These pfsense series videos are GOLD.

Thanks, this is exactly what I was looking for. I am glad you had an error at 4:21, this is quite helpful to see what happens when it is not set up correctly.

i just broke my internet 2 days ago trying to do this.(obviously the wrong way) you read my mind by making this video. thanks again

Great job, Tom ,love the pfsense vids. Did this on a Watchguard years ago when the company needed multiple external IPs for external facing HTTPS. Keep it up!

Got dropped into an outfit running pfSense - thanks for making the learning curve so much better

Super helpful.... still two years later.... thank you - ima let the box find the block via dhcp... then use the virtual for the fine-tuning on the remainder of the static. Much appreciated!!

dude ur giving me a crash course in pfsense right now ur the best. id love to outsource ur company oneday and send u some work.

Thank again, as usual, your videos are very informative and this one was just in time because I should received my block of ip's this week.

Great Video, Tom. Another use case: I'm lucky enough to have a class C block allocation of my own (256 portable public IP addresses that are NOT provided by my ISP), so Ive been using this techmique for a while. I have a WAN link over PPPOE, for which the ISP provides an IP address. That becomes the WAN address. The LAN interface uses addresses in my own range, (which the ISP routes to me via their provided IP) and I just route between them. In addition to port forwarding, Ive used virtual WAN IPs from my own allocation as outbound NAT addresses for the private subnets, so that the only traffic I need to care about, coming back, is that of my own address range. Anything else gets dropped - including anything destined for the ISP-provided WAN address.

Honestly though this was gonna be a massive headache to get setup, ISP offers me 5 IPs for free. new server for pfsense ordered, cant wait to get it all working. Thanks Lawrence

Great job! Made my job simple with this tutorial.

Nice job Tom I have learned this and I m Pretty much confident now.

Hi I have a gitlab server on a VLAN and have setup 1:1 nat with an public static IP address. This is working fine from other subnets on my network and from outside the network. But if I try to access access the public domain name that points to the public IP address from the same subnet, I get the private IP address of the server. How can I force traffic to access the device through the public IP? Thanks for any advice you can offer?

Very well done! Is there a chance you could go into a little more detail regarding the hardware setup for this case scenario? I have a very similar case setup but I’m finding it difficult to understand the physical hardware setup. If, like in your case I say 3 IP addresses 1, 2, 3. Say 1 is assigned to the outer then 2 to device B and 3 to device C. What hardware and setup are needed to achieve this.

Does this also work with dynamic ips? In guessing the Wan side ips only handle inbound traffic? Because I have 4 ip addresses and they are limited to 250mbit per ip. So if I can assign all four and get it to use all four I think I may be able to break the actual limit. Done some testing with running four computers wired and starting speedtest on all and they all get about 250ish Mbit. So I think it's a per ip limit.

how to do you set the Lan2 Traffic go through the Second Virtual Ip?

Congratulations for your work. It´s videos with good explanations.

Hi man, I static internet connection and but I need to run on 1000base t but it only runs on 100base tx...when on 1000base t it stops recognizing the adapter...USB Ethernet adapter 1GB speed

I have two WAN's ISP_A and ISP_B and just one LAN... Both Gateways pings and connects but the system IP's under the ISP_B are not pinging? any idea why? If the gateway ping then why not?

Hi. I wonder if that works if I have two different IP pools, or do I need to install two network cards, one for each pool?

Great Video. Question How do you pass through ISP multiple IP addresses to the dedicated VLAN in pfsense. I have couple of server I want them to pick up my isp public ip.

Hey, Im trying to configure an IPSEC site to site vpn using a virtual IP. The IP is working but not able to establish the tunnel.

Excellent video! Thanks again!

Great explanation. Thanks Tom!

Would it be possible to route a specified VLAN only over a specified Virtual IP?

That was too easy, thank you.

Nice vid. But, anyway to force outgoing traffic to use specific IP ?cSo my traffic should be seen as coming from IP2, IP3, ...

