2 WANs and 2 LANs



  • I need 2 networks, 1 for internal business and a second for our "Hotel Wifi", so I need 2 fully isolated WANs and LANs. Right now both WANs will be DHCP, though that will quickly change, as the internal business needs a static Internet address.

    I have a quad port Intel NIC, and have been trying to set this up but keep hitting snags, and trying to google different setups for this and hit walls in finding Info.

    So is there any way to set this up? I am getting mixed answers and very unclear workarounds.

    So what I have and want.

    My modem is split with a switch into 2 different IPs right now, then it goes to 2 separate routers, though I would like to consolidate to 1 pfSense box.

    I then want WAN 1 tied to LAN 1, with Internal IP range of 192.168.15.X - 192.168.15.X, and then WAN 2 tied to LAN 2 with Internal IP range of 192.168.1.X - 192.168.1.X.

    Is this possible and how can I achieve it?



  • Is it a problem if the "Hotel Wifi" uses the same WAN address, but on a separate LAN,
    isolated from the "Business"?

    Or is it necessary for both to use different WAN addresses?

    Based on that answer, I can provide you a solution, because there are multiple setups possible
    to achieve what you want.

    Grtz
    DeLorean



  • @DeLorean:

    Is it a problem if the "Hotel Wifi" uses the same WAN address, but on a separate LAN,
    isolated from the "Business"?

    Or is it necessary for both to use different WAN addresses?

    Based on that answer, I can provide you a solution, because there are multiple setups possible
    to achieve what you want.

    Grtz
    DeLorean

    Hey, thanks for the fast reply. Yes, it is necessary to have them on different IPs. For a few reasons: security for one, keeping them isolated from my web server, and also we will have a static IP for business and don't want them on that IP as it will be used for auth.

    More so, the way the laws for hotel wifi are set up, they have to be on a completely different IP, or we are liable for any illegal activities they commit (due to us using the same IP; silly, but it is what we are being told).

    I have what I think is almost there. I have 2 LANs set up, with DHCP, and I have 2 WANs both getting their own IPs. When I connect to the second LAN, it shows me the second WAN's IP in traceroute, however I am having a DNS issue that stops net access.

    I just changed the outbound rules to match up, so WAN 1 is connected to LAN 1, and W2 to L2, and separated LAN 1 and LAN 2 in the firewall rules.



  • I've been working on a similar setup but with 2 WAN

    So far I've set up both LAN interfaces, but under firewall - rules I changed the gateway and made block rules to keep them separate.

    Disable the guest webUI page (and ssh), you don't want them playing with that device!



  • @starshooter10:

    I've been working on a similar setup but with 2 WAN

    So far I've set up both LAN interfaces, but under firewall - rules I changed the gateway and made block rules to keep them separate.

    Disable the guest webUI page (and ssh), you don't want them playing with that device!

    I have 2 WANs as well lol. And done everything you have, however the issue comes when you try to route traffic from LAN 2 to WAN 2. The status monitor for me shows WAN 1 and WAN 2 being used, with traffic only on LAN 1. However, when LAN 2 tries to go through WAN 2, it hits a block and can't see the gateway.


  • LAYER 8 Netgate

    Just policy route that LAN out WAN2 and be sure it has outbound NAT.



  • @Derelict:

    Just policy route that LAN out WAN2 and be sure it has outbound NAT.

    Ya, that is what I was doing, however I think my issue was that I had the same gateway on both WANs. However, I just got off the phone with the ISP; they are going to give me another static IP, with a separate gateway and subnet, so hopefully that will work now.

    It's provisioning now, so we will see in a few hours.

    Do you think I would be better off, using a VIP? Since they are both coming from the same modem, I could eliminate a switch in between.


  • LAYER 8 Netgate

    So it is really one service and all you want to do is make one LAN egress out one IP address and the other out another?

    Yes, a VIP is much easier for that than two different WANs. Especially if it's not really two different WANs.

    Just get a /29 from them instead and outbound NAT one subnet source out the interface address and the other subnet source out a VIP.



  • @Derelict:

    So it is really one service and all you want to do is make one LAN egress out one IP address and the other out another?

    Yes, a VIP is much easier for that than two different WANs. Especially if it's not really two different WANs.

    Just get a /29 from them instead and outbound NAT one subnet source out the interface address and the other subnet source out a VIP.

    Ya, I think that is what I am going to do, especially because then I can have some extra IPs for DMZs. The sales department was closed, so I have to get with them tomorrow. He told me we can provision this for now, and then if you want we can just up it to a /29 tomorrow.
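
Added example, not written by any poster in this thread and not pfSense's generated ruleset: the single-WAN-plus-VIP design discussed above, written as FreeBSD pf rules to show the logic that the pfSense outbound NAT and per-interface rule screens express. The interface names, the `203.0.113.11` placeholder VIP and the choice to let guests use the firewall as their DNS server are assumptions; DHCP and other rules pfSense adds on its own are omitted.

```pf
# Constructed illustration. Interface names and the VIP are placeholders.
wan_if   = "igb0"                # WAN, carries the interface address and the VIP
biz_if   = "igb1"                # LAN 1, internal business
guest_if = "igb2"                # LAN 2, hotel Wi-Fi

biz_net   = "192.168.15.0/24"    # range given in the thread for LAN 1
guest_net = "192.168.1.0/24"     # range given in the thread for LAN 2
guest_vip = "203.0.113.11"       # placeholder: spare address from the ISP /29

# Outbound NAT: each subnet leaves from its own public address, so guest
# traffic never appears to come from the business IP.
nat on $wan_if inet from $biz_net   to any -> ($wan_if)
nat on $wan_if inet from $guest_net to any -> $guest_vip

# Default deny; everything below is an explicit exception.
block log all

# Guest LAN. Order matters because every rule is "quick" (first match wins).
# 1. No SSH or web GUI on any firewall address, public ones included.
block in log quick on $guest_if inet proto tcp from any to self port { 22 80 443 }
# 2. DNS to the firewall's guest-side address only (assumed resolver).
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53
# 3. Nothing else private: covers the business LAN and any future DMZ on RFC 1918 space.
block in log quick on $guest_if inet from any to { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
# 4. Internet access for correctly sourced guest traffic.
pass in quick on $guest_if inet from $guest_net to any

# Business LAN: isolated from guests in the other direction as well.
block in log quick on $biz_if inet from any to $guest_net
pass in quick on $biz_if inet from $biz_net to any

# Translated traffic leaving the WAN.
pass out on $wan_if inet all
```

From a guest client, a request to a public "what is my IP" service should report the VIP, and connections to 192.168.15.0/24 or to the firewall's GUI and SSH ports should show up as blocked in the firewall log.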

