Configure a second pfsense box to add 2 subnets



  • Hi there, at our company we have 2 pfsense SGs due to having 1 AT&T fiber connection and 1 Comcast Business Coaxial connection. One of our pfsense boxes has died, so I ended up restoring a configuration to get our network back up. I sent out the other box for repair, which we just got back.

    On our Corp LAN, we have two guest Wifi networks (BYOD) which were run through the Pfsense box (the one whose config is missing). Each of these Wifi networks goes through a unifi gateway and they have the gateway addresses 192.168.2.1 & 192.168.3.1.

    I just got the WAN programmed and brought the box back online, but I am lost as to how I can create the 2 networks and then somehow connect them to our 172.16.9.1/24 network (we have Dell switches) in which the unifi gateway resides, as I only see you can set 1 LAN per interface port from the GUI. I don't recall there being two cables plugged in. Is there a way to configure 2 separate VLANs onto 1 LAN interface on the pfsense box, leave DHCP off, and somehow have it then route the traffic back so the unifi gateway can utilize the 2nd ISP's (Comcast's) internet on the 2 Wifis? I am learning networks and would appreciate any insight. I found the port on the Dell switch that I believe it was previously plugged into, which has STP enabled on it. The Dell switches don't appear to be doing any routing; I am afraid to plug the 2nd pfsense into this port and take down my company's network in the process.



  • @chris1337c said in Configure a second pfsense box to add 2 subnets:

    Is there a way to configure 2 separate vLANS onto 1 LAN interface on the pfsense box

    Yep, really easy. Go to Interfaces -> Assignments, and click on the VLAN tab. Add a new one, assign it to your LAN interface as the parent interface, and repeat for as many VLANs as you want. Then, you need to enable them and give these interfaces IP address settings. You can find all that under the Interfaces menu by clicking on the specific VLAN you just created.

    Keep in mind, to actually use these VLAN interfaces, you need to add pass firewall rules, because by default they are created with none. For an example, check your LAN rules; there's a pass any source to any destination rule in there. Simply duplicate it for your VLAN interfaces, or you could also recreate it for your VLAN interfaces. Recreating existing rules is a good way to actually learn how to build them.

    Jeff



  • @akuma1x thank you for the insight, I was able to get the VLANs set up on the pfsense box exactly how you described (assigning both to the opt1 interface, since I am remotely using the LAN interface). I am worried about plugging it into the switch. There are two Dell PowerEdge switches stacked; I found a port that has STP enabled and nothing plugged into the other end, and I am assuming this was where the pfsense was originally plugged in. I am assuming that, by the unifi controller having the gateways 192.168.2.1 & 192.168.3.1 set up, it will be able to see the VLANs and the service to the wifi will be restored. On the Dell switches I dug through the GUI and can't seem to find any routing done on them, so it's a safe assumption they are L2 (since they are old). Since the pfsense boxes were switched around, I am wondering if I should reboot the network to flush out the tables and let the switches rebuild the MAC/port table.



  • All ports are untagged on the switch. I haven't identified if they are trunked or not, but I suspect that they are. These Dell switches are driving me nuts; Cisco guy here.
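The two posts above turn on one detail: a pfSense VLAN sub-interface sends 802.1Q-tagged frames, and a switch port that is "all untagged" (an access port) will not carry a VLAN it is not a tagged member of. The following is an added example, not code from pfSense, Dell or this thread: it builds and parses 802.1Q frames and models the ingress decision of a switch port, so you can see what happens to the two guest VLANs on an untagged port versus a port that carries them tagged. The VLAN IDs 2 and 3, the port name and the MAC addresses are constructed values (the thread never states the VLAN IDs), and the model only covers ingress, not the egress side or MAC learning.

```python
"""802.1Q model of the VLAN-to-switch-port question in this thread.

Added example, not pfSense or Dell code. A pfSense VLAN sub-interface emits
802.1Q-tagged frames; an access (untagged-only) switch port drops tagged
frames for VLANs it is not a tagged member of. VLAN IDs 2 and 3, the port
name and the MAC addresses below are constructed values.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Ethernet II frame; with vlan_id, insert an 802.1Q tag (PCP 0, DEI 0)."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = vlan_id & 0x0FFF            # PCP/DEI bits zero, VID in the low 12 bits
    return (dst + src + struct.pack("!HH", ETHERTYPE_VLAN, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]    # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Decode the Ethernet header and, if present, the single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return ParsedFrame(dst, src, vlan_id, ethertype, frame[offset:])


@dataclass(frozen=True)
class SwitchPort:
    name: str
    pvid: int                               # VLAN that untagged frames join
    tagged: FrozenSet[int] = frozenset()    # VLANs carried tagged (empty = access port)


def ingress(port: SwitchPort, frame: bytes) -> Optional[Tuple[int, ParsedFrame]]:
    """Ingress decision: (vlan, frame) the switch forwards on, or None if dropped."""
    parsed = parse_frame(frame)
    if parsed.vlan_id is None:
        return port.pvid, parsed            # untagged frame joins the PVID
    if parsed.vlan_id in port.tagged:
        return parsed.vlan_id, parsed
    return None                             # tagged for a VLAN this port does not carry


def guest_vlans_reach_switch(port: SwitchPort, vlan_ids=(2, 3)) -> dict:
    """For each pfSense VLAN sub-interface, does a tagged frame survive the port?"""
    pfsense_mac = bytes.fromhex("020000000001")   # constructed, locally administered
    broadcast = b"\xff" * 6
    result = {}
    for vid in vlan_ids:
        frame = build_frame(broadcast, pfsense_mac, b"ARP who-has ...", vlan_id=vid)
        result[vid] = ingress(port, frame) is not None
    return result


if __name__ == "__main__":
    access_port = SwitchPort("gi1/0/24", pvid=1)                       # all untagged
    trunk_port = SwitchPort("gi1/0/24", pvid=1, tagged=frozenset({2, 3}))
    print("untagged port:", guest_vlans_reach_switch(access_port))    # {2: False, 3: False}
    print("tagged port:  ", guest_vlans_reach_switch(trunk_port))     # {2: True, 3: True}
```

The practical reading for this thread: if the Dell port the second pfSense goes into really is untagged only, the two VLAN sub-interfaces on opt1 will be silent on the switch side even though pfSense is configured correctly; the port has to carry VLANs 2 and 3 tagged (and the unifi side has to expect them tagged) before DHCP or routing questions even arise.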



  • I don't know what STP does on a Dell switch like that, it might just be used to prevent looping.

    Where is your DHCP server on your network? Is it all being provided by your pfsense box, or something else?

    Your LAN port on your pfsense box - what is that connected to?

    Jeff



  • @akuma1x DHCP for the 172.16.9.1/24 (LAN port on the live pfsense box) is all handled by the other pfsense box that is already connected to the Dell switch. That is the only other network that is configured and plugged into the switch that I see on the box. The pfsense box I just set up the VLANs on is plugged into nothing but the laptop.



  • @akuma1x
    Pfsense 1 (LAN 172.16.9.1/24 DHCP on) -> Dell switches (stacked)
    Pfsense 2 (LAN 192.168.1.1/24 DHCP off) -> laptop
    Opt1 (configured the two vlans on this)
    192.168.2.1/24 DHCP off
    192.168.3.1/24 DHCP off



  • I essentially have 2 connections & 2 pfsense firewalls. 1 is connected to our managed switch (Dell PowerEdge pos) 172.16.9.1/24, and the second one previously died without any configurations saved (durrrp previous IT guy). I got the new one back and set up the VLANs to match the gateways of the wireless networks on the unifi controller (this is on a 172.16.9.# internal server); the wireless guest networks are 192.168.2.1/24 & 192.168.3.1/24. I am not understanding how the previous IT guy was able to have both of these firewalls plugged into the same switch, have DHCP turned on, and yet have the wifi devices reaching out to the APs -> unifi -> pull an IP from the 2nd firewall. I am afraid to turn DHCP on and plug it into the switch as this could take down the production network. I have been reading for hours and need a hero.


  • No idea why you would have two pfSense nodes for two WANs.

    That would require the hosts know how to route to either node based on where they are trying to go.

    A much more common way to handle it is to connect both WANs to different interfaces on the outside node, create a gateway group, and policy route to it for the inside host traffic.

    https://docs.netgate.com/pfsense/en/latest/book/multiwan/index.html

    I perused this thread and cannot get a clear picture of what you are trying to do based on your descriptions.

    A proper network diagram would probably be in order since the design sounds rather unconventional.
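To make the suggested single-firewall design concrete, here is an added example, not pfSense code and not from this thread, that models the decision path of the reply above: a per-interface policy rule names a gateway group, the group hands traffic to the lowest-tier gateway that is up, and if no member is up the packet falls back to the default route. The gateway, group and interface names and the WAN addresses are assumptions; the three inside subnets are the ones given in this thread. It goes slightly beyond the reply by showing failover between tiers, which is what a gateway group buys you over a plain per-rule gateway.

```python
"""Policy-routing model for the single-firewall multi-WAN design suggested in
the reply above. Added example, not pfSense code: gateway, group and
interface names and the WAN addresses are assumptions; the inside subnets
are the ones from this thread.

Selection order: first matching rule on the ingress interface -> named
gateway or gateway group -> lowest tier with a gateway that is up ->
otherwise the default route.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    address: str
    up: bool = True


@dataclass
class GatewayGroup:
    name: str
    tiers: Dict[int, List[str]]    # tier -> gateway names; lower tier preferred


@dataclass
class PolicyRule:
    interface: str                 # ingress interface the rule is attached to
    source: str                    # CIDR the source address must fall in
    gateway: Optional[str] = None  # gateway or group name; None = ordinary routing


class PolicyRouter:
    def __init__(self, gateways: List[Gateway], groups: List[GatewayGroup],
                 rules: List[PolicyRule], default_gateway: str):
        self.gateways = {g.name: g for g in gateways}
        self.groups = {g.name: g for g in groups}
        self.rules = rules                      # evaluated top-down, first match wins
        self.default = self.gateways[default_gateway]

    def resolve_group(self, group: GatewayGroup) -> Optional[Gateway]:
        """Lowest tier wins; within a tier, the first gateway that is up."""
        for tier in sorted(group.tiers):
            for name in group.tiers[tier]:
                if self.gateways[name].up:
                    return self.gateways[name]
        return None                             # every member is down

    def select_gateway(self, interface: str, src_ip: str) -> Gateway:
        """Gateway a packet from src_ip arriving on interface is sent to."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.interface != interface:
                continue
            if ip not in ipaddress.ip_network(rule.source):
                continue
            if rule.gateway is None:
                break                           # matched, but no policy route
            if rule.gateway in self.groups:
                chosen = self.resolve_group(self.groups[rule.gateway])
                return chosen if chosen is not None else self.default
            gw = self.gateways[rule.gateway]
            return gw if gw.up else self.default
        return self.default                     # no match: default route


def build_router() -> PolicyRouter:
    """Assumed layout: corp LAN prefers AT&T, the two guest VLANs prefer Comcast."""
    gateways = [Gateway("WAN_ATT", "203.0.113.1"),        # documentation addresses
                Gateway("WAN_COMCAST", "198.51.100.1")]
    groups = [GatewayGroup("CORP_WAN", {1: ["WAN_ATT"], 2: ["WAN_COMCAST"]}),
              GatewayGroup("GUEST_WAN", {1: ["WAN_COMCAST"], 2: ["WAN_ATT"]})]
    rules = [PolicyRule("lan", "172.16.9.0/24", "CORP_WAN"),
             PolicyRule("vlan2", "192.168.2.0/24", "GUEST_WAN"),
             PolicyRule("vlan3", "192.168.3.0/24", "GUEST_WAN")]
    return PolicyRouter(gateways, groups, rules, default_gateway="WAN_ATT")


if __name__ == "__main__":
    router = build_router()
    print("lan   ->", router.select_gateway("lan", "172.16.9.50").name)       # WAN_ATT
    print("vlan2 ->", router.select_gateway("vlan2", "192.168.2.20").name)    # WAN_COMCAST
    router.gateways["WAN_COMCAST"].up = False
    print("vlan2 (Comcast down) ->",
          router.select_gateway("vlan2", "192.168.2.20").name)                # WAN_ATT
```

Note the source-network check in each rule: a packet arriving on vlan2 with a source outside 192.168.2.0/24 matches nothing and follows the default route, which is the same first-match behaviour you get from pfSense's per-interface rule tabs and is why the pass rules Jeff mentioned earlier are usually written per VLAN rather than as one any-to-any rule.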

