Adding a second lan (not sure what to call it)

spittlbm

In the diagram below, there is a working pfsense setup for a web server (and other LAN clients that are not shown). Everything comes through the public IP.

I need to add a separated WIFI for public use, but I want them to be able to hit our web server. I have added a second WAN interface to the pfsense box that uses an internal IP.

Pfsense can ping the wifi router and vice versa, but traffic won't pass through in either direction.


+---------------------------------------+
|					|
|	CABLE MODEM (10.1.10.1)		|
|					|
+---------------------------------------+
   |	    	  |		   |
   |Public IP	  |		   |
   |(Static)   	  |10.1.10.30	   |10.1.10.20
   |	   	  |		   |
   |	   	  |		   |
+-------------------+	+----------------+
|		    |	|		 |
|   PFSENSE	    |	|   WIFI	 |
|		    |	|		 |
+-------------------+	+----------------+
	|			|
	|			|
+-------------------+	+-----------------+
|		    |	|		  |
|   WWW Server	    |	|   WIFI CLIENT	  |
|   192.168.1.9     |	|   192.168.2.11  |
|   255.255.255.0   |   |   255.255.255.0 |
+-------------------+	+-----------------+

Effectively I need 192.168.2.11 to ping 192.168.1.9. It should not be difficult to do, but I just can't seem to get it. Any thoughts would be appreciated!

pfrickroll

If you have only 1 static IP, 2nd WAN interface is not needed. Everything will still go out by the same IP.
So, you have some kind of AP or wireless router that is connected directly to your ISP modem, and that AP or wireless router has 2 subnets one for company's use and second for guests/employee cellphones?

KOM

This can be done with either VLANs or an OPT1 interface. We would need to know more about your hardware. What does your pfSense box have for interfaces? Do you have a managed switch available? Is your wifi an all-in-one wifi router, or just an AP?

spittlbm

@pfrickroll
I agree - we only added the 2nd WAN interface because of this project. I think the second external interface is necessary. I'm pretty sure the cable modem won't allow internal IP's (that it assigns by DHCP). To put it differently, I couldn't ping the wifi router from pfsense over the public IP, but plugging in another network interface with DHCP let's it ping. Unnecessary - maybe.

The wifi router (with AP's and various guest cellphones mainly) has only one subnet. I can change those settings as needed.
Wifi is not used for company purposes out of a distrust of wireless networks and the sensitivity of our LAN traffic (healthcare).

spittlbm

@kom
Wifi router is an openwrt router with a couple of unifi-pro AP's.

pfsense is on a pc with a WAN, LAN , and an OPT1 that I just added (USB nic.. gag ... 10.1.10.30 in the image above)

I don't have any managed switches.

KOM

OK, so get a dumb switch for $10, put it on OPT1, get rid of the openwrt router and put the APs on the switch. Then you have pfSense doing everything, and you can use firewall rules to control access from OPT1 to LAN. If you go this route, you might want to replace the USB NIC with something better.

pfrickroll

In a current physical setup you won't be able to achieve it without managed switch. You could plug all your WiFi network into OPT1 interface on pfSense and then through firewall rules achieve results of one LAN reaching the other.

spittlbm

@kom Boss won't go for the AP on the lan-side of the firewall

KOM

It's not on the LAN side, it's on the OPT1 side. Totally different networks. You can easily isolate them.

spittlbm

@kom face palm

I think I could add DHCP to OPT1 and move the WIFI router to a bridge setup behind OPT1. I may be short on IP addresses for the guests...

I may be able to move the WWW over to OPT1 with the wifi... I'll sketch that out.

Thanks