Connecting two networks without sharing internet access

  • Ok, so we have two sites, each with their own internet connection, site 1 and site 2.
    Site 1 is my place and my IP range is
    Site 2 is my cousin's house, range is

    We will be putting a wireless network bridge between our houses. I am the one running pfSense with a quad-port gigabit Intel NIC.

    We don't want to share internet access or have DHCP issues, so we will have to block ports 67-68 on whatever kind of bridge we do.

    Will our networks talk to each other, or do we have to set up some kind of static routes?

    The thought I had was to connect the bridge to OPT1 on my pfSense machine, bridge that to my LAN, then create a firewall rule to allow all traffic to pass to OPT1, then create another rule that blocks UDP 67-68. Then on his end plug it into the "LAN" port on his Netgear router.

    I've seriously been scratching my head and googling for a good 2 days in my spare time at work, and for the life of me I can't figure out how to connect two networks with different network addresses like that.

  • LAYER 8 Global Moderator

    Why would you bridge this? You are using 2 different networks, so you would not bridge your networks.

    What sort of router is your cousin using?

    The proper way to do this would be with a site-to-site connection over your wireless bridge between the locations. This then allows you to firewall what you want while allowing what you want, etc.

    You could also use IPsec for your site-to-site.

    What exactly are you using to bridge between your houses? So routers running DD-WRT and Pringles-can antennas, or something like a real wireless bridge, say a UniFi Loco M2 or M5?

  • We are using EnGenius EnStation5s to act as the physical bridge. What we are looking to do is be able to share each other's NASes and basically share a complete network.

    Guess the reason I was thinking bridge was I didn't realize you could do a VPN between two networks over a physical connection. Our internet sucks, which is why we are going for a physical link between them; our uploads are 2 Mbps and 1 Mbps respectively.

    Thanks for the tip on using a VPN, guess I will do some reading on how to configure that correctly.

    Edit: ok, so all the guides I'm looking at show using the WAN interface. Would I simply switch that over to the LAN, or would I want to use something like OPT1 to plug the bridge into?

  • LAYER 8 Global Moderator

    Don't try and use TAP or bridge your 2 networks... Use a typical site-to-site sort of setup...

    What router does your cousin have? If you do not do it correctly and try and have, say, a host on his network do the VPN, then you more than likely will end up with asymmetrical routing. What you should end up with is something like attached.

  • Yeah, that drawing is exactly on point.

    I'm running pfSense, he's running DD-WRT. I'm not 100% on his router exactly; I do know it's pretty new.

    I'm researching site-to-site VPNs currently. All the setups I've seen thus far involve setting the WAN as the interface for the connection, as though it was a remote site-to-site. Guess I need to work on my Google skills a little more, lol.

  • LAYER 8 Global Moderator

    No, you don't need to use your WAN... Just create a new interface in pfSense as transit; it could even be a VLAN on one of your current physical interfaces if your switch supports VLANs.

    As to DD-WRT, while it's slick and makes nice use of shitty SOHO hardware, it's still very, very, very limited in features and power compared to anything running pfSense. But if it can isolate one of its switch ports as a different VLAN, you should be able to do it no problem.

    You don't really even need to set up any sort of VPN or site-to-site for this, since you have a private connection. This is just a simple transit network with simple routes... No need for IPsec or OpenVPN even... Since your wireless connection would already be encrypted.

    So really all you're doing is connecting 2 routers with a transit network. So as long as his DD-WRT supports the ability to create a VLAN and route, you should have no issues.

  • Ok, so his router couldn't do a VLAN on a separate NIC, so what we did was set OPT1 to his subnet and allowed all traffic to pass via rules to LAN and vice versa. We blocked DHCP so we didn't have any IP issues. The issue we are having is that I have full access to all his stuff, but he can just see my router on either interface, or he can ping either one and log in to the system on either one. I attached screenshots of all the things; my ARP table shows all of his devices fine enough.

    The random routes in his router are just because we have been trying just about everything. If we remove the top one he loses ping to my router on the 1.1, so it's doing something, but the route of 1.5 doesn't allow him to reach my server.

    ![opt1 rules.png](/public/imported_attachments/1/opt1 rules.png)
    ![opt1 device.png](/public/imported_attachments/1/opt1 device.png)
    ![lan rules.png](/public/imported_attachments/1/lan rules.png)
    ![arp table.png](/public/imported_attachments/1/arp table.png)
    ![network map.png](/public/imported_attachments/1/network map.png)

  • LAYER 8 Global Moderator

    In such a setup you're going to be asymmetrical.

    You are going to want to create a transit network... Use a router on his side so you can create an actual transit network.

    A device on 192.168.50/24 wanting to go to 192.168.1 is going to hit its gateway, which will just send the traffic back down the wifi link. But when you answer, you are not going to send the traffic back to since pfSense is directly connected to 192.168.50, so it would just send the traffic direct to those devices.

    If you want to do it that way, you would need to create host routes on the devices in 192.168.50 telling them that to get to 192.168.1/24 they talk to the pfSense OPT1 interface.

    Also, if you can ping but cannot get into a server on that device, it could have a firewall not allowing access from 192.168.50. Keep in mind that even if you allow that on the firewall of the devices in 192.168.1, you're still asymmetrical, which can cause other issues.

    If you're going to have devices on a transit network, then you need to do host routing on those devices in the transit network.

  • Yeah, we have static routes on his router telling it to send 192.168.0/24 traffic to OPT1 at which is letting him ping and access my pfSense router on but he can't access anything else on my network. On OPT1 I have his router set as the gateway, which is what let me communicate with all his devices in every way.

    Him being able to ping and log in to my router ( from his desktop ( would make me think he should not have an issue getting through to other devices on my end, which is why I'm thinking it has something to do with my config.

    I posted screenshots of both our configs in my last post, not sure if I did it right though.

    Do you have a link to some good documentation on how a transit network works and how to set one up? I've been googling it, but nothing really comes up within the realm of what we are trying to do at all.

    I think we might have to get him set up on a pfSense machine at some point and get that set up, but for now his simple Asus router doesn't have what we need to do what I think you are suggesting.

  • LAYER 8 Global Moderator

    A transit or transfer network is networking 101... It would be any network that connects "routers".

    Yes, you created a route on his router, but the traffic is asymmetrical in flow, since pfSense will not send the traffic back to his router: its interface is directly connected to that network and can see all the hosts directly via ARP.

    On one of his PCs create a route that points 192.168.1/24 to your address - that would remove the asymmetrical routing. If you're still having issues and you can ping, then most likely the device you're trying to talk to has a firewall that doesn't allow whatever you're trying to do from this 192.168.50 network.

  • Ok, so for the transit network, I'd have my PC -> LAN on pfSense -> OPT1 -> wireless connection -> WAN on router A ( -> LAN port on router B -> his devices?

  • LAYER 8 Global Moderator

    It wouldn't be WAN on his router, it would just be another interface... He has another interface on that router for WAN that would go to the internet.

    See the drawing I first posted, that is a transit network. The 172.16.0/30.

    A box in 192.168.1 wants to get to 192.168.50.x - so it hits its gateway. The router says "oh, to get to 192.168.50/20 I send the traffic to ". That router says "oh, this traffic wants to go to 192.168.50.x... I have that network attached, let me send it to him."

    On the way back, follow the exact same path back... Symmetrical vs Asymmetrical ;)

    No concerns with DHCP since you're not on the same layer 2... And you wouldn't run DHCP on the transit interfaces. You may need to run something larger than a /30 if you want to be able to get to your wireless bridge devices to manage them, since they would also have IPs on this 172.16 network. Or maybe they have a management VLAN or interface?
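    To make the symmetrical vs asymmetrical point in the post above concrete, here is an added example; it is not from the thread and not pfSense code. It is a small longest-prefix-match forwarding simulator that traces the forward and reply path for the three layouts the thread discusses: pfSense OPT1 sitting directly on his 192.168.50.0/24, the same plus the host route suggested on one of his PCs, and a 172.16.0.0/30 transit network between the two routers. Only the three prefixes (192.168.1.0/24, 192.168.50.0/24, 172.16.0.0/30) come from the thread; every host and router address (192.168.1.10, 192.168.50.2, 172.16.0.1, 172.16.0.2 and so on) is an assumption made up for the example.

```python
# Added example: longest-prefix-match forwarding simulator for the two-site
# layouts discussed in the thread. Not pfSense code; all host and router
# addresses below are assumptions, only the three prefixes come from the thread.
import ipaddress as ipa


class Node:
    """A host or router: interface addresses plus static routes."""

    def __init__(self, name, addrs, routes=()):
        self.name = name
        self.ifaces = [ipa.ip_interface(a) for a in addrs]
        self.routes = [(ipa.ip_network(d), ipa.ip_address(nh)) for d, nh in routes]

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns None when dst is on a directly connected network (the node ARPs
        for dst and sends straight to it, bypassing any router), otherwise the
        next-hop address. Ties go to the connected route, as on FreeBSD/pfSense."""
        best = None  # (prefixlen, is_connected, next_hop)
        for i in self.ifaces:
            if dst in i.network:
                cand = (i.network.prefixlen, 1, None)
                if best is None or cand[:2] > best[:2]:
                    best = cand
        for net, nh in self.routes:
            if dst in net:
                cand = (net.prefixlen, 0, nh)
                if best is None or cand[:2] > best[:2]:
                    best = cand
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[2]


def trace(nodes, src_ip, dst_ip, max_hops=16):
    """Return the node names a packet from src_ip to dst_ip passes through."""
    src, dst = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    cur = by_ip[src]
    path = [cur.name]
    for _ in range(max_hops):  # hop limit guards against routing loops
        if cur.owns(dst):
            return path
        nh = cur.next_hop(dst)
        cur = by_ip[dst] if nh is None else by_ip[nh]
        path.append(cur.name)
    raise RuntimeError("hop limit exceeded (routing loop?)")


def is_symmetric(nodes, a, b):
    """True when the reply path is exactly the forward path in reverse."""
    return trace(nodes, a, b) == list(reversed(trace(nodes, b, a)))


def build_flat():
    """What was tried first: pfSense OPT1 (assumed 192.168.50.2) sits directly on his LAN."""
    return [
        Node("my-pc", ["192.168.1.10/24"], [("0.0.0.0/0", "192.168.1.1")]),
        Node("pfsense", ["192.168.1.1/24", "192.168.50.2/24"]),
        Node("his-router", ["192.168.50.1/24"], [("192.168.1.0/24", "192.168.50.2")]),
        Node("his-pc", ["192.168.50.10/24"], [("0.0.0.0/0", "192.168.50.1")]),
    ]


def build_flat_with_host_route():
    """Same layout, plus the host route the moderator suggests on his PC."""
    nodes = build_flat()
    nodes[3].routes.insert(0, (ipa.ip_network("192.168.1.0/24"), ipa.ip_address("192.168.50.2")))
    return nodes


def build_transit():
    """Proper transit network: the two routers meet on 172.16.0.0/30 (addresses assumed)."""
    return [
        Node("my-pc", ["192.168.1.10/24"], [("0.0.0.0/0", "192.168.1.1")]),
        Node("pfsense", ["192.168.1.1/24", "172.16.0.1/30"], [("192.168.50.0/24", "172.16.0.2")]),
        Node("his-router", ["192.168.50.1/24", "172.16.0.2/30"], [("192.168.1.0/24", "172.16.0.1")]),
        Node("his-pc", ["192.168.50.10/24"], [("0.0.0.0/0", "192.168.50.1")]),
    ]


if __name__ == "__main__":
    for label, build in [("flat (OPT1 on his LAN)", build_flat),
                         ("flat + host route on his PC", build_flat_with_host_route),
                         ("transit /30", build_transit)]:
        nodes = build()
        fwd = trace(nodes, "192.168.50.10", "192.168.1.10")
        back = trace(nodes, "192.168.1.10", "192.168.50.10")
        print(f"{label}:\n  {' -> '.join(fwd)}\n  {' -> '.join(back)}"
              f"\n  symmetric: {is_symmetric(nodes, '192.168.50.10', '192.168.1.10')}")
```

    Running it shows the flat layout's reply leaving pfSense straight to his PC, because the connected 192.168.50.0/24 on OPT1 wins the lookup and his router is never consulted on the way back; the host route and the transit /30 both restore a mirror-image path. The practical caveat is the one the moderator raises: any stateful device that sits on only one leg of an asymmetric flow never sees the other half and may drop or mangle the connection.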

  • Yeah, they have a management interface.

    Just wanted to update: the whole issue we were having was his Asus router did not like my ; as soon as I changed to he was getting packets all the way through. Thanks for all the help guys, I think I know what we need to do in the future to get it symmetrical now! Need to get him on a better router, but I don't think he wants to, lol.

    Me: pfSense
    OPT1 "transit network"
    static route ->

    Him: pfSense
    OPT2 "transit network"
    static route ->

  • One last update: I figured out the main issue we were having. We had the antennas set up with one as a wifi access point and one as a wifi bridge; that was causing the issues we were having. He's now on pfSense as well, but setting the antennas up both as WDS bridge solved all issues 100%, since it makes the connection 100% transparent; it acts just like an ethernet cable bridging the gap. Guess it had something to do with showing the requests coming from a different MAC address than the other or something, idk.

  • LAYER 8 Netgate

    As an aside, I would still be tempted to IPsec the traffic even though the wireless might be encrypted.

    You could use IPsec transport mode for that.
