routing between two internal networks
-
i am converting my internal network from 192.168.1.x to 10.x.x.x and would like to perform an interim step, moving some devices to the new network while leaving some on the existing one.
can pfSense route traffic between 192.168.1.x and 10.x.x.x ?
i can install a second pfSense on the new, 10.x.x.x network if that is required/easier.
i also have a managed switch that can be used if helpful. currently, the only capability in use is a VLAN between the modem router and the pfSense VM.
pfSense running latest stable version: 2.4.4_1
my experience
networking: moderate (and a bit ancient)
pfsense: casual home user
if you need any config files from my pfSense setup, please just let me know.
thanks for any help you can give!
bill
-
Pfsense can route yes - that is one of its main functions other than a firewall.
But your drawing doesn't make a lot of sense.. For starters you're moving to 10/8? So you have no plans for any other vlans or networks, and you're using ALL of the 10 space for 1 network.. Or those are going to other rfc1918 space? I assume is going to have somewhere close to 16 million clients on it? If you want to use the 10 space - sure that is fine, but /8 makes no sense..
What is the network coming off your cable modem? What switch do you have exactly, is it L3 and can route? Or is it just a L2 smart switch?
Not sure how pfsense is going to route anything when you show it only in 1 network 192.168.1/24. To route, a router needs to be attached to more than 1 network. I don't see what other network pfsense is attached to in your drawing.
-
thank you for the reply, let me step through your response.
Pfsense can route yes - that is one of its main functions other than a firewall
sorry if that was unclear; i did not ask if pfsense can route, i asked if it could route between the two networks as described and shown in the diagram.
ok, my response may have been a bit impertinent, but fair given your reply. : )
10/?
i am curious as to whether i use 10/8 or 10/24 is relevant to the question? in fact i will be breaking up the 10.x.x.x network, but left that out of the original question in order to reduce the scenario down to as few variables as possible. obviously i failed given almost half your response was directed at this issue. my bad.
What is the network coming off your cable modem?
as pointed out in the question, it is connected to the pfSense box via a VLAN through the switch. is there another piece of information you need about its connection?
What switch do you have exactly, is it L3 and can route? Or is it just a L2 smart switch
L3, sorry i failed to mention it.
Not sure how pfsense is going to route anything when you show it only in 1 network 192.168.1/24. To route, a router needs to be attached to more than 1 network. I don't see what other network pfsense is attached to in your drawing.
the diagram shows it attached physically to both networks through the etherswitch. the pfSense VM has an address of 192.168.1.1 which logically puts it on that network. but your confusion is exactly my question - how is this supposed to be configured.
hmmmm, i don’t want to influence any additional answers with leading questions, but… does the pfSense box need TWO WAN connections to the etherswitch? one to 192.x, the other to 10.x? i can attach each cable to different VLANs on the switch, one for each network.
please understand, my knowledge is limited, so if you see something that doesn’t make sense in my setup, it’s probably because it doesn’t make sense. and as a moderator i’m sure you realize that our ignorance often extends to how well the question is asked or even if the right question is being asked at all.
i am here to learn. if your price for educating is for me to sit through snarky responses, then i’ll be glad to go elsewhere. just let me know. otherwise, i really appreciate any help you or others can provide.
-
@bill209 said in routing between two internal networks:
i am curious as whether i use 10/8 or 10/24 is relevant to the question?
It's relevant to the discussion - in assessing your understanding of basic networking.
it is connected to the pfSense box via a VLAN through the switch
Which you have not provided any details of - nor showing that on the drawing.
does the pfSense box need TWO WAN connections to the etherswitch?
Does not require 2 wans - but it does require 2 networks to be able to "route" ;) You are showing only 1. If you're going to try and route via only 1 network on pfsense - router on a stick sort of setup, since you show hosts on this same network you're going to run into asymmetrical problems.
A logical setup - not taking into account how you connect via vlans or physical wires would be something like this.
All of those networks could be via same L2 switch with vlans setup to isolate the different network.
-
It's relevant to the discussion - in assessing your understanding of basic networking.
LOL
i appreciate your attempt at providing some information, i obviously can’t communicate my needs to you in a way that makes sense so i’ll go seek help elsewhere.
thank you.
-
@bill209 I've never worked with such a config but couldn't you add a trunk vlan between the two pfSense nodes and then add static routes to each to route the other network through the trunk?
-
He doesn't have 2 pfsense - he says he could bring up another one. But there is no need..
But no we can not help you if you can not even give basic information.. So your current network I take it this 192.168.1/24 network. But you're currently not using pfsense to route this to the internet?
And this is being done by your cable device, which you're calling a modem - but I have a suspicion it's actually a gateway?
More than happy walking you through migration of your network to a 10 network, while maintaining your current network during the process. But how are you configured currently? It for sure is not how you have it currently drawn.
-
thanks for the further feedback from you both.
i’ve simplified the drawing to show the network as-is, removing the intended 10.x network and simply renaming the devices for clarity. i am not a networking professional, and the diagram (poorly) represents a physical topology of the network.
to answer your questions/discussion points above:
@KOM i could add a second pfSense box within the 10x network as you noted (good point btw); however, if i can do it with one, as johnpoz mentions, then i'd like to pursue that path first.
-
yes, i am using pfSense to route this to the internet. the traffic goes through the cable modem.
-
the ‘cable modem’, which is an arris surfboard and connects the network to the internet. if you prefer to use a term other than ‘cable modem’ for this device, let me know.
-
finally, this is my current network as drawn, and fwiw, pfSense and this network architecture works without issue*.
so what i’m trying to accomplish:
to my existing 192.x network i’d like to add devices to a 10.x network, and allow
- communication between all 10.x and 192.x devices within my home network
- and i’d love pfsense to be able to provide all the services it does for the 192 network, such as DHCP, FW, routing, etc (if possible)
example for testing: plug a PC into the trendNet with a hardcoded IP of 10.0.0.100/24, and have it communicate to the internet and to the other 192.x devices.
you noted that i’m not providing you basic information, but i do not know what else to give you. if you let me know what i am missing (fw rules, gateways, etc.) i will be more than happy to provide you with any information, as i clearly understand that it is YOU helping ME, and without such information this is just an exercise in futility (for both of us).
thanks again.
* i did not illustrate the pfSense gateways as this is more of a physical diagram, but i do have the normal WAN gw along with a VPN gw for certain devices. all of this works great.
-
@bill209 I thought you already had two pfSense instances because of your diagram.
Create a vlan for your 10.0.0.0/8 network on pfSense, tag the ports on your switch that you want to use for that network and then plug your devices into those ports. pfSense will treat it like any other interface with firewall rules you can manage with all the same services available.
That's a different config you have. I would plug the Arris directly into your proxmox server and map it to pfSense WAN, another port on the proxmox server (assuming it has 2+ NICs) would act as LAN for pfSense and you would plug the switch into it. All other devices go into the switch.
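Added example, not part of any post in this thread: a small Python model of the two layouts discussed above, showing why routing through pfSense on a single network gives asymmetric paths while an interface (VLAN) in each network does not. The L3 switch address 192.168.1.2, the host 192.168.1.50 and the 10.0.0.1 gateway are assumptions made up for illustration; 192.168.1.1 and 10.0.0.100/24 come from the thread.

```python
import ipaddress as ip

def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway, or None if dst is on-link."""
    hits = [(ip.ip_network(net), gw) for net, gw in routes
            if ip.ip_address(dst) in ip.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def routers_crossed(nodes, src, dst):
    """Walk the routing tables hop by hop; list the routers a packet crosses."""
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    here, crossed = owner[src], []
    while dst not in nodes[here]["addrs"]:
        gw = next_hop(nodes[here]["routes"], dst)
        here = owner[gw or dst]          # on-link: hand straight to the target
        if nodes[here].get("router"):
            crossed.append(here)
    return crossed

def firewall_sees_both_ways(nodes, a, b, fw="pfsense"):
    """A stateful firewall must see both directions of a flow, or neither."""
    return (fw in routers_crossed(nodes, a, b)) == (fw in routers_crossed(nodes, b, a))

ON_LINK = None                               # route without a gateway
PC192, PC10 = "192.168.1.50", "10.0.0.100"   # constructed sample hosts
def host(addr, net, gw):
    return {"addrs": [addr], "routes": [(net, ON_LINK), ("0.0.0.0/0", gw)]}

# Layout A (assumed): pfSense only on 192.168.1.0/24, with a static route to
# 10.0.0.0/24 via a hypothetical L3 switch at 192.168.1.2 that owns 10.0.0.1.
one_network = {
    "pfsense": {"router": True, "addrs": ["192.168.1.1"],
                "routes": [("192.168.1.0/24", ON_LINK), ("10.0.0.0/24", "192.168.1.2")]},
    "l3switch": {"router": True, "addrs": ["192.168.1.2", "10.0.0.1"],
                 "routes": [("192.168.1.0/24", ON_LINK), ("10.0.0.0/24", ON_LINK)]},
    "pc192": host(PC192, "192.168.1.0/24", "192.168.1.1"),
    "pc10": host(PC10, "10.0.0.0/24", "10.0.0.1"),
}

# Layout B: pfSense has an interface (VLAN) in each network; the switch is L2 only.
two_networks = {
    "pfsense": {"router": True, "addrs": ["192.168.1.1", "10.0.0.1"],
                "routes": [("192.168.1.0/24", ON_LINK), ("10.0.0.0/24", ON_LINK)]},
    "pc192": host(PC192, "192.168.1.0/24", "192.168.1.1"),
    "pc10": host(PC10, "10.0.0.0/24", "10.0.0.1"),
}

for topo in (one_network, two_networks):
    print(routers_crossed(topo, PC192, PC10), routers_crossed(topo, PC10, PC192))
```

In layout A the reply from the 10.x host is delivered on-link by the L3 switch and never passes pfSense, so firewall rules and state tracking apply to only one direction of the flow; in layout B every packet between the two networks crosses pfSense.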
-
@bill209 said in routing between two internal networks:
yes, i am using pfSense to route this to the internet. the traffic goes through the cable modem
How per that diagram you have no wan network? Like I said from the get go asking about 10/8 - assessing basic networking understanding.. Which not seeing any so far.. sb61990, you mean a sb6190 I take it..
And even if you're not showing your wan - from that drawing the only thing that could be assumed is your internet L2 is the same as your lan L2. Since you don't call out any different vlans setup on that switch..
How that is drawn I see no purpose to pfsense at all.. How could it route when you show 1 network..
-
the original diagram had a second pfSense box in the 10.x network but was followed with a question mark to show it was possible. i admit not clear.
thanks for the suggestions, it makes sense and i will give it a shot!
if you cannot follow this topology of a simple network, there is little else i can provide to help you.
and your insistence that your earlier rant about 10.x subnets was simply to find out my level of networking experience is ludicrous and a very transparent attempt at covering up your inability to simply admit that that line of snarkiness had nothing to do with the question at hand.
have a great memorial day weekend.
technical skills are a dime a dozen, technical skills coupled with empathy and understanding are invaluable.