1 WAN and 2 LAN - Into one switch?



  • Hi

    I'm struggling to sort out this setup and I thought it was going to be relatively simple. But I've been doing a lot of reading on here and I'm not sure it's even possible anymore. Really hope someone can help - would really appreciate it. :)

    Here's a diagram of what I'm after…

    I want two subnets.
    One is private ips: 192.168.1.2 / 255.255.255.128
    One is public ips from the ISP: 213.55.66.211 / 255.255.255.240 (not the actual IPs)

    Any ideas?

    I've managed to get the 213 network to speak to the 192 and vice versa.  But I can't seem to get the internet on either of the subnets.



  • What are you using for your gateway on the internal 213 clients? It looks like you need to pick another internal private network for those clients (172.16.0.0 etc.) and then have the pfSense take your public IP addresses as virtual IPs on its external interface and perform 1:1 NAT or port forwarding to the internal computers you want accessible from the internet.

    The only way it will work with your current diagram is if your ISP has a route that points to 213.55.66.210 for the 213.55.66.211/28 network. If they do have that route, then it can work. Just change to advanced outbound NAT and only have it enabled for the clients on the 192 network as it leaves the WAN interface.



  • The 213 block was assigned by the ISP so I want that to be able to access the net directly through the router/pfSense.



  • I'm starting to wonder if that single switch can handle two different subnets going through it.

    Is that possible?

    It's not a layer-3 but I can't imagine us doing it this way unless it was possible.



  • It is possible, but it will lead to problems.  Far better to buy a second switch and keep them separate.



  • If the switch supports VLANs you can do this, otherwise you'll need two switches.



  • It's just a basic switch. No VLANs supported. Does that mean I need two switches for each subnet?



  • You need one per subnet.



  • Multiple subnets on a single switch is rarely a problem (even in a single VLAN)… we've been doing that for years on a myriad of different switches.
    I suspect the issue is likely to be in the NAT config in this case.



  • You really don't want to mix subnets on a single switch. It's possible, may require a little manual outbound NAT configuration in this case, but it's MUCH better to just run one subnet per interface.



  • @roosterdude

    Sharing a switch messes up clients that attempt to get an address using DHCP if there are DHCP servers on each subnet. There also can't be any control over which network someone decides to put their computer in, rendering strict firewall rules on one interface pointless because a client can change their address to the other network.



  • If your switch supports "port based" VLANs (as distinct from "TAG" based VLANs) you could set up two distinct LANs: one for your "red" clients, one for the "green" clients. That should keep the DHCP broadcast traffic separate.

    But basic switches are "small change" nowadays.



  • @blak111:

    @roosterdude

    Sharing a switch messes up clients that attempt to get an address using DHCP if there are DHCP servers on each subnet. There also can't be any control over which network someone decides to put their computer in, rendering strict firewall rules on one interface pointless because a client can change their address to the other network.

    Sure, but if you don't use DHCP then it isn't an issue. I was mainly pointing out that running more than one subnet on a single VLAN technically isn't an issue. Running it behind pfSense using NAT, DHCP, etc. is where there are issues. It is of course difficult to put more than one IP on an interface with pfSense, but we've had FreeBSD firewalls running IPFW with up to six different IP ranges behind them, so technically I can swear that it works if you use firewalls and firewalling methods that support it.



  • I agree that it works. I'm just pointing out that you lose the security gained from separate subnets because clients can easily roam between them. We do it for certain pieces of the campus; however, when you do it correctly with VLANs, it creates more security and network segmentation possibilities for hosts based on their purpose.
    If a VLAN capable switch isn't available, just be aware of the security concerns and aggregation of the broadcast domains.
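Added example, not from the thread or any poster: a small Python check built on the two subnets from the original post (the 213 block is the poster's placeholder, not a real allocation) and constructed ARP-table rows. It flags the concern raised above about a shared switch, a MAC that turns up with addresses in both subnets, along with any address that belongs to neither.

```python
import ipaddress
from collections import defaultdict

# The two subnets that share the one unmanaged switch in the thread,
# written exactly as the poster gave them (address/netmask form).
SUBNETS = {
    "private": ipaddress.ip_network("192.168.1.2/255.255.255.128", strict=False),
    "public": ipaddress.ip_network("213.55.66.211/255.255.255.240", strict=False),
}

# Constructed sample ARP observations (MAC, IP) as seen on the firewall's
# LAN side; no real hosts, values invented for this example.
SAMPLE_ARP = [
    ("00:11:22:33:44:01", "192.168.1.10"),
    ("00:11:22:33:44:02", "192.168.1.11"),
    ("00:11:22:33:44:03", "213.55.66.212"),
    ("00:11:22:33:44:02", "213.55.66.213"),  # same MAC, now in the public block
    ("00:11:22:33:44:04", "10.0.0.5"),       # address in neither subnet
]


def classify(ip):
    """Return which configured subnet an address falls in, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def find_roamers(arp_entries):
    """MACs observed with addresses in more than one of the shared subnets,
    i.e. a client that re-addressed itself across the subnet boundary and
    thereby sidestepped per-interface firewall rules."""
    seen = defaultdict(set)
    for mac, ip in arp_entries:
        label = classify(ip)
        if label is not None:
            seen[mac].add(label)
    return sorted(mac for mac, labels in seen.items() if len(labels) > 1)


def find_strays(arp_entries):
    """Addresses that belong to neither configured subnet."""
    return sorted(ip for _, ip in arp_entries if classify(ip) is None)


if __name__ == "__main__":
    print("roamers:", find_roamers(SAMPLE_ARP))
    print("strays:", find_strays(SAMPLE_ARP))
```

On a VLAN-capable switch the same crossover is impossible at layer 2, which is the segmentation benefit discussed in the thread; on a flat switch this kind of ARP review is the only way to notice it after the fact.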

