ADSL modem not attached to pfsense box



  • The ADSL connection to the house is not where I want my server to be, including the pfSense VM.
    Between the VM NICs and the 2 LANs, I am reaching the limit of my understanding of networking.
    Here is the layout I have in mind:

    Internet
      |
      | x.x.x.x (from ISP)
      |
    ---------------------------------------------
    modem
    ---------------------------------------------
    Switches
    ---------------------------------------------
    Host (XP)
      NIC:    192.168.10.2  bridged to  VMnet1: 192.168.10.3 (bridged to VM)
      NIC2:   192.168.0.2   bridged to  VMnet2: 192.168.0.3  (bridged to VM)
    ---------------------------------------------

    I understand this setup is not the safest, but by the time the kids understand how to circumvent it, they will be old enough not to need it...

    While I configure this, the good thing is that to come back to a non-firewalled setup, I just have to pause the VM, rename the modem to 192.168.0.1 and turn its DHCP on, so my testing shouldn't disrupt users too much.

    At the moment, I only have one NIC on the host. Do I really need 2 NICs? Since they will both be connected to the same switch, that seems redundant, but I can't quite visualise how one physical NIC can be used to provide 2 NICs on the guest (WAN and LAN). Any suggestion?

    Any comment before I get started? Should this work?

    Thank you for your insight.


  • Netgate Administrator

    Nice ASCII art!  ;)
    If you have a VLAN capable switch then you only need one nic.
    I'm a bit confused by the box you have labeled 'switches'. Is that more than one switch?
    If it's not then you don't seem to have any segregation between lan and wan.  ???
    If it's just for convenience then I suggest:
    Run a cable directly from your router to the WAN NIC on your pfSense box and a cable from the LAN NIC to your switch.
    Run a second cable from your router, assuming you have more than one port, to your switch, but don't connect it.
    That way you can leave DHCP turned on on your router, providing an IP to your pfSense WAN.
    If you want to remove pfSense from your setup, just unplug the LAN-switch cable and plug in the router-switch cable and you're good.

    Steve



  • Quoting Steve:
      Nice ASCII art!  ;)

    Yes, one picture is worth etc... :)  though that didn't quite work, as the setup is still not clear it seems.

    Quoting Steve:
      If you have a VLAN capable switch then you only need one nic.
      I'm a bit confused by the box you have labeled 'switches'. Is that more than one switch?
      If it's not then you don't seem to have any segregation between lan and wan.  ???

    I don't have VLAN capable switches. The "Switches" box is the LAN and 2 switches. The WAN arrives on the 1st floor, where there are PCs attached to the same switch as the modem. The server is in the basement and also has PCs attached to the basement switch, so I can't really run a cable. I'll put a wifi access point there too, though I am still unsure how.

    Does the setup make sense? Do the IP addresses seem reasonable? Thanks again.


  • Netgate Administrator

    Ah. So I think this question is really: can you have two IP subnets on one physical LAN segment?

    The answer to that is yes, but I'm not sure about dumb switches.

    There is probably no need to have two NICs in the pfSense box, just use a virtual interface, though it will make setup easier to have two.

    I have to say I have always tried to avoid this like the plague! I do have something similar set up to access my ADSL modem, which is on the WAN interface public IP.

    Anyone else care to comment?

    I assume you realise that the pfsense box could be easily bypassed by setting an IP manually. Never underestimate how quickly children learn this stuff!

    Steve
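    The bypass Steve warns about follows directly from the layout: with dumb switches, the modem's subnet and the pfSense LAN subnet share one broadcast domain, so any host that gives itself a static address in the modem's subnet can use the modem as its gateway and never touch pfSense. On dumb switches there is no port or VLAN to enforce the split, so the practical check is to watch who is answering ARP on the segment. The script below is an added example, not code from the thread or from pfSense; it assumes the subnets used in the original post (192.168.10.0/24 on the modem side, 192.168.0.0/24 on the pfSense LAN side), assumes which WAN-side addresses are legitimate, and parses a constructed `ip neigh show` listing.

```python
"""Flag hosts on a flat L2 segment that sit outside the firewalled subnet.

Added example (not from the original thread). Two subnets share one
broadcast domain: the modem side and the pfSense LAN side. A host that
configures a static address in the modem side's subnet reaches the modem
directly and bypasses pfSense. The neighbour (ARP) table of any machine on
the segment shows which addresses are actually live, so we scan it.
"""
import ipaddress
import re

# Assumed subnets, taken from the addressing in the original post.
WAN_NET = ipaddress.ip_network("192.168.10.0/24")   # modem side
LAN_NET = ipaddress.ip_network("192.168.0.0/24")    # pfSense LAN side
# Assumed: the only addresses that legitimately live on the modem side
# (modem, host's physical NIC, pfSense WAN).
WAN_ALLOWED = {"192.168.10.1", "192.168.10.2", "192.168.10.3"}

# Constructed sample of `ip neigh show` output for this example.
SAMPLE_NEIGH = """\
192.168.0.3 dev eth0 lladdr 00:0c:29:aa:bb:01 REACHABLE
192.168.10.3 dev eth0 lladdr 00:0c:29:aa:bb:02 REACHABLE
192.168.0.20 dev eth0 lladdr 08:00:27:11:22:33 STALE
192.168.10.1 dev eth0 lladdr 00:1d:7e:de:ad:01 REACHABLE
192.168.10.77 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
192.168.0.21 dev eth0 lladdr 08:00:27:44:55:66 DELAY
192.168.10.200 dev eth0 lladdr 08:00:27:77:88:99 REACHABLE
192.168.0.22 dev eth0 FAILED
"""

# `ip neigh` line: <ip> dev <if> lladdr <mac> <state>; FAILED entries have no MAC.
NEIGH_RE = re.compile(
    r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\s+(\S+)$")


def parse_neigh(text):
    """Return [(ip_address, mac)] for neighbour entries with a resolved MAC."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((ipaddress.ip_address(m.group(1)), m.group(2).lower()))
    return entries


def find_bypass(entries):
    """Return [(ip, mac, reason)] for hosts that are not where the design
    puts them: an unexpected address on the modem side (firewall bypassed),
    or an address in neither subnet (unknown network on the wire)."""
    findings = []
    for ip, mac in entries:
        if ip in WAN_NET and str(ip) not in WAN_ALLOWED:
            findings.append((str(ip), mac, "unexpected host on modem side: bypasses pfSense"))
        elif ip not in WAN_NET and ip not in LAN_NET:
            findings.append((str(ip), mac, "address in neither subnet"))
    findings.sort(key=lambda f: ipaddress.ip_address(f[0]))
    return findings


def dual_homed(entries):
    """Return {mac: [ips]} for MACs that hold a LAN-side address and an
    unexpected modem-side address at once: a LAN host that added a second
    static address to get past the firewall."""
    by_mac = {}
    for ip, mac in entries:
        by_mac.setdefault(mac, set()).add(ip)
    result = {}
    for mac, ips in by_mac.items():
        on_lan = any(ip in LAN_NET for ip in ips)
        sneaking = any(ip in WAN_NET and str(ip) not in WAN_ALLOWED for ip in ips)
        if on_lan and sneaking:
            result[mac] = [str(ip) for ip in sorted(ips)]
    return result


if __name__ == "__main__":
    neigh = parse_neigh(SAMPLE_NEIGH)
    for ip, mac, reason in find_bypass(neigh):
        print(f"{ip:16} {mac}  {reason}")
    for mac, ips in dual_homed(neigh).items():
        print(f"{mac} holds {', '.join(ips)}")
```

    The neighbour table only lists hosts the observing machine has recently exchanged frames with, so populate it first (for example, ping every address in the modem-side subnet from the pfSense LAN interface or from a PC on the segment) and then run the check. A host can still sidestep this by changing its MAC as well, which is the honest limit of what a flat segment on dumb switches lets you enforce; the cable-swap layout Steve describes, or a VLAN capable switch, is what actually separates the two sides.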



  • I'll pick a wacky IP address for the router, so

    1. they'd have to guess it (unless they know about and are allowed to run tracert, mmm have to check that)
    2. they don't run as admin, so can't set IP addresses,
      so by the time they can do it, they should be mature enough… there's hoping...  :)

    Good to see nothing shocked you in the choice of IP addresses for the various bits. I think dumb switches can route subnets fine. I'll know soon, I guess. The family is coming over for Christmas (from 20,000 km away, can't make a longer trip than that), so I might have to wait a bit before I find time to try.

    Thanks again.


  • Netgate Administrator

    The IP addresses all look good to me, but I should say that I've never run pfSense virtualised, so you're on your own there!
    It would be nice to get a third opinion.

    Still, there's nothing like trying it and seeing. I'm sure your experiences will help some other forum user at some point.

