Bridging and Vlans - have I missed the point



  • Hi,

    I am after some help for a setup I have.  My setup is follows

    I have a server with two network cards, 1 is connected to a Wimax connection Which gives a /29 of which the gateway is the lower address.

    The second card is connected to a managed switch with 4 Vlans

    I would like Vlan 10 to be a standard internal LAN with private ips which will form a guest network, this will have the second lowest public ip address
    Vlans 20 is for office 1 which needs the third public ip from the /29
    Vlans 30 will be the forth another public ip

    Ideally the offices will have some traffic shaping or limiting on. Do I do this with bridges?



  • Traffic shaping: Firewall: Trafic shaper
    Rules(what traffic allowed etc): Firewall:Rules:corresponding interface

    no need to use bridging

    Manual outbound nat handles that need of share those public ip's to right vlans



  • thanks, that makes some sense to me, once on an interface i can apply the traffic shapping and firewall rules which is great, i thought i had been barking up the wrong tree with bridges

    Which opens my next question:

    How do you get a public IP to sit on an interface and how does that all work with gateways.

    from my isp i get X.X.X.201/29 with X.X.X.201 being the gate way

    My first interface takes the 202 address and has a private IP in the way
    Interface two (vLan 20) takes the 203 address and uses 1:1 NAT to a single IP (i may change this depending on how I get on with the next vLan)
    Interface three (vLan 21) i would like to be able to plug a device into this vLan that will then take the 204 address

    The other addresses will eventually be assigned the same way as interface3

    Am i missing a really simple tick box or do i need to do something clever for interface 3?



  • Manual outbound nat is your answer, if you already have virtual ip's.

    when you set trafic go out with one ip, it'll come back via that ip-address.

    Notice, that first wan ip-address is unneeded to apply here, please check attachments






  • Thanks, not quite what i was after (i wanted to put the public IPs on the actual devices themselves) however 1:1 natting will work and if it ain't broke….

    I have set virtual IPs as Proxy ARP which i think fixed my first issue as i had them as IP Alias.  What's odd though is that the Outbound nat is set to automatic but it seems to work as required with the correct outbound routing with just the 1:1 nat selected.  The manual outbound rules are there but switched off.  I am very hesitant to say this is possibly a bug, or that your previous post added an unrequired step but it might be worth someone who knows this part of pfsense looking into it.

    Thanks for you help in getting it working



  • More likely feature than bug. pfsense seems to be capable lot of different functions and thusfore it might be tricky to setup


Locked