Second Lan network same interface



  • I currently have a LAN network that uses the 10.1/16 range and I want to set up another that is 10.3/16 on the same interface.

    What's the best way of doing this?

    I was looking at adding an IP alias https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses but it looks like I can't add a range with that.


  • Rebel Alliance Global Moderator

    You would do a vlan simple enough.. Do you have a vlan capable switch?  Get 1!



  • So I add a new VLAN on my LAN interface and assign it my new network range.

    I then configure the switch port that the lan interface is using to be tagged/trunked for all the vlans I want it to communicate to?


  • Rebel Alliance Global Moderator

    Correct..



  • I was going to set this up by creating a new VLAN and giving it an ID of 10 and attach it to the same interface my LAN is on. This is currently connected to my switch into VLAN ID 1 but is all untagged traffic. (image attached)

    If I change the port on the switch to tagged will my LAN continue to work?

    If I change some other ports in the Switch to tagged for both VLAN 1 and 10 should the devices on the other end continue to work? I'm currently running Xenserver which does seem to understand Vlans and lets me split out traffic to specific VMs based on it so I'm hoping this will work.

    I'm assuming a machine that does not understand tagged traffic defaults to 1 which would be my LAN in this case.



  • Rebel Alliance Global Moderator

    So here's the thing.. Normally the interface on pfsense would not have any tag.. It does not have to be 1, it's just whatever untagged vlan you set up on your switch that it is connected to.. I have one that is vlan 20 on my switch for the untagged network.  On top of that interface there are tagged vlans.

    Whatever vlan in your switch you want your lan to be on, this would be untagged to the pfsense lan port.  Any vlans you have set up on pfsense that you want would be tagged on this port.  If you're going to tag both vlans then you would need to change your lan to a vlan..

    All your other ports that are going to connect to devices would normally be untagged in that vlan.  Ports that are going to be uplinked to other switches or devices that will understand the tags would then tag all the vlans you want to send to that device.

    Vlan 1 is nothing more than the default untagged vlan on a switch.. But the pfsense normal interface doesn't know or care about what vlan the switch calls it - it's just the untagged traffic.  You only ever have one vlan on any port or interface as untagged, since if not tagged the device/switch has no way to know which traffic is on which vlan, etc.



  • One other question on this is routing between interfaces.  I have the same configuration as the OP, with a LAN & VLAN on the same interface.  While I can ping the pfSense VLAN interface from my notebook computer, I can't ping the VLAN address on my desktop computer.  I do see RAs on that VLAN though.  When I ping from the desktop computer, that has the VLAN enabled, I can see the pings going out, but no response from pfSense.

    Just to clarify, on the pfSense router, the main LAN is 172.16.0.1/24, VLAN3 is 172.16.3.1/24.  My desktop system has both LAN (172.16.0.10) and VLAN (172.16.3.10) enabled, but my notebook computer LAN (172.16.0.40) only.  From the notebook, I can ping 172.16.3.1, but not 172.16.3.10.  From the desktop, when I ping 172.16.3.1, I get no response.

    I'll worry about IPv6 later.


  • Rebel Alliance Global Moderator

    What are your rules on these interfaces?



  • At the moment, I don't have any rules.  I had tried setting up rules to allow everything from one interface to the other, with one rule for each direction on each interface, but that didn't work.  That's why I'm asking what is supposed to be used.  Documentation on this appears to be very scarce.



  • I just created a single rule for VLAN3, based on what's on LAN.  I've attached both.





  • Rebel Alliance Global Moderator

    well with those rules.. Then yes anything on lan should be able to ping anything on vlan3..  And vlan3 should be able to ping anything on lan

    For sure the interface on pfsense be it lan or vlan3.

    If you can not ping some client on the other network then either that client has a firewall or maybe it doesn't have pfsense set as its gateway.

    Are you saying a device on lan can ping the pfsense lan IP, but it can not ping the vlan3 pfsense interface IP?  I would check your masks on your client and pfsense for your interface IPs.



  • A bit of change.  After creating that single rule, I can now ping the firewall from the desktop via VLAN3 and the desktop from the firewall, but couldn't earlier.  However, when I ping from the notebook to the desktop VLAN interface, I can see the incoming ping, with Wireshark, but no response.  However, the source of the incoming ping, from the notebook, is from 172.16.0.40.  Yet I don't see a response on either VLAN or LAN.  Not sure what's happening.  Perhaps the desktop system is getting confused about having 2 routes to the notebook.  I'll have to try creating a separate interface, instead of VLAN3, to see if that eliminates the problem.

    There is a firewall, but turning it off doesn't make any difference.  Both the desktop and notebook are running openSUSE 42.3.


  • Netgate

    Just to clarify, on the pfSense router, the main LAN is 172.16.0.1/24, VLAN3 is 172.16.3.1/24  My desktop system has both LAN (172.16.0.10) and VLAN (172.16.3.10) enabled, but my notebook computer LAN  (172.16.0.40) only.  From the notebook, I can ping 172.16.3.1, but not 172.16.3.10.  From the desktop, when I ping 172.16.3.1, I get no response.

    You will have asymmetry in that case.

    When 172.16.0.40 has traffic for 172.16.3.10 it will send it to the default gateway and it will be routed out the 172.16.3.0 interface.

    That traffic will arrive at 172.16.3.10 sourced from 172.16.0.40.

    When 172.16.3.10 has reply traffic, the proper thing to happen would be for it to be sent back to the 172.16.3.1 for routing but that will not happen. 172.16.3.10 also has an interface in the laptop's local subnet so 172.16.0.10 will ARP for 172.16.0.40 (if necessary) and send the reply traffic directly. I wouldn't say it is confused. It is just doing as it has been told.

    I generally have a few VLAN interfaces on my workstation, too, but I only use them to source connections from there to something else on the local subnet. That way reply traffic is always same-subnet and it works. I never expect it to be routed.



  • You will have asymmetry in that case.

    That's what I suspected and mentioned in the post above yours.  I'll have to create another interface that I can experiment with.  I just plugged in another NIC, but it doesn't seem to come up.  I'll have to investigate why.  I'm not sure if it's good or not, as it was given to me by a friend years ago.  If not, I'll have to connect my Cisco router and use VLAN3 on it to experiment with.

    Incidentally, that NIC, while listed in the dashboard, doesn't show a MAC or IP address.  The ifconfig command shows a MAC but not an IP address.

    Here's what ifconfig shows.

    em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
            ether 90:e2:ba:4d:d6:b3
            hwaddr 90:e2:ba:4d:d6:b3
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

    And on Status > Interfaces I see this, which I find curious.




  • Netgate

    No idea what you are showing us there. That is em0 and bge0.

    A parent interface of a VLAN will show like that if it is not assigned to an interface and numbered.

    igb1 is not assigned in interfaces > assignments:

    igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
    ether 00:08:a2:0a:59:42
    hwaddr 00:08:a2:0a:59:42
    inet6 fe80::208:a2ff:fe0a:5942%igb1 prefixlen 64 scopeid 0x2
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active

    VLAN 223 is…

    igb1_vlan223: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:08:a2:0a:59:42
    inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
    inet6 2600:dead:beef:cafe:208:a2ff:fe0a:5942 prefixlen 64
    inet6 fe80::1:1%igb1_vlan223 prefixlen 64 scopeid 0xb
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 223 vlanpcp: 0 parent interface: igb1



  • I was showing the LAN4 interface, which doesn't appear to have a MAC address, though it does in ifconfig.  I also don't know why it shows opvpns1 on it.
    Curious.


  • Netgate

    Because it is assigned to an OpenVPN instance. Look in Interfaces > (assign).



  • Openvpn was assigned, but I have absolutely no idea how that wound up on there.  I deleted that assignment and created a new one as em0 and it came up.



  • I just came across something curious.  I've set up the new interface for LAN4 and enabled both IPv4 and IPv6.  The IPv6 prefix is within my /56.  When I ping my desktop computer, on its global IPv6 address, it's successful.  When I try on its ULA, I get a "Destination unreachable: No route" error.  Traceroute shows the path ending at 2607:f798:10:10ac:0:690:6325:5193.  I have no idea where that is, but it's certainly not on my network.  Host lookup doesn't provide a host name.  Why is pfSense trying to route a ULA off my network?  Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.


  • Netgate

    Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

    Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.

    Those block inbound connections, not outbound. You have to specifically block RFC1918 and ULA from egressing outbound using floating rules on WAN out. At least that's how I like to do it.



  • @Derelict:

    Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

    Does it require a specific route to be added?  In Cisco & Linux routers, the interface networks are added automatically, so it's not necessary to specify the route.  The prefix is correct in RA subnets and the computer gets the correct address.

    Netstat -r doesn't show the ULA route for the LAN or LAN4.  However, the first column, showing networks, is truncated, so the full address is not shown for all networks, but I think all interfaces show the global address routes.


  • Rebel Alliance Global Moderator

    You wouldn't need to add a route for anything directly connected via pfsense.  But pfsense has to have a ULA address in that prefix on the interface connected to the network you're using the ULA on.

    If you just set up the RA to hand out the ula prefix, pfsense wouldn't have to have an actual ULA address on that interface.. So yeah it would try routing it out its default IPv6 gateway..



  • I tried adding a virtual IPv6 address to the LAN interface and it shows in ifconfig.  I can ping it from the pfSense command shell, but not from another computer.  The RAs advertise the ULA network, but not the pfSense interface address.



  • I tried setting up a static route, but the only choices for gateway were the WAN or loopback interfaces.  I couldn't select the actual interface.  When I select the loopback ::1, traceroute shows multiple lines of the firewall address.

    Is it not possible to get pfSense to route ULA networks?  If not, that is a serious fault, as ULAs are just like RFC1918 IPv4 addresses, in that they can be routed, but not onto the Internet.  I have no problem routing IPv4 RFC1918 addresses properly.



  • I set up the LAN interface as a gateway for the ULA address.  I can ping the interface ULA from my notebook, but pinging the desktop ULA displays "Time Exceeded: Hop limit" and traceroute6 shows the firewall repeatedly and not going beyond it.


  • Netgate

    Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.



  • @Derelict:

    Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.

    The LAN interface has both global and ULA addresses on it.  Global addresses work fine.  How do I assign a 2nd address?  I created the subnet on the RA page and even created an alias on the Virtual IPs page.  Ifconfig shows the virtual IP and I can ping it from the pfSense computer, but not from the desktop computer, which has both global and ULA addresses.  The virtual address on the pfSense computer is fd48:1a37:2160::1 and the desktop has fd48:1a37:2160:0:61af:b555:ad10:3fd2.

    When I ping from pfSense to the desktop, this is what I see.
    ping6 fd48:1a37:2160:0:61af:b555:ad10:3fd2
    PING6(56=40+8+8 bytes) fd48:1a37:2160::1 --> fd48:1a37:2160:0:61af:b555:ad10:3fd2

    There is no response from the desktop.  If I have a static route configured, traceroute keeps cycling through the pfSense computer.  If I don't have a static route configured, it tries to go out to the 'net.

    Also, Wireshark does not show any pings, in either direction.  However, the RA contains "ICMPv6 Option (Prefix information : fd48:1a37:2160::1/128)" and "ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)" , so the router ULA address is being advertised.

    Either I'm missing something, or ULA routing isn't working properly.  As I mentioned, IPv4 RFC1918 addresses route properly.

    The desktop system is running openSUSE 42.3.



  • Just to update, I have 3 interfaces as follows
    LAN global and ULA
    VLAN3 ULA only
    LAN4 global only.

    From the pfSense computer or a computer on LAN4, I cannot ping the ULA on the desktop on either LAN or VLAN3.  On the pfSense computer, I can ping its own ULA on both LAN and VLAN3.



  • Assigning a virtual IP on the LAN interface caused it to lose the global address.  There's definitely something wrong with the way pfSense handles ULA.


  • Netgate

    IDK, man. I just did it and it worked fine.

    DHCP WAN, Track Interface LAN, ULA IP Alias VIP /64 on LAN, Added ULA /64 as a subnet for RA on LAN, firewall rule passing all traffic from ULA::/64 on LAN, booted test VM:

    pfSense LAN:
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
    ether fe:e0:54:6e:79:49
    hwaddr fe:e0:54:6e:79:49
    inet 172.25.233.1 netmask 0xffffff00 broadcast 172.25.233.255
    inet6 2001:dead:beef:fd01:fce0:54ff:fe6e:7949 prefixlen 64
    inet6 fe80::1:1%re0 prefixlen 64 scopeid 0x1
    inet6 fd08:1e26:8fea:525b::1 prefixlen 64
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active

    Test host interface:
    derelict@Host-B1:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 9a:b3:de:87:fa:4b 
              inet addr:172.25.233.100  Bcast:172.25.233.255  Mask:255.255.255.0
              inet6 addr: fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b/64 Scope:Global
              inet6 addr: fe80::98b3:deff:fe87:fa4b/64 Scope:Link
              inet6 addr: 2001:dead:beef:fd01:98b3:deff:fe87:fa4b/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:205 errors:0 dropped:0 overruns:0 frame:0
              TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:34081 (34.0 KB)  TX bytes:15844 (15.8 KB)

    To pfSense LAN VIP:
    derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b fd08:1e26:8fea:525b::1
    PING fd08:1e26:8fea:525b::1(fd08:1e26:8fea:525b::1) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=1 ttl=64 time=0.518 ms
    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=2 ttl=64 time=0.294 ms
    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=3 ttl=64 time=0.684 ms

    --- fd08:1e26:8fea:525b::1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1998ms
    rtt min/avg/max/mdev = 0.294/0.498/0.684/0.161 ms

    To the WAN address of upstream pfSense:
    derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b 2001:dead:beef:7fff::ed96:eec5
    PING 2001:dead:beef:7fff::ed96:eec5(2001:dead:beef:7fff::ed96:eec5) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=1 ttl=64 time=0.524 ms
    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=2 ttl=64 time=0.287 ms
    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=3 ttl=64 time=0.320 ms

    --- 2001:dead:beef:7fff::ed96:eec5 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.287/0.377/0.524/0.104 ms

    I don't have routing for that ULA from anything else.

    Note this is a recent 2.4-RC since that's what my test environment is currently running.


  • Netgate

    And with NPt to an unused /64 on pfSense WAN:
    derelict@Host-B1:~$ ping6 -n -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b www.google.com
    PING www.google.com(2607:f8b0:400e:c05::63) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
    64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=1 ttl=46 time=59.6 ms
    64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=2 ttl=46 time=83.8 ms
    64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=3 ttl=46 time=58.7 ms

    --- www.google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 58.704/67.398/83.847/11.640 ms



  • I'll have to go through the stuff you provided, however I made some changes and did some more testing.  At the moment, the configuration is as follows:

    LAN global & ULA
    LAN4 ULA only
    VLAN3 ULA only

    The desktop computer has both LAN and VLAN3 configured and the notebook is on LAN4 only.

    If I ping the laptop by forcing ping over VLAN3, it works.  However, when via LAN, no response.  Wireshark on the notebook shows both request and reply, but on the desktop, only the request.  From the pfSense computer, I can ping the notebook and the VLAN3 address of the desktop, but not the LAN address.  Wireshark does not show any ping requests from pfSense to the LAN interface.  So, there is still something about the LAN interface that's causing problems.

    I see you have a ULA address fd08:1e26:8fea:525b::1 on the LAN interface.  How did you put it there?  I do not have one.  I used a virtual IP last night, but this morning, the virtual IP was there, but the global address was gone.

    The network ULA addresses are as follows:
    LAN  fd48:1a37:2160:0::
    VLAN3  fd48:1a37:2160:3::
    LAN4  fd48:1a37:2160:4::

    Netstat -r on pfSense shows:

    fd48:1a37:2160:3:: link#8            U      bge0_vla
    fd48:1a37:2160:3:: link#8            UHS        lo0
    fd48:1a37:2160:4:: link#2            U          em0
    fd48:1a37:2160:4:: link#2            UHS        lo0

    Note there is no line for fd48:1a37:2160:0::.

    There is also this on the WAN interface:

    fd07:f798:3:16e::  link#3            U          re0
    fd07:f798:3:4172:: link#3            U          re0

    There are no other ULA addresses listed.  So, pfSense doesn't have a route to fd48:1a37:2160:0::.



  • I think I found it.  I had to set the VIP prefix to /64.  Also, curious that the pfSense graphical admin doesn't show the 2nd address on either the dashboard or interface status.  Netstat -r does though.


  • Rebel Alliance Global Moderator

    "I had to set the VIP prefix to /64"

    What else would you have set it to?



  • The default is /128, so if you forget to change it…

    Now I can add gazillions of security cameras to that network!  ;)
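    Derelict's asymmetric-reply explanation earlier in the thread and the finding just above that the ULA VIP had to be /64 rather than /128 both come down to a longest-prefix-match route lookup. The following is an added example, not code from the thread or from pfSense: the addresses are the thread's own, while the interface names eth0, eth0.3, bge0, re0 and the WAN gateway fe80::1%re0 are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, egress interface, next-hop gateway or None when connected).
Route = Tuple[str, str, Optional[str]]


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix-match lookup of dst: returns (interface, next_hop).

    next_hop is "direct" for a connected route, otherwise the gateway address.
    Returns None when no route of the right address family matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface, gw)
    if best is None:
        return None
    return best[1], best[2] or "direct"


# Case 1: the desktop with a LAN and a VLAN3 interface (addresses from the
# thread; interface names eth0 / eth0.3 are assumed for illustration).
DESKTOP_ROUTES: List[Route] = [
    ("172.16.0.0/24", "eth0", None),       # LAN, desktop is 172.16.0.10
    ("172.16.3.0/24", "eth0.3", None),     # VLAN3, desktop is 172.16.3.10
    ("0.0.0.0/0", "eth0", "172.16.0.1"),   # default via pfSense LAN address
]


def desktop_reply_path(notebook_addr: str) -> Tuple[str, str]:
    """Interface and next hop the desktop uses to answer the notebook."""
    return lookup(DESKTOP_ROUTES, notebook_addr)


def reply_is_asymmetric(arrival_iface: str, notebook_addr: str) -> bool:
    """True when the reply leaves on a different interface than the request
    arrived on, i.e. the router only ever sees one half of the exchange."""
    iface, _ = desktop_reply_path(notebook_addr)
    return iface != arrival_iface


# Case 2: pfSense with the LAN ULA VIP fd48:1a37:2160::1 at /128 versus /64.
# "bge0" as the LAN interface and the WAN default gateway are assumed.
WAN_DEFAULT: Route = ("::/0", "re0", "fe80::1%re0")


def pfsense_egress(vip_prefixlen: int, dst: str) -> Tuple[str, str]:
    """Egress for dst given the VIP prefix length. A /128 only yields a host
    route (the "UHS lo0" kind of line in netstat -r), not a connected /64, so
    any other host in the ULA prefix falls through to the default route."""
    vip_iface = "bge0" if vip_prefixlen < 128 else "lo0"
    routes: List[Route] = [
        (f"fd48:1a37:2160::1/{vip_prefixlen}", vip_iface, None),
        WAN_DEFAULT,
    ]
    return lookup(routes, dst)
```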



  • I just tried pinging ipv6.google.com from a computer with a ULA and I see the requests heading out of the WAN port.  I guess I should create a rule to block ULA addresses.


  • Netgate

    Yup. Just like RFC1918.



  • I just created a floating rule to block fc::/7 in both directions, but the pings are still leaving the firewall.
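    An added example (not from the thread): before trusting an egress-block rule, check that the prefix as written actually contains the ULA hosts it is meant to cover. The host list is constructed from the fd48:1a37:2160::/48 prefixes quoted earlier in the thread.

```python
import ipaddress
from typing import List


def normalised(rule_prefix: str) -> str:
    """The network a prefix string denotes once host bits are masked off.

    Notation trap: "fc::" is the single hextet 0x00fc followed by zeros, so
    "fc::/7" masks down to ::/7. The ULA block defined in RFC 4193 is fc00::/7.
    """
    return str(ipaddress.ip_network(rule_prefix, strict=False))


def rule_covers(rule_prefix: str, addr: str) -> bool:
    """True if a rule written with rule_prefix would match addr."""
    net = ipaddress.ip_network(rule_prefix, strict=False)
    return ipaddress.ip_address(addr) in net


def uncovered(rule_prefix: str, addrs: List[str]) -> List[str]:
    """Addresses the rule would not match, and which could therefore still
    leave via WAN even though the rule is present."""
    return [a for a in addrs if not rule_covers(rule_prefix, a)]


# Constructed list of ULA hosts based on the prefixes quoted in the thread.
THREAD_ULA_HOSTS = [
    "fd48:1a37:2160::1",                     # LAN VIP on pfSense
    "fd48:1a37:2160:0:61af:b555:ad10:3fd2",  # desktop on LAN
    "fd48:1a37:2160:3::1",                   # constructed host on VLAN3
    "fd48:1a37:2160:4::1",                   # constructed host on LAN4
]
```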



  • Netgate

    Did you kill the existing states?

    Or at least stop and restart the ping?


  • Netgate

    You should also check quick there.