Netgate Discussion Forum

    Why does this actually work? 2 LANs with 2 DHCP servers

    • Wim

      I was using a D-Link router, but there are more vulnerabilities than options in those things… so I thought I'd search for better solutions and ended up discovering pfSense. However, I'm a total network newbie. So far I managed to set up a "testlab" by running pfSense on an old laptop, with one WAN and one LAN connection :-)

      My setup:

      WAN to internet
                |
      [isp cable modem/router incl. wifi] <--> [ip camera via wifi due to no cable]
      LAN 1: 192.168.0.x
                |
                |
            [PfSense]
            LAN 2: 192.168.1.x
            Gateway set to 192.168.0.1, isp router
                |
                |
                | (one utp cable to livingroom available only)
                |
          [unmanaged switch]
                |
                |
                |--> [2nd router set as Wifi access point only] <--> [wireless clients]
                |
                |--> [wired clients]

      • I don't have any control over the ISP router. Only port forwarding is possible, but DHCP/NAT is always on and cannot be turned off.
      • That's why I want to have pfSense right after the ISP router with DHCP/NAT to have more control… I know, I know, double NAT is not great, but I have no option on the ISP side.
      • The wifi camera needs to be connected to the ISP router, because the other wifi AP is too far away.

      I'm not 100% sure why the following works:
      When I go from a wireless client on the 2nd LAN, I'm able to log in to the wifi camera, which is on LAN 1, and also receive the stream from it.

      Does this work, because they all have 192.168.0.1 as the gateway? Is my setup ok?

      • Nullity

        Double-NAT is bad.

        Your scenario works because LAN2 clients are part of LAN1 via LAN2's NAT.

        The opposite (LAN1 accessing LAN2 clients) requires port-forwarding.

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramus.

        • Wim

          I know, double NAT is not a perfect thing, but I cannot turn off DHCP/NAT on the ISP router and I want more control in my own LAN.

          I have no port forwarding from LAN1 to LAN2, but still the video stream can be viewed… This could perhaps be the UPnP feature that is enabled on the wifi camera?

          • Nullity

            @Wim:

            I know, double NAT is not a perfect thing, but I cannot turn off DHCP/NAT on the ISP router and I want more control in my own LAN.

            I have no port forwarding from LAN1 to LAN2, but still the video stream can be viewed… This could perhaps be the UPnP feature that is enabled on the wifi camera?

            I'm kinda unclear about your topology but with NAT all downstream clients can access upstream clients.

            Isn't your wifi camera upstream?

            • Wim

              Sorry for not being fully clear on the topology. The wifi camera is connected to the ISP router (LAN1) and has an IP in the range of 192.168.0.x

              The client that I use is connected to LAN2 and has an IP in the range of 192.168.1.x

              I can understand that I can connect from LAN2 to LAN1, but I actually expected not to be able to get a videostream from the camera, since that travels from LAN1 to LAN2.

              • johnpoz LAYER 8 Global Moderator

                "but I actually expected not to be able to get a videostream from the camera, since that travels from LAN1 to LAN2."

                But your client that is viewing the video stream created the connection. The client said, "hey camera, send me your stream." It sends the SYN that starts the conversation. Since you're behind a double NAT, to the camera you look like you came from 192.168.1.x

                Why would you not do it this way? If you're forced to use NAT on your ISP device and cannot disable it and actually get public on pfSense WAN?

                Or better yet, actually isolate your IoT devices like cameras from the rest of your network using pfSense, and then firewall the traffic you want/need to allow between your VLANs/network segments.

                [Attached images: lessbetterway.png, betterwaypng.png]

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11
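
The connection tracking described in the post above, as an added example (not code from the thread or from pfSense): a toy Python model of a NAT firewall sitting between LAN2 and LAN1, showing why a stream requested from LAN2 comes back while a connection opened from LAN1 needs a port forward. The host addresses, the pfSense WAN address and the port numbers are assumed values picked from the ranges in the thread.

```python
# Toy model of the stateful NAT pfSense performs between LAN2 and LAN1.
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass, field

PFSENSE_WAN = "192.168.0.2"   # assumed pfSense WAN address on LAN1
CLIENT = "192.168.1.50"       # assumed wireless client on LAN2
CAMERA = "192.168.0.20"       # assumed camera address on LAN1

@dataclass
class NatFirewall:
    wan_ip: str
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    states: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port)
    port_forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN2 host opens a connection: rewrite the source, record state."""
        wan_port = self.next_port
        self.next_port += 1
        self.states[(wan_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.wan_ip, wan_port, dst_ip, dst_port)  # as seen on LAN1

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the WAN side: needs a state or a port forward."""
        key = (dst_port, src_ip, src_port)
        if key in self.states:
            return ("reply", *self.states[key])
        if dst_port in self.port_forwards:
            return ("forwarded", *self.port_forwards[dst_port])
        return ("dropped", None, None)

def demo():
    fw = NatFirewall(PFSENSE_WAN)
    # 1. Client asks the camera for its stream (the SYN goes LAN2 -> LAN1).
    seen_by_camera = fw.outbound(CLIENT, 51000, CAMERA, 554)
    # 2. Camera answers the address it saw; the state entry maps it back.
    stream = fw.inbound(CAMERA, 554, seen_by_camera[1])
    # 3. Camera opens a new connection toward pfSense: no state, no forward.
    unsolicited = fw.inbound(CAMERA, 33000, 8080)
    # 4. The same attempt after a port forward is added on pfSense.
    fw.port_forwards[8080] = (CLIENT, 8080)
    forwarded = fw.inbound(CAMERA, 33000, 8080)
    return seen_by_camera, stream, unsolicited, forwarded

if __name__ == "__main__":
    for step in demo():
        print(step)
```
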

                • Wim

                  Ok that makes sense to me. Makes me think it would be a good exercise to try and find this kind of communication back in the logs.

                  Thanks for the topology picture. This would be better even, but the one camera is closest to the ISP wifi access point. I haven't tested if it can reach my own 2nd wireless access point. If it can handle it, I can definitely switch it over and pull everything behind pfSense :)

                  • johnpoz LAYER 8 Global Moderator

                    I forgot to add the even better way.  I just added it to the previous post.

                    Using an AP with VLAN support, properly placed for best coverage (you may need more than 1), and a smart switch gives you the most flexibility in your network.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.