    Multiple WAN IPs towards multiple isolated LANs
    Edigest

      I would like to use a single pfSense virtual firewall to handle several WAN IPs, and each WAN IP X should be "connected" to a specific LAN Y; each LAN should be isolated from the other.

      Example:
      LAN1 : 192.168.0.x
      LAN2: 192.168.1.x
      WAN IP1: 11.11.11.11
      WAN IP2: 11.11.12.12

      • LAN1 and LAN2 should not be able to talk to each other
      • Port 443,80 of WAN IP1 should be forwarded to 192.168.0.100 of LAN1
      • Port 443,80 of WAN IP2 should be forwarded to 192.168.1.200 of LAN2

      What is the best solution/configuration of the pfSense ?
      Should I use a single WAN interface with multiple IPs?
      Is it better to create multiple DMZs?
      Single LAN with IP aliases?
      On the LANs side, should I use a single switch with a different VLAN for each LAN, or should I use multiple switches ?

      Thank you in advance.

      JeGr (LAYER 8 Moderator)

        @Edigest said in Multiple WAN IPs towards multiple isolated LANs:

        Should I use a single WAN interface with multiple IPs?

        If you get all those WAN IPs from a provider or another internal network there's no need for separate interfaces. You want to isolate the LANs, the WAN IPs shouldn't matter.

        Is it better to create multiple DMZs?

        To fully isolate - yes.

        Single LAN with IP aliases?

        Such a setup (various IP ranges on a single physical interface without VLANs) is never separated and secure! Don't do that!

        On the LANs side, should I use a single switch with a different VLAN for each LAN, or should I use multiple switches ?

        Multiple switches if you are really paranoid about things, but AFAIK there are still no real world active attack scenarios against VLANs so using a (good!) single switch with VLAN capabilities should be fine. Just create separate VLANs and configure them in pfsense as e.g. DMZ1/DMZ2.

        What is the best solution/configuration of the pfSense ?

        That depends. Do those LANs need internet or "WAN" access? Should they only respond to incoming queries via their respective WAN IP? Depending on the answers of what those DMZs/LANs should be able to do, your ruleset will have to reflect this. If you want to make sure they can't see each other just put a blocking rule with the other respective DMZ/LAN network on top of everything else on that interface e.g. for DMZ1:

        block any from dmz1_net any to dmz2_net any

        and vice versa. If you wanna grow that setup later, just create an alias consisting of all private address space (RFC1918) and use that as destination instead of dmz2_net. This way you block all private IP space as destination (depending on whether your WAN is in a private address range, too, and whether you have destinations there that should be available.)

        Greets

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          Edigest @JeGr

          @JeGr Thank you very much, very clear.

          That depends. Do those LANs need internet or "WAN" access? Should they only respond to incoming queries via their respective WAN IP?

          Each LAN Y should be able to navigate through its corresponding WAN IP (NAT WAN IP1<->LAN1, NAT WAN IP2<->LAN2), and they should only respond to incoming queries via their respective WAN IP (only some ports should be port forwarded to a member of the corresponding LAN).

          So to summarise your hints:

          • single WAN with multiple WAN IPs (WAN aliases)
          • multiple DMZs (one for each LAN )
          • virtual switch with VLAN support (each pfSense DMZ connected to a specific switch port with the corresponding VLAN)

          Did I miss something?

            JeGr (LAYER 8 Moderator)

            @Edigest said in Multiple WAN IPs towards multiple isolated LANs:

            Did I miss something?

            Don't think so. You should turn off automatic outbound NAT, too, and configure it manually: leave those 127.0.0.1 and ::1 rules intact but remove all rules belonging to the DMZs and only map those networks (let's call them DMZ1/DMZ2) to the respective WAN IP you wish that subnet to have.

            Besides that and a tight firewall ruleset you should be good to go.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

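The isolation rules from JeGr's first reply and the manual outbound NAT from the last one, written out as a pf ruleset in the shape pfSense generates (an added example, not configuration from the thread or from pfSense itself). Interface names, the 192.168.0.1 / 192.168.1.1 gateway addresses and TCP for the forwarded ports are assumptions; the subnets, WAN IPs and forward targets are the ones from the question.

```pf
# Added example, not from the thread. Interface names, gateway addresses
# and the use of TCP for the forwarded ports are assumptions.
wan  = "vmx0"
dmz1 = "vmx1"   # VLAN carrying LAN1, 192.168.0.0/24
dmz2 = "vmx2"   # VLAN carrying LAN2, 192.168.1.0/24
dmz1_net = "192.168.0.0/24"
dmz2_net = "192.168.1.0/24"
wan_ip1  = "11.11.11.11"
wan_ip2  = "11.11.12.12"
# The "grow later" alias from the reply: all RFC1918 space as one table
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- NAT: automatic outbound NAT off, mapped by hand per DMZ ---
# What automatic mode would have generated and what the reply says to
# remove: every local subnet leaving through the primary WAN address.
#   nat on $wan from $dmz1_net to any -> ($wan)
#   nat on $wan from $dmz2_net to any -> ($wan)
# Kept: the localhost rule (its ::1 counterpart has the same shape).
nat on $wan from 127.0.0.0/8 to any -> $wan_ip1
# Manual mapping: each subnet leaves only through its own WAN IP. There is
# no catch-all, so a DMZ added later has no outbound NAT until mapped here.
nat on $wan from $dmz1_net to any -> $wan_ip1
nat on $wan from $dmz2_net to any -> $wan_ip2
# Port forwards: 80/443 on each WAN IP to the host in its own LAN
rdr on $wan proto tcp from any to $wan_ip1 port { 80, 443 } -> 192.168.0.100
rdr on $wan proto tcp from any to $wan_ip2 port { 80, 443 } -> 192.168.1.200

# --- Filter: first match wins via "quick", default deny underneath ---
block all
pass out quick all               # replies and forwarded traffic leave freely
# WAN: only the forwarded ports reach the DMZ hosts (addresses after rdr)
pass in quick on $wan proto tcp from any to 192.168.0.100 port { 80, 443 }
pass in quick on $wan proto tcp from any to 192.168.1.200 port { 80, 443 }

# DMZ1: the isolation block sits on top of everything else, as advised.
# Caveat the thread does not mention: pfSense's own DMZ1 address is inside
# <rfc1918>, so DNS to the firewall must be passed ahead of the block or
# the hosts lose name resolution.
pass in quick on $dmz1 proto { tcp, udp } from $dmz1_net to 192.168.0.1 port 53
block in quick on $dmz1 from $dmz1_net to <rfc1918>
pass in quick on $dmz1 from $dmz1_net to any    # internet, NATed to WAN IP1

# DMZ2: mirror image, NATed to WAN IP2
pass in quick on $dmz2 proto { tcp, udp } from $dmz2_net to 192.168.1.1 port 53
block in quick on $dmz2 from $dmz2_net to <rfc1918>
pass in quick on $dmz2 from $dmz2_net to any
```

Because the block rule uses the RFC1918 table rather than dmz2_net, a DMZ3 added later is isolated from DMZ1 and DMZ2 without touching their rules; only its own interface rules and NAT mapping need adding.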