Having trouble with multiple public IP's getting routed correctly.

I'd like to setup the following network:

public_ip1(assigned WAN IF) -> pfSense -> server 1,2,3 -, .12, .13

public_ip2(assigned WAN2 IF) -> pfSense -> server 4 -

I setup a second interface for public_ip2, I also added a firewall and NAT rule that anything on public_ip2 is allowed/forwarded to I added an outbound rule that anything from goes to WAN2.

From the server when I try to use something like curl http://ipecho.net/plain it returns the public_ip1. The gateway for my public_ip2 is set correctly in the interface setup.

I can ssh into the .22 server on public_ip2 and all is well.

What am I missing?

Maybe I explained it wrong? I'm not doing anything special in my network that I can tell. I posted the correct answer below. – amanda Aug 13 '14 at 17:21

2 Answers

So, turns out the order of the firewall rules matters. Of course I knew this, but sometimes in the middle of the battle it's hard to see.

Here is the setup that works perfectly:

The physical setup looks like this:

Cable modem -> DMZ Switch -> LAN1 interface -> LAN2 interface

Setup LAN1 and LAN2 interfaces on pfSense.

208.xxx.xxx.xxx   Gateway 208.xxx.xxx.1
66.xxx.xxx.xxx   Gateway  66.xxx.xxx.1

System->Routing – should show two gateways
System->Routes – nothing
System->Groups – nothing
Firewall->Virtual IP – nothing
Status->Gateways – both should be up

Firewall->NAT - must be top rule:

    WAN2    TCP/UDP *   *   WAN2 address    1-65535

Firewall->NAT – outbound – choose manual outbound NAT

    WAN2 *   *   *   WAN2 Address    

Firewall->Rules LAN – must be first rule

    LAN    *   *   *   WAN2GW

Firewall->Rules WAN2 – must be first rule

    WAN2    *   *    1-65535 *   

Now if I'm on the server and check my IP it shows the correct 208.xxx.xxx.xxx address, meaning it's using the LAN2 gateway. If I'm on a server other than that it shows the 66.xxx.xxx.xxx address. I also have full access to the server at the 208.xxx.xxx.xxx address. Note that all traffic is forwarded to the server, which is running its own iptables firewall.

pfSense rocks!


NAT only defines translation, not direction of traffic. You'll need to policy route that host out the second WAN if you want that NAT to apply. That's documented in detail in the 2.1 book, and the multi-WAN hang out recording from earlier this year, both of which are available to gold subscribers @ portal.pfsense.org.

Chris Buechler
  • I'm not sure what a "policy route" is in pfSense terms but a firewall rule allowing the traffic to use gateway2 was the problem. It was at the bottom of the rules and should have appeared at the top. Is that a "policy route"? – amanda Aug 13 '14 at 17:25
  • Policy route is any firewall rule that specifies a gateway. – Chris Buechler Aug 16 '14 at 21:16
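Both answers come down to the same mechanism: pfSense applies interface rules top to bottom and the first match wins, so a rule that carries a gateway (Chris Buechler's "policy route") only takes effect if no earlier rule already matched the traffic. The Python below is an added illustration, not code from the question, the answers or the pfSense project: it models first-match evaluation of a LAN ruleset and flags rules that an earlier rule completely shadows, reproducing why the WAN2GW rule had to move to the top. The LAN subnet 192.168.1.0/24, the host address .22 and the destination 203.0.113.10 are constructed assumptions, as is the rule naming.

```python
"""First-match evaluation of a pfSense-style LAN ruleset (constructed example).

A rule with a gateway is a policy route, but it only fires when no earlier
rule matched the packet first.  This models that behaviour to show why the
WAN2GW rule in the question was ineffective at the bottom of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "*"


def _covers(selector: str, ip: str) -> bool:
    """True if a rule selector ("*" or a CIDR) matches the given address."""
    return selector == ANY or ip_address(ip) in ip_network(selector, strict=False)


def _superset(outer: str, inner: str) -> bool:
    """True if every address selected by `inner` is also selected by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # source CIDR or "*"
    dst: str                       # destination CIDR or "*"
    gateway: Optional[str] = None  # a gateway makes the rule a policy route

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _covers(self.src, src_ip) and _covers(self.dst, dst_ip)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Dict[str, Optional[str]]:
    """First-match evaluation, the way pfSense applies interface rules.

    Returns the winning rule's name and the gateway the packet leaves through;
    'default' means the system default route (the first WAN in the question).
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return {"rule": rule.name, "gateway": rule.gateway or "default"}
    return {"rule": None, "gateway": None}  # no pass rule matched: implicit deny


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule fully covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _superset(earlier.src, later.src) and _superset(earlier.dst, later.dst):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed ruleset: assumed LAN 192.168.1.0/24 with server 4 at .22.
ALLOW_LAN = Rule("Default allow LAN to any", "192.168.1.0/24", ANY)
SERVER4_WAN2 = Rule("Server 4 out WAN2", "192.168.1.22/32", ANY, gateway="WAN2GW")

BROKEN_ORDER = [ALLOW_LAN, SERVER4_WAN2]  # policy route at the bottom, as in the question
FIXED_ORDER = [SERVER4_WAN2, ALLOW_LAN]   # policy route first, as in the accepted answer

PUBLIC_DST = "203.0.113.10"  # constructed public destination (TEST-NET-3)

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        verdict = evaluate(rules, "192.168.1.22", PUBLIC_DST)
        print(f"{label}: .22 leaves via {verdict['gateway']} (rule: {verdict['rule']}); "
              f"shadowed: {shadowed_rules(rules)}")
```

With the broken order, `.22` is matched by the generic LAN rule and leaves via the default gateway, which is exactly what the `curl` check in the question showed; with the fixed order it leaves via WAN2GW while `.12` and `.13` still use the default. A check like `shadowed_rules` is a useful sanity test on any ruleset that mixes plain pass rules with policy routes. One caveat not in the post: a policy route whose destination is `*` also sends traffic for other locally attached subnets to that gateway, so hosts that need to reach other local networks usually need a pass rule without a gateway for those destinations placed above it.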