Adding a second lan (not sure what to call it)

  • In the diagram below, there is a working pfsense setup for a web server (and other LAN clients that are not shown). Everything comes through the public IP.

    I need to add a separated WIFI for public use, but I want them to be able to hit our web server. I have added a second WAN interface to the pfsense box that uses an internal IP.

    Pfsense can ping the wifi router and vice versa, but traffic won't pass through in either direction.

                CABLE MODEM
                /         \
     Public IP /           \
     (Static) /             \
    +-------------+    +-------------+
    |   PFSENSE   |    |    WIFI     |
    +-------------+    +-------------+
           |                  |
    +-------------+    +-------------+
    | WWW Server  |    | WIFI CLIENT |
    +-------------+    +-------------+

    Effectively I need to ping It should not be difficult to do, but I just can't seem to get it. Any thoughts would be appreciated!

  • If you have only 1 static IP, a 2nd WAN interface is not needed. Everything will still go out by the same IP.
    So, you have some kind of AP or wireless router that is connected directly to your ISP modem, and that AP or wireless router has 2 subnets, one for the company's use and a second for guests/employee cellphones?

  • This can be done with either VLANs or an OPT1 interface. We would need to know more about your hardware. What does your pfSense box have for interfaces? Do you have a managed switch available? Is your wifi an all-in-one wifi router, or just an AP?

  • @pfrickroll
    I agree - we only added the 2nd WAN interface because of this project. I think the second external interface is necessary. I'm pretty sure the cable modem won't allow internal IPs (that it assigns by DHCP). To put it differently, I couldn't ping the wifi router from pfSense over the public IP, but plugging in another network interface with DHCP lets it ping. Unnecessary - maybe.

    The wifi router (with AP's and various guest cellphones mainly) has only one subnet. I can change those settings as needed.
    Wifi is not used for company purposes out of a distrust of wireless networks and the sensitivity of our LAN traffic (healthcare).

  • @kom
    Wifi router is an OpenWrt router with a couple of UniFi Pro APs.

    pfSense is on a PC with a WAN, LAN, and an OPT1 that I just added (USB NIC.. gag ... in the image above)

    I don't have any managed switches.

  • OK, so get a dumb switch for $10, put it on OPT1, get rid of the openwrt router and put the APs on the switch. Then you have pfSense doing everything, and you can use firewall rules to control access from OPT1 to LAN. If you go this route, you might want to replace the USB NIC with something better.

  • In the current physical setup you won't be able to achieve it without a managed switch. You could plug all your WiFi network into the OPT1 interface on pfSense and then, through firewall rules, achieve the result of one LAN reaching the other.

  • @kom Boss won't go for the AP on the LAN side of the firewall

  • It's not on the LAN side, it's on the OPT1 side. Totally different networks. You can easily isolate them.
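The isolation described in the two replies above (guests on OPT1 reach only the web server, nothing else on LAN, plus the Internet), written as a pf ruleset of the kind pfSense generates from its GUI rules. This is an added example, not configuration from anyone in the thread; interface names, subnets and the web server address are constructed placeholders.

```pf
# Constructed example: interface names and addresses are assumptions, not from the thread.
ext_if  = "em0"   # WAN (public static IP)
lan_if  = "em1"   # LAN (company network, sensitive traffic)
opt1_if = "ue0"   # OPT1 (guest wifi; a USB NIC as in the thread)

lan_net  = "192.168.1.0/24"
opt1_net = "192.168.50.0/24"
www_srv  = "192.168.1.10"      # WWW Server on LAN

# All private address space; used to deny guests anything internal that is not explicitly allowed.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
block log all                  # default deny on every interface

# --- OPT1 (guest) rules: first match wins because of "quick", so order matters ---

# Guests may reach the web server on HTTP/HTTPS and ping it (the thread's test).
pass in quick on $opt1_if proto tcp  from $opt1_net to $www_srv port { 80, 443 } keep state
pass in quick on $opt1_if inet proto icmp from $opt1_net to $www_srv icmp-type echoreq keep state

# Guests may use the DNS and DHCP that pfSense itself serves on OPT1.
pass in quick on $opt1_if proto { tcp, udp } from $opt1_net to ($opt1_if) port 53 keep state
pass in quick on $opt1_if proto udp from any port 68 to any port 67 keep state

# Everything else from guests toward any private network (LAN included) is dropped and logged.
block in log quick on $opt1_if from $opt1_net to <rfc1918>

# Only now: guests may go out to the Internet.
pass in quick on $opt1_if from $opt1_net to any keep state

# --- LAN rules: company hosts may go anywhere ---
pass in quick on $lan_if from $lan_net to any keep state

# Stateful replies and forwarded traffic leave on whichever interface routes them.
pass out quick all keep state
```

In the pfSense GUI the same thing is three rules on the OPT1 tab, top to bottom: pass TCP from "OPT1 net" to the web server on 80/443, block from "OPT1 net" to "LAN net" (or to an RFC1918 alias), then pass from "OPT1 net" to any. The block must sit above the pass-to-any rule, since pfSense rules are evaluated first match; with the order reversed, guests would reach every LAN host.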

  • @kom face palm

    I think I could add DHCP to OPT1 and move the WIFI router to a bridge setup behind OPT1. I may be short on IP addresses for the guests...

    I may be able to move the WWW over to OPT1 with the wifi... I'll sketch that out.