separate lans



  • My current setup is as follows: 2 servers at 192.168.1.10 and 192.168.1.13 that need to be accessible to all clients. I have the pfSense box with 2 interfaces, WAN and LAN. LAN is connected to a switch, then the switch is connected to a WAP along with other devices. Everyone can see everyone and it all works.

    What I would like to do is separate some devices onto their own network where they can't access the devices on the other network, but everyone on both networks needs to be able to access those server IPs and also the internet. I thought of just creating firewall rules, but that wouldn't work since the LAN traffic would never reach the pfSense box.

    I first tried simply creating firewall rules blocking specific IPs from accessing others, but this wouldn't work since that traffic never reaches the pfSense box and is handled by the switch.

    I thought of creating a separate subnet; DHCP would assign to one default network. On the other network, devices would have to be manually assigned static IPs. Or would static DHCP reservations work for another subnet on the DHCP server? How would I go about accomplishing this? Thanks


  • LAYER 8 Netgate

    You need two inside interfaces and two LAN subnets.

    These can be physical interfaces into two switches or VLAN interfaces into a managed switch.

    Then you pass the traffic to the servers, block everything else to that subnet, then pass everything (the internet).

    The clients you want to firewall will have to be on a separate interface from the servers so they can be regulated with firewall rules.
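    As an added illustration (not from this thread and not pfSense's own code), a small Python model of the top-down, first-match rule order described above for the OPT1 interface, using the two server addresses from the question. It also shows why the block rule for the LAN subnet has to sit above the allow-everything rule.

    ```python
    import ipaddress

    # Addresses from the thread: the two shared servers and the existing LAN subnet.
    SERVERS = {"192.168.1.10", "192.168.1.13"}
    LAN_NET = ipaddress.ip_network("192.168.1.0/24")

    # Rules applied to traffic entering pfSense on OPT1 (the client subnet).
    # Evaluated top-down, first match wins, which is how pfSense orders rules.
    # Each rule: (action, destination-match function, description)
    OPT1_RULES = [
        ("pass",  lambda dst: str(dst) in SERVERS, "OPT1 clients to the shared servers"),
        ("block", lambda dst: dst in LAN_NET,       "everything else on the LAN subnet"),
        ("pass",  lambda dst: True,                 "anything else, i.e. the internet"),
    ]

    # Same three rules with the block placed below the allow-all (a common mistake).
    WRONG_ORDER = [OPT1_RULES[0], OPT1_RULES[2], OPT1_RULES[1]]


    def evaluate(dst_ip, rules=OPT1_RULES):
        """Return (action, description) of the first rule matching dst_ip.

        If nothing matches, pfSense's implicit default deny applies.
        """
        dst = ipaddress.ip_address(dst_ip)
        for action, matches, description in rules:
            if matches(dst):
                return action, description
        return "block", "implicit default deny"


    if __name__ == "__main__":
        for ip in ("192.168.1.10", "192.168.1.13", "192.168.1.20", "8.8.8.8"):
            print(ip, "->", evaluate(ip))
        # With the block rule misplaced, a LAN host is reachable from OPT1:
        print("192.168.1.20 (wrong order) ->", evaluate("192.168.1.20", WRONG_ORDER))
    ```
    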



  • Thanks for the quick response.
    I would like to add that devices from both networks are connected to the same WAP, and the switch is an unmanaged switch. Could this still be done using VLANs? The pfSense box does have an unused ethernet port, so if needed I could add another physical interface, but it would be connected to the same switch.

    Would something like this work:
    - keep the existing LAN interface at 192.168.1.0
    - add a second interface, OPT1, at 192.168.2.0
    - on the LAN DHCP server check "Deny unknown clients" and manually add all DHCP static mappings
    - on OPT1 leave DHCP enabled normally (would all new devices, or devices not mapped in LAN DHCP, get an IP from this subnet?)
    - firewall rules would now work since traffic between interfaces must pass through pfSense, so I can just block everything between LAN and OPT1 except the server IPs
    - and both interfaces would use the same gateway

    Am I missing something? This wouldn't require VLANs either, right?


  • LAYER 8 Netgate

    Nope, if you want to play you have to pay. Get a managed switch and an AP that speaks 802.1Q.



  • Also, if you want to segregate the wireless users, you will need a WAP which supports VLAN-based SSIDs as well.

