    VLAN vs Subnetting for VM hosting.

      brianwebb01

      I have a network of VMs each having a LAN IP address and a public IP address.  They each have a 1:1 NAT map for public access via the public IP for HTTP, SSH etc.  I'm trying to figure out a way to restrict the LAN IPs from talking to each other, but there are some cases where a group of LAN IPs will need to communicate.  Currently I can't set a LAN firewall rule because I suspect the traffic is being routed through the switch so pfSense never sees it.

      I'm on a 192.168.0.X configuration with subnet mask 255.255.255.0

      From what I've researched it looks like I could use VLANs or IP subnets w/ static routes to restrict the access.  I'm thinking that I don't want to go the VLAN route since there are 100+ VMs at the moment that don't need to talk to any other IPs, so I'd be looking at 100+ VLANs and growing.  So my thinking is that I need to subnet each VM so that it can't talk to other IPs that aren't in the same subnet, then add static routes so the subnet can talk to pfSense. Does this sound right?

      If I'm on the right track, does anyone have recommendations on how to set up the subnets?

      Thanks!

        brianwebb01

        Update:  So I'm on the subnetting plan.  I've got things set up on different subnets so they can't talk to each other, but I need each subnet to connect back to the main router as a gateway.  Is there a way to take an IP from the subnet and point it at the pfSense box?  Surely ISPs that subnet everything like this don't have a router per subnet.

          kc8apf

          Just add virtual IPs on the pfSense box.  One per subnet.  You'll need to add appropriate firewall and NAT rules to allow traffic from the various subnets.

            brianwebb01

            Thanks for the response. I added the virtual IP, alias and FW rule but still no dice.  I'm not sure what I should add into NAT though.  Here's the setup:

            Virtual Machine:
                address: 192.168.1.2
                netmask: 255.255.255.252
                gateway: 192.168.1.1

            pfSense:
                Virtual IP:
                    Type: Proxy ARP
                    Interface: LAN
                    IP Address: 192.168.1.1

                Alias:
                    Name: mySubnet
                    Type: Network
                    Network(s): 192.168.1.0/30

                FW Rule:
                    Action: Pass
                    Interface: LAN
                    Protocol: any
                    Source: mySubnet
                    Destination: 192.168.0.1

            Thanks!

              kc8apf

              Can you ping pfSense from the VM?  Did you add firewall and NAT rules to allow traffic from 192.168.1.x via 192.168.1.1?

                brianwebb01

                I can't ping pfSense on the virtual IP (192.168.1.1) or the real LAN IP (192.169.0.1).

                I added a firewall rule that allows any traffic from 192.168.1.0/30 to talk to 192.168.0.1.

                Is that firewall rule wrong? What should I be setting up in NAT? My 1:1 only has the WAN interface.

                Thanks

                  kc8apf

                  You need to allow 192.168.1.0/30 to talk to 192.168.1.1.  Crossing subnets would require routing which can't happen until you allow traffic in the interface.

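The following is an added worked example, not code from the thread or from pfSense. It models the per-VM /30 plan and the firewall-rule mismatch the thread ends on: carving a pool into /30s (first usable address as the pfSense virtual IP, second as the VM, matching the 192.168.1.1/192.168.1.2 layout posted above), checking when VM-to-VM traffic has to cross the gateway at all (on the flat /24 it never does, which is why pfSense never sees it), and a first-match evaluation of the posted LAN rule against the corrected one. The pool `192.168.4.0/22` and the `Rule` model are constructed for the example; the rule addresses are the thread's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed pool for the per-VM /30 plan (not from the thread): a /22 holds
# 256 /30s, enough for the "100+ VMs and growing" mentioned in the first post.
VM_POOL = ipaddress.ip_network("192.168.4.0/22")


def carve_p2p_subnets(pool, count):
    """Split `pool` into /30s. In each /30 the first usable address is the
    pfSense virtual IP (the VM's gateway) and the second is the VM itself."""
    plan = []
    for net in pool.subnets(new_prefix=30):
        if len(plan) == count:
            break
        gateway, vm = list(net.hosts())  # a /30 has exactly two usable hosts
        plan.append({"network": net, "gateway": gateway, "vm": vm})
    if len(plan) < count:
        raise ValueError(f"{pool} only holds {len(plan)} /30 subnets, need {count}")
    return plan


def needs_routing(src_ip, src_prefix_len, dst_ip):
    """True when the destination lies outside the source's own subnet, so the
    packet goes to the gateway (pfSense) and is subject to its LAN rules.
    On a flat /24, VM-to-VM traffic stays on the switch and is never filtered."""
    local = ipaddress.ip_network(f"{src_ip}/{src_prefix_len}", strict=False)
    return ipaddress.ip_address(dst_ip) not in local


@dataclass
class Rule:
    action: str  # "pass" or "block"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def rule(action, source, destination):
    return Rule(action, ipaddress.ip_network(source), ipaddress.ip_network(destination))


def lan_allows(rules, src_ip, dst_ip):
    """First-match evaluation of LAN rules with an implicit default deny,
    which is how pfSense treats traffic no pass rule matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.source and d in r.destination:
            return r.action == "pass"
    return False


# The rule as posted: pass from mySubnet (192.168.1.0/30) to 192.168.0.1 only.
POSTED_RULES = [rule("pass", "192.168.1.0/30", "192.168.0.1/32")]

# The fix from the last post: the VM must be allowed to reach its own gateway,
# 192.168.1.1, before any cross-subnet routing can happen.
FIXED_RULES = [rule("pass", "192.168.1.0/30", "192.168.1.1/32")] + POSTED_RULES


def vm_can_ping_gateway(rules):
    """The check from the thread: can 192.168.1.2 reach its gateway 192.168.1.1?"""
    return lan_allows(rules, "192.168.1.2", "192.168.1.1")


if __name__ == "__main__":
    plan = carve_p2p_subnets(VM_POOL, 100)
    print("first VM:", plan[0]["vm"], "gateway:", plan[0]["gateway"])
    print("flat /24, VM to VM via gateway:", needs_routing("192.168.0.10", 24, "192.168.0.20"))
    print("/30 plan, VM to VM via gateway:", needs_routing(str(plan[0]["vm"]), 30, str(plan[1]["vm"])))
    print("posted rules let VM ping gateway:", vm_can_ping_gateway(POSTED_RULES))
    print("fixed rules let VM ping gateway:", vm_can_ping_gateway(FIXED_RULES))
```

Running the script shows the two points the thread converges on: with /30s every VM-to-VM packet must pass through the gateway, so pfSense's LAN rules finally apply to it, and the posted rule (destination 192.168.0.1 only) never matches a ping to the virtual IP 192.168.1.1, which is why the ping fails until a pass rule to the gateway itself is added. Per-VM exceptions (the "group of LAN IPs that need to communicate") become additional pass rules between specific /30s rather than a flat any-to-any LAN.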