Trying to have two subnets

inzel

Hello everybody, I am very new to using pfsense other than a basic config of 1 wan and 1 lan. All of that is working great and I have many different services being nat'd to different boxes with no issue. I am trying to figure out how to get the lan interface to be the gateway for more than one subnet. Right now the pfsense box is using a lan ip of 192.168.2.1 and all of my boxes are on the 192.168.2.x network. I want to have the pfsense box route traffic for the 192.168.1.x network as well. I would like to have a separate subnet for obvious reasons.

Am I able to configure that with the setup that I have? If so, how do I do that? Some kind of a step by step guide would be very helpful.

Thank you in advance

marcelloc

You can apply an ip alias (firewall -> virtual ip) to lan interface.

I would like to have a separate subnet for obvious reasons

If this obvious reason is security, then I suggest you to segment your network and assign a new interface(using vlan or phisical network card) on pfsense.

inzel

Thank you for the reply. I have made a vlan but I am having trouble setting the rest up. I really cant grasp what I am doing wrong. For the sake of it, here is a pic what I have right now.

I want to be able to connect to the ESXi, which is on a different subnet, from one of my other computers.

inzel

I got it! I need to create a GW, vlan, and interface. Then I had to put them together and enable it! All set and working great. Thanks

inzel

I spoke too soon… I have an interface with a static ip of 192.168.1 with a gateway assigned that is of the same ip. I have a vlan assigned to the interface as well...

I can get there just fine if I assign a second ip to one of my boxes... but I am unable to reach the other machines without a second ip...

Any thoughts?

marcelloc

If you change your lan to 192.168.5, you also need to change network ip configuration on all machines at the same network/vlan.

inzel

I dont have anything set to 192.168.5.x…

I have one subnet at 192.168.2.x and one at 192.168.1.x

My virtual machine is using 192.168.1.101. My box that Im connecting with is at 192.168.2.36. If my box uses 192.168.1.36 as well as 192.168.2.36, it works fine. IM trying to figure out a way, without a second router, to use just the 192.168.2.36 ip and still reach the 192.168.1.101

marcelloc

inzel,

Sorry, I swapped info with another post.

what vlan ids did you applied to pfsense interface?

You should get something like this to have both vlans working and wan as well

LAN (lan)        -> bce0_vlan10 -> 192.168.2.1
WAN (wan)        -> bce1_vlan20 -> x.x.x.x
opt1 (opt1)        -> bce1_vlan30 -> 192.168.1.1

inzel

I created two new interfaces that are tagged to a vlan

WAN         rl0 (mac)
LAN         bge0 (mac)  –-> 192.168.2.1
External_LTM bge0 vlan421 --> 192.168.1.1
Internal_LTM bge0 vlan420

Im not worried about the internal interface at the moment... that is going to be behind a load balancer. I just need to hit the External_LTM

marcelloc

The lan interface attached to bge0 must be tagged to.

The default switch vlan on most switches has id=1

configure it to
WAN              rl0 (mac)
LAN              bge0_vlan1 (mac)  –-> 192.168.2.1
External_LTM    bge0_vlan421 --> 192.168.1.1
Internal_LTM    bge0_vlan420

and see if it works

inzel

HHmmm… how do I do that? As soon as I tag it, I lose my lan connections. Is there something special to do inside pfsense?

marcelloc

Do it from pfsense console but you may have to setup all(3) vlans again.

inzel

Ok…. I want to clarify what I mean when I say I lose lan connections... I mean that I am unable to rdp into a box from outside when I do that... Ill try it from the console and recreate the vlans. Should I create the LAN vlan first?

inzel

I am unable to connect via console… since I dont have a serial port or a serial cable. I deleted the vlans and recreated them, starting with vlan 1 and assigning it to the LAN interface. No luck. I ended up creating all of them again and Im back to where I was before

marcelloc

From outside, you will need to Allow access from external ip to pfsense gui at wan address to configure lan interface.

But if have access to vlan1 untagged, you will need first to edit switch port pfsense lan is conected to and tag default vlan or set it as trunk.
Also check the id number for default vlan.

Do it carefully to do not loose access.

In short:
Access gui from wan
Edit switch config to tag all vlans you need
assign lan to It's vlan id.

inzel

Thank you for taking the time to help me out with this. It seems that I need to do some reading because I dont know where to change the switch config in the gui. I do have access to the gui from wan tho. I will look in to that further and try to educate myself more before I ask any further questions.

Thank you again for everything so far