Netgate Discussion Forum

    pfsense 2.4.4 multiple LAN segments

    L2/Switching/VLANs
    6 Posts 2 Posters 1.0k Views
    ykkurovsky

    Installed 2.4.4 with 3 NICs in it: WAN, LAN and OPT1.
    The OPT1 is for future use, DMZ.
    WAN set, no issues.
    LAN set, no issues, 0.251.
    But that LAN connects to a 5300 which connects production segments, 212.xxx, 39.xxx, and 14.xxx.
    In segment 0.xxx I have a proxy, which all users are using for web access, no issues.

    On older pfSense I was able to create relationships between the 0.xxx segment and the other segments; on the 2.4.4 product I cannot. There are a couple of places I can allow for all flags and sloppy rules, and that does allow users to access all the servers, most of which live in 212.xxx.

    But there is no pinging between any of the non-0.xxx segments and the outside world, which also means other tools, such as FTP or SQL that would pass through the firewall and back, do not.

    You can ping from 212.xxx to any of the servers in 0.xxx, but not the web, 4.2.2.2. This is affecting a number of applications, which all use web access or ports.

    In the past I'd create relationships between the different LANs and those would show in the routing table. I don't see that ability today; is there another way to do it?

    Thank you,

    Jon

    dotdash

    Not sure what version you are thinking about, but I have no idea what you mean, and I have been using pfSense from before version 1.
    What is a '5300'? Is that a router? What do you mean by 'segments'? I thought you meant IPv4 ranges, but 0.xxx makes no sense in that context.
    If the 'segments' exist on the other side of the '5300', you will need a static route pointing to the '5300' and return routes on the '5300'.
    Taking a wild guess that this is what you mean, you would add the '5300' as a gateway under Routing, then add a route to 0.xxx via the 5300.

    ykkurovsky

    Sorry, the older version was 2.1.something. The 5300 is a Netgear M5300, which routes between LANs 212.xxx, 39.xxx, and 14.xxx through 0.xxx, which is the firewall LAN. So the firewall, 0.251, connects to the M5300; all gateways from the M5300 are 0.8, or 212.8, or 39.8, or 14.8, depending on which segment or office you sit in. So users in all offices can connect across the network and access resources and servers.

    From 0.xxx you can ping 4.2.2.2 (GTE server), but from the other segments, 212, 39, 14, you cannot ping out to the Internet.

    On the older version of pfSense, you could create routes between the LAN segment of the firewall and the other segments, which allowed them to function fine.

    Hope that answers those questions.

    dotdash

    The only change is that you now have to add the destination as a gateway before adding the static route.
    As I mentioned before:
    Navigate to System, Routing, and add the IP of the 5300 as a gateway.
    Then go to the 'Static Routes' tab and add the routes via the 5300 gateway.

    ykkurovsky

    Thank you, I'll give that a run.

    ykkurovsky @dotdash

    @dotdash Thank you, Sir.

    So the routes went in nicely, but didn't work.
    The issue I ran into was in Firewall Rules: for whatever reason, I saw "LAN net" and "LAN address" but completely missed "Network", which would allow me to define a segment and allow it access to the firewall's LAN.

    So then I could create a rule for 192.168.212.0/24 to any, one for TCP/UDP and one for ICMP. Once I could ping, all the apps on that segment were able to function properly. Did the same for 192.168.39.0/24 and 192.168.14.0/24. All working now.

    Thank you for your time and information.

    Jon

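The thread ends up needing two separate things on the firewall: the static routes dotdash describes (gateway for the M5300, then routes to each segment via it), and the LAN-interface pass rules Jon adds in the last post whose source is the remote network rather than "LAN net". The following is an added Python model of why both are required, written for this page and not taken from pfSense or the posts. It assumes the addressing implied by the thread (192.168.0.0/24 is the firewall LAN with pfSense at .251 and the M5300 at .8, the three routed segments are 192.168.212.0/24, 192.168.39.0/24 and 192.168.14.0/24) and invents a WAN of 203.0.113.0/24 with an upstream gateway of 203.0.113.1. The forwarding table uses longest-prefix match and the rule set is evaluated first-match, which is how pfSense's GUI rules behave; the model does not track pf state.

```python
"""Added illustration of routed LAN segments behind an L3 switch on pfSense.
Not pfSense code. Addressing is assumed from the forum thread; the WAN
(203.0.113.0/24, gateway 203.0.113.1) is made up for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN_NET = ip_network("192.168.0.0/24")      # assumed: the '0.xxx' firewall LAN
M5300 = ip_address("192.168.0.8")           # '0.8', the switch's LAN-side address
WAN_NET = ip_network("203.0.113.0/24")      # assumed WAN subnet
WAN_GW = ip_address("203.0.113.1")          # assumed upstream gateway
ANY = ip_network("0.0.0.0/0")
REMOTE_SEGMENTS = [ip_network("192.168.212.0/24"),
                   ip_network("192.168.39.0/24"),
                   ip_network("192.168.14.0/24")]


@dataclass
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]   # None means directly connected
    iface: str


@dataclass
class Rule:
    iface: str      # interface the packet arrives on
    action: str     # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "any", "tcp/udp" or "icmp"


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the kernel forwarding table does."""
    matches = [r for r in routes if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def first_match(rules: List[Rule], iface: str, src: IPv4Address,
                dst: IPv4Address, proto: str) -> str:
    """Top-down, first matching rule wins; no match is the default deny."""
    for r in rules:
        if (r.iface == iface and src in r.src and dst in r.dst
                and r.proto in ("any", proto)):
            return r.action
    return "block"


def base_routes() -> List[Route]:
    """What pfSense has with no static routes: connected nets plus default."""
    return [Route(LAN_NET, None, "lan"),
            Route(WAN_NET, None, "wan"),
            Route(ANY, WAN_GW, "wan")]


def with_static_routes() -> List[Route]:
    """dotdash's fix: M5300 added as a gateway, one static route per segment."""
    return base_routes() + [Route(n, M5300, "lan") for n in REMOTE_SEGMENTS]


# The stock LAN rule: source 'LAN net' (the interface subnet only) to any.
DEFAULT_LAN_RULES = [Rule("lan", "pass", LAN_NET, ANY, "any")]


def fixed_lan_rules() -> List[Rule]:
    """Jon's fix: explicit 'Network' source rules, TCP/UDP and ICMP each."""
    extra = []
    for n in REMOTE_SEGMENTS:
        extra.append(Rule("lan", "pass", n, ANY, "tcp/udp"))
        extra.append(Rule("lan", "pass", n, ANY, "icmp"))
    return DEFAULT_LAN_RULES + extra


def forward(routes: List[Route], rules: List[Rule], src: str, dst: str,
            proto: str) -> Tuple[str, Optional[str]]:
    """Verdict for a packet arriving on LAN from src to dst, plus the next hop
    the reply to src would be sent to if the packet is allowed through."""
    s, d = ip_address(src), ip_address(dst)
    if first_match(rules, "lan", s, d, proto) != "pass":
        return "blocked by LAN rules", None
    back = lookup(routes, s)
    next_hop = back.gateway if back.gateway is not None else s
    if back.iface != "lan":
        return "reply misrouted out %s via %s" % (back.iface, next_hop), str(next_hop)
    return "pass", str(next_hop)


if __name__ == "__main__":
    for label, routes, rules in [("stock", base_routes(), DEFAULT_LAN_RULES),
                                 ("rules only", base_routes(), fixed_lan_rules()),
                                 ("routes + rules", with_static_routes(), fixed_lan_rules())]:
        print(label, forward(routes, rules, "192.168.212.10", "4.2.2.2", "icmp"))
```

Running the script shows the two failure modes in order: with the stock rule set a packet sourced from 192.168.212.10 never matches "LAN net" (that alias is only the interface's own subnet), so it is dropped on ingress; with the explicit network rules but no static route the packet is passed, but the reply to 192.168.212.10 follows the default route out the WAN instead of back to the M5300; only with both in place does the reply go to 192.168.0.8. The same check applies to any further segment added behind the switch: it needs a static route and a source rule of its own.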
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.