Netgate Discussion Forum

    Multiple public IP's to L2 switch with vlans

    Category: HA/CARP/VIPs
    3 Posts 2 Posters 2.8k Views
    • TheDoctor

      Hello,
      I've been using pfSense for my home network for a while but now I have to set it up to support multiple networks. My ISP has provided me with 5 static IPs with a /29 subnet mask and a gateway as the 6th IP in the same subnet. My environment has a pfSense box (Intel MB, core i3 G620 2.6GHz w/4GB RAM, 3 NICs: 2 GB, 1 100MB) connected to a Cisco SG200-26 L2 switch and a vmware esxi4.1 host with 6 NICs (5, 1 is used for iSCSI).

      I'm not sure of the terms but conceptually, what I'm trying to do is to set up 3 customers (A, B, C) to have OpenVPN remote access to their VMs and also host a mail server (Zimbra) in a DMZ (or an isolated vlan). Additionally, I'd like to have a site-to-site VPN to each of their offices (1 for each client). Plus I have a few NASes that I'd like to use for storage and backup storage, which I'd like to be accessible from all the different networks/VMs, so I thought I'd create a separate vlan and enlist it in each of the vlans so I can NFS-mount the shares?

      client A ---> WAN IP 1 ---> [pfSense 2.0] ---> vlan10 ---> 10.0.10.x
      client B ---> WAN IP 2 ---> [pfSense 2.0] ---> vlan20 ---> 10.0.20.x
      etc.

      Between the vlan configuration on the cisco and the multiple IP setup on the pfSense I'm thoroughly confused and I would appreciate any advice or guidance in setting this up.

      Thanks in advance!

      • TheDoctor

        Wow! I'm surprised that no one has had any suggestions.
        Anyway, I managed to set it up by creating a set of VIPs and NAT rules for each subnet. I was also able to set up the VPN to route to one of the internal networks.

        I have, however, noticed a couple of issues with this setup:
        1. I can reach other subnets from one another, even though the switch port only allows tagged frames. So it seems to be pfSense that's allowing traffic from one vlan into the others. I suppose I could add firewall rules to prevent that but isn't that the whole point of creating vlans?

        2. The VPN certs that are generated have the WAN IP address and I don't see how to specify the VIP address for it. So the remote users are coming in on the wrong IP and then routing to the correct internal VLAN.

        So if anyone knows how to remedy the above issues please let me know.

        Thanks

        • Metu69salemi

          Answering only the first: do you have these kinds of rules set on your VLANs?
          from vlan-subnet (or any) to any

          If yes, then the problem is your rule sets. You can create an alias called localnetworks and add all local networks to that alias.
          Then add this rule to your VLANs:

          block from vlan subnet (or any) to "localnetworks", and make sure that this rule is above any other rule.

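The rule ordering in the reply above, worked through as an added example (not part of the original thread and not pfSense code): a small first-match model of one VLAN interface's ruleset, so the effect of putting the block-to-localnetworks rule above or below the pass-to-any rule can be checked without a box. pfSense evaluates interface rules top to bottom on the interface where traffic enters, the first match wins, and anything unmatched is dropped by the implicit default deny. The subnets follow the numbering in the first post (10.0.10.0/24 for VLAN 10, 10.0.20.0/24 for VLAN 20); the 10.0.30.0/24 storage VLAN, the firewall's 10.0.10.1 address on VLAN 10, the alias name `localnetworks` and the two exception rules are assumptions added here.

```python
"""First-match model of a pfSense-style per-VLAN ruleset (added example).

Models only the rules on the VLAN 10 tab; each VLAN needs its own copy
of the same pattern. Addresses are assumed, not taken from the thread,
except the 10.0.10.x / 10.0.20.x plan the first post sketches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

# Assumed address plan.
VLAN10 = ip_network("10.0.10.0/24")     # client A
VLAN20 = ip_network("10.0.20.0/24")     # client B
NAS_VLAN = ip_network("10.0.30.0/24")   # shared storage VLAN (assumed)
VLAN10_ADDR = ip_address("10.0.10.1")   # pfSense's own address on VLAN 10 (assumed)

# The alias the reply calls "localnetworks": every subnet behind pfSense.
LOCALNETWORKS = (VLAN10, VLAN20, NAS_VLAN)


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: Sequence[IPv4Network] = ()      # empty == "any"
    dst: Sequence[IPv4Network] = ()      # empty == "any"
    dport: Optional[int] = None          # None == any destination port
    label: str = ""


def host(addr) -> IPv4Network:
    """A single address as a /32 network, for 'this interface address' rules."""
    return ip_network(f"{addr}/32")


def _in(nets: Sequence[IPv4Network], addr) -> bool:
    return not nets or any(addr in n for n in nets)


def evaluate(ruleset: Sequence[Rule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    s, d = ip_address(src), ip_address(dst)
    for r in ruleset:
        if _in(r.src, s) and _in(r.dst, d) and (r.dport is None or r.dport == dport):
            return r.action
    return "block"  # pfSense's implicit default deny


# Ruleset 1: only the usual "VLAN10 net -> any" pass rule. Other VLANs are reachable.
OPEN = (Rule("pass", (VLAN10,), (), label="vlan10 net -> any"),)

# Ruleset 2: the reply's fix, the block to localnetworks placed above the pass.
ISOLATED = (
    Rule("block", (VLAN10,), LOCALNETWORKS, label="vlan10 net -> localnetworks"),
    Rule("pass", (VLAN10,), (), label="vlan10 net -> any"),
)

# Ruleset 3: the same two rules in the wrong order; the pass shadows the block.
WRONG_ORDER = tuple(reversed(ISOLATED))

# Ruleset 4: isolation plus the exceptions this thread's setup needs, placed
# above the block: DNS to the firewall's own VLAN 10 address (which is inside
# localnetworks and would otherwise be cut off) and NFS to the shared NAS VLAN.
ISOLATED_WITH_EXCEPTIONS = (
    Rule("pass", (VLAN10,), (host(VLAN10_ADDR),), dport=53, label="DNS to firewall"),
    Rule("pass", (VLAN10,), (NAS_VLAN,), dport=2049, label="NFS to NAS VLAN"),
) + ISOLATED


if __name__ == "__main__":
    cases = [
        ("10.0.10.5", "10.0.20.5", None),    # client A host -> client B host
        ("10.0.10.5", "203.0.113.10", 443),  # client A host -> internet
        ("10.0.10.5", "10.0.10.1", 53),      # client A host -> firewall DNS
        ("10.0.10.5", "10.0.30.10", 2049),   # client A host -> NAS over NFS
        ("10.0.10.5", "10.0.30.10", 22),     # client A host -> NAS over SSH
    ]
    for name, rs in [("open", OPEN), ("isolated", ISOLATED),
                     ("wrong_order", WRONG_ORDER), ("with_exceptions", ISOLATED_WITH_EXCEPTIONS)]:
        for src, dst, port in cases:
            print(f"{name:16} {src} -> {dst}:{port}  {evaluate(rs, src, dst, port)}")
```

The model shows why the reply insists the block rule sit above everything else: with the pass-to-any rule first, the block rule is never reached. It also shows the two holes a practitioner hits next with the exact "block to localnetworks" rule: the firewall's own interface address is inside the alias, so DNS or gateway services on pfSense need a pass rule above the block, and the shared NAS VLAN from the first post needs its own narrow pass rule above the block rather than being left in the alias, or the NFS mounts stop working.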
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.