Netgate Discussion Forum

2 WANs to different vlans

Routing and Multi WAN
13 Posts 3 Posters 1.3k Views
sintei

Hello,

After spending a day googling and trying different things, I'm now here to ask for help.

I have pfSense 2.5.2-RELEASE.
In this I have 3 NICs:
WAN1 90.x.x.x
LAN1 192.x.x.x
WAN2 80.x.x.x

I want to host a website on WAN2 to separate this completely from my own network on WAN1 and LAN1.
So I created a new VLAN called WEBSITE with an IP address 10.x.x.x.
However it only works if I have a rule that allows that VLAN WEBSITE to have access to LAN.

If I set a firewall rule to block access to LAN, then it seems to lose contact with the gateway.
Can I set another gateway for the WEBSITE VLAN 10.x.x.x?

Or is there an easier way and I'm complicating things?

Thanks in advance.
A Former User @sintei

@sintei, I need more information about firewall rules and firewall logs.
sintei @A Former User

@silence

I'll try to write it all out.
Under gateways I have:

Name        Default         Interface  Gateway    Monitor IP  Description
WAN_DHCP    Default (IPv4)  WAN        78.82.x.x  78.82.x.x   Interface WAN_DHCP Gateway
LANGW                       LAN        dynamic    dynamic     Interface lan Gateway
WEBSITESGW                  WEBSITES   dynamic    dynamic     Interface lan Gateway
WAN2_DHCP                   WAN2       78.82.x.x  78.82.x.x   Interface WAN2_DHCP Gateway

Interface assignments:

Interface  Network port
WAN        vtnet0 (xx.xx.xx.xx.xx)
LAN        vtnet1 (xx.xx.xx.xx.xx)
WAN2       vtnet2 (xx.xx.xx.xx.xx)
Websites   VLAN xx on vtnet1 - lan (WebsiteVLAN)

WAN2 rules:

Protocol      Source                           Port  Destination   Port         Gateway  Queue  Description
*             RFC 1918 networks                *     *             *            *        *      Block private networks
*             Reserved, Not assigned by IANA   *     *             *            *        *      Block bogon networks
IPv4 TCP/UDP  *                                *     WAN2 net      443 (HTTPS)  *        none   Any_incoming_wan2_443
IPv4 TCP/UDP  *                                *     WAN2 net      80 (HTTP)    *        none   Any_incoming_wan2_80
IPv4 *        *                                *     WEBSITES net  *            *        none   port80allow

WEBSITES rules:

Protocol      Source        Port  Destination  Port  Gateway  Queue  Description
IPv4 *        *             *     LAN net      *     *        none   Block LAN
IPv4 TCP/UDP  WEBSITES net  *     *            *     *        none   Default allow VLAN77 to any

I have one WordPress site. It's reachable on WAN2. But when I close down access from VLAN WEBSITES to LAN, the WordPress site loses access to the gateway and can't perform check-ups. It seems the gateway is located in the LAN net. How do I utilize the second gateway and keep it in my subnet/VLAN?
viragomann @sintei

@sintei said in 2 WANs to different vlans:

    LANGW LAN dynamic dynamic Interface lan Gateway
    WEBSITESGW WEBSITES dynamic dynamic Interface lan Gateway

What are these gateways for?
Cannot think of any reason to have a gateway on LAN in your setup.
A Former User @viragomann

@viragomann I don't understand its configuration either, but if what you need is to access a host from the internet through your WAN 2, why don't you simply configure a port forwarding? And in the WAN 2 rule allow access!
A Former User @A Former User

@silence said in 2 WANs to different vlans:

    And in the WAN 2 rule allow access!

(image: 26a662e1-dd5d-4532-931b-391b53a1d1e6-image.png)

With this you don't have to create the rule yourself.
sintei @A Former User

@silence said in 2 WANs to different vlans:

    @viragomann I don't understand its configuration either, but if what you need is to access a host from the internet through your WAN 2, why don't you simply configure a port forwarding? And in the WAN 2 rule allow access!

What I'm trying to do is secure it so that someone coming in via WAN2 only has access to my VLAN WEBSITES.
And that VLAN should be isolated from my LAN and other VLANs.
The VLAN WEBSITES is on the LAN NIC, so it's somewhat tied?
Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check updates etc.).
But I can access it FROM the internet.
The error in Chrome says "gateway timed out" when trying to update SEO, themes etc. So that's why I'm investigating this direction.

@viragomann said in 2 WANs to different vlans:

    @sintei said in 2 WANs to different vlans:

        LANGW LAN dynamic dynamic Interface lan Gateway
        WEBSITESGW WEBSITES dynamic dynamic Interface lan Gateway

    What are these gateways for?
    Cannot think of any reason to have a gateway on LAN in your setup.

I think I created these to try to resolve the issue. Since you say they are not needed, I will delete them.
sintei @A Former User

@silence

Just to clarify:
I can access my website via domain name in Chrome.
It resolves and is also secured with a Let's Encrypt certificate using HAProxy.
A Former User @sintei

@sintei, OK, now we are understanding each other. Then the question is that your website needs to go online, to be able to update certain things?

In this case you should check your NAT rules.
sintei @A Former User

@silence said in 2 WANs to different vlans:

    @sintei, OK, now we are understanding each other. Then the question is that your website needs to go online, to be able to update certain things?

    In this case you should check your NAT rules.

Yes, exactly. The website needs to be online.
So I checked and created some rules in NAT (tried both 1:1 and outbound) but can't get it to work either way.
Surely an outbound rule should suffice?
A Former User @sintei

@sintei, publish the NAT rules of your firewall,

and your firewall records from the moment it receives the error.
viragomann @sintei

@sintei said in 2 WANs to different vlans:

    Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check updates etc.).
    But I can access it FROM the internet.

The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet.

If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked.
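Added example, not code from the thread or from pfSense: a small first-match evaluator that replays the WEBSITES interface rules listed in sintei's configuration post over a few constructed flows from the web server, and a helper that flags resolver entries sitting inside a blocked destination network, which is the DNS-in-LAN failure viragomann diagnoses above. The subnets (192.168.1.0/24 for LAN, 10.77.0.0/24 for WEBSITES), the web server address, the resolver file contents and the rule actions ("Block LAN" as block, "Default allow VLAN77 to any" as pass) are all assumptions; the forum extraction lost pfSense's action icons, so the actions are inferred from the descriptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subnets standing in for the poster's masked 192.x.x.x and 10.x.x.x.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WEBSITES_NET = ipaddress.ip_network("10.77.0.0/24")


@dataclass
class Rule:
    action: str                           # "block" or "pass" (assumed from the descriptions)
    proto: Optional[str]                  # "tcp/udp", or None for "IPv4 *"
    src: Optional[ipaddress.IPv4Network]  # None means "*"
    dst: Optional[ipaddress.IPv4Network]  # None means "*"
    desc: str


# The WEBSITES interface rules as listed in the thread, top to bottom.
WEBSITES_RULES = [
    Rule("block", None, None, LAN_NET, "Block LAN"),
    Rule("pass", "tcp/udp", WEBSITES_NET, None, "Default allow VLAN77 to any"),
]


@dataclass
class Flow:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int


def _matches(rule: Rule, flow: Flow) -> bool:
    """Protocol, source and destination checks; a None field is a wildcard."""
    if rule.proto == "tcp/udp" and flow.proto not in ("tcp", "udp"):
        return False
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins, as on a pfSense interface tab; anything that
    matches no rule falls through to the implicit default deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action, rule.desc
    return "block", "default deny"


def resolvers_in_blocked_nets(resolv_conf: str, rules: List[Rule]) -> List[str]:
    """Return nameserver entries that fall inside the destination network of a
    block rule: lookups to these time out, which surfaces as the web app
    'losing its gateway' while inbound HTTP/HTTPS keeps working."""
    blocked = [r.dst for r in rules if r.action == "block" and r.dst is not None]
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addr = ipaddress.ip_address(parts[1])
            if any(addr in net for net in blocked):
                hits.append(parts[1])
    return hits


# Constructed resolver config for the web server: one LAN resolver, one public.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 1.1.1.1
"""

# Constructed flows from the web server (10.77.0.10).
SAMPLE_FLOWS = [
    Flow("udp", "10.77.0.10", "192.168.1.1", 53),   # DNS to the LAN resolver
    Flow("udp", "10.77.0.10", "1.1.1.1", 53),       # DNS to a public resolver
    Flow("tcp", "10.77.0.10", "203.0.113.10", 443), # HTTPS update check
    Flow("icmp", "10.77.0.10", "1.1.1.1", 0),       # ping: not covered by a TCP/UDP pass
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, desc = evaluate(WEBSITES_RULES, f)
        print(f"{f.proto:4} {f.src} -> {f.dst}:{f.dport:<4} {action:5} ({desc})")
    print("resolvers behind a block rule:",
          resolvers_in_blocked_nets(SAMPLE_RESOLV_CONF, WEBSITES_RULES))
```

Running it shows the same split the thread describes: HTTPS and DNS to public addresses pass on the second rule, while DNS to the LAN resolver is caught by "Block LAN" first. It also shows a side effect of the rule set as written: the allow rule is TCP/UDP only, so ICMP from the web server falls to the default deny. On the real firewall the equivalent check is the one viragomann gives, logging on the block rule and reading the firewall log for hits from the web server.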
sintei @viragomann

@viragomann said in 2 WANs to different vlans:

    @sintei said in 2 WANs to different vlans:

        Right now I can't block the VLAN WEBSITES from accessing LAN via a rule, as then the website loses connectivity to the internet (for instance to check updates etc.).
        But I can access it FROM the internet.

    The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet.

    If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked.

You, my dear sir, are correct!
I could find some DNS settings and changed them manually and it worked!
Thanks.

Also, big thanks to @Silence for helping me troubleshoot this. Have a good night!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.