Multiple subnets on the same physical NIC
-
You have no napkins or crayons available? ;)
Gliffy is a free online tool you can use to draw up a diagram.
So you're saying the 87 is your transit, and 80 and 188 are routed to that. But you stated that the 87 was routed and you were using that behind your TMG. So you have a bridge/layer 2 from this 87 to your TMG interface? Or does TMG have an actual interface connected to this transit network?
A drawing leaves less open to interpretation.
-
Haha. I promise I will provide a drawing at some point.
Yes. 87.x.x.90 is my transit and the 80 and 188 networks are routed to that. I then tell the TMG that the 80 and 188 are bridged, and then I'm using the public IPs from those two subnets on my DMZ.
Maybe I did not explain it right, but the 87 /29 subnet is available on the Cisco router from my ISP.
Regards
Jacob -
Well, if the 87 is your transit, you can put any networks routed via that transit on interfaces behind pfSense. You can then firewall them from the public internet or any other networks on pfSense, etc.
That is a pretty common setup. Nice to see you actually have a transit and routed networks. Most questions are about how to use an ISP segment that pfSense is part of, using some of those IPs on the WAN as well as on a segment behind it, which is not really possible.
But a routed network is how it should be set up, and it is very easy to do.
-
Perfect!
I'm pretty new to pfSense. Assigning IPs to the WAN and the LAN interface is easy, but where do I set up the 2 routed subnets? I bought an official SG-2440 and have OPT1 and OPT2 available. I guess I will be using OPT1 as my DMZ. I feel that I know the TMG pretty well and understand how it's set up, but this is an entirely new world to me :)
I really appreciate your help!
Regards
Jacob -
You set it up just like you would any RFC 1918 segment on an interface.
Just so we are clear: you have an actual routed network via a transit network.
So you have 87.x.x.90/29 on the WAN interface of pfSense, with the gateway being 87.x.x.89. When someone wants to go to, say, 80.x.x.2, they would end up at 87.x.x.90 as a hop to get to that network. pfSense would see that traffic is trying to go to 80.x.x.2 and say, oh yeah, I have that on my OPT1 interface via my IP of 80.x.x.1, so I will send that traffic out that interface.
Really, the only difference is you wouldn't be NATing that to your WAN IP like you do when the network is an RFC 1918 address accessed via your public IP on the WAN. So you assign 80.x.x.1/28 on your OPT1, and there you go. And make sure you're not NATing it.
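The forwarding and NAT behaviour described in the post above, as an added example that is not from the thread and not pfSense code: a small Python model of the route lookup and the outbound NAT decision. RFC 5737 documentation prefixes (203.0.113.88/29 as the transit, 198.51.100.0/28 and 192.0.2.0/28 as the two routed blocks) stand in for the masked 87.x, 80.x and 188.x addresses, and the interface table and function names are invented for illustration.

```python
"""Toy model of a router/firewall forwarding decision for routed public subnets.

Added example, not pfSense's own logic. The topology is constructed:
RFC 5737 documentation ranges stand in for the thread's masked public blocks.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed topology (assumption: mirrors the thread's layout, not real IPs).
INTERFACES = {
    "wan":  ip_interface("203.0.113.90/29"),  # transit /29, ISP gateway is .89
    "lan":  ip_interface("192.168.1.1/24"),   # RFC 1918, needs outbound NAT
    "opt1": ip_interface("198.51.100.1/28"),  # routed public /28 (the "80" block)
    "opt2": ip_interface("192.0.2.1/28"),     # routed public /28 (the "188" block)
}
DEFAULT_GATEWAY = ip_address("203.0.113.89")

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_route(dst):
    """Longest-prefix match over connected networks; fall back to the default route.

    Returns (egress interface, next hop as a string or None when directly connected).
    """
    dst = ip_address(dst)
    best = None
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            if best is None or iface.network.prefixlen > best[1].network.prefixlen:
                best = (name, iface)
    if best is not None:
        return best[0], None            # on-link: deliver directly, no next hop
    return "wan", str(DEFAULT_GATEWAY)  # everything else goes to the transit gateway


def is_private(addr):
    """True when the address falls in an RFC 1918 range."""
    return any(ip_address(addr) in net for net in RFC1918)


def forward(src, dst):
    """Decide egress, next hop and post-NAT source for a packet src -> dst.

    Outbound NAT is applied only to RFC 1918 sources leaving via WAN. A host on a
    routed public subnet keeps its own address in both directions, which is the
    whole difference from the usual RFC 1918-behind-a-public-WAN-IP setup.
    """
    egress, next_hop = lookup_route(dst)
    src_ip = ip_address(src)
    if egress == "wan" and is_private(src_ip):
        translated = INTERFACES["wan"].ip   # masquerade behind the WAN address
    else:
        translated = src_ip                 # routed public or internal traffic: untouched
    return egress, next_hop, str(translated)


if __name__ == "__main__":
    internet_host = "203.0.113.200"  # constructed: some host out on the internet
    for src, dst in [
        (internet_host, "198.51.100.2"),   # inbound to a DMZ host on the routed /28
        ("198.51.100.2", internet_host),   # that DMZ host replying outbound
        ("192.168.1.10", internet_host),   # LAN host outbound: NAT to WAN IP
        ("192.168.1.10", "192.0.2.5"),     # LAN to the second routed block: no NAT
    ]:
        print(f"{src:>15} -> {dst:<15} egress={forward(src, dst)}")
```

Running it shows a host on the routed /28 keeping its own public address in both directions while the 192.168.1.x LAN host is translated to the WAN address. One pfSense-specific caveat on "make sure you're not NATing it": the default Automatic Outbound NAT mode generates a translation rule for every internal interface network, public or not, so switch Firewall > NAT > Outbound to Hybrid or Manual and check that no rule matches the routed /28 as a source.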
-
Perfect. That makes sense, but how about my 188 subnet? Can I put that on OPT1 also, or do I have to use OPT2 for that? It seems you can only put one IP address per interface.
Regards
Jacob -
Do you have a switch that supports VLANs? You could put them all on the LAN interface. If you don't have a switch that supports VLANs, then yes, you would need to put them on a physical interface.
-
I do have support for VLANs. I already use a VLAN to get from the DMZ NIC on my TMG to my Hyper-V cluster.
How would I go about using VLANs on the LAN interface? That would have to hold 192.x.x.x, 80.x.x.x and 188.x.x.x then? And what would you recommend in my scenario: a physical NIC per subnet, or multiple VLANs (subnets) on one physical interface (LAN)?
Regards
Jacob -
Well, it depends on traffic speed, to be honest. When VLANs are all on the same physical interface, VLAN-to-VLAN traffic is hairpinned. You're going in and out the same interface, so if it's a 100 Mbps connection you can now move 50 between devices on different VLANs, not 100; if gig, same thing. The more VLANs you put on an interface, the more they share the speed of that interface if there is inter-VLAN traffic.
If you're talking to and from the WAN, and your WAN is only 100, say, and your LAN interface is gig, it's probably not going to matter much.
If you have the physical interfaces, I would just use the physical ones. As to creating the VLAN: just create it and assign it to the physical NIC you want to use.
-
Thank you so much, John. I will play around with it and update this thread (probably looking for more help) with my findings.
Regards
Jacob