Netgate Discussion Forum

PFSENSE with 1 wan and multiple LAN

General pfSense Questions
haris013
Mar 3, 2018, 7:43 PM (last edited Mar 3, 2018, 7:53 PM)

Hello everyone, I am a newbie to networking and stuff, but I have a few questions.

I have set up pfSense running as a VM. I have a physical server running Proxmox: 1 integrated NIC used as the Proxmox management port and a PCIe card with 4 NICs used for pfSense. I have created 4 bridges, one for each physical NIC. Inside pfSense I have 1 WAN and 1 LAN interface (2 ports remain unused). I use a modem and a PPPoE setup on the WAN port.

On the LAN port I have plugged in an unmanaged switch. Everything works fine; I have DHCP and internet on all devices connected to the switch.

My question is about an access point I have. I would like to isolate this access point.

My main LAN network with the switch is 192.168.1.0/24.

I would like to isolate the access point to a network like 192.168.2.0/24 and have internet access.

Also I would like to isolate another test PC to a network like 192.168.3.0/24 and have internet access.

How can I do that, and how does the wiring go?

gjaltemba
Mar 3, 2018, 8:30 PM

Cable the LAN port on the access point to the unused port on the quad NIC.

Try creating a new interface and assign an unused port for your access point. Configure the new interface OPT1 for the 192.168.2.0/24 subnet. Enable the DHCP server on OPT1 if needed. Add an allow firewall rule on OPT1 to access the WAN. Test.

haris013
Mar 5, 2018, 2:49 PM

Well, I tried the following:

Created new interface OPT1
Set interface IPv4 address 192.168.2.1/24
Set up DHCP for OPT1
Added firewall rule: allow IPv4 * OPT1 net -> WAN net

My client gets an IP automatically: 192.168.2.25, gateway 192.168.2.1, DNS 192.168.2.1.

I don't have internet access; also I can't ping from the client to 192.168.2.1.

The client is connected via powerline.

Any ideas?

NogBadTheBad
Mar 5, 2018, 2:52 PM (last edited Mar 5, 2018, 2:55 PM)

@haris013:

"add firewall rule allow ipv4 * opt1 net  wan net"

WAN net: is that the destination? It should be any.

Above this rule you should also block OPT1 net to the subnets that you want to be blocked, i.e. 192.168.1.0/24.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

haris013
Mar 5, 2018, 3:21 PM

After a little experiment I did the following (see the attachment).

I can ping 8.8.8.8 from a client connected to OPT1, but it seems it can't resolve addresses. ping google.com gives unreachable host as the result.

[attachment: Capture.PNG]

NogBadTheBad
Mar 5, 2018, 3:28 PM (last edited Mar 5, 2018, 3:38 PM)

What is 192.168.1.21? Is it your DNS server? If it is, you'll never hit that firewall rule, as the traffic is blocked by the first rule to 192.168.1.0/24.

              Firewall rules are read from the top down.

              https://doc.pfsense.org/index.php/Firewall_Rule_Basics

              Andy

haris013
Mar 5, 2018, 3:38 PM

I changed the rules like above and everything works like a charm.

Is that a recommended config, or does it work just by luck?

[attachment: Capture.PNG]

NogBadTheBad
Mar 5, 2018, 3:45 PM

Maybe you also want to allow NTP.

It's sort of how I do it, but I have an alias that contains the subnets I don't want to be accessed, use that in the block rule, and have it log.

I also just use "This Firewall" rather than a specific interface, and I also have a block any any at the bottom and have that set to log.

                  Andy

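Andy's two points above (the rule list is matched top down, and the DNS/NTP allows to "This Firewall" must sit above the block to the private subnets) can be checked with a small first-match simulator. This is an added example, not code from the thread or from pfSense; the addresses are the ones posted in the thread, and the firewall's LAN address 192.168.1.1 is an assumption.

```python
"""First-match walk through the OPT1 rulesets from this thread (added example,
not pfSense code). Addresses are from the thread; the firewall's LAN address
192.168.1.1 is an assumption."""
import ipaddress

ANY = "any"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DNS_ON_LAN = ipaddress.ip_network("192.168.1.21/32")  # the DNS server asked about
# "This Firewall" in pfSense matches every address the firewall itself owns.
THIS_FIREWALL = {ipaddress.ip_address("192.168.2.1"),
                 ipaddress.ip_address("192.168.1.1")}  # LAN address assumed


def rule(action, dst, proto=ANY, dport=ANY, log=False):
    """One rule on the OPT1 tab; source is always 'OPT1 net', so only the rest varies."""
    return {"action": action, "dst": dst, "proto": proto, "dport": dport, "log": log}


def evaluate(rules, dst, proto, dport=None):
    """Return (action, index) of the first rule that matches, walking the list
    top down the way pfSense does (first match wins)."""
    dst_ip = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["proto"] not in (ANY, proto) or r["dport"] not in (ANY, dport):
            continue
        if r["dst"] == ANY or dst_ip in r["dst"]:
            return r["action"], i
    return "block", None  # the implicit default deny at the end of every list


# Ordering from the first screenshot: the block to LAN sits on top, so a DNS query
# to 192.168.1.21 is dropped before it can ever reach the allow rule beneath it.
BROKEN = [
    rule("block", LAN_NET),
    rule("pass", DNS_ON_LAN, "udp", 53),
    rule("pass", ANY),
]

# Ordering Andy describes: DNS and NTP to "This Firewall" first, then a logged block
# to the private subnets, then allow-any, then a logged catch-all block.
RECOMMENDED = [
    rule("pass", THIS_FIREWALL, "udp", 53),
    rule("pass", THIS_FIREWALL, "tcp", 53),
    rule("pass", THIS_FIREWALL, "udp", 123),
    rule("block", LAN_NET, log=True),
    rule("pass", ANY),
    rule("block", ANY, log=True),
]
```

With BROKEN, ping to 8.8.8.8 passes (rule 3) while the DNS query to 192.168.1.21 hits the block at rule 1, which is exactly the symptom reported above; with RECOMMENDED, DNS and NTP to the firewall pass, anything else to 192.168.1.0/24 is blocked and logged, and the rest of the internet is allowed.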
haris013
Mar 5, 2018, 4:41 PM

How will I allow the NTP?

Can you help with the rule?

NogBadTheBad
Mar 5, 2018, 4:55 PM

@haris013:

"How will I allow the NTP?

Can you help with the rule?"

[attachment: Untitled.jpg]

                      Andy

haris013
Mar 5, 2018, 5:09 PM

I did this; is that correct?

Also something more tricky: on the same physical server where the pfSense VM runs I have several more VMs that I would like to join to my network (LAN or OPT1 depending on the VM).

How can I do that?

Thanks again for the help.

[attachment: Capture.PNG]

NogBadTheBad
Mar 5, 2018, 6:43 PM

@haris013:

"I did this; is that correct?

Also something more tricky: on the same physical server where the pfSense VM runs I have several more VMs that I would like to join to my network (LAN or OPT1 depending on the VM).

How can I do that?

Thanks again for the help."

The destination is any, which will work.

I run NTP on my router and allow NTP only to This Firewall.

Re "Also something more tricky: on the same physical server where the pfSense VM runs I have several more VMs that I would like to join to my network (LAN or OPT1 depending on the VM)": not got a clue, sorry, I don't run Proxmox.

[attachment: Untitled.jpg]

                          Andy

haris013
Mar 5, 2018, 7:51 PM

OK, and a final question. I would like to access the LAN network when I am not at home (office or vacations).

How will I achieve that? I guess with a VPN; can you give me some resources to read on how to do that?

Also, can I allow a specific device from OPT1 to have full access to LAN and pfSense? I have an iPad connected via Wi-Fi from OPT1 and I would like to manage some of my servers that are currently on LAN.

The iPad gets an address from OPT1 DHCP; can I create a MAC address rule to access LAN only from my iPad regardless of the IP it has?

NogBadTheBad
Mar 5, 2018, 8:11 PM

                              https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

"Also, can I allow a specific device from OPT1 to have full access to LAN and pfSense? I have an iPad connected via Wi-Fi from OPT1 and I would like to manage some of my servers that are currently on LAN.

The iPad gets an address from OPT1 DHCP; can I create a MAC address rule to access LAN only from my iPad regardless of the IP it has?"

You'll need to do a MAC address reservation in the DHCP settings for the iPad and allow that IP address; you can't do firewall rules with MAC addresses.

                              Andy

haris013
Mar 6, 2018, 5:41 PM

Thank you very much for the info!

I forgot to mention that my ISP does not provide me a static IP. If I use a DDNS service, will I be able to do a VPN? At the certificate creation, can I use the DDNS domain instead of an IP?

Do I have to consider something else with a DDNS configuration?

Thanks again!

Derelict LAYER 8 Netgate
Mar 6, 2018, 6:59 PM

Yes. Use the exact hostname the remote users will be connecting to as the CN and an FQDN or Hostname SAN in the certificate you create for the VPN Server.

Set My Identifier in the VPN Phase 1 to Distinguished name and use the exact hostname there too.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

haris013
Mar 7, 2018, 4:42 PM

Thank you very much, sir!

I have a few connectivity issues with the internet. A couple of times every day, for several minutes, I don't have internet access. I don't know if it is a down DSL service, a rule or something else; I just don't have internet on my devices for a few minutes. How can I troubleshoot this problem? Where do I search in order to figure out what's happening?

Thanks in advance again!

Derelict LAYER 8 Netgate
Mar 7, 2018, 5:50 PM

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting