pfSense 2.3 - LAN in same subnet with different IPs for different kinds of users



  • Hi,
    I have a problem with pfSense 2.3.x and multiple LAN interfaces on the same subnet.

    My situation is as follows:

    LAN SUBNET                          PFSENSE
    192.168.100.x/24 ----- SWITCH ----- LAN  192.168.100.253/24  (no CP, no squid, no squidguard)
                                  \---- OPT1 192.168.100.254/24  (CP with auth, squid+squidguard)   WAN -----> Internet

    PCs with the correct default gateway can reach the Internet with no restriction, or instead are blocked by the Captive Portal and tracked/filtered with squid.
    With older versions of pfSense (2.1.x and 2.2.x) I could create two interfaces with two different IPs on the same subnet and everything ran as expected.

    With 2.3.x I can't configure these two NICs on the same subnet.

    Does anyone know how I can solve the problem?

    Thanks



  • Unfortunately I have no answer, but I am looking to achieve almost the exact same thing as you have described.  So if I figure it out I'll post it here!



  • I'd suggest you just work around the "problem". IMHO it was a bug that allowed it to work in the past.

    Why not just run a different subnet? Since you seem to be overriding DHCP by manually setting the gateway, you might as well specify the IP/subnet of the clients.
    –> running multiple layer 3 networks over a single layer 2 is bad practice, but generally works.

    Personally I think it would be better to configure some VLANs on the switches and pfSense (one with CP/squid and one without).



  • I managed to get mine working.  The trick was that the shell interface (SSH in as admin) allows you to set the IP address of the second LAN without warning.

    However this didn't work for me due to routing trickery.  I couldn't get all traffic hitting Gateway 2 to go out on WAN2.  The external IP returned correctly, but any traffic ended up going over WAN1.

    So my solution was to assign clients from .1 to .30 (using a mask of 27) to WAN2 as a rule, and all other network clients to WAN1.  I will be putting in a DHCP static assignment for all clients I want in the 1-30 range.

    I unfortunately can't use VLANs or different subnets/ranges as suggested, due to internal servers and such requiring too much changeover, so this will do for now.


  • Netgate

    If pfSense needs to communicate with 192.168.100.100 which interface should it use?

    That is generally a bad design.

    A better way might be to use one interface and bypass certain LAN ranges from CP and squid.

    An even better way might be to use two interfaces on two subnets.
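    The routing question raised in this reply, and the /27 workaround from the earlier post, illustrated with a small longest-prefix-match simulation. This is an added example, not code from the thread or from pfSense; the route tables are constructed to mirror the two layouts discussed (both interfaces on 192.168.100.0/24 versus one subnet per interface).

```python
import ipaddress

# Constructed route tables mirroring the thread's scenario (not pfSense's own
# tables): each entry is (connected prefix, interface).
SAME_SUBNET = [("192.168.100.0/24", "LAN"), ("192.168.100.0/24", "OPT1")]
TWO_SUBNETS = [("192.168.100.0/24", "LAN"), ("192.168.101.0/24", "OPT1")]


def lookup(routes, dst):
    """Longest-prefix match over a list of connected routes.

    Returns every interface tied for the longest matching prefix, so a result
    with more than one entry means the router has no deterministic answer for
    that destination (the problem Derelict points at for 192.168.100.100)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = [], -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [iface], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(iface)
    return best


def host_range(prefix):
    """First and last usable host of a prefix, as strings.

    192.168.100.0/27 yields .1 to .30: the hosts the "mask of 27" rule in the
    earlier post selects (.0 and .31 are the network and broadcast addresses)."""
    hosts = list(ipaddress.ip_network(prefix).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    print("same subnet:", lookup(SAME_SUBNET, "192.168.100.100"))  # ['LAN', 'OPT1']
    print("two subnets:", lookup(TWO_SUBNETS, "192.168.100.100"))  # ['LAN']
    print("two subnets:", lookup(TWO_SUBNETS, "192.168.101.100"))  # ['OPT1']
    print("/27 hosts:", host_range("192.168.100.0/27"))            # ('192.168.100.1', '192.168.100.30')
```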


  • Rebel Alliance Global Moderator

    I am with Derelict there, that is a HORRIBLE, just HORRIBLE setup.. It's BROKEN!!  That is not how it should be done..

    Just going to be blunt here, please don't take offense but if I came into a setup like that my first question would be "what idiot" set this up??

    If you have desire to treat different clients differently for networking rules, proxy, captive portal, etc. etc.. Why would you not just put them on their own network via a vlan or even just physical network?



  • @Derelict:

    If pfSense needs to communicate with 192.168.100.100 which interface should it use?

    That is generally a bad design.

    A better way might be to use one interface and bypass certain LAN ranges from CP and squid.

    An even better way might be to use two interfaces on two subnets.

    It has always worked, I think, because the two interfaces were on the same subnet, so if a packet came out from one interface instead of the other, through the switch it could still arrive at its destination.

    @johnpoz:

    I am with Derelict there, that is a HORRIBLE, just HORRIBLE setup.. It's BROKEN!!  That is not how it should be done..

    Just going to be blunt here, please don't take offense but if I came into a setup like that my first question would be "what idiot" set this up??

    If you have desire to treat different clients differently for networking rules, proxy, captive portal, etc. etc.. Why would you not just put them on their own network via a vlan or even just physical network?

    The configuration came from the pre-existing devices and the complexity of the building. Not all the switches were VLAN capable and the privileged PCs are scattered among the filtered ones… so this is what I can do.
    The filtered gateway is the default GW that I hand out with DHCP.
    For the privileged PCs we use static addressing.

    But... anyway...
    We took the chance and changed the filtering policies... so now there is only one gateway, filtered and with CP.
    The privileged PCs are managed with CP and squid exclusion/bypass. (Now I have the problem that CP and squid don't accept the pfSense alias, so I have to use the IPs instead)...

    Thanks to all!


  • Rebel Alliance Global Moderator

    "so this is what I can do"

    How is that..  If you know the network is subpar, why not fix it the right way?  Just redo the setup..  What is the roadblock to correcting the flaws in the network?

    You can get switches that support VLANs on the lowest of low budgets..  What switches are you using now?