    Multiple pfSense boxes sharing LAN

    ruben.rothermel

      I need a few tips regarding a setup at school. Right now we have 2 pfSense boxes, each with their own WAN and multiple LANs. One is for the student body (400 users total... 200+ connected) and another for staff (100 users... 50+ connected).

      We have some common services (academic portal, library, printers, etc.) so what would be better:

      1. One single pfSense box managing everything, but in HA/redundant mode with a second box?
      2. Separate pfSense boxes (like we have now) but with a shared LAN for the common services?
        This LAN could have our SQL+file+PHP+web servers, AD, DNS, printers, equipment GUIs...
        or, even better, take the SQL+file+PHP+web servers and put them into a DMZ LAN?

      I need to have the library resources, Moodle and a few printers accessible to the students and all staff.

      I saw some posts with a transfer link to interconnect pfSense boxes, but can this be a common shared Services LAN or DMZ LAN?


      stephenw10 (Netgate Administrator)

        No, you would not want to have any hosts on a shared subnet. It would almost inevitably end up with asymmetric routing.
        You would have to add static routes on all those hosts to avoid it.

        You could have a transport subnet on a link between the two firewalls and route traffic across it to access resources behind the other device.

        I would use just one pfSense box (or an HA pair) with multiple internal interfaces and regulate all the traffic there.

        Steve


          ruben.rothermel @stephenw10
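Steve's point about asymmetric routing, as an added illustration that is not part of the thread: a small Python model of route lookups, with constructed addresses and node names (FW-A, FW-B, WAN-A, WAN-B and the prefixes are all assumed), traces the request and reply paths under the shared-LAN design (option 2) and under a transit link with static routes.

```python
import ipaddress

# Added illustration, not from the thread: why a subnet shared by both
# firewalls routes asymmetrically while a transit link does not. Constructed
# topology, every address assumed: FW-A fronts the student side, FW-B the
# staff side, and a staff client talks to a shared server.
STAFF, SERVICES = "10.20.0.0/16", "10.30.0.0/24"
CLIENT, SERVER = "10.20.5.7", "10.30.0.10"

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop); 'direct' = on-link."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src, dst_ip, dst):
    """Hop from src following next hops until dst_ip is delivered on-link."""
    path, node = [src], src
    while node in tables and (nh := lookup(tables[node], dst_ip)) not in (None, "direct"):
        path.append(nh)
        node = nh
    return path + [dst]

def round_trip(tables):
    """(request path, reply path) for CLIENT <-> SERVER under one design."""
    return (trace(tables, "client", SERVER, "server"),
            trace(tables, "server", CLIENT, "client"))

def is_symmetric(req, rep):
    """A stateful firewall needs both directions; the reply must retrace."""
    return req == list(reversed(rep))

# Option 2 from the thread: server on a LAN shared by both firewalls, with
# FW-A as its only gateway; FW-A knows the staff net is behind FW-B.
SHARED_LAN = {
    "client": [("0.0.0.0/0", "FW-B")],
    "FW-B":   [(STAFF, "direct"), (SERVICES, "direct"), ("0.0.0.0/0", "WAN-B")],
    "server": [("0.0.0.0/0", "FW-A")],
    "FW-A":   [(SERVICES, "direct"), (STAFF, "FW-B"), ("0.0.0.0/0", "WAN-A")],
}
# Steve's alternative: server behind FW-A only, with a transit link between
# the firewalls carrying a static route for the networks on the other side.
TRANSIT_LINK = {
    "client": [("0.0.0.0/0", "FW-B")],
    "FW-B":   [(STAFF, "direct"), (SERVICES, "FW-A"), ("0.0.0.0/0", "WAN-B")],
    "server": [("0.0.0.0/0", "FW-A")],
    "FW-A":   [(SERVICES, "direct"), (STAFF, "FW-B"), ("0.0.0.0/0", "WAN-A")],
}
```

In the shared-LAN case FW-A sees only the reply, so a stateful firewall there has no matching state and drops it; with the transit link both firewalls see both directions of every flow.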

          @stephenw10 Thanks. That confirms to me that a single pfSense router (even better in an HA dual setup) would be a much cleaner setup for the following reasons:

          • A shared LAN would require hundreds of static routes.
          • One pfSense box allows me to have multiple WANs in failover mode, with time-based bandwidth restrictions, etc., etc.
          • Option of an HA setup just by getting a few extra ethernet ports.
          • With an AMD FX 6xxxx and 16 GB of memory I only see 10% load.
          • If needed, functions like firewalling, DPI, antivirus and proxy could always be run in separate boxes.
          • I should be able to route non-critical traffic between VLANs inside my HP1920 switches (like network projectors, public printers, media servers) to alleviate my main router.
          • I have only found 1 example of a shared LAN after days and days of searching.
          • There are plenty of examples of HA or transit/transport links between pfSense boxes.

          Thanks for the insight. Tomorrow (Monday) I'll start redoing everything. I have exactly one month to get everything running until school starts... with one machine for now, and HA as soon as I can get the second unit set up with extra eth ports.
