood1966 2 years ago

    Hello, Tom. I'm curious as to what the hardware connections look like. I have a block of 5 static IPs that I'd like pfSense to manage. One of them will be my home network with Unifi stuff behind it, and the rest will be ad-hoc work networks, where I might throw another pfSense box or something like a Linux laptop, another SOHO Wifi Router, or a Raspberry Pi occasionally. How many NICs do I need? How does pfSense route the traffic coming from the internet to the individual static IPs? How would I treat one static IP as the gateway to my internal Unifi network (like I do right now with a single WAN IP), but the rest as their own WANs? I appreciate any tips you can give me.

  • @jaccoboquinn2294 1 year ago

    Would this configuration allow me to assign different WAN IP address to proxmox VM's?

  • @muhammadejaz9841 4 years ago

    Good Job Man. Dear I have a problem. While I try to access one of my WAN IPs from my LAN, instead of the WAN IP it opens the pfSense interface, while it works fine when I access it from another network outside my LAN. Please Help (Urgent)

  • @caseyj789456 5 years ago

    Exactly what i need to know. Man you are the boss! Thx a bunch :)

  • @fazalkamal3116 6 years ago

    I am new to pfsense. I setup pfsense with two WAN interfaces and single LAN. WANs are from two different ISPs. I have static public IP from one ISP while other is not static. Obviously in Routing>Gateway Groups I joined both WAN into one group. Whenever I check whatismyip it always shows me ip obtained from non static one. Whereas I want to fix it on my static IP from first ISP.
    Please advise what should I do?

    • @LAWRENCESYSTEMS 6 years ago

      The the one you want to be the default in the settings

  • @84westy55 2 years ago

    How do you handle it if the second Static IP has a different gateway than the first?

    • @LAWRENCESYSTEMS 2 years ago +1

      Add more WAN interfaces with different gateways

    • @84westy55 2 years ago

      @LAWRENCESYSTEMS Thanks for the fast reply! We're on 2.4.4-RELEASE-p3, so I assume that's a new Gateway. Since I've already configured a Virtual IP address, I have some untangling to do!

  • @Fade2blk9 2 years ago

    Hey Tom great video! I have a similar setup but my ISP is having me use DHCP for my main traffic and then set up a public subnet for public traffic. The public traffic has to go through a separate upstream gateway as well. How would I set this up? Does this mean I need to set up some sort of a bridge?

  • @LIDHosting 6 years ago

    Hey Tom love the videos. I did as you said. My other IPs do not have any internet service. I cannot access the internet from any of the other 4 IPs..

  • @TrickyCharacter 4 years ago

    Nice vid thanks, have you done any showing how to restrict ports to certain WAN addresses on a multi WAN IP pfSense system? Thanks.

  • @ИльяВоздвиженский-ь8д

    Thank you very much, very helpful video!!!

  • @brunolaferriere123 5 years ago

    I have a /29 from my ISP, is there a way for a server behind the firewall to have one of the public IP directly ? But I can still use pfSense to make firewall rules? thank you

    • @mohsinalibhatti7072 5 years ago

      Hey, my ISP has given a /29 IP, can you please show me how to set it up in pfsense

  • @alpineoptimus124 5 years ago

    I want a single website to redirect to a specific WAN, please guide or make a video. Thank You!

  • @nelmarcarag4591 6 years ago

    can this setup work on multiWAN/ISP? let say I put virtual IP from ISP 1 and same as ISP 2 all together, in worst case scenario, should still able to address the NAT IP when either of the ISP goes down? I want to achieve something like having multiple A records pointing to those WAN IP.

  • @akshaykilliket 3 years ago

    can you ping the public ip which you have NAT from external network ---- 152 ping from external network

    • @LAWRENCESYSTEMS 3 years ago

      Not sure I understand the question, you can ping public IP's that respond to ping.

    • @akshaykilliket 3 years ago

      @LAWRENCESYSTEMS do you understand my question sir -- can I ping the virtual IP which you have added in the pfsense from an external network (from internet)

    • @akshaykilliket 3 years ago

      @LAWRENCESYSTEMS why can't I ping the virtual IP from an external network (internet)? Also I added firewall rules for my additional public IPs

  • @Jae_972 6 years ago

    thanks, could you do a video on HA for dual WAN failover in PFsense?

    • @Jae_972 6 years ago

      cool, let's see if he makes a video about it. It's something I want to try in my lab.

  • @santiagomeneses2911 3 years ago

    Excellent video, it helped me, greetings from Ecuador!!!!

  • @rustydusty1111 5 years ago

    Near the end of the video you specify it needs to be the first IP of the range? Is this correct? I'm currently using my 2nd IP in my block/range of WAN IP's as main data as the previous one is a secondary service.

  • @AnoopB 5 years ago

    I would like to add one alias IP to the OpenVPN server, can it be done?

  • @sajaddarvishi 4 years ago

    wow that was very very helpful... tnx a lot man :)

  • @SaifulIslam-my8lh 6 years ago

    Truly this is a helpful topic.

  • @Jaymei 6 years ago

    It's like you're watching my search history.... My problem is trying to set up RemoteApp and 3CX behind Virtual IP addresses which they both don't seem to like. Port forwarding is not working and all guides state to use 1:1 NAT and a whole bunch of other suggestions. Feel free to chime in :)

    • @abdraoufx 6 years ago

      Jamie Fraser how many IPS your ISP gave you?

    • @Jaymei 6 years ago

      6

    • @abdraoufx 6 years ago

      Jamie Fraser you need to test that your first WAN IP on the pfsense port is accessible online. With simple port forwarding to your Web UI. Or other on port 80
      You can also ping + port scan your ISP gateway from outside. You should be able to ping the gateway.
      I'm using this method with 1:1 NAT working without issues.

  • @frankihk 3 years ago

    How to establish a site-to-site vpn with one of the virtual IP address ?

    • @LAWRENCESYSTEMS 3 years ago

      By choosing the virtual IP in your VPN configuration

  • @jerrycrumety1571 6 years ago +2

    Awesome, thanks for this.

  • @jayjay05 5 years ago

    What if you want your internal server to only go out with the .152 address? I guess it's going to be in outbound NATing?

  • @ovvon6481 2 years ago

    Holy moly, so can this setup be accomplished: let's say WAN 1 has 128 public IPs and WAN 2 has a 128 public IP block. How can I set up each interface with the blocks and how do I set up the LAN devices with each IP, and would I be able to set up, let's say, a WAN 1 public IP to send, let's say, an SMTP packet to WAN 2 instead of WAN 1?

  • @ejbully 2 years ago

    Very helpful July 2022.
    Thank you
    Edit had to revisit

  • @WiKAi 6 years ago

    Is there any way to do this with dynamic IPs? I.e. 5 dynamic IPs on one WAN interface?

    • @LAWRENCESYSTEMS 6 years ago

      Just set the WAN to DHCP

    • @WiKAi 6 years ago

      Hmm, sounds easy enough.
      I'm about to set up my first pfSense box this weekend so I haven't had the chance to try it just yet.
      But I've tried researching it beforehand, and all I can find is people claiming it isn't possible with DHCP, as you aren't able to specify a MAC address (or rather DHCP client id) for the virtual IPs, which I guess means they won't be able to request an IP from my ISP's DHCP server.
      Again, I'm very new to pfSense and I might've missed something obvious, in which case I'm sorry.
      Anyway, I'll give it a shot this weekend and hope I can figure it out. Thanks for the great video!

    • @WiKAi 6 years ago

      I didn't manage to pull it off in pfSense alone. I ended up running Proxmox and setting up 5 vNICs in order to get 5 MAC addresses.
      I've read now that it might be possible to get it working in pfSense on its own using netgraph. Will have to try that at a later point.

    • @WiKAi 5 years ago

      @LAWRENCESYSTEMS Just wanted to let you know that this will hopefully be possible in pfSense 2.5.0.
      Feature #1337 which is slated for the 2.5.0-release will allow you to spoof the MAC addresses of VLAN "interfaces".
      I believe this should make it possible to grab multiple IPs with a single NIC, since we'll have multiple MAC addresses to make DHCP requests with.
      Right now I'm stuck with either having to use 5 WAN NICs or running pfSense virtualized. High hopes for #1337 :)

  • @GurkoKurdo 3 years ago

    lawrence you tell that you can't use 2 services on the same public IP ->> do you even reverse proxy bro?

  • @djmaxx007 6 years ago

    Getting this far is no problem. The problem is getting out. I need my devices that use one of my assigned WAN IPs to show that they're using said WAN IP. For example, my Plex sees itself as my first available IP when I want it to show as my second. Reaching my Plex from the outside is fine, but internally my Plex thinks it's offline because there is no port forwarding for port 32400 to my first WAN IP. So from what I understand, I'm supposed to use 1:1 NAT plus a firewall rule to get this to work properly, without using port forwarding since the 1:1 NAT is supposed to forward all traffic from my second IP to my Plex's internal IP and vice versa. Well, tried that and it didn't work, but at least my Plex can see itself as my second WAN IP now. The only way it can get it to work is if I delete the firewall rule and do a regular port forward anyway (which automatically creates the appropriate firewall rule). Now all is well, but when I try to do the same thing with the NEXT IP in my block, no go no matter what. Any ideas guys?

  • @jeffreyharding5709 6 years ago

    Thanks, I was just trying to figure out how to do this.

  • @hiteshlade8890 4 years ago

    Thanks for the help

  • @JohnQ85 4 years ago

    So you wouldn't have a public IP on WAN, and then another public IP on OPT1 with the same firewall rule?

  • @AussieRail 6 years ago

    One thing that gave me trouble on pfSense was limiters. There is a particular large company that updates its software regularly, but does not ask to download gigabytes of data, it just goes and does it at the worst possible time. I won't name them but let's just say that they support "Developers, developers, developers, developers". Anyway, once I got a hold of all the IPs and subnets they use, I put them into an alias and set up a limiter to limit the amount of bandwidth. I could not for the life of me get the floating rules to match any of the packets. It can be confusing since the limiter definitions swap around depending on if the connection is inbound or outbound, but nothing I tried seemed to work. Eventually after months of occasional random tweaking (and a couple of pfSense updates) it finally started working but I have no idea why. It's all just voodoo magic. If you're looking for video ideas, Traffic Shaper / Limiter might be a good one.

    • @ChucksBasix 6 years ago

      It's not that it's voodoo, they just don't always work when certain other tasks are occurring... It also depends heavily on the version of PFSense... In some versions, if you had SQUID enabled, limiters wouldn't work at all. Then in other versions, the limiters had broken entirely and bleh!
      Pretty sure in 2.4.x limiters are mostly fixed, haven't had issues with setting up aliases with limiters. But, why use floating rules for a limiter? That would most likely break the limiter (least it always has for me?)... You would be best off setting a normal rule and specify the inbound/outbound separately in the firewall rules.

    • @AussieRail 6 years ago +1

      Because I'm trying to "Match" packets and divert them through the limiter. I'm not trying to filter them, nor do I need to. The per-interface rule sets don't do matching (only Pass, Block, and Reject). Additionally the one and only working example that I managed to find also used floating rules, for these very reasons.

  • @timoteomamany6828 6 years ago

    Can you make a video with a PPPoE client with a public IP?

  • @undergod1987 5 years ago

    Thank you - Thank you - Thank you

  • @rtakac 6 years ago

    Hi Tom, great video! Could you please create a video tutorial on how to setup L2TP over IPsec server for mobile clients? macOS, Windows, Android, iOS. Thank you!

  • @PedroMorenoBOS 5 years ago

    My teacher...thanks.

  • @estrategia-it4069 5 years ago

    Very good!! Excellent

  • @remn8 5 years ago

    Thanks. Very useful.

  • @nguyendinhsan2139 4 years ago

    Video great, thank you very much

  • @riconugroho7230 5 years ago

    All of our web servers can be accessed from the internet without any problems, but all cannot be accessed from our LAN.

  • @darkking4320 6 years ago

    Thanks

  • @smailmhamed 3 years ago

    Bravo and thanks a lot...

  • @mbazargan8036 5 years ago

    you are the besttttttt

  • @sirusvirtus5885 6 years ago

    Awesome!!!!

  • @marianobruno7491 5 years ago

    Great video and explanation. But I have a problem. I have ATT Business. I have 1 IP address in one pool and another 5 in a different pool. For example:
    172.11.22.21/15
    196.11.22.106 to 109/29
    So, I need to manage two different gateways. And not sure how to do that. The problem is that this connection has been working like this for years, lots of services mapped on the primary IP address and hardcoded in some devices (complicated to change without problems), but recently the company wanted to add more IP addresses and ATT gave me a completely different subnet for those

  • @heuster 9 months ago

    Why is everything "pretty straightforward" to this guy lol

    • @LAWRENCESYSTEMS 9 months ago

      Hmm 🤔, I'm sure there is some straight forward answer...

    • @heuster 9 months ago

      @LAWRENCESYSTEMS You are one of those tech guys that everything just comes naturally. I don't know you from Adam, but I can tell you are a talented guy! ALL THE BEST

  • @bng9939 4 years ago

    Hi, it's a good video. I think you can be a tutor in Udemy.

  • @UClinux 3 years ago

    ths

  • @icr12345 5 years ago

    nat 1:1

  • @FaustoM7432 3 years ago

    Works as inbound, but you should also make a NAT outbound rule, because your server on 192.168.40.50 goes out from the same WAN IP 172.16.69.150 and not from the alias .152 as your in rule.
    You can check easily from your .40.50 server by shell using this "dig +short myip.opendns.com @resolver1.opendns.com"
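
Added example, not from the video or from any commenter: a toy Python model of first-match outbound NAT selection, showing why the server at 192.168.40.50 keeps leaving as 172.16.69.150 until an outbound rule maps it to the .152 alias, and what Hybrid versus Manual mode changes for other subnets. The second subnet (192.168.60.0/24), the extra hosts and all function names are assumptions made for the illustration; it models rule ordering only and is not pfSense code.

```python
"""Added illustration (not pfSense code): first-match outbound NAT selection."""
from ipaddress import ip_address, ip_network

# Addresses quoted in the comments above.
WAN_IP = "172.16.69.150"    # WAN interface address
ALIAS_IP = "172.16.69.152"  # IP Alias virtual IP (".152")
SERVER = "192.168.40.50"    # internal server behind the port forward

# Assumption: two local subnets. 192.168.40.0/24 is the LAN on the page;
# 192.168.60.0/24 stands in for a second VLAN (constructed).
LOCAL_NETS = ["192.168.40.0/24", "192.168.60.0/24"]


def automatic_rules():
    """Rules the firewall generates itself: every local net leaves as WAN_IP."""
    return [(net, WAN_IP) for net in LOCAL_NETS]


def effective_rules(mode, manual):
    """Rule list in evaluation order for a given outbound NAT mode."""
    if mode == "automatic":
        return automatic_rules()
    if mode == "hybrid":          # manual rules first, automatic ones after
        return list(manual) + automatic_rules()
    if mode == "manual":          # only what the admin wrote
        return list(manual)
    raise ValueError(f"unknown mode: {mode}")


def egress_ip(src, mode, manual=()):
    """Public source address a LAN host gets; None means no translation."""
    host = ip_address(src)
    for net, translated in effective_rules(mode, manual):
        if host in ip_network(net):
            return translated     # first match wins
    return None


def audit(mode, manual, expected):
    """Return {host: (wanted, actual)} for every host that egresses wrongly."""
    return {
        host: (want, egress_ip(host, mode, manual))
        for host, want in expected.items()
        if egress_ip(host, mode, manual) != want
    }


# Intended policy: the server leaves as the alias, everything else as WAN_IP.
EXPECTED = {SERVER: ALIAS_IP, "192.168.40.10": WAN_IP, "192.168.60.20": WAN_IP}
HOST_RULE = [(SERVER + "/32", ALIAS_IP)]
# Constructed mistake: a broad rule placed above the /32 rule shadows it.
SHADOWED = [("192.168.40.0/24", WAN_IP), (SERVER + "/32", ALIAS_IP),
            ("192.168.60.0/24", WAN_IP)]

if __name__ == "__main__":
    for label, mode, rules in [
        ("automatic, no manual rule", "automatic", []),
        ("hybrid + /32 rule", "hybrid", HOST_RULE),
        ("manual, /32 rule only", "manual", HOST_RULE),
        ("manual, /32 rule shadowed", "manual", SHADOWED),
    ]:
        print(f"{label}: {audit(mode, rules, EXPECTED) or 'matches policy'}")
```

On the real firewall, the dig lookup quoted in the last comment, run from each host, supplies the observed egress address to compare against the intended one.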