Public IP addresses behind a firewall

Another situation that is close enough to static routing to justify inclusion in this section is one in which you have one or more public IP addresses on an internal interface. You might have just a single public IP address on an internal interface, but more commonly you will have an entire subnet allocated by the ISP. In either case, you would follow a four-step procedure for setting things up:

  1. Configuration of the WAN interface
  2. Configuration of the internal interface
  3. Configuration of outbound NAT rules
  4. Configuration of firewall rules

Suppose our ISP has provided several IPs. One is an IP for their router, which is directly connected to the internet. Another is an IP for the WAN interface of pfSense. Finally, there is a block of eight IP addresses used by an interface that is part of our internal network. The following table illustrates these assignments:

IP address       Description
192.0.10.10      ISP router (the upstream gateway, directly connected to the internet)
192.0.10.11      pfSense WAN interface
192.0.20.0/29    ISP-assigned block of public IPs for use on the internal interface

Although we were assigned eight IP addresses, only six of them are usable; the first address (192.0.20.0) is the network address, and the last address (192.0.20.7) is the broadcast address. For this setup to work at all, the ISP must route 192.0.20.0/29 to our WAN address (192.0.10.11); pfSense then forwards that traffic onto the internal interface without translating it. Also note that the addresses in this example are placeholders: they are not actually assigned to us, and they are not RFC 1918 private addresses either (the ranges reserved for documentation are 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24). Substitute the addresses your ISP actually assigned.

First, we set up the WAN interface:

  1. Navigate to Interfaces | WAN.
  2. Since our ISP assigned an IP address for the WAN interface, we choose Static IPv4 in the IPv4 Configuration Type drop-down box, and enter the assigned IP address (192.0.10.11) in the IPv4 Address field, with the prefix length the ISP specified for that link.
  3. In the IPv4 Upstream gateway drop-down box, select the gateway that represents the ISP's router.
  4. If we haven't yet added the upstream router as a gateway, it won't appear in the drop-down box. In that case, click on the Add a new gateway button, enter the ISP router's IP address (192.0.10.10) and a description, click on the Add button, and then select the new gateway.
  5. When we are done, we click on the Save button and then on Apply Changes.

If we haven't added the internal interface yet, we need to do that as follows:

  1. Navigate to Interfaces | (assign).
  2. Add an interface by selecting an available one from the Available network ports drop-down box and clicking on the Add button. Then, click on the name of the interface (for example, OPT1) and begin configuration.
  3. On the interface's configuration page, click on the Enable checkbox.
  4. You can change the name of the interface in the Description field.
  5. The Configuration type should be set to Static IPv4.
  6. For IPv4 Address, we enter one of the public IP addresses assigned by our ISP. It might as well be the first usable address, so we enter 192.0.20.1/29. One IP address is assigned to the interface, and five IP addresses are available for internal hosts that require public IP addresses.
  7. When we are done, we click on the Save button and then Apply Changes.

Next, we must complete outbound NAT configuration. By default, outbound traffic on internal interfaces is translated to the WAN IP. We must disable this behavior on the new interface; otherwise, hosts on the public block would leave with the WAN address as their source, and the public addresses would be pointless. Doing so requires us to perform the following steps:

  1. Navigate to Firewall | NAT and click on the Outbound tab.
  2. Under Outbound NAT Mode, select the Manual Outbound NAT rule generation radio button.
  3. Click on the Save button. You should now be able to add, edit, and delete outbound NAT mappings.
  4. In the Mappings section, there should be an autocreated rule for the internal interface to which a public IP address has been assigned (for example, Auto created rule – OPT1 to WAN). We don't want to map outbound traffic on this interface to the WAN IP, so this rule should be deleted.
  5. Once you have deleted the autocreated rule for the new interface, click on the Apply Changes button on the NAT page.

Keep in mind that in manual mode the mapping list is a snapshot: interfaces or VPNs you add later will not get outbound NAT rules automatically, so you will have to add them yourself. An alternative that avoids this is Hybrid Outbound NAT rule generation, where the automatic rules stay in place and you add a single rule for source 192.0.20.0/29 with the Do not NAT option checked.

The last step in setting up the public IP addresses is firewall rule configuration. Users on the internet trying to reach the public IPs on the internal interface will be coming through the WAN interface. Therefore, at a minimum, we will have to create a rule on the WAN interface to allow traffic to pass to one or more of the public IPs. We will walk through one such example for setting up a web server, which is as follows:

  1. Navigate to Firewall | Rules. The WAN tab is the default tab.
  2. Click on one of the Add buttons.
  3. On the rule Edit page, keep Action set to Pass and Protocol set to TCP. The Source should remain set to any.
  4. Set Destination to Single host or alias using the Destination drop-down box, and set the destination address to 192.0.20.2. Set the Destination port range to HTTP (80). Because no NAT is involved, the destination is the server's real public address, not WAN address as it would be for a port forward.
  5. Click on Save when done, and on the main Rules page, click on Apply Changes.

You will also want to create rules for the internal interface itself, which has no rules at all by default, so hosts on the public block cannot initiate any traffic until you add some. Treat this segment as a DMZ: its hosts are reachable from the internet, so they should not be trusted. Add block rules for the other local networks (for example, LAN net) first, and below them a pass rule from the interface's network to any so that outbound access to the internet is possible.
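To make the effect of the four steps concrete, the following is a hand-written pf ruleset equivalent to what the GUI configuration above produces. It is an added example, not the page's own content and not the ruleset pfSense generates verbatim (pfSense writes its own, with more rules, to /tmp/rules.debug). The NIC names, the LAN network 192.168.1.0/24 and the macro names are assumptions; the addresses are the ones used in the text.

```pf
# Macros for the addresses in the text. NIC names and the LAN network are assumed.
ext_if     = "vtnet0"          # WAN, 192.0.10.11
dmz_if     = "vtnet1"          # OPT1, 192.0.20.1/29 (the routed public block)
lan_if     = "vtnet2"          # LAN, assumed RFC 1918 network
wan_ip     = "192.0.10.11"
public_net = "192.0.20.0/29"   # routed to $wan_ip by the ISP
lan_net    = "192.168.1.0/24"
web_srv    = "192.0.20.2"

set skip on lo0

# Outbound NAT (Firewall | NAT | Outbound, manual mode).
# Only the private LAN is translated to the WAN address. There is deliberately no
# nat rule for $public_net: its hosts leave with their own public source addresses,
# which is exactly what deleting the auto-created "OPT1 to WAN" mapping achieves.
nat on $ext_if inet from $lan_net to any -> $wan_ip

# Default deny on every interface, as in pfSense. Every rule below uses "quick"
# so that, as in the pfSense GUI, the first matching rule wins.
block in log all

# Reply traffic and the firewall's own traffic may leave.
pass out quick inet keep state

# WAN rule (step 4 above): internet -> web server on the routed block.
# No translation takes place, so the destination is the server's real address.
pass in quick on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# OPT1 rules: the publicly reachable segment is a DMZ. Block it from the LAN
# first, then allow everything else out to the internet.
block in quick on $dmz_if inet from $public_net to $lan_net
pass in quick on $dmz_if inet from $public_net to any keep state

# LAN rule: unrestricted outbound, matching pfSense's default LAN rule.
pass in quick on $lan_if inet from $lan_net to any keep state
```

You can syntax-check a file like this with `pfctl -nf rules.conf`. On the pfSense box itself, `pfctl -sn` lists the loaded NAT rules and `pfctl -sr` the filter rules, which is the quickest way to confirm that no nat rule matches 192.0.20.0/29 and that the WAN pass rule targets 192.0.20.2 rather than the WAN address. Note the `nat on ... ->` syntax is the FreeBSD pf dialect that pfSense uses; current OpenBSD pf expresses the same translation with `match out on $ext_if from $lan_net nat-to $wan_ip`.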
