No internet on opt interfaces



  • Hi, I'm new to pfsense.  After several failed attempts of setting it up to do exactly what I needed, I've finally got it working perfectly fine, except for my OPT interfaces.

    I have 4 NIC cards in my P3 box…WAN, LAN, OPT1 and OPT2

    Right now I have my LAN connected to a 24 port network hub, my main pc connected, workbench pc(s) connected, wireless router (DHCP server disabled acting as WAP) connected and PS3 connected...all working fine, however, I can't help but to worry about all this traffic put on to a single 10/100 NIC card and that is why I need these opt interfaces to be used :)

    Here's the closest I have gotten...create a bridge involving LAN and both OPT interfaces, connect my WAP to OPT1 and attempt connection via iphone...I get a good IP, but no surf and the IP is dropped and wifi goes out completely after roughly 15-20 seconds (strange lol)

    I want to really split the load of this traffic to opt interfaces but have them operating on the same IP range as the LAN so as to avoid issues or connection problems with devices sharing media between multiple devices all in the same subnet  (1.100 - 1.199 I think that's what a subnet is, not positive). Is this possible?  If not, I'm DEFINITELY going to require a gigabit NIC for my LAN, should have 1 anyways :P

    I'm REALLY sorry for sounding like such a noob but as all my friends know as well, networking has always been my weakness in IT. I'm trying really hard to build on it and pfsense is a really good way to do that.  I have learned so much it's unbelievable :)

    any answers appreciated thanks



  • You'll be worse off splitting the traffic like that, especially if there's much transfer between the devices. Sounds like you're a bit confused on what you're looking to accomplish, you said you don't want to put all that load on a single 10/100 NIC, but you're putting much more load on it by doing that. The only reason you'd want to do that is if you need to filter traffic between the networks. There is far more overhead involved in filtering traffic than there is in switching it, and if you keep all the devices on the same switch, the traffic between them never touches your firewall. If you want or need to filter traffic between those, then you're on the right track, but it sounds like you're under the impression that's somehow going to have a performance benefit, when the opposite is true.

    Doesn't really address your problem, my guess there is you didn't add any firewall rules to the OPT interface so you're blocking all traffic going into it. But whether you want to actually fix the problem or reconsider what you're doing is probably the better question.



  • Ohhh k, thanks….see I'm under the impression that splitting the traffic across as many interfaces as possible and making the P3 processor and RAM that pfsense is running on will be MUCH faster and efficient (i.e. I thought having a dedicated interface for every single device in the house running through pfsense would ultimately be the best performance that could be achieved, of course this is not possible to be done due to the 4 NIC card total limit but you know what I mean :P)

    So will a single NIC card have the capability to handle HD streaming on PS3, gaming on main PC, downloading torrents with bandwidth limitation, and streaming on ipad?  Seems like an awful lot of traffic for a single NIC card however I might not be fully understanding the travel and processing of network data

    I also run an android and apple server 24/7 with in as well as over the internet streaming

    Would you recommend a gigabit card? Or do you think I will be fine doing all of this with a 10/100 card?



  • What's your Internet bandwidth? I presume less than 100 Mb, and I presume your LAN side switch is 100 Mb, which means it's impossible to have congestion on the LAN NIC if only Internet traffic is going through it. If you're routing traffic between internal devices on a 100 Mb NIC, you very well could exhaust that 100 Mb.

    So yeah, actually you're creating the problem you're afraid of by using multiple NICs, rather than avoiding it. :)



  • Truth be told there are several situations where having OPT NICS going to additional networks is ideal and all in all as far as the OP'r is concerned it is true that his impression of bandwidth being served directly across the WAN wouldn't be limited by this but nor would it benefit.

    This document here (http://doc.pfsense.org/index.php/Multi-LAN_Setup) is ultimately what he asked for and I need…. but this document is sadly lacking and makes the assumption that persons reading it already know how to set up each individual NIC.  So with that said there is the question that was asked and never answered by the OP and now myself.

    1. In a multi LAN setup ( A system with a primary lan nic and 1 or more optional lan nics ) how does one go about configuring the nics to allow these ports to basically function as a switch would.
        1a) For clarity's sake, it would be ideal that each device connected on each of the ports ( LAN, OPT1, OPT2 etc. ) access the webconfigurator with the same IP and have access as in a normal lan situation to all devices on each of the nics without impeding any additional functions of the pfSense device.

    Thanks in advance.



  • @The:

    1. In a multi LAN setup ( A system with a primary lan nic and 1 or more optional lan nics ) how does one go about configuring the nics to allow these ports to basically function as a switch would.
       1a) For clarity's sake, it would be ideal that each device connected on each of the ports ( LAN, OPT1, OPT2 etc. ) access the webconfigurator with the same IP and have access as in a normal lan situation to all devices on each of the nics without impeding any additional functions of the pfSense device.

    The configuration discussed in the opening paragraph of http://doc.pfsense.org/index.php/Multi-LAN_Setup does not meet your specifications because it doesn't describe a "switch like" configuration.

    Configuring all the "LAN" NICs into a bridge would appear to be what you are looking for.

    Caution: If you need to support Gigabit traffic between some of the "LAN" interfaces a hardware switch could be a better option. A "hardware" switch is almost always cheaper and more power efficient than an equivalent "software" switch.

    It is a while since I set up a bridge, my apologies if I have left out a crucial step. This MIGHT be a little more complicated than necessary since it will migrate the pfSense LAN interface from its current physical interface to a bridge.

    1. On a computer connected to the pfSense WAN interface connect to the pfSense GUI.
    2. Save the current configuration file (Diagnostics -> Backup/Restore)
    3. For each of the pfSense "LAN" interfaces (other than the specific LAN interface) disable DHCP server (Services -> ) and set the Interface type to None (Interfaces -> <pfSense interface name>)
    4. In Interfaces -> (assign), click on Bridges tab and create a bridge by clicking on the "+" button.
    5. Add all the pfSense "LAN" interfaces (EXCEPT LAN) to the bridge members (hold down SHIFT key and click to add multiple interfaces), click Save
    6. Click Interface Assignments tab, note the current network port for the pfSense LAN interface (you will need the "network port" later) and use the pulldown to set the network port for the LAN interface to bridge0. A Save button should have appeared - click on that. Now you should have all the pfSense "LAN" interfaces bridged together (EXCEPT the previous LAN interface). We now need to add the previous LAN interface to the bridge.
    7. On Interfaces -> (assign) click the "+" button to assign a new pfSense interface for the physical interface ("network port" that WAS the pfSense LAN interface). There should be a new "OPTx" interface assigned to the network port previously used for the pfSense LAN interface.
    8. Click on the Bridges tab. Click the "e" button to the right of the bridge description, add the newly created OPTx interface to the bridge member interfaces, click Save.

    It should be all done. It's possible (but I think it is unlikely) you might need to reboot to correctly initialise the new configuration.

    Edit:
    I'm sorry, I left out a step. If you don't already have a firewall rule allowing access to the web GUI from the WAN interface you will need to add one before doing the above. You will probably want to remove that rule on completion. The exact form of the rule will depend on whether you access the web GUI by HTTP (port 80) or HTTPS (port 443).
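
A check for the two firewall-rule points raised in this thread (an OPT interface with no pass rules, and the temporary WAN rule for the web GUI), as an added example that is not part of any poster's reply. It assumes the element layout of a pfSense config.xml backup; the sample configuration, the NIC names and the function name `audit` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, laid out like a pfSense config.xml backup (assumed element names).
SAMPLE = """<pfsense>
  <interfaces>
    <wan><if>fxp0</if></wan>
    <lan><if>bridge0</if></lan>
    <opt1><if>fxp2</if></opt1>
    <opt2><if>fxp3</if></opt2>
    <opt3><if>fxp1</if></opt3>
  </interfaces>
  <bridges>
    <bridged><members>opt1,opt2,opt3</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination></rule>
  </filter>
</pfsense>"""

def audit(xml_text, gui_ports=("80", "443")):
    """Report bridge membership, interfaces with no pass rule, and WAN GUI rules."""
    root = ET.fromstring(xml_text)
    ifaces = [e.tag for e in root.find("interfaces")]
    # Enabled pass rules only; a <disabled/> child is assumed to mark a disabled rule.
    rules = [r for r in root.findall("filter/rule")
             if r.findtext("type") == "pass" and r.find("disabled") is None]
    with_pass = {r.findtext("interface") for r in rules}
    return {
        "bridges": {b.findtext("bridgeif"): b.findtext("members").split(",")
                    for b in root.findall("bridges/bridged")},
        # No pass rule means everything entering that interface is dropped.
        "no_pass_rule": [i for i in ifaces if i not in with_pass],
        # Temporary web GUI access from WAN that should be removed afterwards.
        "wan_gui_ports": [r.findtext("destination/port") for r in rules
                          if r.findtext("interface") == "wan"
                          and r.findtext("destination/port") in gui_ports],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a saved backup from Diagnostics -> Backup/Restore, an empty `wan_gui_ports` list confirms the temporary WAN rule has been removed.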



  • Wallabybob,

    Thank you for replying quickly, I will tinker with this shortly to see how this will function in my environment.  I can see how the original document doesn't make the assumption that all users utilizing this type of setup and can see why it's not included, however I'm sure some might agree that it is useful in some environments and while I would also agree a hardware switch will likely perform better some would rather not afford that cost if using recycled equipment.  Regardless this seems to be what I need and appreciate the time you took to reply, a few last things…

    1. utilizing this bridge should have to create new firewall rules and would I mirror the original LAN configurations or is this done automatically when LAN is applied to the bridge?
    2. Is there anything I must do with vlans or is that not related?  I thought I remember having to designate vlans because the IP address of the device is set to one network but if I have other networks on different ranges downstream from the router's interfaces they can't communicate with each other or something like that?

    Thanks a ton again, been really happy with pfsense as I've newly discovered it and now I'm really excited in part from the great users that regular the forums.



  • Sorry, in answering another post I realised I left out a step in my previous reply. I have added an explanation to the end of my previous reply.

    @The:

    1. utilizing this bridge should have to create new firewall rules and would I mirror the original LAN configurations or is this done automatically when LAN is applied to the bridge?

    Configuration relating to a pfSense interface is not reset when the interface is assigned a different "network port".

    @The:

    1. Is there anything I must do with vlans or is that not related?  I thought I remember having to designate vlans because the IP address of the device is set to one network but if I have other networks on different ranges downstream from the router's interfaces they can't communicate with each other or something like that?

    If you want a specific answer you will have to ask a specific question. There are so many possibilities I'm not prepared to attempt to guess the details.

