Howto access two LANs from a single port with NG-1100?

sminded

Router NG-1100

Setup 1:

Connected to LAN-port (call it LAN1):
Local network 172.16.0.0/12. The connection is to a managed switch which is having DHCP-service running

Connected to OPT-port (call it LAN2):
Local network 10.0.0.0/8. The connection is to a managed switch which is having DHCP-service running.

Connected to WAN-port (call it LAN3):
New Local network assigned by the NG-1100. Could be network 192.168.99.0/24.
If I connect a switch to this port, multiple devices should be able to connect and get its address from the DHCP-server.

• The device connected on LAN3 must be able to communicate with all devices on LAN1 and LAN2
• The devices on LAN1 and LAN2 should not be able to communicate with each other

Setup 2:

LAN-port and OPT-port same as above
WAN-port: Connected to a Nighthawk M1, or similar LTE+WiFi router

• In this setup same rules apply as above, but I wan't all devices connected to M1 to be able to communicate to LAN1 and LAN2

1. Are these setups possible with the NG-1100?
2. Any suggestions and pointers on how to accomplish this in Pfsense

Thanks!

Gertjan

@sminded said in Howto access two LANs from a single port with NG-1100?:

Local network 172.0.0.0.

Are you sure ?
RFC 1918.

sminded

@Gertjan Sorry, typo, now updated.

johnpoz

@sminded why would you use up a whole range of rfc1918 space for one segment /12 and /8?

Are these setups possible with the NG-1100?

Yeah all things are possible (within reason).. What network space you use on your networks is up to you. What you allow or don't allow between your segments also up to you.

Not sure why anyone would run dhcp off their switch, when they have much easier to use and more feature rich dhcpd right there on pfsense that is connected to these networks.

Putting some network on what is pfsense wan, and allowing traffic to stuff behind pfsense would require port forwards, and out of the box would be natted.. Not exactly sure what your goal is, but I would put stuff on pfsense wan.. Pfsense is better at the edge.. Can be used as downstream sure.. Is your only internet connection the LTE via the M1?

sminded

@johnpoz LAN1 and LAN2 are already existing, I could explain what they are (represent), if its necessary. They are not under my control.

johnpoz

@sminded well if they are not under your control - connecting them together via a router, you control - normally not smiled upon by the people that control those networks. But sure you can connect any networks you have connection to together.. Routing stuff from one network to the other prob going to be problematic because devices most likely point to some other gateway provided by the people that manage that network.. So they wouldn't even send traffic to pfsense anyway to get to the other network.. Unless you manage devices on both of these network and could point them in the right direction to get to the other network, or used port forwarding and nat to allow them to talk to things on the other network. But since you don't want them talking to each other.. What is the point of connecting them together via pfsense?

If you want some device to talk to something on lan1 or 2 from 3 (your wan of pfsense) you would need either setup routes on these devices on lan 3, or use nat and port forwarding, and then you would have to also outbound nat it to either lan1 or 2, or why would those devices send the return traffic back to pfsense.

sminded

@johnpoz I realize I might have to explain a little bit more.
LAN1 and LAN2 represents two separate networks on a train. Each LAN have a serviceport which I want to connect to the NG-1100 temporarily while doing service. So, NG-1100 and my solution is not a permanent solution, but a temporary that allows me to connect to devices on both LANs from a single point.
Moreover, on every train, the IP-addresses will be different since the supplier of the train have put the vehicle number as part of the IP-address.

172.15+C.T.x
10.T.C.x

Where C designates car number in the train, can be 1,2,3, or 6. And T designates the train number, can be between 1 and 60.

So the whole idea is to easily and quickly connect the NG-1100 to both service ports while entering the train for service reasons, and then connect the service laptop to the NG-1100. From there the service person can upgrade all software on different devices, download log files, or do other things.

stephenw10

Yes the 1100 will route between those subnets allowing you connect to either of them. You would almost certainly need to NAT the traffic as those networks wonlt have a route back. So effectively you would have those two existing subnets be WANs for the 1100.

Probably easier to think of it as simpky assigning the OPT port as an additional WAN.

So:
WAN port to the LAN1 subnet.
OPT port to the LAN2 subnett.
LAN port still the pfSense LAN with your cli8ent attached to it.

sminded

@stephenw10 This seems like a good idea. And a third WAN port for an LTE modem, will also work then I guess.

stephenw10

Yes that could work, assuming it's a USB device since there are only 3 ports. Modem support in pfSense is variable though. Be aware.