Netgate Discussion Forum

    Two WAN connections and 3 VLAN

    Routing and Multi WAN
    4 Posts 2 Posters 277 Views
    • broadcastbeat
      last edited by broadcastbeat

      Hi!

      I haven't used pfSense in about three years and need to replace a Meraki system.

      Here's what I'm hoping to do:

      1. I have 8 gigabit Ethernet ports and pfSense sees all of them (so I'm good there).

      2. I have (2) public internet connections. Both are fiber. One of them is 1 GB/1 GB and the other is 100/100. The 1GB connection is only a dynamic IP and doesn't have a static. The 100/100 has about 5 static IPs.

      3. I need to make the 1GB connection primary for everything with the 100/100 on failover (or for things that need static IPs to use with port forwarding). There are SOME instances that I need to port forward with the dynamic IP on the 1GB connection - Is this possible as well and at the same time I'm doing port forwarding for the IPs on the 100/100?

      4. On the LAN side I need (3) Ethernet ports to act as separate DHCP servers. I'm plugging each port into a switch for different functions. This is mostly for organizational purposes, but also to separate some traffic. One of the networks shouldn't see any of the others (it's a tenant that rents office space from me, so I only want them on their own network). I also need to limit them to maybe 100/100 so they don't eat all my bandwidth. The other two networks would need to see each other and ping each other.

      5. In the end, I'd like to keep my Meraki access point (which I have at my house) and instruct it to connect to the office via VPN for file server access. I'm assuming the Meraki can connect to pfSense.

      If anyone is interested in assisting me with tackling this.....please reach out to me. Otherwise, some guidance is greatly appreciated as I haven't used pfSense in a long time.

      Thanks!

      Ryan
      954 - 826 - 6011

      • Derelict (Netgate) @broadcastbeat
        last edited by

        @broadcastbeat said in Two WAN connections and 3 VLAN:

        Hi!

        I haven't used pfSense in about three years and need to replace a Meraki system.

        Here's what I'm hoping to do:

        1. I have 8 gigabit Ethernet ports and pfSense sees all of them (so I'm good there).

        2. I have (2) public internet connections. Both are fiber. One of them is 1 GB/1 GB and the other is 100/100. The 1GB connection is only a dynamic IP and doesn't have a static. The 100/100 has about 5 static IPs.

        3. I need to make the 1GB connection primary for everything with the 100/100 on failover (or for things that need static IPs to use with port forwarding). There are SOME instances that I need to port forward with the dynamic IP on the 1GB connection - Is this possible as well and at the same time I'm doing port forwarding for the IPs on the 100/100?

        You need to distinguish between outbound and inbound connections.

        For outbound connections you make a Multi-WAN failover group with the gig connection Tier 1 and the 100/100 connection Tier 2 and policy route outbound traffic to the gateway group.

        Inbound connections are determined by what address outside connections come in on. This is generally determined by DNS. pfSense does not care what WAN a connection comes in on. If there is a port forward and rule on that address/WAN it will be forwarded.

        4. On the LAN side I need (3) Ethernet ports to act as separate DHCP servers. I'm plugging each port into a switch for different functions. This is mostly for organizational purposes, but also to separate some traffic. One of the networks shouldn't see any of the others (it's a tenant that rents office space from me, so I only want them on their own network). I also need to limit them to maybe 100/100 so they don't eat all my bandwidth. The other two networks would need to see each other and ping each other.

        Proper firewall rules and limiters/shaping can accomplish that.

        5. In the end, I'd like to keep my Meraki access point (which I have at my house) and instruct it to connect to the office via VPN for file server access. I'm assuming the Meraki can connect to pfSense.

        pfSense does not care what access point you use. Just like it doesn't care which switch you use. That's all layer 2.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • broadcastbeat
          last edited by
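An added, hand-written pf ruleset that puts the pieces of this answer side by side (it is not the thread's or pfSense's own configuration; pfSense generates the equivalent rules from its GUI): outbound policy routing to the Tier 1 gateway, port forwards on both WANs including the dynamic one, and an isolated, rate-limited tenant segment. Interface names, gateway addresses and internal hosts are assumed.

```pf
# Added illustration, not the thread's or pfSense's own configuration: pfSense
# generates equivalent rules from the GUI. All names and addresses are assumed.
wan_gig  = "igb0"              # 1G fiber, dynamic address (Tier 1)
wan_100  = "igb1"              # 100/100 fiber, static block (Tier 2)
office   = "igb2"              # internal LAN that may talk to media
media    = "igb3"              # second internal LAN
tenant   = "igb4"              # tenant LAN, must stay isolated
gw_gig   = "203.0.113.1"       # assumed upstream gateways (documentation ranges)
gw_100   = "198.51.100.1"
static_srv = "198.51.100.10"   # one of the five statics on the 100/100 link
srv_a    = "10.10.10.50"       # assumed internal hosts behind the forwards
srv_b    = "10.10.20.50"
table <private_lans> { 10.10.10.0/24, 10.10.20.0/24 }
table <all_lans>     { 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24 }

block in all                    # default deny, as pfSense does

# Outbound NAT on whichever WAN a packet leaves
nat on $wan_gig from <all_lans> to any -> ($wan_gig)
nat on $wan_100 from <all_lans> to any -> ($wan_100)

# Port forwards on both WANs: ($wan_gig) tracks the dynamic address, so the
# forward survives a lease change; the other forward uses a static on the 100/100
rdr on $wan_gig proto tcp from any to ($wan_gig) port 443 -> $srv_a port 443
rdr on $wan_100 proto tcp from any to $static_srv port 22 -> $srv_b port 22
# reply-to pins replies to the WAN the connection arrived on, whatever the
# default route is; without it inbound on the non-default WAN breaks
pass in on $wan_gig reply-to ($wan_gig $gw_gig) proto tcp to $srv_a port 443
pass in on $wan_100 reply-to ($wan_100 $gw_100) proto tcp to $srv_b port 22

# Tenant: DNS to its own gateway address, nothing else on the firewall or the
# other LANs, then out to the internet through dummynet pipes 1 (in) and 2 (out)
# (pipes are created outside pf.conf, e.g. dnctl pipe 1 config bw 100Mbit/s)
pass in quick on $tenant proto { tcp udp } from $tenant:network to ($tenant) port 53
block in quick on $tenant from $tenant:network to (self)
block in quick on $tenant from $tenant:network to <private_lans>
pass in on $tenant from $tenant:network to any dnpipe (1, 2) route-to ($wan_gig $gw_gig)

# Office and media may reach each other (and ping)
pass in on { $office $media } from <private_lans> to <private_lans>
# Everything else from office/media leaves via the 1G link. pfSense rewrites
# the route-to target to ($wan_100 $gw_100) when gateway monitoring marks
# gw_gig down, which is what a Tier 1 / Tier 2 gateway group does.
pass in on { $office $media } from <private_lans> to ! <all_lans> route-to ($wan_gig $gw_gig)
```

Check a ruleset like this with `pfctl -nf` before loading it; on pfSense itself, build the same thing through Gateway Groups, NAT > Port Forward, Limiters and per-interface rules rather than editing pf.conf.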

          @Derelict said in Two WAN connections and 3 VLAN:

          gateway group.

          Okay, thanks! One additional note. I did the "first time" startup after the initial install and in what appeared to be BSD, it had me go through the exercise of finding the WAN and LAN interfaces. I successfully identified the WAN and LAN. I even saw the IP (on the LAN side showing 192.168.1.1), but oddly enough....the computer plugged into the LAN side wasn't getting a DHCP address. Is it off by default? I can't imagine. I even tried to manually set the IP to the client machine and still couldn't access 192.168.1.1 which I assume is the web interface at port 80. Any ideas? Once I can get to the interface I can try to do what you mentioned.

          Much appreciated - Thanks! :)

          Ryan

          • Derelict (Netgate)
            last edited by

            No. DHCP on LAN is enabled by default and all traffic from LAN clients is passed by default. Hard to say what you might have done wrong with the information available.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.