Public IP addresses behind a firewall

Another scenario that is common enough to warrant discussion is when you have one or more public IP addresses on an internal interface. In this scenario, you will have at least two public IP addresses: one for the WAN interface of your firewall, and another for the internal interface. More commonly, you might have an entire subnet allocated to you by your ISP, but the steps discussed here apply whether you are assigned a single IP address or a subnet. This configuration has four steps:

  1. WAN configuration
  2. Internal interface configuration
  3. Outbound NAT configuration
  4. Firewall rule configuration

As an example, assume that our ISP has assigned us several IPs: an IP for the ISP-provided router that is directly connected to the internet, an IP for the WAN interface of pfSense, and a block of eight IPs (six of which are usable) which can be used by an interface that is internal to our network. The IP assignment is as follows:

| IP address | Description |
| --- | --- |
| 192.0.10.10 | ISP router IP address |
| 192.0.10.11 | pfSense WAN interface IP |
| 192.0.20.0/29 | Public IPs on an internal interface |

  1. The first step is to set up the WAN interface:
    1. Navigate to Interfaces | WAN. Your WAN interface may be directly connected to the internet, but more likely your ISP provided you a router, which is directly connected to the internet.
    2. In this case, the IP address of this router will be your WAN gateway IP. If your ISP assigned an IP address for pfSense's WAN interface, choose Static IPv4 (or Static IPv6 if it is an IPv6 address) as your configuration type, and enter the assigned IP address in the appropriate edit box.
    3. Specify the upstream router's IP address in the IPv4 Upstream gateway (and/or IPv6 Upstream gateway) field; you may have to use the Add a new gateway button if you have not yet added the upstream router as a gateway. If you haven't, press this button and enter the information in the corresponding dialog box.
  2. Next, you need to configure the internal interface:
    1. If you haven't added it yet, navigate to Interfaces | (assign) and add an interface by selecting an available interface from the Available network ports drop-down box, and clicking on the Add button to the right of the drop-down box.
    2. Click on the name of the interface (for example, OPT1) and begin configuration. If you have already added the interface, you can navigate directly to its configuration page.
    3. On the interface's configuration page, you must check the Enable checkbox, and you can optionally change the name of the interface in the Description edit box.
    4. The configuration type should be set to Static (either Static IPv4, Static IPv6, or both).
    5. Enter one of the public IP addresses assigned by your ISP in the appropriate edit box. In our example, this would be 192.0.20.1/29. We were assigned a /29 subnet, which gives us six usable IP addresses (2^3 – 2 = 6). One IP address is assigned to the interface, and five IP addresses are available for internal hosts that require public IP addresses.
    6. When you have finished making changes, click on the Save button at the bottom of the page and click on the Apply Changes button when the page reloads.
  3. The next step is outbound NAT configuration. By default, outbound traffic on internal interfaces is translated to the WAN IP, and we want to disable this behavior for the interface carrying the public subnet:
    1. To do this, navigate to Firewall | NAT and click on the Outbound tab.
    2. Under General Logging Options, select the Manual Outbound NAT rule generation radio button, and click on the Save button.
    3. Now you should be able to add, edit and delete the mappings. In the Mappings tab, look for an autocreated rule for the internal interface to which a public IP address has been assigned (for example, Autocreated rule – OPT1 to WAN).
    4. Since we don't want to map outbound traffic on this interface to the WAN IP, delete this rule.
    5. Then click on Apply Changes on the main NAT page.
  4. The last step is firewall rule configuration. Since users on the internet trying to reach the public IPs on the internal interface will be coming in through the WAN interface, at a minimum you will have to create a rule on the WAN interface to allow traffic to pass to one or more of the public IPs.

For example, if we are hosting a web server on 192.0.20.2, we would create a rule on the WAN interface with Action set to Pass, Protocol set to TCP, Source set to any, and Destination set to Single host or alias with the destination address set to 192.0.20.2 and Port set to 80.

You will likely also want to create rules for the internal interface. For example, you'll probably want to block access to local networks, and possibly create a rule allowing access to the WAN interface, thus allowing connections to the internet. You could also create a more restrictive rule (for example, only allow outbound connections on port 80).
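The following pf ruleset is an added example, not taken from the book or from pfSense's generated configuration. It expresses the outbound NAT and firewall rule steps above (the deleted OPT1-to-WAN mapping, the WAN pass rule for the web server, and the OPT1 rules protecting the local network) in pf.conf syntax, which is what pfSense ultimately loads into the FreeBSD packet filter. The interface names (em0, em1, em2), the private LAN subnet 192.168.1.0/24 and the use of a private LAN at all are assumptions; the public addresses are the ones from the example table.

```pf
# Added example: pf.conf equivalent of the pfSense GUI steps in this section.
# Interface names and the private LAN subnet below are assumptions.
wan_if     = "em0"              # pfSense WAN interface, 192.0.10.11
lan_if     = "em1"              # private LAN (assumed)
opt1_if    = "em2"              # OPT1, carries the public /29
wan_ip     = "192.0.10.11"
lan_net    = "192.168.1.0/24"   # assumed private subnet behind LAN
public_net = "192.0.20.0/29"    # public block routed to OPT1
web_srv    = "192.0.20.2"       # host from the WAN rule example

# Step 3 (outbound NAT): only the private LAN is translated to the WAN IP.
# There is deliberately no nat rule for $public_net; this is what deleting
# the "Autocreated rule - OPT1 to WAN" mapping achieves in the GUI. Hosts in
# 192.0.20.0/29 leave with their own public source address untouched.
nat on $wan_if from $lan_net to any -> $wan_ip

# Default deny. pfSense evaluates rules first-match ("quick"), so every
# rule below carries quick and order matters.
block log all

# Step 4 (WAN rule): let the internet reach the web server on TCP/80 only.
# pf keeps state, so reply packets are allowed without a separate rule.
pass in quick on $wan_if proto tcp from any to $web_srv port 80 keep state

# OPT1 rules: block the public hosts from reaching the private LAN first,
# then allow them out to the internet. Swapping these two lines would
# silently expose the LAN, because the pass rule would match first.
block log quick on $opt1_if from $public_net to $lan_net
pass in quick on $opt1_if from $public_net to any keep state
# More restrictive alternative to the line above (outbound web only):
# pass in quick on $opt1_if proto tcp from $public_net to any port 80 keep state
```

The ordering comment is the point worth keeping in mind when you build the same rules in the GUI: on pfSense, the rule list on each interface is processed top down and the first match wins, so the block rule for local networks must sit above the broad "allow to any" rule on the internal interface.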
