pfsense 2.4.4 multiple LAN segments



  • Installed 2.4.4 with 3 NICs in it, WAN, LAN and OPT1.
    The OPT1 is for future use, DMZ.
    WAN set, no issues.
    LAN set, no issues, 0.251.
    But that LAN connects to a 5300 which connects production segments, 212.xxx, 39.xxx, and 14.xxx.
    In segment 0.xxx, I have a proxy, which all users are using for web access, no issues.

    On older pfSense, I was able to create relationships between the 0.xxx segment and the other segments; on the 2.4.4 product, I cannot. There are a couple of places I can allow for all flags and sloppy rules, and that does allow users to access all the servers, most of which live in 212.xxx.

    But there is no pinging between any of the non-0.xxx segments and the outside world, which also means other tools, such as FTP or SQL that would pass through the firewall and back, do not work.

    You can ping from 212.xxx to any of the servers in 0.xxx, but not the web, 4.2.2.2. This is affecting a number of applications, which all use web access or ports.

    In the past I'd create relationships between the different LANs and those would show in the routing table. I don't see that ability today; is there another way to do it?

    Thank you,

    Jon



  • Not sure what version you are thinking about, but I have no idea what you mean, and I have been using pfSense from before version 1.
    What is a '5300'? Is that a router? What do you mean by 'segments'? I thought you meant IPv4 ranges, but 0.xxx makes no sense in that context.
    If the 'segments' exist on the other side of the '5300', you will need a static route pointing to the '5300' and return routes on the '5300'.
    Taking a wild guess that this is what you mean, you would add the '5300' as a gateway under routing, then add a route to 0.xxx via the 5300.



  • Sorry, the older version was 2.1.something. The 5300 is a Netgear M5300, which routes between LANs 212.xxx, 39.xxx, and 14.xxx through 0.xxx, which is the firewall LAN. So, the firewall 0.251 connects to the M5300; all gateways from the M5300 are 0.8, or 212.8, or 39.8, or 14.8, depending on which segment or office you sit in. So, users in all offices can connect across the network and access resources and servers.

    From 0.xxx you can ping 4.2.2.2 (GTE server), but from the other segments, 212, 39, 14, you cannot ping out to the Internet.

    On the older version of pfSense, you could create routes between the LAN segment of the firewall and the other segments, which allowed them to function fine.

    Hope that answers those questions.



  • The only change is that you now have to add the destination as a gateway before adding the static route.
    As I mentioned before:
    Navigate to System, Routing, and add the IP of the 5300 as a gateway.
    Then go to the 'Static Routes' tab and add the routes via the 5300 gateway.



  • Thank you, I'll give that a run.



  • @dotdash Thank you Sir,

    So, the routes went in nicely, but didn't work.
    The issue I ran into was in Firewall Rules: for whatever reason, I saw 'LAN net' and 'LAN address', but completely missed 'Network', which would allow me to define a segment and allow it access to the firewall's LAN.

    So then I could create a rule for 192.168.212.0/24 to any, one for TCP/UDP and one for ICMP; once I could ping, all the apps on that segment were able to function properly. Did the same for 192.168.39.0/24 and 192.168.14.0/24. All working now.

    Thank you for your time and information.

    Jon
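The thread's fix has two halves, and the following added example (not pfSense code, and not written by anyone in the thread) models both so the failure mode is visible: a longest-prefix-match routing table with the static routes via the M5300, and a first-match LAN rule list that, by default, only passes sources in "LAN net". The addresses are taken from the thread (192.168.0.251 firewall, 192.168.0.8 M5300, 192.168.212.0/24, 192.168.39.0/24 and 192.168.14.0/24 behind it); the WAN next hop 203.0.113.1 and the host addresses used in the checks are constructed placeholders.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed model of the thread's topology (addresses from the thread;
# the WAN next hop is a placeholder).
FIREWALL_LAN = ipaddress.ip_network("192.168.0.0/24")
M5300_GATEWAY = ipaddress.ip_address("192.168.0.8")
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")  # placeholder
ANY = ipaddress.ip_network("0.0.0.0/0")
OFFICE_SEGMENTS = ["192.168.212.0/24", "192.168.39.0/24", "192.168.14.0/24"]


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str


# What the routing table looks like with only the interface routes...
CONNECTED_ROUTES = [
    Route(ANY, WAN_GATEWAY, "wan"),
    Route(FIREWALL_LAN, None, "lan"),
]
# ...and after adding the M5300 as a gateway and the three static routes.
STATIC_ROUTES = CONNECTED_ROUTES + [
    Route(ipaddress.ip_network(seg), M5300_GATEWAY, "lan") for seg in OFFICE_SEGMENTS
]


def lookup_route(routes: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match, the way a kernel routing table chooses a next hop."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


class Rule(NamedTuple):
    protos: frozenset          # e.g. {"tcp", "udp"} or {"icmp"}
    src: ipaddress.IPv4Network  # source: "LAN net" or a hand-entered "Network"
    dst: ipaddress.IPv4Network
    action: str                 # "pass" or "block"


# Default-style LAN rule list: only sources inside "LAN net" may go anywhere.
DEFAULT_RULES = [Rule(frozenset({"tcp", "udp", "icmp"}), FIREWALL_LAN, ANY, "pass")]
# After adding a "Network" source rule per segment, one TCP/UDP and one ICMP,
# as the last post describes.
FIXED_RULES = DEFAULT_RULES + [
    Rule(frozenset(p), ipaddress.ip_network(seg), ANY, "pass")
    for seg in OFFICE_SEGMENTS
    for p in (("tcp", "udp"), ("icmp",))
]


def lan_rule_allows(rules: List[Rule], src, dst, proto: str) -> bool:
    """First matching rule wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and proto in rule.protos:
            return rule.action == "pass"
    return False


def explain(routes: List[Route], rules: List[Rule], src, dst, proto: str) -> str:
    """Why a packet arriving on LAN from src does or does not get a working path to dst.

    Both conditions from the thread must hold: the LAN rule list must pass the
    packet, and the reply to src must route back out the LAN interface.
    """
    if not lan_rule_allows(rules, src, dst, proto):
        return "blocked by LAN rules"
    back = lookup_route(routes, src)
    if back is None or back.iface != "lan":
        return "reply would leave via %s, not lan" % (back.iface if back else "nowhere")
    return "ok"


if __name__ == "__main__":
    for routes, rules, label in (
        (CONNECTED_ROUTES, DEFAULT_RULES, "no static routes, default rules"),
        (STATIC_ROUTES, DEFAULT_RULES, "static routes, default rules"),
        (STATIC_ROUTES, FIXED_RULES, "static routes, per-segment rules"),
    ):
        print("%-34s 192.168.212.10 -> 4.2.2.2: %s"
              % (label, explain(routes, rules, "192.168.212.10", "4.2.2.2", "icmp")))
```

The middle case is the one from the thread: with the static routes in place but only the default "LAN net" rule, a host in 192.168.212.0/24 is still dropped on the LAN interface because its source address is not in 192.168.0.0/24, which is exactly why adding a "Network" source rule per segment was the missing step. The model also shows the opposite half: the per-segment rules alone are not enough if the reply to 192.168.39.0/24 would follow the default route out WAN instead of back to the M5300.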