Nice Video Tom very Helpful

So I just got a few more public IP's but the gateway is different. Would I just add that new gateway to my existing wan address(which has it's own gateway) then continue to follow these instructions?

What if you have different gateways for each different IP? I can't add a virtual IP that works as the gateway is also different, my ISP is weird and every IP has it's own gateway...

I have a Static block for home use and a pfSense behind my in-home gateway. I have need to run OpenVPN (NordVPN) as well as Squid Proxy. I'd also like to hide my DNS from my ISP when not using VPN. I have OpenVPN set up on my default gateway with a static block, as well as Squid Proxy set up on my WAN2 interface (and separate NIC), using a bridged IP address from my in-home ISP gateway. I had to set it up this way so my VPN's DNS doesn't leak out my default WAN pre-encryption. And so I can set up DNS over TLS in the DNS resolver. Ideally I'd like Squid Proxy to have its own IP address from the static block for more privacy. Is there a way for me to set up all three, OpenVPN, Squid Proxy and advanced DNS features on one NIC (maybe by splitting the DNS resolver), so I don't break the VPN? Some DNS resolver features are not supported by Nord. Edit: I'd also like to be able to port forward from Squid Proxy to my videogame consoles for the Open NAT rating the consoles give you when you set up port forwarding. Squid Proxy allows for fast downloads, conceals your IP if it is different from your default and with some videogames it prevents UDP packets from communicating with my console directly which reduces a lot of lag.

Thanks for the video! I do have a question... I see on your Pfsense dashboard the main WAN address and one (1) LAN of 192.168.40.1. You create a Virtual IP(s) for additional Public IP's and a NAT IP of 192.168.40.50 (on LAN interface). With your example of 3 WWW facing IP's can I put the other 2 on interface OPT1 (LAN 192.168.60.1/24)and OPT2 (LAN 192.168.80.1/24)? Or, Does everything need to point to servers/pc's etc on the actual LAN interface?

This is exactly what I want to do, except with a VPS hosting pfsense and using a block of IP addresses from the provider. Because my provider does not offer or support more than one IP address, I want to use the VPS and provided addresses to assign public IP's to my homelab server that will be tunneled to the vps to connect with pfsense. This seems like it should be possible, right?

interestingly if you do want multiple servers behind a firewall to all run SSH then you can now use SSH's ProxyJump functionality to transparently tunnel through one exposed server which can increase security as well by not exposing other servers and potentially just having a single hardened server exposed with no other services on there.

Hello, Did you ever tried pfsense with multiple ip's via a gre tunnel?

It would be nice if you could do a video on traffic shaping.

Great Video Thanks. But how to add those extra IPs given from the ISP if you use HA-CARP?

Great stuff!!!! Thanks again for the info!!!

I am testing a uverse connection and a comcast connection. I have my pfsense box connect to comcast using dhcp on the wan. I have a ubiquit router connected to the uverse box using dhcp on the wan. They are on seperate lan subnets. I have a network cable plugged into my ubiquit box into my comcast lan with dhcp disabled so that I can manually configure a pc on the network to route traffic through my uverse connection. It's working perfect. I have tried to add another virtual ip on the same subnet as the ubiquit router and can get it to work. Any help?

Quick Question. If my ISP hands out a range of addresses that are dynamic and distributed by DHCP how would I assign more than one of them to my WAN interface?

My ISP modem has been assigned a static IP but the netmask is 255.255.255.255. How do I assign a static IP from this to my pfsense firewall? Or I would need to request for a static IP not assigned to any device yet?

Would it be possible if your Interface IPv4 Address = 172.16.69.150/24 but IP's (IP Block) from ISP would be on another subnet? for example 172.18.70.150/30

Thanks very much for this. A HUGE HELP to a pfSense newbie like me :D

Hi Lawrence, i created 2 NO-IP hostnames and setup NAT from my PfSense. My assigned hostnames can now be access outside BUT it gave me same result on the 2 hostnames thu they have different contents.. meaning i can only access my webserver on both NOIP hostnames.. i cant figure out why.. i know i use port 80 on both.. is there a way to fix this?

