Netgate Discussion Forum

    pfSense for 2 LANs

    General pfSense Questions
    21 Posts 3 Posters 2.8k Views
      viragomann:

      So the LAN1 device's default gateway is the CentOS, I assume.
      With this setup you will need a static route on that device for LAN2 pointing to pfSense, otherwise it sends packets destined for LAN2 to the CentOS.

        guile @viragomann:

        @viragomann said in pfSense for 2 LANs:

        So the LAN1 device's default gateway is the CentOS, I assume.

        Yes.

        @viragomann said in pfSense for 2 LANs:

        With this setup you will need a static route on that device for LAN2 pointing to pfSense, otherwise it sends packets destined for LAN2 to the CentOS.

        Set the default gateway for LAN2 devices to the pfSense server?

          viragomann:

          If you change the default gateway you cannot access other subnets anymore.
          You have to set a static route, a route for LAN2 with a specific gateway.

          But best practice would be to connect pfSense to the switch and remove the server. Then you can use pfSense as default gateway for both LAN1 and LAN2.
          However, you will need three NICs on pfSense.

            guile @viragomann:

            @viragomann said in pfSense for 2 LANs:

            If you change the default gateway you cannot access other subnets anymore.
            You have to set a static route, a route for LAN2 with a specific gateway.

            Set static route on CentOS?

            @viragomann said in pfSense for 2 LANs:

            But best practice would be to connect pfSense to the switch and remove the server. Then you can use pfSense as default gateway for both LAN1 and LAN2.
            However, you will need three NICs on pfSense.

            I know, but I can't remove CentOS, because it is the firewall, web server, database server, VPN server, Zabbix server, Grafana... and the transparent proxy auth. with AD is great (no prompt for username and password).

              viragomann @guile:

              @guile said in pfSense for 2 LANs:

              Set static route on CentOS?

              No, on all LAN1 devices.
              I know that may be cumbersome.

              @guile said in pfSense for 2 LANs:

              I know, but I can't remove CentOS, because it is the firewall, web server, database server, VPN server, Zabbix server, Grafana... and the transparent proxy auth. with AD is great (no prompt for username and password).

              Not removing CentOS, but putting pfSense between it and the LANs.
              If your switch is VLAN capable, you can simply put pfSense between the CentOS host and the switch and go with a trunk to the switch.

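The static route viragomann describes above, as an added example that is not code from the thread or from Netgate: a POSIX shell script for a Linux host on LAN1 that adds the LAN2 route via pfSense without touching the default route to CentOS, and prints the equivalent persistent Windows "route -p add" command for the GPO startup script guile mentions later. The addresses (LAN1 192.168.1.0/24 with CentOS at 192.168.1.1 and pfSense at 192.168.1.2, LAN2 192.168.2.0/24) are assumptions; DRY_RUN=1 only prints what would run.

```shell
#!/bin/sh
# Added example, not code from the thread: push a static route for LAN2 onto a LAN1 host
# so only LAN2 traffic goes to pfSense while the default route still points at CentOS.
# Addresses are assumptions: LAN1 192.168.1.0/24 with CentOS at 192.168.1.1 and pfSense's
# LAN1 address 192.168.1.2, LAN2 192.168.2.0/24.
# DRY_RUN=1 (the default here) prints the commands instead of executing them.

LAN2_NET="${LAN2_NET:-192.168.2.0/24}"
PFSENSE_LAN1="${PFSENSE_LAN1:-192.168.1.2}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# True if the kernel already has exactly this LAN2 route via pfSense.
lan2_route_present() {
    ip route show "$LAN2_NET" 2>/dev/null | grep -q "via $PFSENSE_LAN1"
}

# Idempotent add: safe to run from a boot or login script every time.
add_lan2_route() {
    if lan2_route_present; then
        echo "route $LAN2_NET via $PFSENSE_LAN1 already present"
        return 0
    fi
    run ip route add "$LAN2_NET" via "$PFSENSE_LAN1"
}

# Which next hop the kernel picks for a LAN2 address. Before the route exists this
# prints the CentOS default gateway (the symptom described in the thread); afterwards
# it prints pfSense's address.
lan2_next_hop() {
    ip route get "${LAN2_NET%/*}" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "via") print $(i+1) }'
}

# Convert a prefix length to a dotted mask, which the Windows "route" command needs.
prefix_to_mask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then o=0
        else o=$((256 - (1 << (8 - p)))); p=0
        fi
        mask="${mask}${mask:+.}${o}"
    done
    echo "$mask"
}

# The same route as a persistent Windows command (-p survives reboots), for a GPO
# startup script. That the LAN1 clients are Windows hosts is an assumption.
windows_route_cmd() {
    net="${LAN2_NET%/*}"; plen="${LAN2_NET#*/}"
    echo "route -p add $net mask $(prefix_to_mask "$plen") $PFSENSE_LAN1"
}

add_lan2_route
echo "Windows equivalent: $(windows_route_cmd)"
```

Run it as root with DRY_RUN=0 to apply. The LAN2 route is the only change; the default route to CentOS stays as it is, which is the point of viragomann's warning about changing the default gateway. After applying, lan2_next_hop should print 192.168.1.2.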
                guile @viragomann:

                @viragomann said in pfSense for 2 LANs:

                No, to all LAN1 devices.
                I know, that may be cumbersome.

                Damn... :(

                I'll look tomorrow for some GPO to deploy it to all machines.

                @viragomann said in pfSense for 2 LANs:

                Not removing CentOS, but putting pfSense between it and the LANs.
                If your switch is VLAN capable, you can simply put pfSense between the CentOS host and the switch and go with a trunk to the switch.

                Our current switch is not VLAN capable. But we can buy one. What you're saying is:

                CentOS -> pfSense -> Switch (VLAN capable) ?

                  viragomann @guile:

                  @guile said in pfSense for 2 LANs:

                  CentOS -> pfSense -> Switch (VLAN capable) ?

                  Exactly. So you can configure both LANs on pfSense as VLANs. All your LAN devices get the pfSense IP as default gateway and pfSense uses the CentOS as default gateway. So the LANs can communicate over pfSense without routes on the LAN devices.

                  Or if you have enough NICs on pfSense and a second switch, you can do the same without VLANs.

                  Another approach I would take is using pfSense as default router and firewall for your whole network, connecting it to the WAN and reaching the web server over pfSense as well. But that is your decision.

                    guile @viragomann:

                    @viragomann said in pfSense for 2 LANs:

                    Exactly. So you can configure both LANs on pfSense as VLANs. All your LAN devices get the pfSense IP as default gateway and pfSense uses the CentOS as default gateway. So the LANs can communicate over pfSense without routes on the LAN devices.

                    I'm kind of new to networking (I'm a dev)... so I'll ask... why do I need a VLAN-capable switch if I can create VLANs on pfSense?

                      viragomann @guile:

                      @guile said in pfSense for 2 LANs:

                      why do I need a VLAN-capable switch if I can create VLANs on pfSense?

                      My assumption was that your pfSense device has only two NICs. I've asked above, but you didn't respond.

                      To route the traffic between LAN1 and LAN2 both LANs must be connected separately to pfSense. So you have to configure both VLANs on a single NIC and connect this to the switch (packets on this line are VLAN-tagged). On the switch you have to separate the VLANs, i.e. you assign certain ports to a specific VLAN, where the packets go out untagged, while incoming packets have to be tagged for forwarding them to pfSense.
                      So the switch has to be VLAN capable.

                        guile @viragomann:

                        @viragomann said in pfSense for 2 LANs:

                        My assumption was that your pfSense device has only two NICs. I've asked above, but you didn't respond.

                        Yes, my pfSense has only 2 NICs.

                        I have a VLAN-capable switch at home, but it is basic. The model is the TP-Link TL-SG108E. I'm going to take it to work tomorrow and do some tests with it.

                        Thanks for now.

                        TL-SG108E admin screenshot:
                        https://prnt.sc/vqw1jg

                          stephenw10 (Netgate Administrator):

                          I mean really you are duplicating the same function here, you could just create the VLAN interfaces in CentOS and route/firewall between them.
                          Adding pfSense here may only complicate things.

                          Steve

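The alternative Steve describes here (VLAN interfaces on CentOS, routing and firewalling between them), and the tagged trunk viragomann explains a few posts up, as an added example that is not code from the thread, from Netgate or from the CentOS project: a POSIX shell script that creates one tagged sub-interface per LAN on the CentOS NIC facing a VLAN-capable switch, enables forwarding, and loads an nftables forward policy between them. The interface names (trunk enp1s0, WAN enp2s0), VLAN IDs (10 for LAN1, 20 for LAN2) and addresses (192.168.1.1/24, 192.168.2.1/24) are assumptions; DRY_RUN=1 only prints what would run.

```shell
#!/bin/sh
# Added example, not code from the thread: the "do it on CentOS" variant. VLAN
# sub-interfaces on a CentOS NIC trunked to a VLAN-capable switch, with routing and an
# nftables forward policy between them. Interface names, VLAN IDs and addresses are
# assumptions: trunk NIC enp1s0, WAN NIC enp2s0, VLAN 10 = LAN1 192.168.1.1/24,
# VLAN 20 = LAN2 192.168.2.1/24. DRY_RUN=1 (the default here) prints the commands.

TRUNK_IF="${TRUNK_IF:-enp1s0}"
WAN_IF="${WAN_IF:-enp2s0}"
LAN1_VID=10; LAN1_ADDR="192.168.1.1/24"
LAN2_VID=20; LAN2_ADDR="192.168.2.1/24"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Linux naming convention for a tagged sub-interface: parent.vid
vlan_ifname() { echo "${TRUNK_IF}.$1"; }

# One tagged sub-interface per LAN. Frames leave the trunk port tagged with this VID;
# the switch strips the tag on the access ports it assigns to that VLAN and tags frames
# coming back in, which is why the switch itself must be VLAN capable.
# (ip link/addr settings are not persistent; on CentOS persist them with NetworkManager,
# e.g. nmcli con add type vlan ifname enp1s0.10 dev enp1s0 id 10 - assumed names.)
setup_vlan() {
    vid=$1; addr=$2; ifn=$(vlan_ifname "$vid")
    run ip link add link "$TRUNK_IF" name "$ifn" type vlan id "$vid"
    run ip addr add "$addr" dev "$ifn"
    run ip link set "$ifn" up
}

# Forward policy: default drop, LAN1 <-> LAN2 allowed, both LANs out to the WAN,
# masquerade on the WAN only. There is no NAT between the VLANs, so services on this
# host (Squid included) see the real client source addresses.
nft_ruleset() {
    l1=$(vlan_ifname "$LAN1_VID"); l2=$(vlan_ifname "$LAN2_VID")
    cat <<EOF
flush ruleset
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$l1" oifname "$l2" accept
        iifname "$l2" oifname "$l1" accept
        iifname { "$l1", "$l2" } oifname "$WAN_IF" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    setup_vlan "$LAN1_VID" "$LAN1_ADDR"
    setup_vlan "$LAN2_VID" "$LAN2_ADDR"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ nft -f - <<ruleset"; nft_ruleset
    else
        nft_ruleset | nft -f -
    fi
}

apply_all
```

Two caveats before running it with DRY_RUN=0: "flush ruleset" replaces every nftables rule on the host, so on a box that already is the firewall (as guile's CentOS is) the forward and NAT chains have to be merged into the existing ruleset instead, and the input chain that protects the host's own services is deliberately not part of this example. With the LANs terminated on CentOS like this there is no second router, so the LAN devices need no static routes at all, which is Steve's point.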
                            guile @stephenw10:

                            @stephenw10 said in pfSense for 2 LANs:

                            I mean really you are duplicating the same function here, you could just create the VLAN interfaces in CentOS and route/firewall between them.
                            Adding pfSense here may only complicate things.

                            I know... but my CentOS is command line only. And I want to have a nice dashboard like pfSense's and use some features like "ntopng", which shows me a graph with the traffic consumption per host. And I want to create a new Wi-Fi with a captive portal for guests.

                            But the biggest problem for me is Squid... with CentOS I have transparent auth. with AD without a prompt for username/password.

                              stephenw10 (Netgate Administrator):

                              Yup, you can't do that in pfSense.

                              Then I would set up pfSense between the switch and CentOS and configure it as routed only, no NAT, so CentOS can see the real source IP of clients, and to avoid double NAT, which is bad in general.

                              Steve

                                guile @stephenw10:

                                @stephenw10 said in pfSense for 2 LANs:

                                Yup, you can't do that in pfSense.

                                Then I would set up pfSense between the switch and CentOS and configure it as routed only, no NAT, so CentOS can see the real source IP of clients, and to avoid double NAT, which is bad in general.

                                Steve

                                Yeah, that's what @viragomann suggested to me. Next week I'll buy a new VLAN-capable switch and do this.

                                Thanks for now.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.