    Bridge-VLAN or what?

    Routing and Multi WAN
    Popupgbg:

      Hi!

      I'm trying to help out at the kids' school and have the following scenario.
      There is one physical network for the staff and one physical network for the kids.

      Today there is no connection between the networks. I want to put a network printer in the staff network and have computers on both networks able to use it. I also want the computers connected to the staff network to be able to reach the server in the kids' network.

      The kids' computers should not be able to reach anything in the staff network except for the printer. Both networks should have Internet access.

      What would be the right way to do this in pfSense?

      I have been reading "The book" but can't get this to work.

      LAN----192.168.0.0----(DHCP Server 192.168.0.150-192.168.0.250)---Printer---192.168.0.15
                                          |
      ----WAN----Static IP-----|
                                          |
                                          |
                                          OPT1---192.168.1.0----(DHCP from 192.168.0.0 - Range 150-250)---Server---192.168.1.10

      Thanks for your help
      Thomas

      clarknova:

        From a technical standpoint there is nothing wrong with the way you have drawn it (except the dhcp range on OPT1, but I'm guessing that's a typo). What is it that's not working?

        From a security standpoint I would prefer to put the 'common access' items, including the server and printer, in a DMZ network. This way, if a kid manages to compromise any of these hosts, they don't have automatic access to the staff network.

        db

        Popupgbg:

          Hi!

          I was thinking about putting the server and printer in a DMZ, but the old Linux system would then need to be reconfigured and I don't want to do that. Today there is no DHCP in the old network setup; the guy before me didn't "like" DHCP.

          During the Christmas vacation I will replace some of the old system, but until then I need to fix this.

          As it is now I have created a bridge LAN-OPT1 in the settings page for the LAN interface, and computers on OPT1 get IP addresses over DHCP. I created a UDP rule on OPT1 to pass DHCP from LAN to OPT1, but I'm not able to get Internet access for computers on OPT1, only for computers on LAN.

          Best Regards
          Thomas

          clarknova:

            I don't see anything in your original post that would suggest that you want to bridge interfaces. Unbridge them and make firewall rules as follows:

            LAN interface
            Proto  Source    Port  Destination  Port  Gateway  Queue
            TCP    LAN net   *     Server       80    *        *
            *      LAN net   *     !OPT1 net    *     *        *

            OPT1 interface
            Proto  Source    Port  Destination  Port  Gateway  Queue
            TCP    OPT1 net  *     Printer      9100  *        *
            *      OPT1 net  *     !LAN net     *     *        *

            The above rules assume that your server is listening on port 80 and the printer on port 9100; you'll have to adapt them to your situation. Use automatic outbound NAT.

            db

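The rule set above, as an added example that is not part of the thread or of pfSense itself: a small Python evaluator that models how pfSense applies per-interface rules (evaluated on the interface where traffic enters, top to bottom, first match wins, implicit default deny) and checks clarknova's policy against constructed flows. The printer and server addresses come from Thomas's diagram; the OPT1 gateway address 192.168.1.1, the staff host 192.168.0.20 and the kids' host 192.168.1.50 are assumed values for the test flows. It also shows why rule order matters: the printer rule must sit above the "!LAN net" rule, and the "!LAN net" rule still lets the kids' network reach the firewall's own OPT1 address for DNS and DHCP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks and hosts from the thread's diagram. 192.168.1.1 as the OPT1
# gateway and the two client addresses used below are assumptions.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
OPT1_NET = ipaddress.ip_network("192.168.1.0/24")
PRINTER = ipaddress.ip_network("192.168.0.15/32")
SERVER = ipaddress.ip_network("192.168.1.10/32")


@dataclass(frozen=True)
class Rule:
    proto: str                      # "tcp", "udp" or "*" (any protocol)
    src: ipaddress.IPv4Network      # "LAN net" / "OPT1 net" in the GUI
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None models "*" (any destination port)
    dst_negate: bool = False        # True models the "!" (not) on the destination

    def matches(self, proto, src, dst, dport):
        if self.proto != "*" and self.proto != proto:
            return False
        if src not in self.src:
            return False
        in_dst = dst in self.dst
        # Negated rule: destination must be outside self.dst; plain rule: inside it.
        if in_dst == self.dst_negate:
            return False
        return self.dport is None or self.dport == dport


# clarknova's rules, one list per ingress interface, in GUI order.
RULES = {
    "LAN": [
        Rule("tcp", LAN_NET, SERVER, 80),                 # staff -> kids' server
        Rule("*", LAN_NET, OPT1_NET, dst_negate=True),    # staff -> anything but kids' net
    ],
    "OPT1": [
        Rule("tcp", OPT1_NET, PRINTER, 9100),             # kids -> printer only
        Rule("*", OPT1_NET, LAN_NET, dst_negate=True),    # kids -> anything but staff net
    ],
}


def ingress_interface(src):
    """pfSense rules apply on the interface the packet arrives on."""
    for name, net in (("LAN", LAN_NET), ("OPT1", OPT1_NET)):
        if src in net:
            return name
    return None


def decide(proto, src, dst, dport=None):
    """Return 'pass' or 'block' for the first packet of a new connection."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    iface = ingress_interface(src)
    if iface is None:
        return "block"
    for rule in RULES[iface]:
        if rule.matches(proto, src, dst, dport):
            return "pass"
    return "block"          # nothing matched: pfSense's default deny


# Constructed flows that a practitioner would check before trusting the policy.
FLOWS = [
    ("kid -> printer raw port", ("tcp", "192.168.1.50", "192.168.0.15", 9100), "pass"),
    ("kid -> printer web UI", ("tcp", "192.168.1.50", "192.168.0.15", 80), "block"),
    ("kid -> staff PC SMB", ("tcp", "192.168.1.50", "192.168.0.20", 445), "block"),
    ("kid -> Internet HTTPS", ("tcp", "192.168.1.50", "8.8.8.8", 443), "pass"),
    ("kid -> firewall DNS", ("udp", "192.168.1.50", "192.168.1.1", 53), "pass"),
    ("staff -> server HTTP", ("tcp", "192.168.0.20", "192.168.1.10", 80), "pass"),
    ("staff -> server SSH", ("tcp", "192.168.0.20", "192.168.1.10", 22), "block"),
    ("staff -> kid PC", ("tcp", "192.168.0.20", "192.168.1.50", 445), "block"),
    ("staff -> Internet HTTPS", ("tcp", "192.168.0.20", "1.1.1.1", 443), "pass"),
]


def check_policy():
    """Evaluate every constructed flow; return {description: (got, expected)}."""
    return {desc: (decide(*flow), expected) for desc, flow, expected in FLOWS}


if __name__ == "__main__":
    for desc, (got, expected) in check_policy().items():
        mark = "ok " if got == expected else "BAD"
        print(f"{mark} {desc:26s} {got}")
```

Swapping the two OPT1 rules in `RULES["OPT1"]` does not change the result here, because the negated rule never matches a LAN destination; what does break the policy is widening the printer rule's destination to "LAN net", which is the kind of shortcut the evaluator catches immediately.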