Netgate Discussion Forum

    Two firewalls on the same network

    General pfSense Questions · 21 Posts · 5 Posters · 8.2k Views
    • SteveITS Galactic Empire @stephenw10

      @stephenw10 said in Two firewalls on the same network:

      2x 1G drops

      I realized that at some point after posting. :) Or maybe two ISP connections. Either way pfSense can load balance.

      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
      Upvote 👍 helpful posts!

      • lewis

        Doing that is more likely to introduce problems IMO. If anything in that network segment were set to a /16 subnet mask, which would enable it to send traffic directly, that would cause asymmetry for anything that isn't using /16. You need to have the same subnet mask set for everything in the segment.

        In this scenario, there is only one single LAN, no additional interfaces to add to a firewall; only another machine could be installed which also has two interfaces. Also, I would like to avoid using a VLAN as that would separate the devices, which is not the goal.

        If I understand correctly, using different subnet masks in the same network segment is what could cause asymmetric routing.

        If devices on the same network segment have different subnet masks, some devices may be able to send traffic directly to other devices without going through the firewall, leading to inconsistent routing and potential security issues.

        I would have thought the other way, that with their own masks, they could not communicate with any other device with another mask.

        Then to make this work, all devices on the same network segment should have the same subnet mask, to ensure that traffic is routed symmetrically through the firewalls.

        As I said, if I understand the comments, the next thing that's not clear to me is how the firewalls would be configured.

        The /16 on the clients would allow them to communicate together and with their respective firewall for their GW and Internet access.

        Would the firewalls be using what I mentioned above for their own networks 10.0.0.0/24 and 10.0.1.0/24 but still with a /24 or a /16?

        • SteveITS Galactic Empire @lewis

          @lewis said in Two firewalls on the same network:

          with their own masks, they could not communicate with any other device with another mask

          They can't but someone could enter the wrong mask. If you set them up with two /24 masks then in theory you should be fine. If someone uses a /16 on one, traffic from that device will not go through the router to get to the other subnet, because the device thinks it is already in that subnet.

          Also DHCP can only be set up on one router. IPv6 is another layer of complexity.


          • lewis @SteveITS

            @steveits

            Yes, only one would have DHCP. The devices that would need access via the second firewall would be manually configured.

            What then would the LAN masks be on the firewalls?
            Say one is 10.0.0.0 and the new one is 10.0.1.0.

            • SteveITS Galactic Empire @lewis

              @lewis Ok let me back up and reread... if you have two routers it will work for Internet access if they are both in 10.0.0.0/24, you just need to set some PCs with a different gateway.

              If you put them in separate subnets 10.0.0.0/24 and 10.0.1.0/24 then you'll need to make sure PCs have the correct /24 mask.

              Let's say at some point in the future you add another interface to both routers. PC10 may connect to 10.0.0.1 to get to PC300 on the third network, while the reply from PC300 comes back through 10.0.0.2, and that's the asymmetric issue.


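The two failure modes SteveITS describes in this thread (a host with a wrong /16 mask that bypasses the router because it believes the destination is on-link, and the PC10/PC300 case where the request goes through 10.0.0.1 but the reply comes back through 10.0.0.2) can be reproduced in a small routing simulator. The following is an added example, not code from the thread or from pfSense; the topology, host names and addresses (fw1/fw2 on 10.0.0.0/24 and 10.0.3.0/24, pc10, pc11, pc30, pc300) are constructed for illustration. Each node chooses its next hop exactly as a real host does: deliver directly if the destination falls inside its own mask, otherwise hand the packet to its default gateway. `symmetric()` flags flows whose reply does not retrace the request, which is the condition under which a stateful firewall sees only half of a connection.

```python
import ipaddress
from typing import Dict, List, Optional


class Node:
    """A host or router with one address per layer-2 segment (constructed model)."""

    def __init__(self, name: str, ifaces: Dict[str, str], gateway: Optional[str] = None):
        self.name = name
        # segment name -> address with mask on that segment
        self.ifaces = {seg: ipaddress.ip_interface(a) for seg, a in ifaces.items()}
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def addresses(self):
        return {i.ip for i in self.ifaces.values()}

    def onlink_segment(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Segment on which this node believes dst is directly reachable,
        judged only by its own mask, exactly as a real host does."""
        for seg, iface in self.ifaces.items():
            if dst in iface.network:
                return seg
        return None


class Network:
    def __init__(self, nodes: List[Node]):
        self.nodes = {n.name: n for n in nodes}
        self.by_addr = {a: n for n in nodes for a in n.addresses()}

    def addr_of(self, name: str) -> str:
        return str(next(iter(self.nodes[name].ifaces.values())).ip)

    def _neighbour(self, seg: str, addr: ipaddress.IPv4Address) -> Optional[Node]:
        # Direct delivery only works if something with that address is on the
        # same wire; otherwise the ARP request simply goes unanswered.
        n = self.by_addr.get(addr)
        if n is not None and seg in n.ifaces and n.ifaces[seg].ip == addr:
            return n
        return None

    def trace(self, src: str, dst_addr: str, max_hops: int = 8) -> List[str]:
        """Hop-by-hop path a packet takes from node src to dst_addr."""
        dst = ipaddress.ip_address(dst_addr)
        cur = self.nodes[src]
        path = [cur.name]
        for _ in range(max_hops):
            if dst in cur.addresses():
                return path
            seg = cur.onlink_segment(dst)
            if seg is not None:
                nxt = self._neighbour(seg, dst)
                if nxt is None:
                    path.append(f"unreachable: no ARP reply for {dst} on {seg}")
                    return path
            else:
                if cur.gateway is None:
                    path.append("unreachable: no route")
                    return path
                gw_seg = cur.onlink_segment(cur.gateway)
                nxt = self._neighbour(gw_seg, cur.gateway) if gw_seg else None
                if nxt is None:
                    path.append("unreachable: gateway not on-link")
                    return path
            path.append(nxt.name)
            cur = nxt
        path.append("unreachable: hop limit")
        return path

    def symmetric(self, a: str, b: str) -> bool:
        """True when the reply retraces the request; a router that appears in
        only one direction sees half a connection and, if stateful, drops it."""
        fwd = self.trace(a, self.addr_of(b))
        rev = self.trace(b, self.addr_of(a))
        return fwd == list(reversed(rev))

    def mask_mismatches(self, seg: str) -> List[str]:
        """Nodes whose prefix length on seg differs from the most common one."""
        lens = {n.name: n.ifaces[seg].network.prefixlen
                for n in self.nodes.values() if seg in n.ifaces}
        common = max(lens.values(), key=list(lens.values()).count)
        return sorted(name for name, plen in lens.items() if plen != common)


def build_example() -> Network:
    # Constructed topology: two routers share the LAN and a third segment;
    # pc30 carries a wrong /16 mask, pc300 uses fw2 as its gateway.
    return Network([
        Node("fw1", {"lan": "10.0.0.1/24", "net3": "10.0.3.1/24"}),
        Node("fw2", {"lan": "10.0.0.2/24", "net3": "10.0.3.2/24"}),
        Node("pc10", {"lan": "10.0.0.10/24"}, gateway="10.0.0.1"),
        Node("pc11", {"lan": "10.0.0.11/24"}, gateway="10.0.0.2"),
        Node("pc30", {"lan": "10.0.0.30/16"}, gateway="10.0.0.1"),
        Node("pc300", {"net3": "10.0.3.100/24"}, gateway="10.0.3.2"),
    ])


if __name__ == "__main__":
    net = build_example()
    for a, b in [("pc10", "pc11"), ("pc10", "pc300"), ("pc30", "pc300")]:
        print(a, "->", b, net.trace(a, net.addr_of(b)), "| symmetric:", net.symmetric(a, b))
    print("mask mismatches on lan:", net.mask_mismatches("lan"))
```

Running it shows pc10 to pc11 staying on the wire in both directions, pc10 to pc300 going out through fw1 but returning through fw2, and pc30 never reaching pc300 at all because its /16 mask makes it ARP on the LAN for an address that lives on another segment. The `mask_mismatches()` check is the kind of thing worth running against a DHCP lease list or an inventory before adding a second gateway to a shared segment.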
              • stephenw10 Netgate Administrator

                This is the same installation we looked at some time ago yes? There's quite a bit of history there!

                You can put two subnets on the same layer 2 segment and it can work fine as long as you're careful. The reasons to not do that are that it's all too easy to get it wrong and that there is no separation between the subnets. The latter is usually a security issue but I'm guessing it isn't for you.

                You say you don't want to use a VLAN but doing so would make things a lot clearer and safer. And without a VLAN but devices in separate subnets that traffic still has to go through both routers to reach hosts in the other subnet.

                Steve

                • Dobby_

                  @lewis

                  In some rare, special cases it might make sense to go this way, but only in some:

                  • Testing out something hardware/software/service based
                  • Testing throughput, VPN and other things perhaps
                  • Lab network for trying out and configuring things

                  But let's be fair and say it's not common, what you were setting up! And the more you set things up in your own manner, thinking "love to do it your way"......

                  You will end up sooner or later in a more or less massively problem-glued situation, or plainly said, the workarounds grow more and more based on that uncommon setup.

                  If you have the ability to set up two VLANs and give each another subnet like 192..... and 172..... you may be better sorted.

                  If it is then even your wish that the devices must be able "to talk" to each other, you may be better off going with:

                  • setting up a WiFi bridge between both networks
                  • setting up a network cable from port to port between the pfSense units
                  • setting up from both units a port to a switch so that they will be able to share data through that connection.

                  But all in all, you may then not run into this or that behaviour or problem later, nor again and again set up something like a workaround, where later no one knows, if a problem occurs, where it comes from and how to solve it.

                  #~. @Dobby

                  Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                  PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                  PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                  • lewis

                    @steveits said in Two firewalls on the same network:
                    if you have two routers it will work for Internet access if they are both in 10.0.0.0/24, you just need to set some PCs with a different gateway.

                    Right. Just not clear on where the /16 is then because we were talking about using /16 across all LAN devices.

                    @stephenw10 said in Two firewalls on the same network:
                    This is the same installation we looked at some time ago yes? There's quite a bit of history there!

                    Great memory but no, this is different. The other was two separate networks needing to communicate together. It was accomplished using routing between the firewalls.
                    In this case, it's two firewalls on the same network because of some limitations that can't be changed. Have servers but only two interfaces.

                    You say you don't want to use a VLAN but doing so would make things a lot clearer and safer. And without a VLAN but devices in separate subnets that traffic still has to go through both routers to reach hosts in the other subnet.

                    Being honest, VLANs make me nervous. A lot of the stuff I've been doing and asking for help on are new things to me. It's easy to set up simple networks and firewalls but I seem to come across a bit more complex (to me) stuff regularly.

                    @Dobby_ said in Two firewalls on the same network:
                    You will be ending earlier or later in a more or less massively problems glued situation or plain said the workaround are growing more and more
                    based on that not common setup.

                    Yes, agreed, patchy things lead to more patches and eventually things break.

                    Really, I decided to post here looking for thoughts on what I was seeing but it's turned into a lot of useful information that could become a longer term solution than the kludge it is now, even if it's working.

                    There is no option to add WiFi. Mentioning VLANs again... maybe the second firewall could be just that, the VLAN firewall instead of a full out firewall. However, doesn't that add up to the same thing? No matter if it's a VLAN or a new subnet, isn't that about the same?

                    • stephenw10 Netgate Administrator

                      Really the simplest thing here is probably what you have already. Just set some hosts to use a different gateway within the same subnet. That will work fine as long as you don't accidentally forward traffic through one router to a host that is using the other router as its gateway, or otherwise create asymmetry in the route.

                      • lewis @stephenw10

                        @stephenw10

                        So keep the 10.0.0.2/24 on the second firewall and just point those servers that need that route to it?

                        So long as the first firewall never references any of the devices using the second firewall as their GW, then that should prevent problems.

                        It would be nice to keep it as he set it up, it seems to work ok.

                        • stephenw10 Netgate Administrator

                          If it was misconfigured somewhere I'd expect the issues to be pretty obvious!

                          Just be aware of the potential asymmetry issues with two routers in one subnet and avoid them if you're making changes there.

                          The problems we see with networks like that are usually when admins change or are forced to do things they wouldn't usually attempt. If it's not documented it's easy to introduce asymmetry and if you're not expecting that it can be difficult to diagnose.

                          • lewis @stephenw10

                            @stephenw10

                            Seems to be working fine so far. As you said, just making sure that specific devices have their gateway set to the correct firewall for I/O to the Internet.

                            Devices are able to communicate internally so it's kind of a nice simple setup for adding bandwidth in an environment with a number of limitations.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.