Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multiple LAN segments accessed from single IP address

    Scheduled Pinned Locked Moved Routing and Multi WAN
    14 Posts 3 Posters 2.3k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      jay209
      last edited by

      Hello community !

      I am just learning some network security and i replaced my usual router with a pfSense device.
      As i had an old 775 rig lying around, i installed second LAN card and started to experience with pfSense.
      Now, i would need your help with the routing part as i do not understand how to do some translation.
      The configuration is as follows:
      WAN: public IP, static
      LAN: only one LAN port, 192.168.2.x, mask is 255.255.255.0

      In the LAN side, i have some other devices belonging to other IP classes: 192.168.1.x, 10.5.120.x and 192.168.100.x. What i want to to is to access all of them having only a single IP on my computer. There is a samba server for storage (192.168.1.x) and some monitoring devices (10.5.120.x and 192.168.100.x).

      My default LAN is 192.168.2.10 for my computer. This is assigned via DHCP. It will always be this value as DHCP server knows my MAC address.

      Where should i define, in pfSense, the path to other network segments (192.168.100.x and 10.5.12.x)?
      I know that i can define them manually on my computer LAN adapter but my goal is to use only one IP, provided by DHCP, and let the pfSense gateway to do the translation. Also, i know that this is possible because when i set the VPN connection i get a different IP (let's say 10.10.10.2) and the gateway knows, automatically, to translate any request coming from my VPN lan segment. So, using VPN (10.10.10.2) i am able to access 192.168.2.x .

      I hope i explained it with enough details. Any advise would help me as i don't even know where to start looking on the Internet for information.

      Thank you!
      J.

      V 1 Reply Last reply Reply Quote 0
      • V Offline
        viragomann @jay209
        last edited by

        @jay209 said in Multiple LAN segments accessed from single IP address:

        In the LAN side, i have some other devices belonging to other IP classes: 192.168.1.x, 10.5.120.x and 192.168.100.x.

        To you have an additional router in the LAN, where these subnets are connected to or are these all on a single L2 network?

        J 1 Reply Last reply Reply Quote 0
        • J Offline
          jay209 @viragomann
          last edited by

          @viragomann They are connected to same L2 network. Only their own IPs are different. Between pfSense router and my devices is a simple switch with 8 ports.

          V 1 Reply Last reply Reply Quote 0
          • V Offline
            viragomann @jay209
            last edited by

            @jay209
            You should better get a VLAN capable switch for proper network segmentation.
            But yes, it would be also possible on a single L2, however, you need to assign an IP of each subnet to pfSense, which is used as gateway on the respective network devices.

            J 1 Reply Last reply Reply Quote 0
            • J Offline
              jay209 @viragomann
              last edited by jay209

              @viragomann If i go to LAN, there are options only for my current LAN segment (192.168.2.x). Should i go to Virtual IP and define there a new network segment? 192.168.100.x , for example?

              LE: I just added a new virtual IP (192.168.1.1). I set its type as IP Alias. But when i ping from my computer (i have 192.168.1.12 set by hand) it does not reply back.

              V 1 Reply Last reply Reply Quote 0
              • V Offline
                viragomann @jay209
                last edited by

                @jay209
                Yes, you need to add virtual IPs of type "IP alias".

                Also consider to add rules to LAN to allow the desired connections. The default rule might only allow access from LAN subnet.

                1 Reply Last reply Reply Quote 0
                • J Offline
                  jay209
                  last edited by

                  @viragomann I did the following:
                  I defined a Virtual IP (Type Alias), on interface LAN with address 192.168.1.1/24. This virtual IP should act like a gateway for 192.168.1.x subnet, right ?

                  At least this is what i am trying to achieve.

                  Then, i go to Firewall -> Rules -> LAN: All traffic is allowed. I even created a new rule stating that from 192.168.1.0/24 there is no restriction to LAN net (this is my current LAN segment that has access to the internet).

                  Just to be a clear, i want to be able to access the entire /24 segment of 192.168.1.0 subnet from 192.168.2.12 .

                  There is something i am missing... but i can't figure out what.

                  V 1 Reply Last reply Reply Quote 0
                  • V Offline
                    viragomann @jay209
                    last edited by

                    @jay209 said in Multiple LAN segments accessed from single IP address:

                    I defined a Virtual IP (Type Alias), on interface LAN with address 192.168.1.1/24. This virtual IP should act like a gateway for 192.168.1.x subnet, right ?

                    Yes.

                    At least this is what i am trying to achieve.
                    Then, i go to Firewall -> Rules -> LAN: All traffic is allowed. I even created a new rule stating that from 192.168.1.0/24 there is no restriction to LAN net (this is my current LAN segment that has access to the internet).
                    Just to be a clear, i want to be able to access the entire /24 segment of 192.168.1.0 subnet from 192.168.2.12 .

                    Your computer use pfSense as default gateway as well?

                    Is any of the involved devices multi-homed in both subnets?

