• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

LAN, use opt as lan interface

General pfSense Questions
lan side interfaces bridge vlan
4
16
3.2k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    netgater
    last edited by Dec 14, 2019, 4:40 PM

    ahh the CCIE set you off right? deaden your ability to listen well. As I mentioned I lost my touch long ago so , I'm pretty sure your smarter than me.
    If you read carefully and din't focus on CCIE and typos. I said I tried replicating all FW rules applied to LAN, it means i copied all default fw rules in the LAN and applied to my new interface except the anti-lockout rule. I didn't see any packet hitting the FW rules, no icmp, no nothing , zero packets) on the new interface as they do with the default LAN interface. "Then clearly you have L2 connectivity" god spare me the OSI layer bottom up troubleshooting. You sound like a network expert from Dlink supporting elderly who cannot access the internet.
    Please god help me, still hoping there are anyone older than an 8th grader in this forum. Really need help.

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz Dec 14, 2019, 4:48 PM Dec 14, 2019, 4:44 PM

      Again post up your rules you created... Can not tell you what is wrong without you actually showing it..

      Here is what happens users says they did X, when they really did Y! If you do not post up what you actually have set there is no way for me to help you find what you did wrong..

      Because it really is this simple.

      Create IP on interface optX, lets call it 192.168.42.1/24
      Enable dhcp server on this interface - lets call the scope 192.168.42.100-200

      Client gets 192.168.42.200 via dhcp, with gateway and dns pointing to 192.168.42.1

      But without any rules on optX to allow, nothing going to happen.. Your not going to ping anything, your not going to get to the internet, etc..

      Unless you dicked with the outbound nat, when you created your new interface pfsense would of automatically added this to your outbound nat.. But again without rules on optX to allow what you want - nothing going to work.

      Common problem is user put TCP vs any for the rule - so no ping (icmp) or dns (udp) doesn't work...

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      N 1 Reply Last reply Dec 14, 2019, 4:55 PM Reply Quote 1
      • N
        netgater @johnpoz
        last edited by Dec 14, 2019, 4:55 PM

        @johnpoz you're the expert you know there are 3 default rules applied to lan on a new setup pfsense,
        allow any any ipv4,
        allow any any ipv6, and anti lockout rule.
        I copied and applied the any any ipv4 and any any ipv6 (not that I need it) to the new lan (opt). No packet is hitting the rules. The fact that i got ip from the scope it means i should at least some udp packets there. But there is none.

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Dec 14, 2019, 5:02 PM Dec 14, 2019, 5:01 PM

          Dude I can not help you without you actually showing what you did!!!

          Did you copy the rules and leave them set to lan net vs your new opt net??

          Do you not know how to post a screenshot???

          If you got an IP from your dhcp scope on pfsense... Then you should see traffic sent to pfsense IP... When you sniff...

          Post up your settings!!! Did you put some rules in floating? Those are evaluated before your interface rules.

          login-to-view

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          N 1 Reply Last reply Dec 14, 2019, 5:12 PM Reply Quote 1
          • N
            netgater @johnpoz
            last edited by Dec 14, 2019, 5:12 PM

            @johnpoz effing hell, nope, I'm out of here. Can't do this anymore. We're not going anywhere with this, clearly you and I are on a different frequencies.
            Don't have time troubleshooting with an amateur network expert working as a tier 1 tech support in small market consumer-grade network vendor. Or a network engineer supporting 2 spoke sites or someone lower in the food chain, I'll give 10 yrs to get high 6 figure salary. You have the drive you'll get there.

            I give up. I honestly thank you for being helpful.

            P. S.
            If anyone can read this and have answer. I'm not here to troubleshoot with children. Im here for guidance how pfsense behave and how am i able to achieve what I'm trying to do. Not here te hear recommendations about best practice and topology suggestions.

            1 Reply Last reply Reply Quote 1
            • D
              Derelict LAYER 8 Netgate
              last edited by Derelict Dec 14, 2019, 7:28 PM Dec 14, 2019, 5:23 PM

              It behaves just like any other firewall. Layer 1, Layer 2, Layer 3. You remember the OSI model from your CCNA studies right?

              How do i make my opt interfaces like a 2nd LAN interface. I just want to have a 2nd or 3rd lan interface that behave exactly like the LAN interface.

              Do you want the new ports to be on the same broadcast domain or different broadcast domains than LAN?

              @johnpoz just showed everything necessary to get a new interface working as a separate router/firewall interface (a different broadcast domain):

              1. Create the interface, enable it, and number it
              2. Enable the DHCP server on the interface (optional if you want to statically configure hosts)
              3. Add firewall rules to pass connections established by hosts on that interface into the firewall
              4. Be sure the interface source addresses match the rules for Outbound NAT

              That is all that is required to get basic connectivity for those hosts. Of course, you have to do everything you need to do to get Layer 2 connectivity between the hosts and the router interface port.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 1
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz Dec 14, 2019, 5:37 PM Dec 14, 2019, 5:35 PM

                We're not going anywhere with this

                Nope not going to get anywhere when mister ccie can not figure out how to show is work for validation..

                Lets see your sniff you did.. Clearly the dhcp discover got there if your client actually got dhcp from pfsense interface you setup... But you can not show us this?

                What your saying is not actually possible - if you got dhcp from pfsense, then you would see traffic via a sniff.. It wouldn't of been able to hand you dhcp if not, etc..

                If you can not be bothered to show us what you actually did, vs what your saying your doing - since clearly that is not working.. Then no we are never going to get anywhere.

                But you know what happens all the time - even non ccie does this...Is they set the firewall rule to be tcp vs any... And then can not figure out why its not working... Or they put the wrong source net on the rule, etc.. But guess you know the 2 second screenshot showing what you did is too much trouble..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 1
                • K
                  kiokoman LAYER 8
                  last edited by Dec 14, 2019, 6:28 PM

                  if you think that you have already done as @johnpoz and derelic suggested but it's still not working there must be something wrong on what you did, it's a realy simple implementation and there are no bug or malfunction on pfsense that can prevent that from working, only layer 8. that's why we always ask for screenshot, most of the time -> ppl says they did X, when they really did Y unintentionally, 4 or more eyes are better than 2.

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  1 Reply Last reply Reply Quote 2
                  • N
                    netgater
                    last edited by Dec 15, 2019, 4:44 AM

                    It worked guys thank you very much to @johnpoz for your patience it works for me. Sorry, I didn't have access to my router yesterday hence couldn't provide any screenshots.
                    You acting like a dick from the get go, kind of overshadowed your awesomeness. Thanks anyways.

                    1 Reply Last reply Reply Quote 0
                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz Dec 15, 2019, 11:19 AM Dec 15, 2019, 11:03 AM

                      Dick? Really? Calling you out on calling yourself a ccie when clearly everyone knows that is not even close to true is not being a dick... That is just calling someone out on their BS!

                      So what was the problem, only tcp for the rule? Wrong source?
                      Maybe you had policy route on the rule? But that wouldn't of stopped ping to pfsense IP? Only ping to other lan.. That is another common mistake.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      16 out of 16
                      • First post
                        16/16
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.