Netgate Discussion Forum

    Multi LAN Subnets

    7 Posts 3 Posters 1.9k Views
    • uk26

      Hi

      I need to set up a network as below

      Lan 1 - 192.168.1.1  / 30
      Lan 1 - 192.168.1.4 / 30
      Lan 1 - 192.168.1.8 / 30

      I have set this up using Virtual IPs, and can ping pfSense.

      Example: pfSense 192.168.1.1 (server on 192.168.1.2)

      Server on 192.168.1.2 can ping 192.168.1.1 but does not have any internet access.

      Any ideas?

      • Derelict (LAYER 8, Netgate)

        @uk26:

        Lan 1 - 192.168.1.1  / 30
        Lan 1 - 192.168.1.4 / 30
        Lan 1 - 192.168.1.8 / 30

        You probably want:

        Lan 1 - 192.168.1.1 / 30
        Lan 1 - 192.168.1.5 / 30
        Lan 1 - 192.168.1.9 / 30

        What, exactly, are you trying to accomplish?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • KOM

          Subnets aside, only the default LAN has the required firewall rules to access WAN.  For your other LANs, you will need to add the rule for each.  As Derelict asked, more detail about your WAN/LAN configuration and what you are trying to do would be helpful.

          • uk26

            This is being used in a data centre, with servers protected by the NAT firewall and only the required ports open.

            As pfSense will serve more than one user, the idea of splitting the subnets up is so customers are not able to see each other.

            @Derelict:

            You probably want:

            Lan 1 - 192.168.1.1 / 30
            Lan 1 - 192.168.1.5 / 30
            Lan 1 - 192.168.1.9 / 30

            What, exactly, are you trying to accomplish?

            Why is that?

            192.168.1.0: network address
            192.168.1.1 and 192.168.1.2: usable
            192.168.1.3: broadcast address

            Next range is 192.168.1.4 to 192.168.1.7, with .5 and .6 being usable.

            @KOM:

            Subnets aside, only the default LAN has the required firewall rules to access WAN.  For your other LANs, you will need to add the rule for each.  As Derelict asked, more detail about your WAN/LAN configuration and what you are trying to do would be helpful.

            Yes, I have done this for Firewall LAN and NAT (Outbound).

            IPv4 Routes
            Destination Gateway Flags Refs Use Mtu Netif Expire
            default 212.38.169.225 UGS 0 5176455 1500 em0
            83.218.155.72 212.38.169.225 UGHS 0 1431782 1500 em0
            83.218.156.134 212.38.169.225 UGHS 0 1124710 1500 em0
            86.160.186.80 212.38.169.225 UGHS 0 21194 1500 em0
            127.0.0.1 link#6 UH 0 73 16384 lo0
            192.168.99.0/24 link#2 U 0 5207451 1500 em1
            192.168.99.254 link#2 UHS 0 0 16384 lo0
            192.168.100.0/30 link#2 U 0 134 1500 em1
            192.168.100.1 link#2 UHS 0 0 16384 lo0
            212.38.169.224/27 link#1 U 0 130325 1500 em0
            212.38.169.230 link#1 UHS 0 0 16384 lo0
            212.38.169.239 link#1 UHS 0 0 16384 lo0

            Looking at the firewall logs, I can see an entry for LAN with a Pass trying to go to google.co.uk, however the PC is still not able to browse the internet.

            DNS from the LAN server is working; I can do nslookup and it resolves OK. I can't ping any external networks, however I can ping the WAN IPs of pfSense.

            • Derelict (LAYER 8, Netgate)
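The two problems raised so far, the .4 and .8 addresses being network addresses rather than usable hosts, and outbound NAT only covering the default LAN, can both be checked mechanically before touching the firewall. The script below is an added example, not code from this thread or from pfSense; it uses Python's standard ipaddress module. The proposed firewall addresses are the ones from the first post; the outbound-NAT source list is constructed sample data (only the first /30 covered) and is an assumption, not the poster's actual configuration.

```python
"""Sanity-check a multi-LAN /30 layout before configuring pfSense Virtual IPs.

Added example (not from the forum thread): models the thread's three /30
subnets with the standard ipaddress module, reports network / usable /
broadcast addresses, flags firewall addresses that are not usable host
addresses, and checks that each customer subnet is covered by some
outbound-NAT source network.
"""
import ipaddress
from typing import Dict, List

# Customer subnets and the firewall-side address proposed for each (from the thread).
PROPOSED = {
    "192.168.1.0/30": "192.168.1.1",
    "192.168.1.4/30": "192.168.1.4",   # network address, not assignable
    "192.168.1.8/30": "192.168.1.8",   # network address, not assignable
}

# Constructed (assumed) outbound-NAT source networks: only the default LAN
# is covered, the situation KOM describes for the extra LANs.
NAT_SOURCES = ["192.168.1.0/30"]


def describe_subnet(cidr: str) -> Dict[str, str]:
    """Return network, usable host range and broadcast address for a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())          # for a /30 this is exactly two addresses
    return {
        "network": str(net.network_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def check_firewall_address(cidr: str, addr: str) -> str:
    """Classify a proposed firewall address: 'ok', 'network', 'broadcast' or 'outside'."""
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "ok"


def first_usable(cidr: str) -> str:
    """Suggested gateway address: the first usable host of the subnet."""
    return str(next(iter(ipaddress.ip_network(cidr).hosts())))


def nat_covered(cidr: str, nat_sources: List[str]) -> bool:
    """True if some outbound-NAT source network contains the whole subnet."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in nat_sources)


def audit(proposed: Dict[str, str], nat_sources: List[str]) -> List[Dict[str, str]]:
    """Run every check; each finding carries a 'problem' string ('' when clean)."""
    findings = []
    for cidr, addr in proposed.items():
        problems = []
        status = check_firewall_address(cidr, addr)
        if status != "ok":
            problems.append(f"{addr} is the {status} address; use {first_usable(cidr)}")
        if not nat_covered(cidr, nat_sources):
            problems.append("no outbound-NAT source covers this subnet")
        findings.append({"subnet": cidr, "firewall": addr,
                         **describe_subnet(cidr), "problem": "; ".join(problems)})
    return findings


if __name__ == "__main__":
    for f in audit(PROPOSED, NAT_SOURCES):
        print(f"{f['subnet']}: hosts {f['first_usable']}-{f['last_usable']}, "
              f"broadcast {f['broadcast']}")
        print("  " + (f["problem"] or "ok"))
```

Run as-is it reports the first /30 as clean and the other two as both misaddressed and uncovered by NAT; a /30 leaves exactly two usable addresses, one for the firewall and one for the server, which matches the layout in the thread. The script checks addressing and NAT coverage only; it says nothing about layer 2 isolation between customers.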

              There are FAR better ways of providing isolation without convoluted layer 3 schemes like you're trying to do.

              A Cisco Small Business switch with your customer ports set to "protected" and the port to pfSense (Or other servers on the LAN like DNS) not set to protected would enable you to provide such service without jumping through these hoops.

              One subnet, one DHCP server, all your clients can see devices on unprotected ports and all beyond yet cannot see each other.  The Cisco feature is called "Private VLAN Edge."

              Even cheaper switches can do this on a smaller scale but with a bit more difficult config.  Look for "Asymmetric VLAN."

              A Layer 2 feature called "Private VLAN" enables you to set ports to promiscuous (for servers, pfSense, etc, can see all promiscuous, community, or isolated ports),  community (All ports in the same community VLAN can see promiscuous ports and other community ports) or isolated (Can only see promiscuous ports).  This feature gets pretty complicated as soon as you have to trunk the VLANs to another switch.  It can be found on Cisco, Brocade, and some D-link that I know of.

                • uk26

                Sounds good, however these customer servers are all on our High Availability VMware Infrastructure.

                @Derelict:

                There are FAR better ways of providing isolation without convoluted layer 3 schemes like you're trying to do.

                A Cisco Small Business switch with your customer ports set to "protected" and the port to pfSense (Or other servers on the LAN like DNS) not set to protected would enable you to provide such service without jumping through these hoops.

                One subnet, one DHCP server, all your clients can see devices on unprotected ports and all beyond yet cannot see each other.  The Cisco feature is called "Private VLAN Edge."

                Even cheaper switches can do this on a smaller scale but with a bit more difficult config.  Look for "Asymmetric VLAN."

                A Layer 2 feature called "Private VLAN" enables you to set ports to promiscuous (for servers, pfSense, etc, can see all promiscuous, community, or isolated ports),  community (All ports in the same community VLAN can see promiscuous ports and other community ports) or isolated (Can only see promiscuous ports).  This feature gets pretty complicated as soon as you have to trunk the VLANs to another switch.  It can be found on Cisco, Brocade, and some D-link that I know of.

                  • Derelict (LAYER 8, Netgate)

                  http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.networking.doc%2FGUID-A9287D46-FDE0-4D64-9348-3905FEAC7FAE.html

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.