2 WAN 2 LAN Setup

  • Hi,

    This will be my first install of pfSense.

    Currently one of my clients receives a static and a DHCP IP from their provider and would like the following:

    WAN 1 ( static IP ) - LAN 1 192.168.1.x  (Comp Network)

    WAN 2 ( DHCP )    - LAN 2 192.168.10.x (Guest Network)

    LAN 1 & 2 shouldn't be able to talk to each other at all.
    WAN 1 and WAN 2 will have different in/out rules/filters.

    I'm assuming that this is possible…
    or should I be approaching this differently?

  • Truthfully you can segregate the two LAN networks on one WAN just fine.

    Using one modem (which I believe I'm reading here) you will not see any benefit for the client machines to use both WAN addresses. Set the static address aside for now.

    Set up your two LANs on their respective interfaces and then use the LAN firewall rules to block access from one LAN to the other, and make sure that rule is above any other rules such as the default "allow all" rule.

    You need to make sure your new second LAN is in the NAT table.  You probably want to set up DHCP on the DHCP server page for that interface as well.

    Unless I'm reading wrong and you have two modems..

  • Hi thanks for the quick reply

    There are no modems. It's FTTH… all there is is a Cat5e cable coming from the building telco room.
    I connect a switch, and one port will get an IP via DHCP and the other will have the static IP set. Also, a static IP is required for some services.

    I could allow them to share the same external IP, but I don't want the IP to be blacklisted because of rogue guest computers with a virus, which caused a lot of problems before.
    Also there are some web services that are accessible via IP whitelist, so giving the guests one of the multiple authentication factors is a security risk.

    Anyway I'd like to keep them separate.
    This shouldn't be an issue right?

  • Makes sense!  :)

    I would set up your first "DHCP" WAN on your system pretty much default, with your LAN left alone for now.  I wouldn't bother blocking LAN from seeing the second LAN unless you have a good reason. You might want to reach a device there sometime.

    Set up your second interface "opt2" and rename it to whatever you choose.  I'll call it Opt2 for now.

    Make "Opt2" rules:

    Visit the "Outbound NAT" page and hit save for good measure.  (no arguments from the peanut gallery. It doesn't hurt.)

    Block rule-  source "opt2 net"  destination  "LAN net".    This will keep anything on opt2 from seeing LAN.

    Allow rules-  Tighten these up as you see fit.  source "opt2 net" destination "any" port 80-88  etc…  or "all" for right now for testing.

    Visit the DHCP server page.  Make "opt2" (tab)  DHCP as you want.

    You should now be able to access the world from the opt2 port.


    Create a VIP.    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    Use your static IP for this.  I use IP Alias here.  YMMV

    Depending on which LAN you want to use with the static-  Create a 1:1 NAT using your static IP as the "External subnet IP".

    "Internal IP" should be either "LAN Net" or "opt2 net".

    There may be an "Official" way to do this but this method works here. Anything initiated from my servers goes out the static address.

  • I appreciate the walk through, I'll give this a shot…

    when the dual gigabit NIC arrives....  :(

  • So,
    The method you described did not work unfortunately. I tried it a few different ways and I was unsuccessful.

    I was able to do what I wanted to do by fiddling the outbound rules, by changing to manual outbound NAT rule generation.
    I matched all the autocreated rules so WAN1/LAN1 and WAN2/LAN2 were paired and there was no cross between the two.
    Not sure if this is the proper way to do it, but it's working.

    Thank you!

    Now to get L2TP working…
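
The following is an added illustration, not the configuration of anyone in this thread. pfSense builds its ruleset from the GUI (the generated result lands in /tmp/rules.debug); this fragment shows the hand-written pf.conf equivalent of the policy the thread converges on: the opt2-to-LAN block rule from the second reply, and the manual outbound NAT from the last post that pins LAN1 to WAN1 and LAN2 to WAN2 with no crossover. Interface names, the 203.0.113.0/24 documentation-range addresses and the upstream gateways are assumptions; the 192.168.1.0/24 and 192.168.10.0/24 networks are from the original question.

```pf
# Added example, not the poster's configuration. Interface names and public
# addresses are assumptions; the two LAN networks are from the thread.
wan1 = "igb0"          # static WAN
wan2 = "igb1"          # DHCP WAN
lan1 = "igb2"          # company LAN ("LAN" in pfSense)
lan2 = "igb3"          # guest LAN (the thread's "opt2")

lan1_net = "192.168.1.0/24"
lan2_net = "192.168.10.0/24"
wan1_ip  = "203.0.113.10"     # the provider's static address (assumed)
wan1_gw  = "203.0.113.1"      # next hop for the static WAN (assumed)
wan2_gw  = "203.0.113.1"      # pfSense fills this from the DHCP lease; assumed here

# Manual outbound NAT, one rule per WAN/LAN pair. Company hosts only ever
# appear as the static address, guests only ever appear as the DHCP address.
# Nothing translates lan1 on wan2 or lan2 on wan1, so a mis-routed packet
# leaves with a private source and dies upstream instead of leaking the
# wrong public identity (the blacklist / IP-whitelist concern in the thread).
nat on $wan1 from $lan1_net to any -> $wan1_ip
nat on $wan2 from $lan2_net to any -> ($wan2)

# Isolation between the two LANs. "quick" makes these win over the pass rules
# below, which is the "block rule above the allow rules" ordering from the
# thread. Replies ride on state, so this only stops new connections.
block in quick on $lan1 from $lan1_net to $lan2_net
block in quick on $lan2 from $lan2_net to $lan1_net

# Traffic for the firewall itself (DNS here) must be passed before the
# route-to rules, or it would be pushed out the WAN instead of answered.
pass in quick on $lan1 inet proto { tcp udp } from $lan1_net to ($lan1) port 53 keep state
pass in quick on $lan2 inet proto { tcp udp } from $lan2_net to ($lan2) port 53 keep state

# Policy routing. The box has a single default gateway, so each LAN's pass
# rule carries route-to for its own WAN (the "Gateway" field on a pfSense
# firewall rule). Without it, lan2 traffic follows the default route out wan1,
# finds no matching nat rule there, and never works.
pass in quick on $lan1 route-to ($wan1 $wan1_gw) inet from $lan1_net to any keep state
pass in quick on $lan2 route-to ($wan2 $wan2_gw) inet from $lan2_net to any keep state
```

Two things to check on a real box: the "Gateway" on the LAN2 rule is what stands in for `route-to` above, and is the step most often missed when the second WAN is not the default; and pfSense adds `reply-to` on WAN pass rules by default, so inbound connections to the static address (the services mentioned in the thread) answer back out WAN1 rather than the default gateway. The block rules are written on both LAN interfaces deliberately: the second reply only blocked opt2 to LAN, which leaves company hosts able to open connections into the guest network.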
