Multiple Pfsenses talking to each other?
-
Hello, I have a pfSense setup working with no problems. But I would love to set up a second pfSense for my brother; he would like to have one. I have multiple static IP addresses I can assign to each of them. But I was wondering if it is possible that both pfSense boxes talk to each other?
I'm trying to put my brother on his own network for his own 2 servers without talking to my network.
I have Comcast. I set up a second router and for some odd reason they talk to each other. One has a 192.168.1x.XX address and the other has a 192.168.0x.XX address; I can ping each other back and forth and see each other. I need to stop that. But with Comcast, if both are on the same subnet, that is what happens.
I'm not a programmer and still new to hosting my own. I'm okay with hosting my own stuff but not others'. Can someone help me figure this out? I'm also slow at understanding and learning. Please forgive me. Also, a lot of things from pfSense I don't know or understand yet.
Joseph
-
Is your brother in the same house?
You got multiple static public IPs? If so:
Set up a second WAN with one of your static public IPs.
Set him up with his own interface (OPTxxx) and his own IP range.
Deny rule so that he cannot access the other net.
And on top, a limiter so that he can only use an amount of your total bandwidth.
Allow rule to allow www traffic and you are good to go.
Br NP
-
@noplan Hello, thank you, I will look into this. I'm not sure how to do the whole deny rule from one pfSense router box to another pfSense router box. I'm okay with leaving the bandwidth unlimited because we have great internet here and he pays for half of it and half the power bill.
Joseph
-
@josephchrzempiec said in Multiple Pfsenses talking to each other?:
One has a 192.168.1x.XX address and the other has a 192.168.0x.XX address i can ping each other back and forth and see each other
Those two subnets would usually be /24s and separate from each other unless you have routing enabled. They may both be in a larger subnet such as 192.168.0.0/16 in which case they would talk directly.
Can we see a diagram of how this is connected?
Steve
-
As @stephenw10 said, a diagram, a painting, whatever, would be a great help to get you up and running.
Br np
-
Hello, here is an image of my setup; not the best drawing, but I have tried my best. My main one is 10.1.151.1, the second router is 192.168.0.1. Both have the same subnet mask, 255.255.255.0.
-
Hi there, try it this way!
WAN yellow is whatever Comcast serves to you.
LAN green is your net.
OPT1 red is his net. Let us know if this helps ...
Your original version here:
-
Yes, using a single pfSense instance with multiple interfaces will give you the most control over the traffic between them. You can pass or block whatever you need.
If you want to have a 2nd pfSense and use a static WAN IP in the same subnet as the first pfSense then it will need to be connected the same way. So that will either be directly to the comcast device or via some type of bridged setup through the first one.
Steve
-
Hello all, thank you, I will try them. But I honestly don't know how to do one pfSense with multiple WANs for the static IP addresses. Sorry if I'm phrasing that wrong; still kind of new to pfSense and still learning. Also I'm not a programmer in any sense. I'm great at hardware; that is what I have been doing for the past 28 years. But I'm very good at following directions as well when given help.
The second question is ports. Can I do multiple port 80s? Because my brother uses port 80 for his web server, and I use it as well for mine. I do not know how that would work without using a second pfSense box.
Joseph
-
@noplan Hello noplan. That is what I'm thinking of doing: using multiple pfSense boxes.
Joseph
-
Can I do multiple port 80s?
Yes you can, but that's another topic, and you'll switch from port 80 to 443 for starters. After you are running with pfS you'll have HAProxy set up and running with a nice ACME Let's Encrypt automation, and of course an OpenVPN server, and for an always-on VPN on your mobile a fine WireGuard. Sounds cool ... but these are all topics for another day.
how to do one pfsense with multiple wan for the static ip addresses
As a show stopper, I don't know what your Comcast device serves you (maybe someone here in the forum can help you out).
You set up a WAN with a static IP.
The easier way round is when your Comcast device hands your public IPs out via DHCP.
Then you connect your OPT1 (the third interface, not the LAN) again to your Comcast device and set this interface up with a static IP as your WAN2. Now you have access to the internet from LAN over WAN1.
Next step: assign your OPT3 interface to your LAN2 (the LAN for the brother).
As you can see, you need a box with 4 interfaces.
Assign IP / mask to this interface and done.
Onward with firewall rules: for a quick test, allow from LAN2 any to any (this will give you internet over WAN1).
The next step is routing ... set a route from LAN2 to WAN2, easy.
And you are set and done. Then the fun starts with doing rules on the firewall to keep LAN1 separated from LAN2 (you got an any2any rule and we have to fix it). Hope that helps a little.
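The dual-WAN, two-LAN layout described in the post above, together with the deny/allow rules noplan listed earlier in the thread, written out as the pf ruleset that a single pfSense box would end up with. This is an added example, not a ruleset from the thread or from the pfSense project: on pfSense you would build the same thing under Firewall > Rules, Firewall > NAT and System > Routing rather than by editing pf.conf, and the GUI generates the equivalent rules. The subnets 10.1.151.0/24 and 192.168.0.0/24 come from the diagram post; the interface names em0 to em3, the Comcast gateway 203.0.113.1 and the two web server addresses (10.1.151.10 and 192.168.0.10) are assumptions chosen for illustration.

```pf
# Added example ruleset, not from the thread. Interface names, the Comcast
# gateway and the web server addresses below are assumptions.
wan1_if = "em0"      # WAN1: first static public IP, your traffic
lan1_if = "em1"      # LAN1: your network
wan2_if = "em2"      # WAN2 (OPT1 in the GUI): second static public IP, brother's traffic
lan2_if = "em3"      # LAN2 (the OPT interface assigned as his LAN)

lan1_net = "10.1.151.0/24"   # from the diagram in the thread
lan2_net = "192.168.0.0/24"  # from the diagram in the thread
wan2_gw  = "203.0.113.1"     # ASSUMED Comcast gateway for WAN2
my_web   = "10.1.151.10"     # ASSUMED address of your web server
his_web  = "192.168.0.10"    # ASSUMED address of his web server

set skip on lo0

# Outbound NAT: each LAN leaves through its own public IP.
nat on $wan1_if from $lan1_net to any -> ($wan1_if)
nat on $wan2_if from $lan2_net to any -> ($wan2_if)

# "Multiple port 80s": each public IP gets its own port 80 forward,
# so both web servers can listen on 80 behind one firewall.
rdr on $wan1_if proto tcp from any to ($wan1_if) port 80 -> $my_web  port 80
rdr on $wan2_if proto tcp from any to ($wan2_if) port 80 -> $his_web port 80

# Default deny; everything below uses "quick" so first match wins.
block log all

# LAN2 (brother):
# 1. traffic to the firewall's own LAN2 address (DNS, DHCP) stays local and
#    must come BEFORE the route-to rule, or it would be policy-routed away.
pass in quick on $lan2_if from $lan2_net to ($lan2_if) keep state
# 2. deny rule: LAN2 may never reach LAN1 (the firewall's LAN1 address included).
block in quick on $lan2_if from $lan2_net to $lan1_net
# 3. everything else from LAN2 is policy-routed out WAN2, not the default WAN1.
pass in quick on $lan2_if route-to ($wan2_if $wan2_gw) from $lan2_net to any keep state

# LAN1 (you): keep the allow-any rule, but block LAN2 first so isolation is symmetric.
block in quick on $lan1_if from $lan1_net to $lan2_net
pass  in quick on $lan1_if from $lan1_net to any keep state

# Inbound web traffic for each forward; reply-to on WAN2 returns replies via WAN2.
pass in quick on $wan1_if proto tcp from any to $my_web  port 80 flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) proto tcp from any to $his_web port 80 flags S/SA keep state

# Let the firewall itself and established flows leave on either WAN.
pass out quick on { $wan1_if $wan2_if } keep state
```

The two things worth checking after building this in the GUI are the order of the LAN2 rules (a rule with a gateway set must sit below the rules for the firewall itself and below the block to LAN1, because pfSense evaluates rules top down with first match) and that a ping from LAN2 to 10.1.151.1 is now dropped while a ping to the outside still leaves with the WAN2 public IP. The bandwidth limiter from the earlier post is a dummynet limiter set on the LAN2 rules in the GUI and is not expressible in this ruleset; sharing a single public IP between the two servers, rather than one IP each, is the HAProxy setup mentioned above.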
-
Yes, it really depends on how comcast are handing you the public IPs.
How is your current pfSense WAN configured?
I assume you have /29 from Comcast?
Steve
-
Hello, I do not have any pfSense set up at the moment on my network. At my father's house I have one set up, but at home I do not.
Here is how I have our network set up at home. Comcast comes in; it is a gateway/modem/router. I have a LAN port coming from the Comcast device and going to a TP-Link router's WAN port, and in the TP-Link router I have the second static IP address information. I'm able to do everything from the TP-Link: port forwarding on IP addresses and anything else needed within the router. Basically only port forwarding, really; that is all. And on the Comcast gateway/modem/router I do all my stuff without affecting my brother's network. Unless I unplug his network wire to the internet, LOL.
But basically he can do whatever he like without effecting my stuff.
Joseph
-
Ok, so your public IPs are in the same subnet I assume?
Does the TP-Link actually get a public IP, or is it port forwarded from the Comcast router?
I would still suggest using a single pfSense instance with just a modem in front of it if you can.
Steve