Multiple LAN one WAN
-
Hi. Thank you to everyone supporting this board. I have 1.2.3 Release running for a couple months and this board has been very helpful. With this exception…
I have seen older posts about only 2 physical networks. Is that still true?
I have three NICs: 1 WAN, 1 LAN and 1 OPT. I have one internet connection on WAN. I want to have 2 physical LANs with one doing DHCP and the other utilizing my Server.
I also have a web server at 192.168.2.2/24 (that I used the "Multiple Subnets on One Interface in pfSense" document to configure) that is sharing the LAN interface. I have tried endlessly to get the OPT1 interface to act as a LAN doing DHCP with no joy. I always end up able to get a good DHCP address on the LAN I spec with proper gateway and DNS info but can never, ever get out to the Internet. I assume this is me as I am not an expert at routers. However I have followed several rule examples on here and duplicated the current LAN rules unsuccessfully. So I am thinking this may be an OPT1 interface challenge I can't solve?
Background info - LAN port is 192.168.1.1, OPT1 currently is 10.10.20.1, Pfsense is 192.168.1.2
On the WAN port I am routing from 10.10.20.0/24 to WAN Address and have tried the IP address. On the OPT1 interface am opening everything out to the WAN address. This will be a public network so just want to go directly from OPT1 out the WAN to the internet. ARRRG.
-
Background info - LAN port is 192.168.1.1, OPT1 currently is 10.10.20.1, Pfsense is 192.168.1.2
On the WAN port I am routing from 10.10.20.0/24 to WAN Address and have tried the IP address. On the OPT1 interface am opening everything out to the WAN address. This will be a public network so just want to go directly from OPT1 out the WAN to the internet. ARRRG.

I don't understand most of this paragraph. In particular, does "On the OPT1 interface am opening everything out to the WAN address" mean you have a firewall rule on the OPT1 interface allowing traffic to the IP address of the pfSense WAN interface? If so, that's a problem because none of the traffic coming in on the OPT1 interface and destined for the internet will have a destination address = the IP address of the pfSense WAN interface. Your rule should be something like (depends on exactly what you want to open) destination address = "*" OR destination address = !LAN subnet (not an IP address on your LAN subnet). The second option will allow traffic from OPT1 to the internet but allow blocking traffic from OPT1 to the LAN subnet (depending on the following rules).
Also, are you aware you generally need to reset firewall states after rule changes to make the rule changes take effect?
-
Sorry, yes I need to be more technically specific. The rule has been * to WAN address. Also used * to 192.168.2.2 which is PFSense and out of desperation tried * to just about everything else. I tried the specific LAN address to WAN address as well which you are saying won't work.
This is for public computers using direct access to the internet only (we are a non-profit library). I have also tried setting up Nat rules for incoming.
Yes, I have setup routes to my web server and NT server that serve the office successfully and generally restart pfSense after rule changes since it reboots so quickly and I'm doing this in off hours. Currently my public PCs are sharing a network and I need to get them off of there.
So it seems it is possible for the OPT1 interface to be used as a physical LAN segment with Internet access, I'm just not getting the rules correct?
-
My pfSense at home has WAN, LAN, OPT1 (wireless LAN bridged to LAN) and OPT2 (wired LAN segment). OPT2 has a single server with Internet access. So, yes, it is possible for your OPT1 to be used as a physical LAN segment with Internet access.
pfSense comes with predefined firewall rules on non-LAN interfaces to block all access from those interfaces. At the very least you need to add a firewall rule to allow access to the internet (or part thereof) from OPT1. Any rules you add on OPT1 will get looked at before the predefined rules.
Let's look at what happens when a PC on OPT1 attempts to open the web page http://66.102.11.104 (www.google.com). The PC will create a request in an IP packet with destination address 66.102.11.104. When (if) that gets to pfSense it will fail any of the pass rules you have mentioned because the destination address won't match.
I deliberately wrote if above because I haven't seen any evidence your PCs on OPT1 are correctly configured. If the OPT1 PCs use DHCP for configuration and the pfSense box is their DHCP server then they should be correctly configured. Otherwise the default gateway in the OPT1 PCs should be the IP address of the OPT1 interface.
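To make the first-match point above concrete, here is an added example (my own, not code from the thread or from pfSense) that models pfSense's top-down rule evaluation in Python: the poster's rule with destination = WAN address never matches a packet bound for 66.102.11.104, while a rule with destination = !LAN subnet passes it and leaves LAN-bound traffic to the default block. The WAN address 203.0.113.5 and the client 10.10.20.50 are constructed placeholders; the OPT1 and LAN subnets come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the thread; the WAN address is a constructed placeholder.
OPT1_NET = ip_network("10.10.20.0/24")
LAN_NET = ip_network("192.168.1.0/24")
WAN_ADDR = ip_network("203.0.113.5/32")
ANY = ip_network("0.0.0.0/0")          # the "*" destination in the GUI


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: object              # ip_network the source must fall in
    dst: object              # ip_network the destination must fall in
    negate_dst: bool = False # models the "not" (!) box on the destination


def first_match(rules, src, dst):
    """pfSense evaluates an interface's rules top-down; first match wins.
    Anything unmatched hits the implicit default block on non-LAN interfaces."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        hit = d in r.dst
        if r.negate_dst:
            hit = not hit
        if hit:
            return r.action
    return "block"


# The poster's rule: OPT1 net -> WAN address (only matches traffic to the box itself)
poster_rules = [Rule("pass", OPT1_NET, WAN_ADDR)]
# Suggested rule: OPT1 net -> !LAN subnet (internet passes, LAN falls to default block)
suggested_rules = [Rule("pass", OPT1_NET, LAN_NET, negate_dst=True)]
# Wide-open alternative: OPT1 net -> * (passes LAN-bound traffic too)
any_rules = [Rule("pass", OPT1_NET, ANY)]


def check(rules, dst, src="10.10.20.50"):
    """Result for a constructed OPT1 client sending to dst under the given ruleset."""
    return first_match(rules, src, dst)


if __name__ == "__main__":
    for name, rules in [("poster", poster_rules), ("suggested", suggested_rules), ("any", any_rules)]:
        for dst in ("66.102.11.104", "203.0.113.5", "192.168.1.1"):
            print(f"{name:9s} -> {dst:15s} {check(rules, dst)}")
```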
-
LAN port is 192.168.1.1, OPT1 currently is 10.10.20.1, Pfsense is 192.168.1.2
By "pfSense is" you mean the WAN is?
If your LAN port is 192.168.1.1 then you would access the web gui by that address… Where does the 192.168.1.2 come from?