OPT as LAN Interface

  • Hi,

    I recently built a pfSense 2.4.5 box with a Broadcom 10G SFP NIC on an old HP desktop.

    The NICs show as bxe0 and bxe1. I was able to configure one as LAN and one as WAN and all is working fine.

    I want to configure the onboard / built-in gigabit port as another LAN and keep it on the same network.

    It shows as OPT1 and I tried the bridging method but it didn't work. Not sure where it's going wrong.

    After bridge mode I have internet at OPT1 but lost it on bxe1. If I don't do the bridge I don't have internet on OPT1.

    I want to enable OPT1 so I can use that for a Wifi router.

  • @rajeshs said in OPT as LAN Interface:

    If I don't do the bridge I don't have internet on OPT1.

    Two things to check here:

    • Firewall rule on OPT1
    • Outbound NAT rule for OPT1 net

  • @viragomann thanks, I made OPT1 work with DHCP.

    Still have to figure out if my other net 192.168.1.x will see this.

  • LAYER 8 Global Moderator

    @rajeshs said in OPT as LAN Interface:

    Still have to figure out if my other net 192.168.1.x will see this.

    If networks are directly attached to pfsense, then any network can "see" them ;) All comes down to if you allow traffic between them via rules or not.

    Out of the box with the default lan rules of any any, then yes, your lan of 192.168.1/24 would be able to talk to opt1 (192.168.2/24).

    Now opt1 would not have any default rules, so if you want opt1 to be able to start a conversation with your lan devices, you would have to allow that in the opt1 rules, whether it be an any any rule like the defaults on lan, or specific rules to talk to only specific IPs in lan, or specific protocols or ports. If lan is allowed to talk to opt1 (which it would be with the default rules), then anything in opt1 would be allowed to answer via the state table. But opt1 would not be allowed to start the conversation with something in lan without rules on opt1 to allow it.

    Keeping in mind, just because you allow traffic through pfSense doesn't mean that some security software or firewall running on the device will allow traffic from some other network.

    edit: The other caveat that new users seem to overlook all the time, other than the devices' own firewalls, is that rules have to be in place to allow the traffic before you force anything out some specific gateway..

    Example: while the default rules on lan are any any.. If you changed that rule to be any any but edited the rule to force the traffic out your wan gateway, or some vpn connection.. Then no, lan would not be able to talk to opt1, because your vpn or your wan isn't going to be able to talk to the opt1 network.

    So if you want to force traffic out some specific gateway via policy routing, then you have to have rules above the policy route to allow the local traffic you want to allow.
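    Added example (not from this thread or from pfSense itself): a small Python model of per-interface, first-match, stateful rule evaluation that replays the three situations described above. The interface names "lan"/"opt1", the host addresses and the gateway name "wan_gw" are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    iface: str          # interface the packet arrives on; rules are evaluated per interface
    src: str            # source network or "any"
    dst: str            # destination network or "any"
    gateway: str = ""   # policy-routing gateway; empty means normal routing

def _match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Firewall:
    def __init__(self, rules, local_nets):
        self.rules = rules            # evaluated top to bottom, first match wins
        self.local_nets = local_nets  # networks directly attached to the firewall
        self.states = set()           # (src, dst) flows already admitted by a rule

    def packet(self, iface, src, dst):
        # Replies to an admitted flow match the state table and never consult the rules.
        if (dst, src) in self.states:
            return "allowed (state)"
        for r in self.rules:
            if r.iface == iface and _match(r.src, src) and _match(r.dst, dst):
                if r.gateway and any(_match(n, dst) for n in self.local_nets):
                    # The rule passes the packet, but policy routing hands it to the
                    # gateway, which cannot deliver it to a locally attached network.
                    return "routed out " + r.gateway + " (unreachable)"
                self.states.add((src, dst))
                return "allowed (rule)"
        return "blocked (no rule)"

LOCAL = ["192.168.1.0/24", "192.168.2.0/24"]   # lan and opt1 as given in the thread

def scenarios():
    out = {}
    # 1. Default lan any/any rule, no opt1 rules yet.
    fw = Firewall([Rule("lan", "any", "any")], LOCAL)
    out["lan_to_opt1"] = fw.packet("lan", "192.168.1.10", "192.168.2.20")
    out["opt1_reply"] = fw.packet("opt1", "192.168.2.20", "192.168.1.10")
    out["opt1_initiates"] = fw.packet("opt1", "192.168.2.20", "192.168.1.30")
    # 2. The lan any/any rule edited to force traffic out a gateway (constructed name).
    fw = Firewall([Rule("lan", "any", "any", gateway="wan_gw")], LOCAL)
    out["policy_route_breaks_local"] = fw.packet("lan", "192.168.1.10", "192.168.2.20")
    # 3. A pass rule for local traffic placed above the policy-routing rule restores it.
    fw = Firewall([Rule("lan", "any", "192.168.2.0/24"),
                   Rule("lan", "any", "any", gateway="wan_gw")], LOCAL)
    out["fixed_with_rule_above"] = fw.packet("lan", "192.168.1.10", "192.168.2.20")
    return out
```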

  • @johnpoz thanks. I added any any for opt1.
