Routing between two LANs
-
Hello,
My pfSense installation has its LAN interface configured as 10.0.0.0/24. Generally it works OK, providing internet access for all LAN computers.
But there is also a second network (192.168.1.0/24) connected to the same physical infrastructure (i.e. both networks share switches, cables etc.).
Is it possible to connect both networks with my current pfSense installation?
How should I define routing between both networks? Should I buy another NIC for the pfSense computer, or can it be done with the current one?
What I need to achieve is connectivity between both networks, but it would be nice if pfSense could also serve as an internet gateway for 192.168.1.0/24.
Best regards,
motzel
-
Do you have a VLAN-capable switch? With it you could solve this with a single interface.
Also of interest might be the following file:
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
However, the "more proper" approach to this is a second interface and separate switches for the different subnets.
Usually you should NOT mix subnets on the same physical hardware unless you're using tagged VLANs.
-
Do you have a VLAN capable switch?
No, I haven't.
Also of interest might be the following file:
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
Thanks for a great document! I followed it and configured my network, but I have one problem.
I've added an alias for 192.168.1.0/24 on the pfSense box, and when I ssh to it I can ping any 192.168.1.0/24 computer without any problem. After adding a static route to a 192.168.1.0/24 computer (with the gateway set to the created alias) I can ping any 10.0.0.0/24 computer. BUT I can not ping 192.168.1.0/24 from my LAN (10.0.0.0/24). Where does the problem lie?
Best Regards,
motzel
-
Why did you create a static route?
You don't need a static route.
Basically, as long as you use pfSense as the default gateway in both subnets, you should not have a problem.
Just make sure the firewall rules allow access FROM both subnets TO both subnets.
-
Why did you create a static route?
You don't need a static route.
Basically, as long as you use pfSense as the default gateway in both subnets, you should not have a problem.
Because the 192.168.1.0/24 network uses its own gateway (providing internet access for it).
What I'm trying to do is to force both networks to see each other. pfSense should provide internet access to its LAN (10.0.0.1/24) only.
Just make sure the firewall rules allow access FROM both subnets TO both subnets.
I've created rules for both networks to reach all destinations on any port, but it did not work as expected (one-way communication only, i.e. 192=>10). Then I checked "Bypass firewall rules for traffic on the same interface" in System/Advanced, but it didn't work either.
Best Regards,
motzel
-
Ah, you have a different gateway for the 192.168.1.0/24 subnet.
You have to create a static route on this other router which is the gateway.
Of course you cannot ping anything in the 192.168.1.0/24 subnet if all these computers don't know that the 10.0.0.0 subnet exists.
Otherwise you would have to create a static route on each of these computers.
-
Of course you cannot ping anything in the 192.168.1.0/24 subnet if all these computers don't know that the 10.0.0.0 subnet exists.
Otherwise you would have to create a static route on each of these computers.
Yeah. That's obvious to me.
The pfSense LAN interface has an alias created (so two IPs are assigned to it: 10.0.0.1 and 192.168.1.248). As I wrote earlier, from the 192.168.1.0/24 network I can ping any 10.0.0.0/24 computer without any problem; on the 192.168.1.0/24 gateway I've created a static route to 10.0.0.0/24 (with 192.168.1.248 as the gateway).
The problem is with communication in the opposite direction. So when I'm on the 10.0.0.104 box and try to ping 192.168.1.1, it doesn't work. BUT the same ping works from the pfSense box. So the problem lies in the pfSense router: transmission from LAN is blocked/not routed to the 192.168.1.0/24 network.
So again, with a diagram:

                   | pfSense LAN interface    |
192.168.1.0/24 --->| 192.168.1.248 X 10.0.0.1 |----- LAN (10.0.0.0/24)
                   |                          |

With "X" I've marked the place where transmission is broken.
Best Regards,
motzel
-
On pfSense an alias is a name that stands for a network / multiple IPs / multiple ports.
It took me a while until I figured out that by "alias" you mean an alias-type virtual IP.
When you can ping from 192.168.1.0/24 to 10.0.0.0/24, then the traffic is able to flow in both directions.
Otherwise you'd never get a response to your ping.
Do you see anything in the firewall log as blocked?
Can you show a screenshot of your firewall rules for this interface?
-
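A route-table walk-through of the setup discussed in this thread, added here as an example (it is not code from the original posts or from pfSense). It models only routing tables on one shared wire: pfSense with 10.0.0.1 and the alias-type virtual IP 192.168.1.248, the other gateway 192.168.1.1, and one host in each subnet (host names and the 203.0.113.x "internet" next hops are assumptions). It shows why the static route on the 192.168.1.1 gateway is needed, and that a successful ping proves both directions are routable because the reply is traced as well. It does not model pf rules, the "bypass" option or ARP, so it cannot reproduce the symptom motzel reports for traffic originating on 10.0.0.0/24; at the routing-table level that direction works once the static route is in place.

```python
"""Route-table model of the thread's setup: one physical wire, two subnets,
pfSense holding 10.0.0.1 and the alias-type VIP 192.168.1.248.

Added example, not part of the original posts.  It models routing tables only
(no pf rules, no ARP), so it shows what the tables alone permit.  Host names
and the 203.0.113.x "internet" next hops are assumptions."""
import ipaddress


class Host:
    def __init__(self, name, addrs, routes, forwards=False):
        self.name = name
        self.addrs = set(addrs)
        # prefix -> next hop; "direct" means the destination is on the wire
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        self.forwards = forwards  # True for routers, False for end hosts

    def next_hop(self, dst):
        """Longest-prefix match, as a real kernel route lookup does."""
        dst = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, nh) for n, nh in self.routes.items() if dst in n]
        return max(matches, key=lambda m: m[0])[1] if matches else None


def trace(hosts, src, dst, max_hops=8):
    """Follow one packet from src to dst; return (path of host names, outcome)."""
    owner = {a: h for h in hosts for a in h.addrs}
    cur = owner[src]
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path, "delivered"
        if len(path) > 1 and not cur.forwards:
            return path, f"{cur.name} is not a router, packet discarded"
        nh = cur.next_hop(dst)
        if nh is None:
            return path, f"{cur.name} has no route to {dst}"
        target = dst if nh == "direct" else nh
        nxt = owner.get(target)
        if nxt is None:
            return path, f"{cur.name} sends to {target}, which is not on the shared wire"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded"


def ping(hosts, src, dst):
    """A ping succeeds only if the echo request AND the echo reply are routable."""
    req = trace(hosts, src, dst)
    if req[1] == "delivered":
        rep = trace(hosts, dst, src)
    else:
        rep = (None, "no reply: request never arrived")
    return {"request": req, "reply": rep, "ok": rep[1] == "delivered"}


def build(static_route_on_gw1):
    """The thread's topology.  203.0.113.x stands for the ISP side (assumed)."""
    gw1_routes = {"192.168.1.0/24": "direct", "0.0.0.0/0": "203.0.113.1"}
    if static_route_on_gw1:
        gw1_routes["10.0.0.0/24"] = "192.168.1.248"  # the fix suggested in the thread
    return [
        Host("pfsense", ["10.0.0.1", "192.168.1.248"],
             {"10.0.0.0/24": "direct", "192.168.1.0/24": "direct", "0.0.0.0/0": "203.0.113.2"},
             forwards=True),
        Host("gw1", ["192.168.1.1"], gw1_routes, forwards=True),
        Host("h104", ["192.168.1.104"], {"192.168.1.0/24": "direct", "0.0.0.0/0": "192.168.1.1"}),
        Host("h3", ["10.0.0.3"], {"10.0.0.0/24": "direct", "0.0.0.0/0": "10.0.0.1"}),
        Host("h10_104", ["10.0.0.104"], {"10.0.0.0/24": "direct", "0.0.0.0/0": "10.0.0.1"}),
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        hosts = build(fixed)
        print(f"static route on gw1: {fixed}")
        for s, d in (("192.168.1.104", "10.0.0.3"), ("10.0.0.104", "192.168.1.1")):
            r = ping(hosts, s, d)
            print(f"  {s} -> {d}: ok={r['ok']} request={r['request']} reply={r['reply']}")
```

Note the asymmetry the trace exposes: the request from 192.168.1.104 passes through 192.168.1.1, but the reply from 10.0.0.3 leaves pfSense on 192.168.1.248 and goes straight to the host on the shared wire, never touching the other gateway. Without the static route, 192.168.1.1 sends anything for 10.0.0.0/24 towards its ISP, so neither direction of a ping between the two subnets can complete.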
When you can ping from 192.168.1.0/24 to 10.0.0.0/24, then the traffic is able to flow in both directions.
Otherwise you'd never get a response to your ping.
Oh, you're right. I didn't even think about it like this :-)
Do you see anything in the firewall log as blocked?
No, the firewall log is empty (not counting some port checking from the internet, of course).
My current firewall rules for LAN look like this:

Proto  Source  Port  Destination  Port  Gateway
-      *       *     *            *     *

So it basically should allow all transmission in both directions.
I've played around with this in the meantime, and after I checked "Bypass firewall rules for traffic on the same interface" in System/Advanced the situation reverses, i.e. now from the pfSense LAN (10.0.0.0/24) I can ping 192.168.1.0/24 hosts, but from 192.168.1.0/24 the only 10.0.0.0/24 address I can ping is 10.0.0.1 (the pfSense box). When I try to ping 10.0.0.3 there is no response. Traceroute from 192.168.1.104 to 10.0.0.3 looks like this:
1 192.168.1.1 (192.168.1.0/24 gateway)
2 192.168.1.248 (pfSense alias-type virtual IP for the LAN interface)
3 * * *
and tcpdump running on the pfSense box:
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
10:27:51.208662 IP (tos 0x0, ttl 127, id 27839, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.104 > 10.0.0.3: ICMP echo request, id 512, seq 47625, length 40
10:27:51.208734 arp who-has 10.0.0.3 tell 10.0.0.1
So the transmission reaches the pfSense box, but it's not forwarded to the 10.0.0.0/24 subnet…
Best Regards,
motzel
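A small check that can be run over tcpdump output like the one shown in the last post, added as an example (not part of the original thread). pfSense can only forward the echo request onto 10.0.0.0/24 if its ARP request for 10.0.0.3 is answered, so the script pairs every "who-has" with a later "is-at" for the same address and lists the IP packets whose destination never resolved; a destination that stays unresolved is not reachable on em0's segment, whatever the routes and firewall rules say. The sample capture is constructed: the two lines from the post plus an invented, answered ARP exchange for 192.168.1.104 (IANA documentation MAC address) and an invented retry, to show the contrast. The capture in the post ends right after the ARP request, so whether a reply followed is not known from the page.

```python
"""Check, from tcpdump output, whether packets a router must forward onto a
directly attached subnet ever got their next-hop ARP answered.

Added example, not from the original post.  The sample lines are constructed
around the two lines shown in the thread; the answered ARP exchange for
192.168.1.104 and the retry for 10.0.0.3 are invented for contrast."""
import re

TS = r"^(\d{2}:\d{2}:\d{2}\.\d+) "
# Verbose ("IP (tos ...) a > b:") and plain ("IP a > b:") forms, with optional ports.
IP_RE = re.compile(TS + r"IP (?:\(.*?\) )?(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
                   r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")
# Old ("arp who-has") and newer ("ARP, Request who-has") tcpdump spellings.
ARP_REQ = re.compile(TS + r"(?:arp|ARP, Request) who-has ([\d.]+) tell ([\d.]+)")
ARP_REP = re.compile(TS + r"(?:arp reply|ARP, Reply) ([\d.]+) is-at ([0-9a-fA-F:]+)")


def analyze(lines):
    """Return {'unresolved': {target: first asker}, 'stranded': [(src, dst, what)]}.

    'stranded' holds the IP packets whose destination was ARPed for but never
    answered anywhere in the capture, i.e. packets the router could not deliver."""
    asked, answered, packets = {}, set(), []
    for line in lines:
        line = line.strip()
        if (m := ARP_REQ.match(line)):
            asked.setdefault(m.group(2), m.group(3))  # target -> who asked first
        elif (m := ARP_REP.match(line)):
            answered.add(m.group(2))
        elif (m := IP_RE.match(line)):
            packets.append((m.group(2), m.group(3), m.group(4)))
    unresolved = {t: a for t, a in asked.items() if t not in answered}
    stranded = [(s, d, w) for s, d, w in packets if d in unresolved]
    return {"unresolved": unresolved, "stranded": stranded}


# Constructed sample: lines 3 and 4 are the ones from the post, the rest is invented.
CAPTURE = """\
10:27:50.900000 arp who-has 192.168.1.104 tell 192.168.1.248
10:27:50.900120 arp reply 192.168.1.104 is-at 00:00:5e:00:53:04
10:27:51.208662 IP (tos 0x0, ttl 127, id 27839, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.104 > 10.0.0.3: ICMP echo request, id 512, seq 47625, length 40
10:27:51.208734 arp who-has 10.0.0.3 tell 10.0.0.1
10:27:52.209001 arp who-has 10.0.0.3 tell 10.0.0.1
""".splitlines()


def report(lines):
    """Human-readable summary; returns the number of stranded packets."""
    result = analyze(lines)
    for target, asker in result["unresolved"].items():
        print(f"{asker} asked for {target} and never got an is-at reply")
    for src, dst, what in result["stranded"]:
        print(f"  undeliverable: {src} > {dst}: {what}")
    return len(result["stranded"])


if __name__ == "__main__":
    report(CAPTURE)
```

If the real capture shows an `is-at` reply for 10.0.0.3 right after the `who-has`, ARP is fine and the problem is elsewhere; if it never does, 10.0.0.3 is not answering on the segment em0 is attached to, and no route or rule on pfSense will change that.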