Some kind of multi wan and lan



  • Hello all.
    First of all, I am deeply sorry for the bad title and that I might have posted in the wrong forum. I couldn't figure it out.

    I have been benefiting from pfSense for almost a year now. I have spent many hours, and simply given up on this problem three times. I've decided to ask you guys to help me :)

    I have a 2 NIC setup for my pfSense, and not long ago I started running it as a VM.

    My ADSL line comes with two dynamic IPs, both of which I would like to use. I have achieved this once by setting a simple switch between my modem and two routers. But I'd really like to skip the switch and the extra router. How is this achievable, so that I could get WAN-IP1 and WAN-IP2? * Please note that I am completely dumb when it comes to VLANs.

    Then I would like three subnets.

    192.168.1.0 -> This should be my home connection where family is assigned. Running on WAN-IP1.
    192.168.2.0 -> This is for some servers. I would like to be able to make this subnet unable to communicate with anything else. WAN-IP1.
    192.168.3.0 -> This is for some other servers. I would like to be able to make this subnet unable to communicate with anything else. WAN-IP2.

    And again, this is hopefully possible without physically changing my cabling, but rather assigning another IP.

    Hope anyone is able to help me out here.

    Kind regards

    • Sune!


  • @Excizted:

    I have a 2 NIC setup for my pfSense, and not long ago I started running it as a VM.

    My ADSL line comes with two dynamic IPs, both of which I would like to use. I have achieved this once by setting a simple switch between my modem and two routers. But I'd really like to skip the switch and the extra router. How is this achievable, so that I could get WAN-IP1 and WAN-IP2? * Please note that I am completely dumb when it comes to VLANs.

    Then I would like three subnets.

    192.168.1.0 -> This should be my home connection where family is assigned. Running on WAN-IP1.
    192.168.2.0 -> This is for some servers. I would like to be able to make this subnet unable to communicate with anything else. WAN-IP1.
    192.168.3.0 -> This is for some other servers. I would like to be able to make this subnet unable to communicate with anything else. WAN-IP2.

    And again, this is hopefully possible without physically changing my cabling, but rather assigning another IP.

    You want to set up WAN-IP2 as a Virtual-IP (probably proxy arp).

    Then you can use that IP in your NAT rules to send traffic to your 192.168.3.0/24 subnet.

    With Advanced Outbound NAT you can set it so that traffic from the 192.168.3.0/24 subnet is NATed on WAN-IP2.

    With rules on the LAN interface, you can prevent the 192.168.2.0/24 and 192.168.3.0/24 subnets from speaking to one another. (Unless someone gets cute and configures IPs in both subnets on their ethernet interface.) The only way you can guarantee no cross talk between the two subnets is to have two LAN interfaces. But that requires physical changes to your cabling on the inside of the firewall. The WAN stuff is easy though.
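For readers who want to see what the three pieces of lambert's suggestion (a proxy ARP virtual IP, Advanced Outbound NAT, and LAN-interface block rules) amount to in the pf rules pfSense ends up loading, here is a hand-written pf.conf fragment. This is an added illustration, not code from the thread or from pfSense itself; the interface names, the 203.0.113.x WAN addresses and the two web-server hosts are placeholders, and in a real pfSense install these rules are generated by the GUI rather than typed in.

```pf
# Added example (not from the thread). Interface names and the
# 203.0.113.x addresses are placeholders; WAN IPs are really dynamic.
wan_if  = "em0"
lan_if  = "em1"
wan_ip1 = "203.0.113.10"   # WAN-IP1, the interface address
wan_ip2 = "203.0.113.11"   # WAN-IP2, added in pfSense as a proxy ARP Virtual IP
home    = "192.168.1.0/24"
srv_a   = "192.168.2.0/24"
srv_b   = "192.168.3.0/24"

# Advanced Outbound NAT: 192.168.3.0/24 leaves on WAN-IP2,
# the other two subnets leave on WAN-IP1.
nat on $wan_if inet from $srv_b to any -> $wan_ip2
nat on $wan_if inet from { $home, $srv_a } to any -> $wan_ip1

# Port forwards, so each WAN IP fronts its own web server
# (hosts .10 in each server subnet are placeholders).
rdr on $wan_if inet proto tcp from any to $wan_ip1 port 80 -> 192.168.2.10
rdr on $wan_if inet proto tcp from any to $wan_ip2 port 80 -> 192.168.3.10

# LAN rules: the server subnets may not reach the other internal subnets.
# "quick" makes the block win before the general pass rule below.
block in quick on $lan_if inet from $srv_a to { $home, $srv_b }
block in quick on $lan_if inet from $srv_b to { $home, $srv_a }
pass  in on $lan_if inet from { $home, $srv_a, $srv_b } to any
```

The block rules only see traffic that a host hands to pfSense as its gateway. Because all three subnets share one LAN interface and therefore one broadcast domain, a host that adds a second address from a neighbouring subnet talks to it directly over ARP and never crosses the firewall, which is exactly the caveat in the post above and why separate interfaces or VLANs are the only way to enforce the separation.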



  • @lambert:

    You want to set up WAN-IP2 as a Virtual-IP (probably proxy arp).

    The OP said it was dynamic, that's the nasty bit. The provider probably requires a unique MAC and I can't think of any way to pull off what he wants to do. I don't really see any problem with sharing the one external IP between your subnets. They come off the same provider, and presumably the speed is limited by the line and not per IP.

    @lambert:

    The only way you can guarantee no cross talk between the two subnets is to have two LAN interfaces.

    This is really the only decent way to do this, either separate interfaces and patch into different switches, or VLANs (sorry).



  • @dotdash:

    The OP said it was dynamic, that's the nasty bit. The provider probably requires a unique MAC and I can't think of any way to pull off what he wants to do. I don't really see any problem with sharing the one external IP between your subnets. They come off the same provider, and presumably the speed is limited by the line and not per IP.

    I want two domains, so that I could run two different websites, each with its own domain, which require two different IPs :)
    I thought it would be possible to make a virtual switch and connect some VLANs to get both IPs? :)
    @dotdash:

    This is really the only decent way to do this, either separate interfaces and patch into different switches, or VLANs (sorry).

    That's good enough, really :) If it had to be critically secure I'd for sure do it physically; it's mostly all those fancy network discovery features that I want to stop notifying people on my network about other people on my network without them being related :P



  • @Excizted:

    I want two domains, so that I could run two different websites, each with its own domain, which require two different IPs :)

    Only if you're using HTTPS, if it's plain HTTP then Virtual Hosts will solve the problem.



  • And what is Virtual Hosts? I don't see anything like it in my webGUI.



  • That's because it relates to the web server - try reading this article.