                    Enable the logging in the LAN rules and check if the rules get any hits then.
                    Also check if there are any blocks in the filter log.

                    J 1 Reply Last reply Reply Quote 0
                    • J Offline
                      jay209 @viragomann
                      last edited by

                      @viragomann I just ran some tests with latest modifications.
                      My computer is set to get 192.168.2.7. pfSense is the default gateway.
                      I set the virtual ip 192.168.1.1/24. With current setting and no restriction rules on LAN i am not able to ping 192.168.1.1.
                      If i add 192.168.1.2 on my computer alongside 192.168.2.7, i am able to ping the 192.168.1.1.
                      So this seems like a routing issue and pf does not know that it should be the gateway, translating the requests from both sides.

                      In the firewall logs i can only see messages related to lan and wan, nothing related to 192.168.1.1.

                      Please bear with me as i am still trying to learn. Maybe i misconfigured something ?

                      V johnpozJ 2 Replies Last reply Reply Quote 0
                      • V Offline
                        viragomann @jay209
                        last edited by

                        @jay209 said in Multiple LAN segments accessed from single IP address:

                        I set the virtual ip 192.168.1.1/24. With current setting and no restriction rules on LAN i am not able to ping 192.168.1.1.

                        192.168.1.1/24 is the IP alias on pfSense?
                        For this to work, it's only necessary, that pfSense is the gateway on the computer (even the LAN address) and that there is the default LAN rule still in place allowing any from LAN net.

                        So this seems like a routing issue and pf does not know that it should be the gateway, translating the requests from both sides.

                        pfSense is a router by default. It forwards any packet according to its routing table, as long as a filter rule allows that.

                        If i add 192.168.1.2 on my computer alongside 192.168.2.7, i am able to ping the 192.168.1.1.

                        If you do this, both are in the same L2. I guess that only this makes the destination device happy. My suspect is, that it blocks the access otherwise.
                        So maybe you can disable its firewall for testing and configure it accordingly later if that's the reason.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ Online
                          johnpoz LAYER 8 Global Moderator @jay209
                          last edited by

                          @jay209 what is the goal of this exercise? Are you attempting to migrate to new IP space? Running multiple L3 on the same L2 is not good practice, and provides no real security.

                          If your goal is actual segmentation of your network, you should either physical create different L2 networks for your different L3 networks, or use vlans for your isolation.

                          It works for migration from network space A to B for example - but it is not a good setup for long term.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                          J 1 Reply Last reply Reply Quote 0
                          • J Offline
                            jay209 @johnpoz
                            last edited by

                            @johnpoz The goal is to learn about network and security. For now, the short term goal is to simplify the access to some devices i use. Later on, the goal is to segment the network using managed switches and vlans.

                            But for now i want to achieve 1st goal: accessing multiple devices (different subnets) from a single computer using a default ip (192.168.2.7 for my computer).
                            I know it is not secure but the goal is for me to learn how to interconnect these subnets using pfSense.

                            We can agree on the idea that i can change the ip adress of the devices but these devices, once tested and configured, will be sent in other places.
                            Then i get a new set of devices, having same default IPs.

                            So, it is important for me to 1st create these additional subnets in the router so i can always access the devices from my default ip.

                            I already defined the virtual ip for several subnets but i miss the route to them.
                            192.168.1.1/24 is the first of them. But as i have mentioned in earlier posts i miss something in the firewall and the new subnet is not responding to ping . I have checked the firewall logs but there is no mention about any traffic from 192.168.2.x to 192.168.1.x or reverse.

                            Sorry for my long post but am still trying to describe as much as i can what i try to do. Because, for me doing so, will make sense and i can understand how things are working in networking.

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ Online
                              johnpoz LAYER 8 Global Moderator @jay209
                              last edited by

                              @jay209 said in Multiple LAN segments accessed from single IP address:

                              So, it is important for me to 1st create these additional subnets in the router so i can always access the devices from my default ip.

                              creating a vip not really creating a new network on pfsense IMHO.. its just multiple L3 on the same L2..

                              If you have say lan 192.168.1.0/24 with pfsense being 192.168.1.1, and you want to have other devices on this same L2 as say 192.168.2.x/24 then you would create a vip on pfsense..

                              And you might have to adjust your rules to allow for that traffic that is a different netblock.. But if you put it on lan, than lan net should included the new IP range.

                              So here I just created a vip on my lan 192.168.14.1/24

                              You can see that it was added to my outbound nat. I can ping the 14.1 address of pfsense, and I can get to the internet - and viewing states while pinging 8.8.8.8 you can see coming from my PC that I changed to 192.168.14.2/24 that is on my "lan" network..

                              alias.jpg

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                              J 1 Reply Last reply Reply Quote 0
                              • J Offline
                                jay209 @johnpoz
                                last edited by

                                Guys, i am still working on this trying to configure it. I think i am doing some kind of progress. Please bear with me as today i don't have that much time. I'll come back tomorrow.

                                Thank you for all your advises!

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.