Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Virtualize pfSense, two WAN, one switch, possible?

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 833 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T Offline
      testcb00
      last edited by

      Hi everyone,

      I am considering to combine my pfSense and my NAS into a rack server. The pfSense will have a 2-port Mellanox ConnectX-2 10GbE LAN Card from PCIe Passthrough. One of the port will be used for PC connection, another will be connected to CSS610-8G-2S+IN 10Gbe Switch.

      The configuration is like:
      1438.png

      For the LAN Part, I can set the Port-based VLAN ID xx in switch, set the Port to receive untagged VLAN and create and assign VLAN mlxen1.xx as LAN interface with static IP in pfSense.

      However, I have no idea how to connect the two WAN to the pfSense. In my knowledge, the two WAN have no VLAN tag. Then I suppose both WAN are in VLAN ID 1, which means that I can only connect one WAN to the pfSense mlxen1.

      Any suggestion are welcome. Thank you.

      Cool_CoronaC 1 Reply Last reply Reply Quote 0
      • Cool_CoronaC Offline
        Cool_Corona @testcb00
        last edited by

        @testcb00 Put the ISP modem in bridgemode and use IP Alias as the second WAN address.

        Then you can forward the traffic as usual.

        One thing.... use the second port on the Mellanox as the connection to LAN. Much more secure.

        Then you dont need VLANS on the internal network unless you need it for seperating the networks.

        T 1 Reply Last reply Reply Quote 0
        • T Offline
          testcb00 @Cool_Corona
          last edited by

          @cool_corona Thank for your reply, cool_corona.
          For the IP Alias, do you mean the settings in Firewall -> Virtual IPs?
          In normal setting, I have to set WAN interface's IPv4 Configuration Type to DHCP for getting IP, and the two WAN are from different modem, I am not sure I can use the IP Alias...

          Besides, the ConnectX-2 just has two ports so I have to use one Port for both LAN and WAN and another Port for PC connection. I will use Port Isolation and make sure that the WAN Port cannot access to Switch Management.

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Why not just put the two WANs on different VLANs in the switch?

            I'm not really seeing the problem here. If you are passing through the NIC to the VM you can do whatever you want.

            Steve

            T 1 Reply Last reply Reply Quote 0
            • T Offline
              testcb00 @stephenw10
              last edited by

              @stephenw10 Thank for your reply, but I am not familiar with VLAN.

              In my understanding, the WAN from modem should be VLAN 1. Assume the Modem A to Switch Port is Port 1 and the Modem B to Switch Port is Port 2. If I set Port 1's Default VLAN ID as VLAN 50 and Port 2's Default VLAN ID as VLAN 51, how do I get the VLAN 1 data?

              Or the VLAN is only work in switch? Do it mean that I could set the Port 1 and Port 2 to receive only untagged packet as the untagged traffic do not contain VLAN information?

              stephenw10S 1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator @testcb00
                last edited by stephenw10

                @testcb00 said in Virtualize pfSense, two WAN, one switch, possible?:

                I am not familiar with VLAN

                Here's your chance to get familiar! 😄

                Traffic from the modems is almost certainly untagged. Which is very much not the same thing as VLAN1 but is a surprising common misconception.
                https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan1

                Port based VLANs is probably not what you want here. That is typically used for separating switch ports into groups but not for trunking tagged traffic which is what you need to do here.
                You need to use 802.1Q based VLANs to tag the traffic and trunk it to pfSense.

                So, yes, set the PVID / Default VLAN ID (whatever it's named on that switch) on the WAN ports to 50 and 51. Then set the port connected to pfSense to trunk those VLANs. The traffic from each will arrive tagged to the pfSense NIC.
                In pfSense setup VLAN interfaces for 50 and 51 on the parent Mellanox NIC. Assign those interfaces as WAN1 and WAN2. Done!

                You can the same with other VLANs. You only actually need one NIC there, all the interfaces could be VLANs on it.

                Steve

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.