Seemed to work great to get my webserver traffic where it should go, but the outbound NAT rule makes all my fire TVs on separate VLAN from the webserver stop talking to the internet. Anyone have any suggestions?

Thanks for this great video. Is it also possible to route outgoing connections through one of those virtual IPs?

Trying to get this same scenario to work for me but I'm on PPOE and the IP address we are setting is on different range (/29) address subnet from the principal wan which is a (/24) is this possible?

Hey what are some of the limitations of using VIPS?

when will the opnsense videos come?

Hello, Tom. I'm curious as to what the hardware connections look like. I have a block of 5 static IPs that I'd like pfSense to manage. One of them will be my home network with Unifi stuff behind it, and the rest will be ad-hoc work networks, where I might throw another pfSense box or something like a Linux laptop, another SOHO Wifi Router, or a Raspberry Pi occasionally. How many NICs do I need? How does pfSense route the traffic coming from the internet to the individual static IPs? How would I treat one static IP as the gateway to my internal Unifi network (like I do right now with a single WAN IP), but the rest as their own WANs? I appreciate any tips you can give me.

Would this configuration allow me to assign different WAN IP address to proxmox VM's?

Good Job Man. Dear I have a problem. while i try to access one of my WAN IPs from my LAN, instead of WAN ip it opens PFsense interface. while it works fine when I access it from other network out side my LAN. Please Help (Urgent)

Exactly what i need to know. Man you are the boss! Thx a bunch :)

I am new to pfsense. I setup pfsense with two WAN interfaces and single LAN. WANs are from two different ISPs. I have static public IP from one ISP while other is not static. Obviously in Routing>Gateway Groups I joined both WAN into one group. Whenever I check whatismyip it always shows me ip obtained from non static one. Whereas I want to fix it on my static IP from first ISP. Please advise what should I do?

How do you handle it if the second Static IP has a different gateway than the first?

Hey Tom great video! I have a similar setup but my ISP is having me use DHCP for my main traffic and then set up a public subnet for public traffic. The public traffic has to go through a separate upstream gateway as well. How would I set this up? Does this mean I need to set up some sort of a bridge?

Hey Tom love the videos. I did as you said. my other Ip do not have any internet service . i can not access the internet from none of the other 4 ips..

Nice vid thanks, have you done any showing how to restrict ports to certain WAN addresses on a multi WAN IP pfSense system? Thanks.

Thank you very much, very helpful video!!!

I have a /29 from my ISP, is there a way for a server behind the firewall to have one of the public IP directly ? But I can still use pfSense to make firewall rules? thank you

i want a single website redirect to pacific WAN please guide or make a video. Thank You!

can this setup work on multiWAN/ISP? let say I put virtual IP from ISP 1 and same as ISP 2 all together, in worst case scenario, should still able to address the NAT IP when either of the ISP goes down? I want to achieve something like having multiple A records pointing to those WAN IP.

can you ping the public ip which you have NAT from external network ---- 152 ping from external network

thanks, could you do a video on HA for dual WAN failover in PFsense?

excelente video, me sirvio, saludos desde Ecuador!!!!

Near the end of the video you specify it needs to be the first IP of the range? Is this correct? I'm currently using my 2nd IP in my block/range of WAN IP's as main data as the previous one is a secondary service.

i would like to add one alias ip to open vpn server, it can be done?

wow that was very very helpful... tnx a lot man :)

Truly this is helpful topic.

It's like your watching my search history.... My problem is trying to set up RemoteApp and 3CX behind Virtual IP addresses which they both dont seem to like. Port forwarding is not working and all guides state to use 1:1 NAT and a whole bunch of other suggestions. Feel free to chime in :)

How to establish a site-to-site vpn with one of the virtual IP address ?

