Netgate Discussion Forum

Use opt interface as LAN port

General pfSense Questions (27 posts, 5 posters)
wallabybob:

A very common pfSense basic configuration is to have two interfaces: WAN and LAN, with LAN allowed unlimited access to the internet and the firewall blocking unsolicited access from the internet to LAN. That's the default pfSense configuration. Once you add additional interfaces it's less clear there is a sensible default: should OPT1 be allowed to access LAN? Should LAN be allowed to access OPT1? etc. Because pfSense is a firewall and is generally used by people with a concern for security, the default firewall configuration for additional interfaces is to block all access from the additional interfaces (default configuration is "secure"). pfSense should then be configured to allow appropriate access from the additional interfaces.

      What access do you want to allow to systems on OPT1? Decide that, then add firewall rules to the OPT1 interface to allow that access: from the web GUI: Firewall -> Rules, click on the OPT1 (or whatever alias you have used for OPT1) tab. Since you apparently have firewall rules for your server, I'm a little surprised you apparently don't seem to know how to add firewall rules for OPT1. Note that the firewall rules specified for an interface apply to packets received on the interface.

      Your IP address and mask for LAN and OPT1 are fine, provided they don't conflict with any other assignments in your network.

mgc6288:

        @wallabybob:

A very common pfSense basic configuration is to have two interfaces: WAN and LAN, with LAN allowed unlimited access to the internet and the firewall blocking unsolicited access from the internet to LAN. That's the default pfSense configuration. Once you add additional interfaces it's less clear there is a sensible default: should OPT1 be allowed to access LAN? Should LAN be allowed to access OPT1? etc. Because pfSense is a firewall and is generally used by people with a concern for security, the default firewall configuration for additional interfaces is to block all access from the additional interfaces (default configuration is "secure"). pfSense should then be configured to allow appropriate access from the additional interfaces.

        What access do you want to allow to systems on OPT1? Decide that, then add firewall rules to the OPT1 interface to allow that access: from the web GUI: Firewall -> Rules, click on the OPT1 (or whatever alias you have used for OPT1) tab. Since you apparently have firewall rules for your server, I'm a little surprised you apparently don't seem to know how to add firewall rules for OPT1. Note that the firewall rules specified for an interface apply to packets received on the interface.

        Your IP address and mask for LAN and OPT1 are fine, provided they don't conflict with any other assignments in your network.

        Not that I don't know how to add rules but rather how to add rules in pfSense as I recently switched from a Linksys.  This has been a fun adventure and quite educational.  The OPT1 is only supposed to have WIFI and VoIP.  LAN and OPT1 are on different subnets and can ping each other but so far cannot access each other.  For the OPT1 rule all I did was copy the LAN rule.  Is this too open for the two (LAN and OPT1) to interact with each other?  Yes my knowledge is limited but hey I'm all self taught.

wallabybob:

          The OPT1 is only supposed to have WIFI and VoIP.  LAN and OPT1 are on different subnets and can ping each other but so far cannot access each other.  For the OPT1 rule all I did was copy the LAN rule.

          But did you change the source IP address from LANnet to OPT1net? If not, packets received on OPT1 won't match your rule.

          Is this too open for the two (LAN and OPT1) to interact with each other?

          Depends on what access restrictions you want to impose.

mgc6288:

            @wallabybob:

            But did you change the source IP address from LANnet to OPT1net? If not, packets received on OPT1 won't match your rule.

Under Firewall --> Rules --> OPT1 I copied over the Rule from Firewall --> Rules --> LAN with the minor change of the Source being OPT1 net, i.e. Pass, Interface: OPT1, Protocol: any, Source: OPT1 subnet, Destination: any.

            Depends on what access restrictions you want to impose.

            Well really there isn't any need for the two LANs to talk to each other at all.  The whole purpose of OPT1 is to have the VoIP and "guest" wifi (WPA2) on a separate LAN from the server and workstations so any communication isn't shared except the internet usage itself.  I just ask because there is "any" (*) in a lot of spaces that maybe it should be a little tighter.

I could ping each other but couldn't file access and just wanted to confirm that at my limited "hacking" abilities there wasn't something that I may be overlooking.  Thank you for the follow-up.

wallabybob:

              @mgc6288:

              Well really there isn't any need for the two LANs to talk to each other at all.

              You could add a rule to OPT1 to block access to LANnet and a rule to LAN to block access to OPT1net. Since the rule processing starts at the top and stops on the first match these rules should go before your existing rules. If it was my network I'd probably allow access to OPT1net from at least one station on LANnet in case I needed to do some kind of "management" operation.

              I could ping each other but couldn't file access.

              What sort of file access and what error was reported?

mgc6288:

                @wallabybob:

                You could add a rule to OPT1 to block access to LANnet and a rule to LAN to block access to OPT1net. Since the rule processing starts at the top and stops on the first match these rules should go before your existing rules. If it was my network I'd probably allow access to OPT1net from at least one station on LANnet in case I needed to do some kind of "management" operation.

Ok, I think I'm wrong but maybe on the right track.  Under LAN I did the following:

                Rule1: PASS, Protocol TCP, Source: Workstation IP, Port: any, Destination: OPT1 subnet, Port: any

                Rule2: BLOCK, Protocol: any, Source: Lan subnet, Port: any, Destination: OPT1 subnet, Port: any

                Rule3: PASS, Protocol: any, Source: Lan subnet, Port: any, Destination: any, Port: any

                Under OPT1:

                Rule1: BLOCK, Protocol: any, Source: OPT1 subnet, Port: any, Destination: LAN subnet, Port: any

                Rule2: PASS, Protocol: any, Source: OPT1 subnet, Port: any, Destination: any, Port: any

                I just tried to access the Linksys VoIP router on the OPT1 and wasn't able to from the workstation on LAN.  Would this be because of two different subnets?  Remember LAN is 192.168.1.1 and OPT1 is 192.168.2.1

                What sort of file access and what error was reported?

                No specific error - just could ping but I couldn't access the files…different subnet?

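As an added example (not pfSense code and not from either poster), the following Python walks the LAN and OPT1 rule sets listed above with pfSense's first-match semantics: rules apply to packets received on the interface, the first match wins, and anything unmatched hits the implicit default deny. The workstation address 192.168.1.50 and the host addresses are constructed. It shows why the block rules must sit above the pass-any rules, and that because Rule1 on LAN is TCP-only, an ICMP ping from the workstation to OPT1 falls through to Rule2 and is blocked.

```python
"""First-match walk of the LAN and OPT1 rule sets from the thread.

Added example; not pfSense code and not the poster's own.  Each rule set
applies to packets received on that interface, the first matching rule
wins, and anything matching nothing falls to pfSense's implicit default
deny.  Networks follow the thread (LAN 192.168.1.0/24, OPT1 192.168.2.0/24);
the workstation address is a constructed placeholder.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Union

Selector = Union[str, IPv4Address, IPv4Network]   # "any", one host, or a net

LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.2.0/24")
WORKSTATION = ip_address("192.168.1.50")           # constructed management host


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "any", "tcp", "udp" or "icmp"
    src: Selector
    dst: Selector
    desc: str = ""

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.proto in ("any", proto)
                and _selects(self.src, src) and _selects(self.dst, dst))


def _selects(selector: Selector, addr: IPv4Address) -> bool:
    """True when a rule's source/destination selector covers addr."""
    if selector == "any":
        return True
    if isinstance(selector, IPv4Address):
        return selector == addr
    return addr in selector


def evaluate(rules, proto: str, src: str, dst: str):
    """Return (action, description) of the first rule matching the packet."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# LAN rules as posted.  Rule1 is TCP-only, so an ICMP ping from the
# workstation to OPT1 skips it and is caught by the block in Rule2.
LAN_RULES = [
    Rule("pass", "tcp", WORKSTATION, OPT1_NET, "Rule1: workstation -> OPT1"),
    Rule("block", "any", LAN_NET, OPT1_NET, "Rule2: LAN -> OPT1 blocked"),
    Rule("pass", "any", LAN_NET, "any", "Rule3: default LAN -> any"),
]
OPT1_RULES = [
    Rule("block", "any", OPT1_NET, LAN_NET, "Rule1: OPT1 -> LAN blocked"),
    Rule("pass", "any", OPT1_NET, "any", "Rule2: internet access"),
]
# The same two OPT1 rules with the block placed *after* the pass-any rule:
# the block can never match, which is why block rules must go first.
MISORDERED_OPT1 = [OPT1_RULES[1], OPT1_RULES[0]]

if __name__ == "__main__":
    cases = [
        ("LAN workstation, web to OPT1 host", LAN_RULES, "tcp", "192.168.1.50", "192.168.2.10"),
        ("LAN workstation, ping to OPT1 host", LAN_RULES, "icmp", "192.168.1.50", "192.168.2.10"),
        ("other LAN host to OPT1 host", LAN_RULES, "tcp", "192.168.1.77", "192.168.2.10"),
        ("OPT1 guest to LAN host", OPT1_RULES, "tcp", "192.168.2.10", "192.168.1.77"),
        ("OPT1 guest to internet", OPT1_RULES, "udp", "192.168.2.10", "203.0.113.10"),
        ("OPT1 guest to LAN, misordered rules", MISORDERED_OPT1, "tcp", "192.168.2.10", "192.168.1.77"),
    ]
    for name, rules, proto, src, dst in cases:
        print(f"{name:38s} {evaluate(rules, proto, src, dst)}")
```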
wallabybob:

                  @mgc6288:

                  I just tried to access the Linksys VoIP router on the OPT1 and wasn't able to from the workstation on LAN.  Would this be because of two different subnets?

                  No.

                  What kind of access? (ping? ssh? web? etc) Is the VoIP router configured to respond to that sort of access? Does the VoIP router have a route to tell it which interface to use to return a response?

                  Sometimes it is necessary to reset firewall states after modifying firewall rules. See Diagnostics -> States and click on the Reset States tab. If it doesn't come good after that then welcome to the world of network debugging: a good start would be to look at the firewall log to see if the access was blocked by a firewall rule. (But record the time you reset the states so you don't get distracted by log entries before the states reset.)

                  What sort of file access and what error was reported?

                  No specific error - just could ping but I couldn't access the files…different subnet?

                  But what method did you use to access the files: NFS? FTP? WinSCP? Windows Explorer? … It can make a difference.

mgc6288:

                    @wallabybob:

                    What kind of access? (ping? ssh? web? etc) Is the VoIP router configured to respond to that sort of access? Does the VoIP router have a route to tell it which interface to use to return a response?

                    Sometimes it is necessary to reset firewall states after modifying firewall rules. See Diagnostics -> States and click on the Reset States tab. If it doesn't come good after that then welcome to the world of network debugging: a good start would be to look at the firewall log to see if the access was blocked by a firewall rule. (But record the time you reset the states so you don't get distracted by log entries before the states reset.)

                    But what method did you use to access the files: NFS? FTP? WinSCP? Windows Explorer? … It can make a difference.

                    I did try and ping, no dice.  I also tried the router IP within FF and it didn't work either so web.  Before locking down to specific ports I had them set to "any" and it didn't work.

                    Well I did the "state reset" and for some weird reason the states don't all go away and in fact while I refresh the number of them changes.  I'm not familiar with "states" as to why that would happen.  It isn't the worst thing if I can't get access to the other from one computer - be nice - but not essential.  My main thing is making sure it is locked down.

mgc6288:

A new upgrade I'm thinking of.  My gigabit 8-port switch has been outgrown with my home server now with an additional 4 needed.  My pfSense box has 6 PCI slots plus a built-in one which effectively gives me a 6-port router after I get the cards.  My question is will they all be able to work together?  I had problems getting my VoIP to communicate as it shared my wireless but I'm not so worried about that.  What I'd like to do is directly hook up 5 PCs with twisted pair cables and then the sixth go to my 8-port switch.  I still would like them all on the same IP range, i.e. 192.168.1.x.  How would I go about configuring this and would it be advisable?

wallabybob:

I suspect you could purchase another 8-port Gigabit switch for barely more than you would pay for an additional 4 or more cards.

                        If you connect those additional PCs to your pfSense box any communication between them or between them and the PCs on the switch will have to get processed by the pfSense box. If you use another switch (one port on the new switch connected to a port on your current switch) any communication between the PCs can stay within the switches.

PCs with PCI slots generally have all the PCI slots on the one PCI bus. A standard PCI bus has a throughput of something less than about 1 gigabit/sec. In contrast, a reasonable quality 8-port gigabit switch will have a backplane capable of supporting 16 gigabits/sec, meaning all 8 ports could be involved in two-way conversations of 1 Gb/s each direction.

If all the new PCs are independent of the PCs on the switch and just want to access the Internet then it might make sense to get more cards for the pfSense box. But if you want substantial communication between the new PCs and your current PCs (e.g. for backups) it makes more sense to get an additional switch.

mgc6288:

                          Very informative, thanks!  There will be communication between them.

                          Any good recommendations for a good 8 or 16 port gigabit switch with jumbo frames?

wallabybob:

                            HP/Procurve switches are well regarded in these forums. TP-Link would probably give you a fair run at the low end of the price range. You would need to pay a bit for a VLAN capable switch.

mgc6288:

Ok, now with all my equipment in I am back to my original dilemma.  How would I get LAN to talk to OPT1?  Under Firewall --> Rules I have the following:

                              LAN:

                              Rule1: PASS, Protocol: any, Source: Lan subnet, Port: any, Destination: OPT1 subnet, Port: any, Description: Grant Access to OPT1

                              Rule2: PASS, Protocol: any, Source: Lan subnet, Port: any, Destination: any, Port: any, Description: Default LAN --> any

                              Under OPT1:

                              Rule1: PASS, Protocol: any, Source: OPT1 subnet, Port: any, Destination: LAN subnet, Port: any, Description: Grant Access to LAN

                              Rule2: PASS, Protocol: any, Source: OPT1 subnet, Port: any, Destination: any, Port: any, Description: Internet Access

                              Some of these rules may be redundant and unnecessary but I tried with and without and it doesn't ping or anything.  My goal is to have file access between LAN and OPT1.

wallabybob:

                                It looks to me that rule1 is not needed on either interface but maybe you just have them there as placeholders and you'll tweak them when you get your current configuration working.

                                @mgc6288:

                                it doesn't ping or anything.

                                ping by IP address? ping by hostname? what does ping tell you? do you know the ping target actually has the address you think it should have?

                                There are a lot of things that could have gone wrong. It would be helpful to have a few more clues about what you have done and what you saw.

                                Did you remember to reset firewall states after changing the firewall rules?

mgc6288:

                                  @wallabybob:

                                  It looks to me that rule1 is not needed on either interface but maybe you just have them there as placeholders and you'll tweak them when you get your current configuration working.

                                  ping by IP address? ping by hostname? what does ping tell you? do you know the ping target actually has the address you think it should have?

                                  There are a lot of things that could have gone wrong. It would be helpful to have a few more clues about what you have done and what you saw.

                                  Did you remember to reset firewall states after changing the firewall rules?

                                  Ok, Rule1 on both has been removed.  I then reset the states (thanks for the reminder).

                                  ASSUME: LAN has IP 192.168.0.1 and PC1 resides
                                  ASSUME: OPT1 has IP 192.168.1.1 and PC2 resides

                                  From PC1 (and vice versa):

                                  When I ping PC2's assigned IP address I receive a reply and vice versa.  Good.

When I ping the computer name pc2 (i.e. ping pc2) from pc1 I receive "Pinging pc2.domain [oddball ext. ip] request timed out."

Now when I map, i.e. \\pc2\c$ I got a time out however when I map to the IP, i.e. \\192.168.1.x\c$ it works just fine.

                                  A DNS issue???

wallabybob:

                                    @mgc6288:

                                    A DNS issue???

                                    Yes.

For PC1, who is its name server? Does it have a name - address mapping for PC2? (It will have to be a "local" system because a public name server won't know about names on your private network.) If pfSense is the name server how does it know the name - address mapping for PC2? Does DNS forwarder have a registration or (if you are using DHCP static assignments) do you have Register DHCP static mappings in DNS forwarder set?

mgc6288:

                                      @wallabybob:

For PC1, who is its name server? Does it have a name - address mapping for PC2? (It will have to be a "local" system because a public name server won't know about names on your private network.) If pfSense is the name server how does it know the name - address mapping for PC2? Does DNS forwarder have a registration or (if you are using DHCP static assignments) do you have Register DHCP static mappings in DNS forwarder set?

Lots of good questions.  I use my ISP's Name Servers however pfSense assigns the DNS and gateway its own, i.e. 192.168.x.x.  Under System --> General Setup --> Domain is domain.local however both LAN and OPT1 are on workgroup networks (not domain access).  My systems were static however even checking the DHCP static mappings didn't work and so I set them to DHCP and same outcome.

                                      I can ping pc2.domain (which shows an ext. IP) but no other combination works, i.e. pc2.domain.local , pc2.local , domain.local

wallabybob:

                                        If pc1 has domain domain.local and pc2 is known to the name server as host pc2 in domain domain.local then pc1 should be able to access pc2 as pc2 or pc2.domain.local.

What does pc1 think its name server is?  (In Windows open a command prompt and type the command ipconfig. In Unix or Linux give the shell command dig or nslookup pc2 to see what is reported as the name server.)  If you aren't sure how to interpret the output post the command and its output in a reply.

                                        @mgc6288:

                                        My systems were static however even checking the DHCP static mappings didn't work and so I set them to DHCP and same outcome.

I'm not sure what you mean by this. How are pc1 and pc2 getting their IP address? If it's set as a static IP address then you should also be setting the IP addresses of the default gateway and DNS. If pc1 and pc2 get their IP addresses from DHCP then they should also get default gateway and DNS from DHCP. If you switched pc1 and/or pc2 from static IP address to DHCP then you might need to disable then enable the corresponding interface (on pc1 or pc2) or even reboot to get them to issue the DHCP request.

mgc6288:

                                          @wallabybob:

                                          If pc1 has domain domain.local and pc2 is known to the name server as host pc2 in domain domain.local then pc1 should be able to access pc2 as pc2 or pc2.domain.local.

What does pc1 think its name server is?  (In Windows open a command prompt and type the command ipconfig. In Unix or Linux give the shell command dig or nslookup pc2 to see what is reported as the name server.)  If you aren't sure how to interpret the output post the command and its output in a reply.

Finally…I swapped out my pfSense box for a different one and had probs with a different package and ended up redoing that one.  Now I'm addicted to pfSense.  Never meant to leave you hanging but since rebuilding I had to place this on hold.

                                          From where I stand now, PC1 on LAN cannot ping PC2 on OPT1 by the command "ping PC2" as it just gets timed out.  However, PC1 can ping the ip address of PC2 and receive a reply.

PC1 also cannot map to PC2 via \\PC2\c$ however \\192.168.x.x\c$ works.  Is there some pfSense switch I'm missing that would allow mapping by the computer name PC2?

wallabybob:

It's been a while since this was last discussed so let's verify the configuration you are currently using.

PC1 seems to be a Windows system. In a command prompt window give the command ipconfig and verify that the pfSense box is the DHCP server and the DNS server. If that's not the case then the rest of this reply doesn't apply.

                                            In pfSense Services -> DNS forwarder check the boxes Register DHCP leases in DNS forwarder and Register DHCP static mappings in DNS forwarder then click Save. This is probably not sufficient to get the DNS forwarder to notice the new settings so clear the Enable box then click Save and then tick the Enable box then click Save.  Now try your access to PC2 by name.

                                            If it didn't work, does PC2 have a DHCP lease from the pfSense box? If so, maybe DNS forwarder only notices "new" DHCP leases. So, restart PC2 so it gets a new DHCP lease. Then try the access by name from PC1.  But did PC2 get its DHCP lease from pfSense?

On my home network all the systems get their IP address from DHCP. If that doesn't apply to your network a different solution will be required.
