Will this work?

  • The image below shows the kind of setup I have for my network. My question would be whether this will work  since the pfSense box is after the NAT and it needs to route traffic for the 192.168.2.* and 192.168.3.* LANs. pfSense would serve more as a bandwidth manager rather than as a firewall since as you can see there's already a firewall placed before the NAT.  I have already tested this setup with both the LAN and WAN IPs of pfSense having the same subnet mask as the NAT. As I had observed, traffic is not routed at all between the said LANs and the NAT. Now, is this setup correct? Or do I need to do some modification? If so, then how should I go about this? I concede that I don't have that much knowledge in network hardware. Thanks.

  • You have the pfSense in a bridging setup here (same subnet on LAN and WAN). Trafficshaping won't work on bridging setups (yet). There is a bounty on this kind of enhancements but it's not done yet. Check out the bounty section for more information.

  • ok. so where should i place pfSense in this setup? should I replace the NAT with pfSense? or is it possible that I place it before the NAT? if i replace the NAT with pfSense, how should i configure it to handle traffic from the 192.168.2.* and 192.168.3.* LANs?

  • Depending on what the nat-server does I would dump it and let pfSense handle everything. Make each local subnet a VLAN and trunk the port to the pfSense (this way you can firewall them if needed later too).

    You even might be able to replace the other 2 flammed boxes with a single pfSense. Not sure what they do or what they are meant for.

  • I kind of don't get what you mean by trunk the port to the pfSense. Can you explain further on this? Sorry for my ignorance.

  • A trunk is a port which will see all configured vlans. It's not a pfsense specific terminology. See http://en.wikipedia.org/wiki/Vlan for details.

  • Can you give me an idea on how to create these VLANs in pfSense since I have decided to replace the NAT server with pfSense? And how to trunk the ports to pfSense. Also, is pfSense by default configured as a NAT server? Your help is greatly appreciated. Thanks.

  • By default pfSense will do NAT on any interface that has a gateway set. If you need other settings you can get full control over the NAT by enabling advanced outbound NAT at firewall>NAT, outbound.

    To create VLANs with pfSense go to interfaces>assign, VLAN tab. You can create VLANs for your Interfaces there. After that you can assign the VLANs just like a real interface. They'll show up everywhere just like if they were an interface (firewallrules, nats, interfacesettings…).

    How a trunk port is configured at your switch depends on the switch itself. Check the manpages of your switch (it of course has to support vlans but as you already have a vlan in your networkmap I guess it does).

  • should i set a specific IP address for each VLAN? if so, how can i set it in pfSense? thanks.

  • @hoba:

    They'll show up everywhere just like if they were an interface (firewallrules, nats, interfacesettings...).

  • ok. so now i have created 1 VLAN, which has the LAN's interface as its parent interface, and assigned it as an OPT1 interface with an IP of my default LAN is assigned an IP of The switch that I am using is a 3com 3300 which supports VLANs and it has 1 default VLAN with a default tag of 1. I have also assigned a tag of 1 to the VLAN that I have created in pfSense. Now, am I doing this right? Or do I need to add another VLAN at the switch. For the time being, the VLAN cannot route any data. So, I guess there's something wrong somewhere. Thanks.

  • You should create a vlan per subnet, so make LAN and OPT1 both a vlan and don't run a subnet directly on the same nic. Then set up your switch accordingly and you should be all set.

    And you shouldn't use VLAN1. The ID 1 is often used for special things or preconfigured on devices which might mess things up.

  • ok. so, i have asked the network admin whether he created vlans on the switch for each subnet with regards to the previous NAT server. Actually, he didn't. He just created the 2 subnets from the NAT server, which is Windows 2000, trunked to one interface and didn't do anything with the switch.  On the Windows server, he first entered an IP which is and added another IP for the same interface which is The result are two subnets that can route data to each other. I wish I could do the same with pfSense. Thanks

Log in to reply