Enabling a second LAN interface - can't connect

CyberMinion

I am using an NG-1100 running pfsense 2.4.5-RELEASE. I have used it for some time with just the WAN and LAN interfaces. I am using IPv4 for everything, although IPv6 is currently enabled.

I am now trying to make use of the additional Ethernet port, labeled "OPT." So, I first enabled it under the Interfaces>Opt section. It was defaulting to DHCP, so initially I left that alone, thinking that I would be running a DHCP server on that interface (that might not be what this actually means). Then I went to Services>DHCP Server, but suddenly realized that there was only an option to run DHCP on the LAN interface (which it currently is). I don't really need DHCP, since I will be connecting another NAT router to this OPT port. So, went back to Interfaces>Opt and switched it to static, and assigned the interface the IP 192.168.3.1. I could not specify the subnet mask, but it defaulted to 255.255.255.255, which seems a little odd. I tried setting a static IP on the downstream NAT router (192.168.3.2), but of course that was not accepted by pfsense. In further investigation, I discovered that the OPT port was registered as a gateway on pfsense, so I disabled that (since this is downsteam, not upsteam). I also added a pass rule to the firewall, from the OPT port, to any.

The result of this is that the downstream device cannot connect (or ping) the pfsense, and which pfsense has seen some packets on that interface, it is not allowing it to connect to or through it.

The OPT interface currently reads as follows:
Status - up
MAC Address - f0:ad:4e:--:--:-- Globalscale Technologies (mac partially redacted just because)
IPv4 Address - 192.168.3.1
Subnet mask IPv4 - 255.255.255.255
IPv6 Link Local - fe80::f2ad:4eff:fe08:6c7b%mvneta0.4092
MTU - 1500
Media - 1000baseT <full-duplex>
In/out packets - 125/8 (59 KiB/448 B)
In/out packets (pass) - 125/8 (59 KiB/448 B)
In/out packets (block) - 678/0 (123 KiB/0 B)
In/out errors - 0/0
Collisions - 0

Why can't I enable DHCP here? Why does it almost seem as if this is expected to be an upstream connection, even though that was not its advertised purpose? Why are static addresses not being accepted? Any thought on what I messed up, or what I am missing?

Thanks!

Gertjan

@CyberMinion said in Enabling a second LAN interface - can't connect:

o, went back to Interfaces>Opt and switched it to static, and assigned the interface the IP 192.168.3.1. I could not specify the subnet mask, but it defaulted to 255.255.255.255, which seems a little odd.

Indeed ....
Look again.
It will show up this time.

@CyberMinion said in Enabling a second LAN interface - can't connect:

thinking that I would be running a DHCP server on that interface

You should check and modify if needed the DHCP server on a LAN type of interface - even if you don't use it.

If your OPT is called "Portal" (my example) then you see this listed as "DHCP servers" :

I advise you to check your settings, and assign some pool to it.

CyberMinion

@Gertjan This is why I shouldn't redesign a network at 2 AM. You're right, that was the problem. I did find the subnet option this time (whether it wasn't there before, or I just didn't see it I don't know) and set it to a proper /24. Then when I go into the DHCP server, there is now a tab for this "OPT" port, which I used to enable the service. This tab was just missing before, I suppose because there wasn't enough IP space for it to run on. And just like that, everything works perfectly. Thank you!!

Gertjan

@CyberMinion said in Enabling a second LAN interface - can't connect:

I suppose because there wasn't enough IP

Exact.
If the possible pool size is zero - an /32 implies zero - then pfSense doesn't bother launching a DHCP server on the interface. It wouldn't work anyway.
The visual GUI effect is : no GUI 'tab'.