Trouble Routing traffic between servers on two physical LANs (Interfaces)



  • *I will note I run a number of clubs like this, all are identical.

    Here's what I want to do:
    I have a number of nightclubs with a client server Point of Sale system that bookmarks transactions in the surveillance DVR.
    To meet compliance the POS system must be on a separate network.
    I want to keep my surveillance on its own LAN (read below) but I want to open the firewall (NAT?) to allow data to pass from one physical interface (LAN) to another. (DVR to POS server)
    I also need to allow the manager's PC to access the DVR, but I'm guessing it uses the same method.

    Here's what I have:
    SuperMicro based pfSense (currently 2.3.1)
    dual onboard for WAN (two tier gateway group for failover based on member down, works fine)
    -Static for the main WAN
    –DHCP to the 4G gateway.

    add in intel i350-t4
    POS LAN with POS server 192.168.140.1/24
    Security network mostly IP cams 192.168.141.1/24
    Club network (DJ and managers use this) 192.168.142.1/24
    Guest LAN (unsecured WLAN) 192.168.143.1/24

    The important boxes are all setup with aliases

    I've tried all kinds of firewall rules, even all to all.
    I've tried NAT, but don't think I was doing that right...

    Here's an example of what I've tried, this was on LAN1 and LAN2

    Rules (Drag to Change Order)

    | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description | Actions |
    |---|---|---|---|---|---|---|---|---|---|---|
    | 0 /0 B | IPv4 * | 192.168.140.0/24 | * | 192.168.141.0/24 | * | * | none | | TEST | |
    | 0 /17 KiB | IPv4 * | 192.168.141.0/24 | * | 192.168.140.0/24 | * | * | none | | TEST | |
    | 0 /0 B | IPv4 * | POS Server | * | DVR3VR | * | * | none | | | |
    | 0 /0 B | IPv4 * | Manager | * | DVR3VR | * | * | none | | | |
    | 0 /0 B | IPv4 * | DVR3VR | * | POS Server | * | * | none | | | |
    | 0 /0 B | IPv4 * | DVR3VR | * | Manager | * | * | none | | | |
    | 0 /0 B | IPv6 * | OFFICE_DVR_LAN_141 net | * | * | * | * | none | | Default allow LAN IPv6 to any rule | |

    49 /157.78 GiB
    IPv4 * OFFICE_DVR_LAN_141 net



  • Do I need to set up a Static Route?

    https://doc.pfsense.org/index.php/Static_Routes


  • LAYER 8 Global Moderator

    pfSense will automatically route between networks, be they physical interfaces or VLANs. The only thing you have to do is create firewall rules on the optX interfaces you bring up.

    You seem to be creating rules on your LAN for these other networks? What rules did you put on the other networks' interfaces?

    Post pictures, btw, of your rules - so much easier to read ;)

    Rules are evaluated as the traffic enters an interface from the network towards pfSense.
    First rule to trigger wins
    No other rules are evaluated.
    If no rules trigger then deny (default not shown deny rule).

    I would suggest while you test you just create any any rule on your new network interfaces.  Then start restricting traffic, etc.

    Keep in mind that hosts can be running their own local firewall. Windows out of the box, for example, if on 192.168.1/24 would not allow access from 192.168.2/24. So while you can route and allow the traffic on pfSense, you still may need to configure any local firewall rules you're running to allow the access from these other networks.

    Your IP cameras: do they have a gateway set? Are they DHCP or static? If a device does not talk back to pfSense as its gateway to get off its local network, then no, you would not be able to talk to it from another network - it would not have internet access, etc.
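
The evaluation order described in the reply above, as a small Python model (an added example, not part of the thread and not pfSense code): rules are looked up on the interface the packet enters, the first match wins, and no match means block. The subnets are the ones from the first post; the host addresses, the DJ PC and both rule sets are constructed for illustration, and ports, protocols and state tracking are left out.

```python
import ipaddress as ipa

# Interface subnets from the post; the host addresses below are constructed.
IFACES = {"POS": "192.168.140.0/24", "SECURITY": "192.168.141.0/24",
          "CLUB": "192.168.142.0/24", "GUEST": "192.168.143.0/24"}
POS_SERVER, DVR, MANAGER, DJ_PC = ("192.168.140.10", "192.168.141.10",
                                   "192.168.142.10", "192.168.142.50")

def ingress_iface(src):
    """Return the interface whose subnet contains src (where the packet enters)."""
    for name, net in IFACES.items():
        if ipa.ip_address(src) in ipa.ip_network(net):
            return name
    return None

def matches(spec, addr):
    """spec is 'any', a single host address, or a CIDR network."""
    return spec == "any" or ipa.ip_address(addr) in ipa.ip_network(spec)

def evaluate(ruleset, src, dst):
    """First matching rule on the ingress interface wins; no match means block."""
    iface = ingress_iface(src)
    for action, rule_src, rule_dst in ruleset.get(iface, []):
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "block"  # implicit default deny

# Both directions placed on one interface: the first rule can never match,
# because traffic sourced from 192.168.140.0/24 enters on POS, not SECURITY.
MISPLACED = {"SECURITY": [("pass", IFACES["POS"], IFACES["SECURITY"]),
                          ("pass", IFACES["SECURITY"], IFACES["POS"])]}

# Each rule sits on the interface its source network is attached to.
PER_IFACE = {
    "POS": [("pass", POS_SERVER, DVR)],
    "SECURITY": [("pass", DVR, POS_SERVER)],
    "CLUB": [("pass", MANAGER, DVR),                         # specific allow first
             ("block", IFACES["CLUB"], IFACES["SECURITY"]),  # rest of CLUB kept out
             ("pass", IFACES["CLUB"], "any")],
}

if __name__ == "__main__":
    for name, rules in (("misplaced", MISPLACED), ("per-interface", PER_IFACE)):
        for src, dst in ((POS_SERVER, DVR), (DVR, POS_SERVER),
                         (MANAGER, DVR), (DJ_PC, DVR)):
            print(f"{name:14} {src} -> {dst}: {evaluate(rules, src, dst)}")
```
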