Awesome, thanks for this.

What if you want youre internal server to only go out with the .152 address i guess its going to be in outbound nating ?

holly molly so can this setup by accomplished lets say wan 1 has 128 public IP and wan 2 has 128 plabic Ip block. how can i setup each interface with the blocks and how do I setup the lan devices with each ip and would I be able to setup lets say wan 1 public ip to send lets say smtp packet to warn 2 instated of wan 1

Is there any way to do this with dynamic IPs? I.e. 5 dynamic IPs on one WAN interface?

Very helpful July 2022. Thank you Edit had to revisit

lawrence you tell that you cant use 2 services on the same public ip ->> do you even reverse proxy bro?

Getting this far is no problem. The problem is getting out. I need my devices that use one of my assigned WAN IPs to show that they're using said WAN IP. For example, my Plex sees itself as my first available IP when I want it to show as my second. Reaching my Plex from the outside is fine, but internally my Plex thinks it's offline because there is no port forwarding for port 32400 to my first WAN IP. So from what I understand, I'm supposed to use 1:1 NAT plus a firewall rule to get this to work properly, without using port forwarding since the 1:1 NAT is supposed to forward all traffic from my second IP to my Plex's internal IP and vice versa. Well, tried that and it didn't work, but at least my Plex can see itself as my second WAN IP now. The only way it can get it to work is if I delete the firewall rule and do a regular port forward anyway (which automatically creates the appropriate firewall rule). Now all is well, but when I try to do the same thing with the NEXT IP in my block, no go no matter what. Any ideas guys?

Thanks i was just trying ti figure out how to do this.

Thanks for the help

So you wouldn't have a public IP on WAN, and then another public IP on OPT1 with the same firewall rule?

One thing that gave me trouble on pfSense was limiters. There is a particular large company that updates its software regularly, but does not ask to download gigabytes of data, it just goes and does it at the worst possible time. I won't name them but lets just say that they support "Developers, developers, developers, developers" Anyway, once I got a hold of all the IPs and subnets they use, I put them into an alias and set up a limiter to limit the amout of bandwidth. I could not for the life of me get the floating rules to match any of the packets. It can be confusing since the limiter definitions swap around depending on if the connection is inbound or outbound, but nothing I tried seemed to work. Eventually after months of occasional random tweaking (and a couple of pfSense updates) it finally started working but I have no idea why. Its all just voodoo magic. If you're looking for video ideas, Traffic Shaper / Limiter might be a good one.

can you make a video with ppoe client with ip public.

Thank you - Thank you - Thank you

Hi Tom, great video! Could you please create a video tutorial on how to setup L2TP over IPsec server for mobile clients? macOS, Windows, Android, iOS. Thank you!

My teacher...thanks.

Very good!! Excellent

Thanks. Very useful.

vedio great, thank you verymuch

All of our web servers can be accessed from the internet without any problems, but all cannot be accessed from our LAN.

Thanks

Bravo et merci bq...

you are the besttttttt

Awesome!!!!

Great video an explanation. But I have a problem. I have ATT Bussines. I have 1 ip address in one pool and other 5 in different pool. For example: 172.11.22.21/15 196.11.22.106 to 109/29 So, i need to manage two different gateways. And not sure how to do that. The problem is that this connection been working like this for years, lot of services maped on the primary ip address and hardcoded in some devices (complicated to change without problems), but recently company wanted to add more IP address and ATT gave me a complete different subnet for those

Why is everything "pretty straightforward" to this guy lol

Hi, it's a good video. I think you can be a tutor in Udemy.

ths

nat 1:1

Works as inbound, but you should also make a nat outbound rule, because your server on 192.168.40.50, goes out from same wan ip 172.16.69.150 and not from the alias .152 as your in rule. You can check easly from your .40.50 server by shell using this "dig +short myip.opendns.com @resolver1.opendns.com"