LAN access in WAN IF

  • I have a test bed set up in our office.

    Outer ADSL router (Gateway) > WAN IF pfSense box LAN IF > Internal LAN (LAN2 192.168.2.0/24)

    Outer ADSL router serves Internet access to test machine on this side (LAN1).

    pfSense WAN IF is assigned a static external IP address.

    My question is what is the most secure way to let the LAN communicate with the network?

    It is not a production setup so I have the freedom to modify accordingly for test purposes.

    Any enlightenment from users would be great thanks.



  • What on the LAN does the LAN need to communicate with?

    The answer to that will influence what you do - NAT (and port forwarding) or routing.  Ultimately you should deny all access by default and only allow the minimum possible.

  • Thanks for the reply Cry Havoc

    I have added another picture to clarify my situation.

    I wish for the entire LAN1 network to be able to talk to the LAN1

    I may have a test web server on the 2.0 side that I wish to access from the 1.0 side.

    This may be pie in the sky.

  • Which is it:

    1. Every device on can access any device on
    2. Every device on can access a single web server on

    If it's the second I'd suggest you instead put the test server on the network.  If it's the first then there isn't any way to do that securely - you'll be turning off security to allow every device on both networks to communicate.

    Would it be possible to put the network on the OPT1 interface? Could rules be set up to allow the 1.0/24 to talk to the 2.0/24 network range via OPT1?

    I will forget the web server at this point. It would be good to get the two independent IP network ranges to be able to talk to each other.

    Any ideas appreciated.

    BTW I do not need the 1.0/24 network to have internet access just be able to talk to the 2.0/24 network.

    Thanks so far.

  • If you can put them both on the same firewall then it's much easier, yes.  Then it's a simple routing problem and there's nothing fancy to do.

    I just tried doing an all * all on the LAN interface 2.0/24 and an all * all on the OPT1 1.0/24 to see if, leaving it wide open, the separate networks could talk, and no dice. I could not ping from the 1.0 network to the 2.0 network. Any ideas?

    Also, which IP address should the OPT1 interface be? Should it be within the 1.0 range?

    Sorry for this amount of questions but this scenario has been on my mind for a while now.

    It sounds like you want to do something like the attached diagram. These firewall rules will give you Internet and OPT1 access from LAN, and LAN access (but no Internet) from OPT1:

    LAN interface

    • LAN net   *   * *   *

    OPT1 interface

    • OPT1 net  *   LAN net  *   *  *

    Use automatic outbound NAT.
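To make the effect of the two rules above concrete, here is an added Python model of how pfSense applies them (this is example code written for this thread, not part of the original post or of pfSense). It assumes, as the thread implies, that LAN is 192.168.2.0/24 and OPT1 is 192.168.1.0/24; the external address 203.0.113.5 is a constructed placeholder standing in for "the Internet". The model captures three behaviours worth understanding before you click "Apply": rules are evaluated on the interface the packet enters, the first matching rule wins, and anything no rule passes is dropped by the default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks from the thread. "LAN net" / "OPT1 net" are the pfSense aliases
# for the subnet configured on each interface (assumed values).
INTERFACE_NETS = {
    "LAN": ip_network("192.168.2.0/24"),
    "OPT1": ip_network("192.168.1.0/24"),
}
ALIASES = {"LAN net": INTERFACE_NETS["LAN"], "OPT1 net": INTERFACE_NETS["OPT1"]}


@dataclass
class Rule:
    """One pfSense-style rule: action, protocol, source alias, destination alias."""
    action: str  # "pass" or "block"
    proto: str   # "*" means any protocol
    src: str     # alias name, literal address, or "*"
    dst: str

    @staticmethod
    def _addr_matches(spec, addr):
        if spec == "*":
            return True
        if spec in ALIASES:
            return addr in ALIASES[spec]
        return addr == ip_address(spec)

    def matches(self, proto, src, dst):
        proto_ok = self.proto == "*" or self.proto == proto
        return proto_ok and self._addr_matches(self.src, src) and self._addr_matches(self.dst, dst)


# The two rules from the post above, keyed by the interface they are placed on.
# LAN:  LAN net  -> *        (Internet and OPT1 reachable from LAN)
# OPT1: OPT1 net -> LAN net  (only LAN reachable from OPT1; no Internet)
RULES = {
    "LAN": [Rule("pass", "*", "LAN net", "*")],
    "OPT1": [Rule("pass", "*", "OPT1 net", "LAN net")],
}


def ingress_interface(src):
    """Return the interface a packet from `src` would enter on, or None for WAN."""
    for name, net in INTERFACE_NETS.items():
        if src in net:
            return name
    return None


def evaluate(proto, src_ip, dst_ip):
    """Decide pass/block for one new flow the way pfSense does: rules are
    checked on the ingress interface only, first match wins, default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    iface = ingress_interface(src)
    if iface is None:
        # Unsolicited traffic arriving on WAN: no rules defined there, so denied.
        return "block"
    for rule in RULES.get(iface, []):
        if rule.matches(proto, src, dst):
            return rule.action
    return "block"  # implicit default-deny at the end of every interface's rule set


if __name__ == "__main__":
    flows = [
        ("icmp", "192.168.2.10", "192.168.1.10"),  # LAN  -> OPT1      : pass
        ("tcp",  "192.168.2.10", "203.0.113.5"),   # LAN  -> Internet  : pass
        ("icmp", "192.168.1.10", "192.168.2.10"),  # OPT1 -> LAN       : pass
        ("tcp",  "192.168.1.10", "203.0.113.5"),   # OPT1 -> Internet  : block
        ("tcp",  "203.0.113.5",  "192.168.2.10"),  # WAN  -> LAN       : block
    ]
    for proto, s, d in flows:
        print(f"{proto:4} {s:>14} -> {d:<14} {evaluate(proto, s, d)}")
```

Note that this models only the firewall decision for the first packet of a flow; replies come back through the state table, which is why a single "OPT1 net -> LAN net" rule is enough for the OPT1 host to get answers to its pings without any rule in the other direction.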

    Before I go ahead, clarknova:

    1. What IP address should I set the OPT1 interface to? Does it have to sit inside the IP range?

    2. On the 1.0/24 Windows client, what would the default gateway and preferred DNS server be? Do I set these to the same values as the 2.0/24 network has?


  • 1. The address of the OPT1 interface will be 192.168.1.x, where x is any value from 1 to 254. 0 and 255 are reserved in a /24 network.

    2. If you use pfSense's DNS forwarder and DHCP server, then the clients will obtain their gateway and DNS server automatically when requesting DHCP.

