MonkWho/pfatt

Setting up static IPs on pfsense

MatthewGCampbell opened this issue · 11 comments

I have a /29 block with AT&T and I'm trying to get it to pass the IPs through the NAT, but I'm unsure if this needs a 1:1 NAT or just a basic NAT rule to exclude the IPs from pfSense's NAT table. Anyone have a setup like this? Trying to get the static IPs to various physical interfaces and don't want to use VLANs.

Yet again, we haven't seen anyone mention configs like this. A better place to check would probably be the Netgate forums or Reddit.

I have a /29 block working - here's my setup, with OPNsense 20.1.7 and commit 90f5abb:

  1. Set up OPNsense with pfatt as you usually would, including a DHCP public IP on the WAN interface. At this step you should have a "normal" setup, without your static IPs.
  2. Navigate to Interfaces -> [WAN] (replace with your WAN interface name). Scroll down to Alias IPv4 address, and enter the RG IP AT&T provided you. For me, this was one past my last usable static IP.
  3. Navigate to Firewall -> NAT -> One-to-One. Create a new One-to-One NAT rule, with the below values:
    Interface: WAN
    External Network: <your desired usable static IP>
    Source (Single Host or Network): <IP of your LAN host or network that you want to use the static public IP> (Set the subnet mask accordingly - for a single device use /32)

Excellent write-up @owenthewizard. Thank you for contributing.

I forgot to add my source, I struggled with this for a while before I found this: https://reddit.com/r/PFSENSE/comments/c08qyt/wan_static_ip_issues/er34dkb. Gracious hat tip to that lady/gentleman!

I think adding this to the README could be useful - even though it's not directly related to the bypass. Thoughts?

This definitely looks like something that should be added to the readme. Unfortunately I don't have the time currently to write it up all nice and coherent. Could someone please write it up and create a pull request so I can just merge it?

Here is at least a starting point. On my pfSense box I do not have a Source option on the new 1:1 rule page. Mine has Internal IP and Destination. I assume Internal IP is correct?

Static IP Setup

If you have a static IPv4 block with AT&T, you can use it with your pfatt configuration. Note that in order to use your IPv4 block, you must set up your connection as stated above first. The normal installation, including setting up DHCP to get a public IP on the WAN interface, should be completed before the steps below.

  1. Navigate to Interfaces > WAN and scroll down to Alias IPv4 address.
  2. Enter the RG IP address that AT&T provided to you. This is typically one past your last usable static IP.
  3. Navigate to Firewall > NAT > 1:1.
  4. Create a new 1:1 NAT rule with the following values.
    1. Interface: WAN
    2. External Network: your desired usable static IP
    3. Internal IP: (Single Host or Network) IP of the LAN host or network that you want to have the static IP.
    4. Set the subnet mask accordingly (single devices use /32)

If this helps anyone, this is what I'm trying to do, and here is my solution:
Create a bridge including ix2 and ix3
Assign 34.33.48.21/29 to the new bridge interface
(At this point your devices connected to ix2 and ix3 are online)
Create a virtual interface on the bridge for 34.33.48.25
Create custom NAT rules to achieve the desired NAT for igb 1
(These last two steps can be skipped if you’re OK for the LAN devices to be NAT’d to 103.22.30.x)

I will try my best and add all of this to the README. Thanks, guys, for your help.
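A sanity check for the 1:1 NAT plan described in this thread, as an added example that is not code from any participant or from the pfatt project. It assumes, as the thread describes, that the RG address is the last host address of the static block ("one past your last usable static IP"); the function names, the 203.0.113.0/29 block, and the LAN addresses are constructed for illustration.

```python
import ipaddress

def static_block_plan(block, rg_ip=None):
    """Split a static block into the RG address (WAN alias) and the usable IPs."""
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    # Assumption from the thread: the RG takes the last host address unless told otherwise.
    rg = ipaddress.ip_address(rg_ip) if rg_ip else hosts[-1]
    if rg not in hosts:
        raise ValueError(f"{rg} is not a host address in {net}")
    return rg, [h for h in hosts if h != rg]

def check_one_to_one(block, lan, rules, rg_ip=None):
    """Return a list of problems for 1:1 rules given as (external IP, internal IP/mask)."""
    rg, usable = static_block_plan(block, rg_ip)
    lan_net = ipaddress.ip_network(lan)
    problems, seen = [], set()
    for ext_s, int_s in rules:
        ext = ipaddress.ip_address(ext_s)
        internal = ipaddress.ip_network(int_s, strict=False)
        if ext == rg:
            problems.append(f"{ext}: RG address (WAN alias), not a usable static IP")
        elif ext not in usable:
            problems.append(f"{ext}: not a usable address in {block}")
        elif ext in seen:
            problems.append(f"{ext}: already mapped by another 1:1 rule")
        seen.add(ext)
        if not internal.subnet_of(lan_net):
            problems.append(f"{internal}: internal side is outside LAN {lan_net}")
    return problems

# Constructed sample values (documentation address range, hypothetical LAN).
BLOCK = "203.0.113.0/29"
LAN = "192.168.1.0/24"
RULES = [
    ("203.0.113.1", "192.168.1.10/32"),  # valid: single host uses /32
    ("203.0.113.6", "192.168.1.11/32"),  # external side is the RG alias
    ("203.0.113.1", "192.168.1.12/32"),  # external IP reused
    ("203.0.113.2", "10.0.0.5/32"),      # internal host not on the LAN
]

if __name__ == "__main__":
    rg, usable = static_block_plan(BLOCK)
    print("RG alias:", rg, "usable:", ", ".join(map(str, usable)))
    for problem in check_one_to_one(BLOCK, LAN, RULES):
        print("PROBLEM", problem)
```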