Hi,

Generally speaking, your pfSense box is placed in between your work (1.x) and other (2.x) networks which appears to be acting as a firewall/router.

If you want to continue with a configuration like this, you'll need to do some NAT/Port forwarding AND firewall rules to allow the 1.x network to be able to talk to the specific 2.x network hosts in terms of what ports (i.e.: 443, 80, 22, etc) and protocols (icmp, tcp, udp, etc).

You'd then access the pfSense box's WAN address on the 1.x network and define which port you want to access, which translates over to the proper host on the 2.x via NAT/port forward with some configuration on the pfSense box.

As a side note, you may be able to disable NAT on the WAN interface (1.x) of the pfSense box and then you'd only need to do firewalling. I have never done this before but seems simple in concept.

A cleaner configuration would be to have the pfsense box with multiple network adapters (minimum of 3 in your configuration) which segregates these networks using pfSense, (but using a single box for LAN1, LAN2, WAN, etc),  LAN1 could be the 1.x and LAN2 could be the 2.x. Then you would only need fire walling rules and not also inbound NAT rules/port forwarding. There's some other settings to be applied with outbound NAT i believe but the auto-generated outbound NAT should suffice out of the box in this scenario.

Hope this helps give you some direction on how you want to approach the problem without writing a book.

@WillieBeamen:

Hi.

I need some help, and I think the answer is simple, but I'm not very experienced with routing and networking, so I need some noob-friendly help, or pointers to some threads that might help.

I use an internet anonymizing service (PIA (Private Internet Access) if that helps).  I have 8 PCs (towers and some laptops) in my home, some for work, some for leisure, some just for Netflix, streaming.  I am trying to set up a system so that 1-3 devices stay fully anon (behind the PIA servers) when surfing the internet, but can still share folders / files between the other PCs in my home network (which are not utilizing any anonymizing services at all).

Following the guides provided by PIA I was able to successfully install pfsense to a single tower PC (1 Realtek NIC (embedded) + 1 4-port HP gigabit NIC (PIC-e slot))  and configure OpvenVP services for PIA access.  Amazingly, I got it up and running, but now I have a problem.

Here's my situation at the moment.

My 'work' PCs are all plugged straight into my home router and are using
192.168.1.xxx
These do not (nor will ever) use or need to access PIA's services.

My pfsense Box (which is configured with PIA/OpenVPN (anonymizing traffic)  is configured to use the 192.168.1.xxx gateway, but the LAN address is 192.168.2.xxx

so here's my problem.

Any PC on 192.168.1.x
can't see / share files with any PC on the 192.168.2.x domain.

Is there a way to get devices on 192.168.1.x  to see the devices on 192.168.2.x ?

Or am I going about this all wrong?

apologies in advance, I'm a noob at this, I'm honestly surprised that I was able to even get my pfsense box setup and working with PIA.

Everything would be great, except I can no longer share files between the two domains.

Any (noob friendly) help would be very greatly appreciated.

edited to add:

on the box running OpenVPN:

pfsense:  running 2.3.4-Release-p1 (amd64)
WAN:  is being assigned a gateway from 192.168.1.xxx
LAN:  192.168.2.xxx

He changed his post from his original question..  Yes what he asked now is easy peasy..

Like the Chinese say: those who say it cannot be done should not interrupt the one already doing it.

Bump, I am having the same problem, one PPPoE via VLAN works, adding two or more using VLAN fails.

Thanks for your reply,

Lan rules image has been attached,

Lan-RULE.jpg_thumb
Lan-RULE.jpg

Same fetch, but our pf ruleset has some tricks with route-to that make it work.

I have the same issue. i think there is a bug in "policy base routing".

when you add a rule to "any" destination to change the gateway, it will not work. if you set a specific destination for that rule, it will works.

you can add your rule with "!1.2.4.5" destination to change your client GW till pfsense team fix it.

Thanks for help, I just wanted extra connection to boost large multi-session downloads, Steam, torrent etc.

I managed to get it all working, for anyone else who is in this position:

Follow the PIA guide on how to setup Pfsense for VPN.

Make a copy of the VPN so you have one for each connection (in my case two), make sure each one is set to face the corresponding WAN.

Assign each VPN to an interface.

