Multi LAN problem
-
First and foremost…I am new to pfSense. I have some experience with routing, firewalls, etc.
Here's my problem:
I have pfSense installed with three NICs. One is for the WAN connection, the other two for local LAN connections. The WAN is setup to obtain an address from the ISP. My two internal NICs are designated as Lan1 and Lan2, 10.2.0.200 and 10.1.0.100 respectively. I can connect computers to the LAN1 connection and everything works just fine, e.g. Internet connection, everything. I can access it from outside too, RDP, HTTP, etc.
My problem is in getting the second LAN to work. When I plug a cable into that adapter, it indicates that it is active, but I can't connect to anything. I've connected a laptop directly to that port and I can't even ping it. I've verified that all the hardware is good. replaced the NIC for the second LAN, etc. My question is...is there anything I have to do in pfSense to make that second LAN work? As best as I can tell, it is configured exactly like the first one, but nothing seems to work.
DHCP is being handled by a system on my local network, so pfSense is not involved in that. I disabled it.
Any suggestions would be greatly appreciated.
riversr54
-
I assume DHCP is on LAN 1 side? If so you need firewall rules in place to allow DHCP requests to pass to that server. You will need firewall rules in place in general anyway for ANY traffic to leave LAN 2 (everything is explicitly blocked by default). Why not use the local DHCP server so it assigns addresses to the devices on the respective interfaces without needing to allow communication between the two segments? Otherwise you will need to rely on static addressing on LAN 2 for any communication.
-
Yea thats a good point. Whats the IP address of Lan 2? Make sure that is the gateway on your NIC and your IP is within the same subnet and try and ping the address. Should be fine. With pfsense everything is run by rules. By default the LAN can speak to anything, when you sart adding other Nics and calling it LAN2 no rules get applied. So try adding rules in.
-
Actually I'll be running DHCP in both of the attached LANs. My plan is to use pfSense as a central point of connection to the outside world, but the two LAN segments should have no need to talk to each other. I'm setting this up for a training environment so my requirements are a bit strange I'm sure. Each of the two LANs will contain a complete Microsoft Active Directory configuration with all that goes with that, DNS, DHCP, etc. I'm hoping that pfSense can just be the central point that allows me to share the single Internet connection and maybe some outside access via RDP, HTTP, FTP, etc.
Thanks for your replies.
-
That's cool! That's exactly what i do, and pfsense is brilliant!
-
So what kind of rules do I need to add to my LAN2 to make it work. I think I would like to make it wide-open for starters, just to make sure it works, then I can limit access with additional rules.
The one thing that has me stumped though is why I can't even ping it…does that make sense for the default configuration for the second LAN default settings?
riversr54
-
Create an any and any rule so lan2 can speak to all other interfaces. Then once you get the hang of it start restricting then rules. Remember the rules are in order, starting from the top to bottom, so make sure its not conflicting.
when you add a 3rd interface by default there are no rules, so you must add them in manually.
-
Use the "not" checkbox option on rules for this sort of thing. You probably want:
a) Rule on LAN1 to pass source LAN1 subnet, destination !LAN2 subnet
b) Rule on LAN2 to pass source LAN2 subnet, destination !LAN1 subnet
(and remove the default pass all rule that is put on LAN1 in the default config)
with something like the above, each LAN can talk to rest of the world, but not to each other. -
The one thing that has me stumped though is why I can't even ping it…does that make sense for the default configuration for the second LAN default settings?
That's normal. By default everything is blocked. That includes ICMP. The only exception to this is DHCP traffic if you have it enabled on the interface.
Steve