Manage multi Lan with one Lan interface and one WAn
-
Hello Everyone!
I need help for my new installation of PFSENSE.
The question is simple : it's possible with only one interface LAN and one WAN interface manges more than one LAN?
As you can view on the attachment, I have one LAN (10.160.99.X) where i installed
pfsense and all the client in this LAN surf perfectly on the web through PFSENSE.But my company has other LAN that communicates all together and each lan has
a router, in a configuration "STAR". And at this point begins the problem -__-If i changed the setting for the proxy(10.160.99.36 Pfsense) on the client in others LAN, i discovered
that can't surf in the web. But the client can ping the ip of PfsenseAnyone can suggest me where i can proceed? I have to create VLAN, static route, firewall rules?
Please, help me i'm stuck with this… :'(
-
This one is a bit confusing. I'm going to make assumptions here and hope they are right based on your diagram.
Assuming YellowRouter has 2 interfaces. One plugged into 10.160.99/24 net at .200. And another interface that is trunked for the 10.160.[2,3,4].0/24 clients.
Assuming the PFsense has 2 interfaces, one that the YellowRouter and 10.160.99/24 clients plug into (We'll call LAN). And The WAN interface for the internet.Assuming all that, the YellowRouter needs it's default route (GW) changed to 10.160.99.36 (The PFesnse LAN)
The clients on 10.160.99/24 need their GW changed to 10.160.99.36.
You will need 1 or 3 static routes added to the PFSense (depending on how wide you want it.
The 1 static route can be used to send any traffic for 10.160.0.0/21 to 10.160.99.200. The YellowRouter will handle it from there.
That /21 is 10.160.0-7 in range and encompasses what you have there. If you don't want a route "that wide" use 3 individual route entries for:
10.160.2.0/24, 10.160.3.0/24, and 10.160.4.0/24 and point them at 10.160.99.200 (YellowRouter)Once those routes are in place all clients should be able to talk to the internet and the other clients.
I am banking on one major thing being true in this, PFSense can do hairpin routes. I've never tried it, but I know cisco firewalls cannot but many other firewalls can (palo alto, fortinet, etc) so I'm banking on this being true for PFSense.
A hairpin route is when a packet enters an interface and is routed back out the same interface. If PFSense is not capable of hairpin routing, then some other changes will need to happen first to make it all work. -
Hello everyone,
thank you for your support!
Now i try to explain better that situation. Yesterday i found, maybe, a good idea that causes this block.
Yes, the explanations were not very clear, but the reason is that I do not know my network very well.
Anyway, yesterday from various pc i launched the tracert command and, yes, my diagram isn't correct!For example :
from a LAN 10.160.3.1 the result is this :
1 1 ms 1 ms 1 ms 10.160.3.201
2 3 ms 2 ms 2 ms 10.10.0.10
3 4 ms 4 ms 4 ms 10.10.0.2
4 4 ms 4 ms 7 ms 10.10.0.1
5 4 ms 9 ms 3 ms 10.160.99.36so there are many other passages before the packet get to the PFSENSE
and above all it is no longer the network that I imagined at the last step…From this LAN pfsense doesn't work and the pc can't surf on internet.
And i believe i have to work in pfsense for make it work, but I do not know how to do it.
Instead, from this other LAN, 10.160.2.0,
the tracert result is this :1 4 ms 6 ms 1 ms 10.160.2.201
2 <1 ms <1 ms <1 ms 10.160.99.36and PFSENSE works like a charm.
and obviously from the network, 10.160.99.0,
the tracert command shows that there is only one passage
from my pc to PFSENSE, and yes it works.Summing up, when I try to connect at pfsense from the networks that pass
on this way doesn't work.10.160.3.201 or 10.160.4.201 or 10.160.5.201 = there are the gateway of the LAN
10.10.0.10
10.10.0.2
10.10.0.1
10.160.99.36 = PFSENSEI hope i was clear. Thanks a lot!