Under Firewall NAT Outbound where you created rules from PIA guide, you need to duplicate all of them and set the duplicates to the second WAN (if you have more than two connections you'll need a 3rd set of duplicates etc.)

Under gateways add one for each VPN interface.

Under gateway groups add one with all the VPN gateways you just created with Tiers set to 1 (if you want load balancing like I do).

Under Firewall Rules LAN set the IPv4 LAN any rules gateway (under Display Advanced section) to the gateway group you just created, for privacy VPN's it's recommened to disable IPv6, so I set that one to block instead, however if you need this also it to that gateway.

8 ) Reboot Pfsense and check your IP at whatismyipaddress, refresh a few times to double check.

Changed the switch and the problem is gone.

Uh… reported/suggested moving this to Routing forum, and quickly outta here.

True - other than being latest kool thing to play with..  But don't have any clients anyway :(  Or I would prob get one to play with ;)

This is a simple policy route.
https://doc.pfsense.org/index.php/What_is_policy_routing

Make sure that you do not pull routes from your vpn client you setup on pfsense, or it most likely will set your default route out the vpn.  Then the IP of the devices you want to go out your vpn just create a firewall rule saying these IPs (could use aliases to have them all in 1 rule) use the vpn as its gateway.

if these devices need access to other local segments then you would have to put a rule above this routing rule so that they could get access to those networks.

When you talk about a switching device you mean a L3 switch doing routing?

Your transit network would be an interface on pfsense in its own network, and then another interface on your mx100 which is a firewall/router.. While it might have "switch" ports on it its an actual router/firewall just like pfsense.

The transit network would be from an interface on your pfsense router to an interface on your mx100.  How that gets switch would be at L2.. So you could either have a connection going from pfsense directly to the mx100 or over switch (with nothing else on it dumb switch) or over a L2 switch via a vlan (smart/managed switch).

@johnpoz:

pfsense does PBR just fine.. you can create your specific host route to specific IP /32.. You do not need to route to the whole network, what you have is asymmetrical setup..  And no without a route its not going to work..

or create host routes on your DMZ that you want to access via your downstream router when they have default gateway.  If you remove asymmetrical routing then you no longer have a problem, that your trying to overcome with amounts to a hack vs doing it correctly.

I think we just discuss about a question of faith already. PBR is no hack, its designed for this. OK, if you don't use it correctly you create asymetrical routing and screw the route, but if you know what you're doing, it fits perfectly. So PBR works not completly fine IMHO, because I can't set an other gateway on the packets that come back. Thats a hard fact. And because of this it is implemented on routing level and not on a firewall level, so that the changed gateway affecteds all packets, not only outgoing.

@Derelict:

You cannot spoof the MAC to different MAC addresses for each VLAN on an interface. The interface itself sets the MAC address and the VLANs just use that. I think the problem might be that the ISP is seeing the same MAC address on all three interfaces. It is perfectly "legal" and the expected way to behave, but cable modems/ISPs might care about that.

If it worked on three physical interfaces and doesn't work now, there is not much else it could be.

A call to them and an attempt to get someone who might know what you're talking about is probably in order.

OK. I'll do that. I'll also try using another switch some other time.

@Derelict:

Remove all of the IP addresses from the VLANs on the switch. With those in place the switch will be layer 3 on those VLANs and will route traffic between them. You only need one management IP address on the switch.

Done.

@johnpoz:

Your setup on your sg300 for the port that connects to lan (eth1) on your sg300 would be simple trunk port.

Example
interface gigabitethernet3
description "esxi wlan trunk"
switchport trunk allowed vlan add 100,200,300,500,600
switchport trunk native vlan 20

I am not using vlan 1 to this vlan interface in pfsense.  I am using vlan 20 as the native untagged vlan in my setup.  But you can use 1 there vs the 20 I have.

You also have ports unused on your pfsense, you could leverage them for vlans without having to tag.. As long as you have more ports open on your sg300 you could use for the uplinks to pfsense for those vlans/networks.

What are you going to use vlan 1 for exactly?  Is this going to be the vlan you use to manage your switch?  Why do you have 10/24 stated as being management?

No idea…so if I get rid of VLAN 1, what IP address will I use to connect to the switch?  10/24 ins't the preferred method?  I'm going into this pretty much dumb as a mule. How do you have yours setup?