How to Attach a Floating IP via pfSense?

This SOP provides step-by-step instructions for configuring the pfSense firewall, including attaching and using a Floating IP via a dedicated network interface. This makes the internal VM reachable on a public IP using 1:1 NAT.

Pre-requisites:

  • pfSense VM deployed and accessible

  • Floating IP is available in the public pool

  • VM created and reachable from pfSense LAN

STEPS TO FOLLOW:

Step 1: Assign the New Public Interface to pfSense

  1. Attach a Floating IP or public interface to the pfSense VM.

  2. Access pfSense Web GUI:

Use a VM (e.g., a Windows or Linux VM) created in the same internal VPC/subnet as pfSense's LAN interface.

  • Open a browser on that VM via console

  • Go to: https://<pfSense-LAN-IP>

Example: https://192.168.7.1

Accessing pfSense GUI in Browser

  3. Log in to the pfSense Web UI.

  4. Go to: Interfaces > Assignments

  5. Under Available Network Ports, click Add next to the newly attached public (Floating IP) network interface.

Step 2: Configure the New Interface (e.g., OPT1)

  1. Navigate to: Interfaces > OPT1 (or whatever the new interface is named)

  2. Check Enable Interface.

  3. Change the description to a client-specific name, such as Client1_FloatingIP_Interface. (Optional)

  4. Set:

a. IPv4 Configuration Type: DHCP

  5. Scroll down, click Save, then Apply Changes.

Step 3: Create Firewall Rule to Allow Traffic on New Interface

  1. Go to: Firewall > Rules

  2. Select the tab for the new interface (e.g., OPT1) and click + Add rule.

a. Action: Pass

b. Interface: OPT1

c. Source: Any

d. Destination: Any

e. Add Description: Allow Public Access for Client. (Optional)

  3. Click Save, then Apply Changes

This rule allows all incoming traffic on the new interface to reach the client VM through the Floating IP. You can restrict it to specific IPs later.

Step 4: Configure 1:1 NAT to Internal VM

  1. Navigate to: Firewall > NAT > 1:1

  2. Click + Add

  3. Fill in:

  • Interface: OPT1 (the newly added interface, e.g., windowsvm1)

  • External Subnet IP: The Floating IP assigned via DHCP

  • Internal IP: Private IP of the internal VM (e.g., 192.168.7.10)

  • Description: e.g., Client1_Floating_NAT

  4. Click Save, then Apply Changes

This sets up a 1:1 mapping between the public IP and the internal VM.

Step 5: Validate Connectivity

  1. Ping or browse to the Floating IP

  2. Ensure it forwards correctly to the internal VM (e.g., RDP, HTTP, SSH)

Additional Notes

  • You can configure multiple NAT rules if the client has more internal VMs and Floating IPs.

  • pfSense's firewall rules work similarly to Security Groups — restrict access as needed by source IP, port, or protocol.

  • Ensure that the internal VM has pfSense's LAN IP as the gateway.
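
The Any/Any Pass rule from Step 3 combined with the 1:1 NAT from Step 4 exposes every port of the internal VM on the Floating IP, so it is worth confirming after setup that the rule has been restricted. The following is an added example (not part of the original SOP or of pfSense) that scans a pfSense configuration backup for that combination. The config.xml element names are an assumption about the backup layout, and the sample config, including the 203.0.113.25 placeholder address, is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the SOP (OPT1, 192.168.7.10); 203.0.113.25 is a
# placeholder Floating IP. Element names assume a pfSense config.xml backup.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><any/></source><destination><any/></destination>
      <descr>Allow Public Access for Client</descr></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any</descr></rule>
  </filter>
  <nat>
    <onetoone><interface>opt1</interface><external>203.0.113.25</external>
      <source><address>192.168.7.10</address></source>
      <destination><any/></destination><descr>Client1_Floating_NAT</descr></onetoone>
  </nat>
</pfsense>"""

def is_any(rule, side):
    """True when the rule's source/destination is 'any' with no port limit."""
    node = rule.find(side)
    return node is not None and node.find("any") is not None and node.find("port") is None

def audit_exposed_nat(config_xml):
    """Return one finding per wide-open pass rule on a 1:1 NAT interface."""
    root = ET.fromstring(config_xml)
    nat_by_if = {}
    for entry in root.findall("./nat/onetoone"):
        if entry.find("disabled") is not None:
            continue  # disabled mappings do not expose anything
        iface = entry.findtext("interface", "")
        nat_by_if.setdefault(iface, []).append(
            (entry.findtext("external", ""), entry.findtext("source/address", "")))
    findings = []
    for rule in root.findall("./filter/rule"):
        iface = rule.findtext("interface", "")
        if (rule.findtext("type") == "pass" and rule.find("disabled") is None
                and iface in nat_by_if
                and is_any(rule, "source") and is_any(rule, "destination")):
            for external, internal in nat_by_if[iface]:
                findings.append((iface, external, internal, rule.findtext("descr", "")))
    return findings

if __name__ == "__main__":
    for iface, ext, internal, descr in audit_exposed_nat(SAMPLE_CONFIG):
        print(f"{iface}: rule '{descr}' exposes {internal} on {ext} to any source")
```

An empty result means no Any/Any Pass rule remains on an interface that carries a 1:1 NAT mapping.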
