Pfsense WAN port plugged into office LAN with same IP subnet..?
-
I installed Pfsense on a PC with two interfaces, to test some things on our network. The WAN port is attached to the office network. The LAN port is attached to a switch and my laptop. Both the office LAN and the Pfsense LAN have the same subnet 192.168.0.1/24. For the test, neither of these can change.
I would like to connect my laptop to a printer on the office LAN, on the other side of the WAN port. Of course, Pfsense and my laptop think it's in the same subnet, so no NAT takes place. But my true destination is on the other side of the WAN port.
Can this connection be made..? If so, how..? Thanks.
I do understand it may be that IP addresses that are passed to the other subnet cannot be used in the local one any more. But that's ok because the testing I'm doing is for some manufacturing equipment, and really has nothing to do with Pfsense or the networking involved.
-
You are going to have to change something. You can't have two router interfaces on the same subnet. If the router has a packet for 192.168.1.100, what is it supposed to do with it?
-
But physically they're different. Yes, the subnet numbering is the same, BUT physically they're on different network segments. The WAN port is on the office network, and the LAN port is on a small switch and my laptop. My laptop is anle to access the internet fine, but because both subnets are 192.168.0.1/24, it's causing the problem that my laptop cannot connect to the printer on the other side of the WAN port. And of course…duh...this is obviously as it should be. BUT...is there any way to make it work, just for the one IP the printer is on..? A route, a firewall entry, anything..? Something where Pfsense forwards packets for an IP that's dead on the closer network, to the corresponding IP on the other one..?
-
Dude. No. Again - if the router has a packet for 192.168.1.100 which interface is it supposed to send it on? Both?
Renumber one of the subnets.
-
"Can this connection be made..? If so, how..? Thanks."
Sure it can, if you want to use the same network - then put them on the same network. Just use pfsense as a bridge.. For what possible reason I don't know. But if you want to use the same network on 2 different interfaces of pfsense then that is a bridge not a router. So bridge them.. Now your machine behind pfsense can get IP from the same dhcp server as stuff in front of pfsense. Or static, etc.
Pfsense can be a bridge firewall, or transparent if you want, etc. But what is the point really? Why can you not just put a different network segment on pfsense lan? This make it some much simpler and less complex, especially for person that has to come here and ask why it doesn't work when you put the same network on multiple interfaces on a router ;) KISS is the way to go!! That way would be just change the pfsense lan to be something other than what is on its wan network.
-
And of course…duh...this is obviously as it should be. BUT...is there any way to make it work, just for the one IP the printer is on..?
I guess you don't know about subnet masks etc. What happens when a computer has a packet to send is it checks to see if the address is on the same subnet or not. It determines this using it's address, the destination address and subnet mask. If it determines the destination is on the same subnet, it sends out an arp request, containing the destination address over the local LAN. This request is NOT passed by pfSense or any other router. So, that attempt will fail. If the computer determines the destination is on a different subnet, it will forward it via the router, using the routers MAC (not IP) address and the router will then forward as needed. So, there is no way you can do what you want.
! am assuming you've got psSense configured as a router, as is typically the case
-
Ok, thanks. I do know about subnets, at least enough to choose masks properly to set up a 10.x.x.x network, with different kinds of devices on the different subnets (we had four at a broadcast facility I worked at). I thought perhaps Pfsense might had some sort of exception handling mechanism to treat specific requests differently.
The purpose of this project is to duplicate a manufacturing system we have (for testing purposes), with many unusual sensors and process controllers on one subnet, and the office LAN on the other. It's been proving to have some difficult lessons for me.
