Multiple Subnets (VLANs) behind pfSense

    First, I want to briefly describe my problem:
    Behind my pfSense I have many subnets (VLANs), and the problem is that I am not able to get onto the internet when I am in a different subnet than the pfSense is. I read a lot of documentation, and most of it said that I have to change the NAT to advanced, but this does not help.

    My configuration:
        |________|_______ |_______|
                         HP L3 Switch
                 pfSense (

    The HP L3 Switch is responsible for letting the different subnets communicate with each other. There is no problem with the routes!

    At first, I had an IPCop instead of the pfSense. There was no problem with the internet connection from other subnets. I only had to add a static route with route add -net netmask gw and every subnet could connect to the internet. In pfSense I also added the same static route, but other subnets are not able to get onto the internet. I also disabled the firewall, but it does not help. All PCs which are in the same subnet as the pfSense get an internet connection.
    So I think there is a problem with the firewall or with the NAT. But I don't know what.

    Could anybody help me? I did not find a manual which helped me, and I searched for many hours.

  • You have to add your "multiple" networks as static routes on the pfSense box (to be sure that pfSense is able to route back), for the LAN interface. Moreover, be sure you have appropriate rules for those LAN segments in the policy rules, to allow incoming traffic in the LAN rules.


  • You have 2 options:
    Either you add additional subnets to the LAN interface
    --> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

    or you create VLANs on the parent interface on which LAN is assigned and configure a trunk on the HP switch.
    --> http://doc.pfsense.org/index.php/HOWTO_setup_vlans_with_pfSense

  • The route you mentioned was pointing to the box itself, which is not helpful.
    You need a route on the pfSense box pointing to the L3 switch. Ideally, the firewall should be on a separate VLAN. e.g.- Let's assume is the firewall vlan and there are various devices on vlans from If the switch was on the firewall vlan, you would add a static route to (LAN if) gateway You would have to make sure your outbound nat source was and that your outbound rule on the LAN was using and not "lan subnet".
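
An added example, not part of the thread and not pfSense code: a small Python check of the three conditions the post above lists (a static route on the firewall that points at the L3 switch rather than at the firewall itself, an outbound NAT source that covers the remote subnets, and a LAN rule source wider than "LAN subnet"). The `cfg` layout and every address in it are constructed assumptions.

```python
import ipaddress as ip

def covered(subnet, networks):
    """True if subnet lies entirely inside one of the given networks."""
    return any(subnet.subnet_of(n) for n in networks)

def audit(cfg):
    """Return {subnet: [problems]} for each subnet that cannot reach the internet."""
    lan = ip.ip_network(cfg["lan_net"])
    fw_ip = ip.ip_address(cfg["fw_lan_ip"])
    nat = [ip.ip_network(n) for n in cfg["nat_sources"]]
    rules = [ip.ip_network(r) for r in cfg["lan_rule_sources"]]
    findings = {}
    for name in cfg["subnets"]:
        s = ip.ip_network(name)
        problems = []
        if s != lan:  # the LAN itself is directly connected, no route needed
            # Return path: the gateway must be a LAN neighbour (the L3 switch),
            # not the firewall's own address.
            ok = any(s.subnet_of(ip.ip_network(dst))
                     and ip.ip_address(gw) in lan and ip.ip_address(gw) != fw_ip
                     for dst, gw in cfg["static_routes"])
            if not ok:
                problems.append("no static route via the L3 switch")
        if not covered(s, nat):
            problems.append("not in outbound NAT source")
        if not covered(s, rules):
            problems.append("not allowed by LAN rule source")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample values (not from the thread).
BROKEN = {
    "lan_net": "10.0.254.0/24", "fw_lan_ip": "10.0.254.1",
    "subnets": ["10.0.254.0/24", "10.0.10.0/24", "10.0.20.0/24"],
    "static_routes": [("10.0.0.0/16", "10.0.254.1")],   # points at the box itself
    "nat_sources": ["10.0.254.0/24"],                    # LAN subnet only
    "lan_rule_sources": ["10.0.254.0/24"],               # "LAN subnet" only
}
FIXED = dict(BROKEN,
             static_routes=[("10.0.0.0/16", "10.0.254.254")],  # the L3 switch
             nat_sources=["10.0.0.0/16"],
             lan_rule_sources=["10.0.0.0/16"])

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg))
```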

  • That's right, dotdash, the gateway is xxx.254.
    I have reset the pfsense and made the tutorial from GruensFroeschli again and now it functions!!!!

    Thanks a lot!!!

