Netgate Discussion Forum
    Adding a second lan (not sure what to call it)

    Category: Routing and Multi WAN
    10 Posts 3 Posters 798 Views

    spittlbm

      In the diagram below, there is a working pfsense setup for a web server (and other LAN clients that are not shown). Everything comes through the public IP.

      I need to add a separated WIFI for public use, but I want them to be able to hit our web server. I have added a second WAN interface to the pfsense box that uses an internal IP.

      pfSense can ping the wifi router and vice versa, but traffic won't pass through in either direction.

      
      +---------------------------------------+
      |                                       |
      |       CABLE MODEM (10.1.10.1)         |
      |                                       |
      +---------------------------------------+
         |              |              |
         |Public IP     |              |
         |(Static)      |10.1.10.30    |10.1.10.20
         |              |              |
         |              |              |
      +-------------------+      +----------------+
      |                   |      |                |
      |   PFSENSE         |      |   WIFI         |
      |                   |      |                |
      +-------------------+      +----------------+
              |                          |
              |                          |
      +-------------------+      +-----------------+
      |                   |      |                 |
      |   WWW Server      |      |   WIFI CLIENT   |
      |   192.168.1.9     |      |   192.168.2.11  |
      |   255.255.255.0   |      |   255.255.255.0 |
      +-------------------+      +-----------------+
      

      Effectively I need 192.168.2.11 to ping 192.168.1.9. It should not be difficult to do, but I just can't seem to get it. Any thoughts would be appreciated!


      pfrickroll

        If you have only 1 static IP, 2nd WAN interface is not needed. Everything will still go out by the same IP.
        So, you have some kind of AP or wireless router that is connected directly to your ISP modem, and that AP or wireless router has 2 subnets one for company's use and second for guests/employee cellphones?


        KOM

          This can be done with either VLANs or an OPT1 interface. We would need to know more about your hardware. What does your pfSense box have for interfaces? Do you have a managed switch available? Is your wifi an all-in-one wifi router, or just an AP?


          spittlbm @pfrickroll

            @pfrickroll
            I agree - we only added the 2nd WAN interface because of this project. I think the second external interface is necessary. I'm pretty sure the cable modem won't allow internal IPs (that it assigns by DHCP). To put it differently, I couldn't ping the wifi router from pfSense over the public IP, but plugging in another network interface with DHCP lets it ping. Unnecessary - maybe.

            The wifi router (with AP's and various guest cellphones mainly) has only one subnet. I can change those settings as needed.
            Wifi is not used for company purposes out of a distrust of wireless networks and the sensitivity of our LAN traffic (healthcare).


            spittlbm @KOM

              @kom
              Wifi router is an OpenWrt router with a couple of UniFi Pro APs.

              pfSense is on a PC with a WAN, LAN, and an OPT1 that I just added (USB NIC... gag... 10.1.10.30 in the image above).

              I don't have any managed switches.


              KOM

                OK, so get a dumb switch for $10, put it on OPT1, get rid of the OpenWrt router and put the APs on the switch. Then you have pfSense doing everything, and you can use firewall rules to control access from OPT1 to LAN. If you go this route, you might want to replace the USB NIC with something better.


                pfrickroll @spittlbm

                  In the current physical setup you won't be able to achieve it without a managed switch. You could plug all of your WiFi network into the OPT1 interface on pfSense and then, through firewall rules, achieve the result of one LAN reaching the other.


                  spittlbm @KOM

                    @kom Boss won't go for the AP on the LAN side of the firewall.


                    KOM

                      It's not on the LAN side, it's on the OPT1 side. Totally different networks. You can easily isolate them.


                      spittlbm @KOM
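The design KOM and pfrickroll describe (guest wifi on its own OPT1 interface, with pfSense rules deciding what OPT1 may reach on LAN) sketched as a pf rule set. This is an illustration added here, not the thread's configuration and not what pfSense itself generates: in pfSense you would enter the equivalent rules on the OPT1 tab under Firewall > Rules, and pfSense writes the pf syntax for you. The interface names em1/em2, the OPT1 subnet 192.168.2.0/24, and the web ports 80/443 are assumptions; the LAN subnet 192.168.1.0/24 and the web server at 192.168.1.9 come from the original post.

```pf
# Added illustration (not from the thread, not pfSense-generated output).
# Guest wifi on OPT1 (assumed em2, 192.168.2.0/24) may reach only the web
# server on LAN (192.168.1.9, from the original post) and the Internet.
# pfSense evaluates its per-interface rules as "quick" rules, first match
# wins, so order matters: exceptions first, then the block, then the catch-all.
lan_if    = "em1"                      # assumed
opt1_if   = "em2"                      # assumed
lan_net   = "192.168.1.0/24"           # from the post
opt1_net  = "192.168.2.0/24"           # assumed guest subnet
www_srv   = "192.168.1.9"              # from the post
web_ports = "{ 80, 443 }"              # assumed
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# 1. Guests may use the firewall itself only for DHCP and DNS.
#    DHCP DISCOVER comes from 0.0.0.0 to the broadcast address, so it cannot be
#    matched by "from $opt1_net"; match on the ports instead. pfSense adds a
#    rule like this automatically when the DHCP server is enabled on OPT1.
pass in quick on $opt1_if proto udp from any port 68 to any port 67
pass in quick on $opt1_if proto { tcp, udp } from $opt1_net to ($opt1_if) port 53

# 2. The one permitted path into LAN: the web server, on the web ports only,
#    plus ICMP echo so that "192.168.2.11 ping 192.168.1.9" from the first post works.
pass in quick on $opt1_if proto tcp from $opt1_net to $www_srv port $web_ports flags S/SA keep state
pass in quick on $opt1_if inet proto icmp icmp-type echoreq from $opt1_net to $www_srv keep state

# 3. Everything else aimed at the firewall's own OPT1 address or at any private
#    range (LAN, other OPTs, the 10.1.10.0/24 modem side) is dropped and logged.
block drop in log quick on $opt1_if from $opt1_net to ($opt1_if)
block drop in log quick on $opt1_if from $opt1_net to $rfc1918

# 4. Whatever remains has a public destination: let it out to the Internet.
pass in quick on $opt1_if from $opt1_net to any keep state
```

Two points a practitioner would check. Rule 3 is what makes the two networks "totally different" in KOM's sense: without it, rule 4's "to any" would also pass guest traffic into 192.168.1.0/24. And the web server is still a LAN host that guests can talk to, so it is the one machine on the sensitive LAN exposed to the wifi; the last post's idea of moving the WWW server over to the OPT1 side removes that exception entirely, and rule 2 could then be deleted.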

                        @kom face palm

                        I think I could add DHCP to OPT1 and move the WIFI router to a bridge setup behind OPT1. I may be short on IP addresses for the guests...

                        I may be able to move the WWW over to OPT1 with the wifi... I'll sketch that out.

                        Thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.