Two firewalls on the same network
- 
 Doing that is more likely to introduce problems IMO. If anything in that network segment was set to a /16 subnet mask, which would enable them to send traffic directly, that would cause asymmetry for anything that isn't using /16. You need to have the same subnet mask set for everything in the segment. In this scenario, there is only one single LAN, no additional interfaces to add to a firewall; only another machine could be installed which also has two interfaces. Also, I would like to avoid using a VLAN as that would separate the devices, which is not the goal. If I understand correctly, using different subnet masks in the same network segment is what could cause asymmetric routing. If devices on the same network segment have different subnet masks, some devices may be able to send traffic directly to other devices without going through the firewall, leading to inconsistent routing and potential security issues. I would have thought the other way, that with their own masks, they could not communicate with any other device with another mask. Then to make this work, all devices on the same network segment should have the same subnet mask, to ensure that traffic is routed symmetrically through the firewalls. As I said, if I understand the comments, the next thing that's not clear to me is how the firewalls would be configured. The /16 on the clients would allow them to communicate together and with their respective firewall for their GW and Internet access. Would the firewalls be using what I mentioned above for their own networks, 10.0.0.0/24 and 10.0.1.0/24, but still with a /24 or a /16?
- 
 @lewis said in Two firewalls on the same network:
 with their own masks, they could not communicate with any other device with another mask

 They can't, but someone could enter the wrong mask. If you set them up with two /24 masks then in theory you should be fine. If someone uses a /16 on one, traffic from that device will not go through the router to get to the other subnet, because the device thinks it is already in that subnet. Also, DHCP can only be set up on one router. IPv6 is another layer of complexity.
- 
 Yes, only one would have DHCP. The devices that would need access via the second firewall would be manually configured. What then would the LAN masks be on the firewalls? 
 Say one is 10.0.0.0 and the new one is 10.0.1.0.
- 
 @lewis OK, let me back up and reread... if you have two routers it will work for Internet access if they are both in 10.0.0.0/24, you just need to set some PCs with a different gateway. If you put them in separate subnets 10.0.0.0/24 and 10.0.1.0/24 then you'll need to make sure PCs have the correct /24 mask. Let's say at some point in the future you add another interface to both routers. PC10 may connect to 10.0.0.1 to get to PC300 on the third network, while the reply from PC300 comes back through 10.0.0.2, and that's the asymmetric issue.
- 
 This is the same installation we looked at some time ago, yes? There's quite a bit of history there! You can put two subnets on the same layer 2 segment and it can work fine as long as you're careful. The reasons not to do that are that it's all too easy to get it wrong and that there is no separation between the subnets. The latter is usually a security issue but I'm guessing it isn't for you. You say you don't want to use a VLAN but doing so would make things a lot clearer and safer. And without a VLAN, but with devices in separate subnets, that traffic still has to go through both routers to reach hosts in the other subnet. Steve
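The three situations argued over in the replies above (one /24 with two gateways, two /24s on one wire with a host that typed /16, and the future "third network" where PC10 goes out through one firewall and PC300 answers through the other) are easier to see in a small model than in prose. The following is an added worked example and not code from the thread or from pfSense: node names, addresses and the assumption that each firewall holds an address in both subnets (so it can forward between them) are mine. Each node decides on-link versus gateway purely from its own mask, exactly as a real host does, and `asymmetric()` reports when the return path does not retrace the forward path's routers, which is the condition under which a stateful firewall sees only half of a connection.

```python
"""Toy model of next-hop selection for hosts sharing one layer-2 segment with
two routers. Added example, not code from the thread; node names, addresses
and the "each firewall holds an alias in both subnets" layout are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    name: str
    ifaces: tuple                  # ((segment, "ip/prefix"), ...); segment = which L2 it sits on
    gateway: Optional[str] = None  # default gateway; the firewalls need none in these cases


def _interfaces(node):
    return [(seg, ipaddress.ip_interface(cidr)) for seg, cidr in node.ifaces]


def first_ip(node):
    return str(_interfaces(node)[0][1].ip)


def segment_for(node, ip):
    """Segment on which `node` believes `ip` is on-link, judged only by its own masks."""
    ip = ipaddress.ip_address(ip)
    for seg, iface in _interfaces(node):
        if ip in iface.network:
            return seg
    return None


def trace(nodes, src, dst, max_hops=8):
    """Forward a packet from host `src` to address `dst` one hop at a time.
    Returns (delivered, routers): whether the final ARP finds the target on the
    segment the sender chose, and the names of the routers that forwarded it."""
    by_ip = {str(i.ip): n for n in nodes for _, i in _interfaces(n)}
    present = {(seg, str(i.ip)) for n in nodes for seg, i in _interfaces(n)}
    cur, routers = src, []
    for _ in range(max_hops):
        seg = segment_for(cur, dst)
        target = dst if seg else cur.gateway
        if target is None:
            return False, routers          # not on-link and no default gateway
        seg = seg or segment_for(cur, target)
        if (seg, target) not in present:
            return False, routers          # ARP on the chosen segment gets no answer
        if target == dst:
            return True, routers
        cur = by_ip[target]
        routers.append(cur.name)
    raise RuntimeError("forwarding loop")


def asymmetric(nodes, a, b):
    """True when b's replies to a do not retrace the routers a used to reach b;
    a stateful firewall on only one of the two paths then drops the reply."""
    _, fwd = trace(nodes, a, first_ip(b))
    _, rev = trace(nodes, b, first_ip(a))
    return fwd != list(reversed(rev))


def scenario_one_subnet():
    """What the thread settled on: one /24, two firewalls, hosts pick a gateway."""
    fw_a = Node("FW-A", (("lan", "10.0.0.1/24"),))
    fw_b = Node("FW-B", (("lan", "10.0.0.2/24"),))
    pc10 = Node("PC10", (("lan", "10.0.0.10/24"),), gateway="10.0.0.1")
    pc20 = Node("PC20", (("lan", "10.0.0.20/24"),), gateway="10.0.0.2")
    nodes = [fw_a, fw_b, pc10, pc20]
    # host-to-host traffic is direct both ways: no router involved, no asymmetry
    return trace(nodes, pc10, "10.0.0.20"), asymmetric(nodes, pc10, pc20)


def scenario_two_subnets(pc_a_prefix=24):
    """Two /24s on one segment. Assumed: each firewall has an address in both so it
    can forward between them. pc_a_prefix=16 is the typo the thread warns about."""
    fw_a = Node("FW-A", (("lan", "10.0.0.1/24"), ("lan", "10.0.1.1/24")))
    fw_b = Node("FW-B", (("lan", "10.0.0.2/24"), ("lan", "10.0.1.2/24")))
    pc_a = Node("PC-A", (("lan", f"10.0.0.10/{pc_a_prefix}"),), gateway="10.0.0.1")
    pc_b = Node("PC-B", (("lan", "10.0.1.20/24"),), gateway="10.0.1.2")
    nodes = [fw_a, fw_b, pc_a, pc_b]
    return (trace(nodes, pc_a, "10.0.1.20")[1], trace(nodes, pc_b, "10.0.0.10")[1],
            asymmetric(nodes, pc_a, pc_b))


def scenario_third_network():
    """Both firewalls later gain an interface on a third network. PC10 reaches
    PC300 through FW-A but PC300 answers through its own gateway FW-B; PC11 has
    the /16 typo, ARPs for PC300 on the LAN and never hands the packet to a router."""
    fw_a = Node("FW-A", (("lan", "10.0.0.1/24"), ("net3", "10.0.2.1/24")))
    fw_b = Node("FW-B", (("lan", "10.0.0.2/24"), ("net3", "10.0.2.2/24")))
    pc10 = Node("PC10", (("lan", "10.0.0.10/24"),), gateway="10.0.0.1")
    pc11 = Node("PC11", (("lan", "10.0.0.11/16"),), gateway="10.0.0.1")
    pc300 = Node("PC300", (("net3", "10.0.2.30/24"),), gateway="10.0.2.2")
    nodes = [fw_a, fw_b, pc10, pc11, pc300]
    return (trace(nodes, pc10, "10.0.2.30"), trace(nodes, pc300, "10.0.0.10"),
            asymmetric(nodes, pc10, pc300), trace(nodes, pc11, "10.0.2.30"))


if __name__ == "__main__":
    print("one subnet:     ", scenario_one_subnet())
    print("two subnets /24:", scenario_two_subnets(24))
    print("two subnets /16:", scenario_two_subnets(16))
    print("third network:  ", scenario_third_network())
```

Running it shows the point each reply was making: in the single-subnet layout host-to-host traffic never touches a router, so only Internet-bound traffic picks a firewall and nothing is asymmetric. With two subnets on one wire the forward path goes through one firewall and the reply through the other even when every mask is correct; the /16 typo merely changes which half is routed (PC-A sends directly, PC-B still replies via its gateway). In the third-network case the wrongly masked PC11 gets no answer to its ARP at all, which is the "will not go through the router" failure rather than an asymmetry, and is why a stateful firewall in this topology should never be handed a forwarded packet whose return trip belongs to the other box.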
- 
 In some rare special cases it might make sense to go this way, but only in some:
 - Testing out something hardware/software/service based
 - Testing throughput, VPN and other things perhaps
 - Lab network for trying out and configuring things
 But let's be fair and say that what you are setting up is not common! And the more you set things up in your own manner, thinking "I love to do it my way"... you will end up sooner or later in a more or less massively problem-glued situation, or plainly said, the workarounds grow more and more based on that uncommon setup. If you have the ability to set up two VLANs and give each another subnet like 192..... and 172..... you may be better sorted. If it is then even your wish that the devices must be able "to talk" to each other, you may be better off going with:
 - setting up a WiFi bridge between the two networks
 - setting up a network cable from port to port of the pfSense units
 - setting up a port from both units to a switch so that they will be able to share data through that connection.
 But all in all, you may then not be running later into this or that behaviour or problem, and again and again setting up something like a workaround, and later no one knows, if a problem occurs, where it comes from and how to solve it.
- 
 @steveits said in Two firewalls on the same network:
 if you have two routers it will work for Internet access if they are both in 10.0.0.0/24, you just need to set some PCs with a different gateway.

 Right. Just not clear on where the /16 is then, because we were talking about using /16 across all LAN devices.

 @stephenw10 said in Two firewalls on the same network:
 This is the same installation we looked at some time ago yes? There's quite a bit of history there!

 Great memory, but no, this is different. The other was two separate networks needing to communicate together. It was accomplished using routing between the firewalls. In this case, it's two firewalls on the same network because of some limitations that can't be changed. Have servers but only two interfaces.

 @stephenw10 said in Two firewalls on the same network:
 You say you don't want to use a VLAN but doing so would make things a lot clearer and safer. And without a VLAN but devices in separate subnets that traffic still has to go through both routers to reach hosts in the other subnet.

 Being honest, VLANs make me nervous. A lot of the stuff I've been doing and asking for help on are new things to me. It's easy to set up simple networks and firewalls but I seem to come across a bit more complex (to me) stuff regularly.

 @Dobby_ said in Two firewalls on the same network:
 You will end up sooner or later in a more or less massively problem-glued situation, or plainly said, the workarounds grow more and more based on that uncommon setup.

 Yes, agreed, patchy things lead to more patches and eventually things break. Really, I decided to post here looking for thoughts on what I was seeing but it's turned into a lot of useful information that could become a longer term solution than the kludge it is now, even if it's working. There is no option to add WiFi. Mentioning VLANs again... maybe the second firewall could be just that, the VLAN firewall instead of a full out firewall. However, doesn't that add up to the same thing? No matter if it's a VLAN or a new subnet, isn't that about the same?
- 
 Really the simplest thing here is probably what you have already. Just set some hosts to use a different gateway within the same subnet. That will work fine as long as you don't accidentally forward traffic through one router to a host that is using the other router as its gateway, or otherwise create asymmetry in the route.
- 
 So keep the 10.0.0.2/24 on the second firewall and just point those servers that need that route to it? So long as the first firewall never references any of the devices using the second firewall as their GW, then that should prevent problems. It would be nice to keep it as he set it up, it seems to work ok. 
- 
 If it was misconfigured somewhere I'd expect the issues to be pretty obvious! Just be aware of the potential asymmetry issues with two routers in one subnet and avoid them if you're making changes there. The problems we see with networks like that are usually when admins change or are forced to do things they wouldn't usually attempt. If it's not documented it's easy to introduce asymmetry and if you're not expecting that it can be difficult to diagnose. 
- 
 Seems to be working fine so far. As you said, just making sure that specific devices have their gateway set to the correct firewall for I/O to Internet. Devices are able to communicate internally so it's kind of a nice simple setup for adding bandwidth in an environment with a number of limitations. 

