Multiple subnets on one physical LAN interface
chaunold:
I am not the most skilled with pfSense, and I have been working for the past 3 days trying to figure this issue out. I have a DMZ switch which is connected to the WAN interface on my pfSense box. The WAN interface has already been configured with a static public IP and a public gateway. The LAN interface has already been configured with the interface IP being 192.168.5.1/24. This was configured using the default setup wizard. I have upgraded all my switches to layer 3 switches (Alcatel-Lucent OS6850). I have multiple VLANs created on the switch with IP interfaces assigned to each VLAN. All the VLANs are currently "forwarding", meaning there is inter-VLAN routing.
Here are the configurations on my switch:
"Servers" VLAN 1001:
"Users" VLAN 1002:
"Main-Internet" VLAN 1005:
Configuration on my pfSense box:
Static IPv4: 99.x.y.z
Static IPv4: 192.168.5.2
If I put a computer, for example, on the 192.168.5.0/24 network, I can ping it from the 192.168.2.0/23 network just fine. However, if I try to ping the pfSense box (192.168.5.2) from the 192.168.2.0/23 network, it fails. I did this test to ensure inter-VLAN routing was working properly.
Here are the methods I tried so far:
I created a virtual IP on pfSense for each IP interface that is on the switch:
VIP Address: 192.168.2.1/24. Interface: LAN. Type: IP Alias
I then made a firewall rule on the LAN interface to allow all IPv4 traffic from any source to any destination (yes, I realize this is insecure, but I did this just to get some sign of routing from the firewall to my other subnets):
Protocol: IPv4*. Source: *. Destination: *. Port: *. Gateway: *.
I also tried making a specific firewall rule on the LAN interface:
Protocol: IPv4*. Source: 192.168.2.0/23. Destination: *. Port: *. Gateway: *
From there, I went into my NAT settings and set the outbound rules to manual mode. I created the following rule:
Interface: WAN. Source: 192.168.2.0/23. Source Port: *. Destination Port *. NAT Address: WAN Address. NAT Port: *.
On the switch, I made a default static route to the pfSense address (192.168.5.2):
ip static-route 0.0.0.0/0 gateway 192.168.5.2 metric 1
Here were the results:
On the 192.168.2.0/23 network, clients could not ping the pfSense address (192.168.5.2), and clients could not ping a public address on the internet (188.8.131.52).
From here I tried a new method:
I went to System >> Routing and in the "Gateway" tab I added the following:
Name: Users. Interface: LAN. Gateway: 192.168.2.1
Then I made a static route in the "Static Routes" tab:
Network: 192.168.2.0/23. Gateway: 192.168.2.1. Interface: LAN
I again made the same firewall and NAT rules from my previous method and was presented with the same results as before. At this point, I have no idea what the issue is. I have been reading other pfSense forum topics and documents about this and nothing seems to work for me. I don't know if I am missing a critical setting or rule, or if I am configuring pfSense wrong. If anyone could please give me advice or help to solve this issue, that would be deeply appreciated!
So out of the box pfSense LAN rules would allow any/any if you're on the LAN network. So if you want to ping it from some other network you would have to allow it.
Also, out of the box pfSense would only NAT to the internet the network on its LAN; if you're going to have downstream networks you would have to add them to outbound NAT.
So 192.168.5/24 is your transit network. Do you have hosts on this network that would want to talk to your downstream networks, or that your downstream networks would want to talk to? There should be no hosts on a transit network. If you have them, they all need host routing for where to go for what networks, etc., or you will have asymmetrical problems. And a /24 is large for a transit; a typical transit would be /30 or /29.
chaunold:
Thanks for your response. I figured out what the problem was. I already configured NAT rules, virtual IPs, and firewall rules for my other networks. I did not create a static route in the routing page on pfSense. Once I made static routes to my networks and declared 192.168.5.1 as my upstream gateway, everything started to work just fine. And yes, I agree, a transit network should be a /29 or /30 network. I created that /24 network just for testing purposes, and once I got everything working, I re-applied strict firewall rules, changed my transit network to a /30, and also applied QoS policies on my switch. Glad everything is working now! :D
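The three requirements that come out of the thread (a LAN rule whose source covers the downstream subnet, an outbound NAT rule for it, and a static route back to it via the switch) can be checked mechanically. The following is an added example, not code from the thread or from pfSense itself: it models pfSense's default behaviour (LAN rule source "LAN net" only, automatic outbound NAT limited to directly connected networks, longest-prefix route lookup with the WAN gateway as default) and assumes the addressing from the later posts: pfSense LAN 192.168.5.2/24, the switch at 192.168.5.1 on the transit VLAN, and the "Users" subnet 192.168.2.0/23. The WAN addresses are documentation-range placeholders.

```python
"""Added example (not from the thread or pfSense): model of what a routed
downstream subnet behind a layer-3 switch needs from pfSense before it can
reach the internet. Addresses assumed: pfSense LAN 192.168.5.2/24, switch
192.168.5.1, Users subnet 192.168.2.0/23; WAN uses documentation ranges."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network
    gateway: IPv4Address | None = None  # only WAN has an upstream gateway


@dataclass
class Config:
    interfaces: dict[str, Interface]
    # static routes as (destination, gateway, interface the gateway sits on),
    # mirroring the System > Routing > Static Routes form
    static_routes: list[tuple[IPv4Network, IPv4Address, str]] = field(default_factory=list)
    lan_rule_sources: list[IPv4Network] = field(default_factory=list)
    outbound_nat_sources: list[IPv4Network] = field(default_factory=list)


def lookup_route(cfg: Config, dst) -> tuple[str, IPv4Address | None] | None:
    """Longest-prefix match over connected networks, static routes and the WAN
    default route. Returns (egress interface, next hop or None if connected)."""
    dst = ip_address(dst)
    candidates = []
    for iface in cfg.interfaces.values():
        if dst in iface.network:
            candidates.append((iface.network.prefixlen, iface.name, None))
    for net, gw, via in cfg.static_routes:
        if dst in net:
            candidates.append((net.prefixlen, via, gw))
    wan = cfg.interfaces.get("WAN")
    if wan is not None and wan.gateway is not None:
        candidates.append((0, "WAN", wan.gateway))
    if not candidates:
        return None
    best = max(candidates, key=lambda c: c[0])
    return best[1], best[2]


def check_downstream(cfg: Config, client, internet_host) -> list[str]:
    """List what stops `client` (behind the LAN-side switch) from reaching
    `internet_host` through this box. An empty list means the path is complete."""
    client, internet_host = ip_address(client), ip_address(internet_host)
    problems = []
    if not any(client in net for net in cfg.lan_rule_sources):
        problems.append("LAN firewall rule: source does not cover the downstream subnet")
    if not any(client in net for net in cfg.outbound_nat_sources):
        problems.append("outbound NAT: no rule for the downstream subnet")
    back = lookup_route(cfg, client)  # where do replies to the client go?
    if back is None or back[0] != "LAN":
        where = back[0] if back else "nowhere"
        problems.append(f"routing: replies to {client} would leave via {where} instead of LAN")
    fwd = lookup_route(cfg, internet_host)
    if fwd is None or fwd[0] != "WAN":
        problems.append("routing: no default route towards the internet")
    return problems


LAN_NET = ip_network("192.168.5.0/24")
USERS_NET = ip_network("192.168.2.0/23")
SWITCH = ip_address("192.168.5.1")  # assumed: switch IP on the transit VLAN


def base_config() -> Config:
    """Post-wizard defaults: LAN rule source 'LAN net', automatic outbound NAT
    covering only the directly connected LAN network, no static routes."""
    return Config(
        interfaces={
            "WAN": Interface("WAN", ip_address("203.0.113.10"),
                             ip_network("203.0.113.0/24"), ip_address("203.0.113.1")),
            "LAN": Interface("LAN", ip_address("192.168.5.2"), LAN_NET),
        },
        lan_rule_sources=[LAN_NET],
        outbound_nat_sources=[LAN_NET],
    )


def first_attempt_config() -> Config:
    """Allow-any LAN rule plus a manual outbound NAT rule, but no static route:
    the state described in the original post."""
    cfg = base_config()
    cfg.lan_rule_sources = [ip_network("0.0.0.0/0")]
    cfg.outbound_nat_sources.append(USERS_NET)
    return cfg


def fixed_config() -> Config:
    """Same, plus the static route to the Users subnet via the switch on LAN."""
    cfg = first_attempt_config()
    cfg.static_routes.append((USERS_NET, SWITCH, "LAN"))
    return cfg


if __name__ == "__main__":
    client, target = "192.168.2.50", "198.51.100.7"
    for label, cfg in (("default", base_config()), ("first attempt", first_attempt_config()),
                       ("fixed", fixed_config())):
        print(f"{label}: {check_downstream(cfg, client, target) or 'OK'}")
```

The "first attempt" case reproduces the symptom in the original post: the firewall and NAT pieces are in place, but with no route for 192.168.2.0/23 the reply to a downstream client follows the default route out of WAN, so even pings to the pfSense LAN address fail. Adding the static route is the only change between that case and the working one.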
Good to hear you got it sorted!!
luke1018:
Hi, I am facing the same issue. May I know if it is the NAT configuration that is giving me the issue?