Passing traffic between OPT1 and LAN, dual LAN, single WAN

  • I am using pfSense version 2.0.1-RELEASE (amd64)

    I have two LANs which need to be able to pass traffic between one another and use the same WAN connection.

    I currently have the following setup:

    WAN - Sidera 100Mb fiber
    LAN (CallCenterLAN) -, interface is at
    OPT1 (MGMT_LAN) -, interface is at

    I have successfully gotten internet access to both the LAN and OPT1 networks. The challenge now is that I need to pass traffic between the networks. I've tried a bunch of different things and I have probably entered a bunch of unnecessary firewall rules. I have attached images of the MGMT_LAN and CallCenterLAN interface firewall rules.

    I have also created gateways in the System>Routing for both the CallCenterLAN and MGMT_LAN interfaces.

    I still cannot pass data between the networks. Nothing is showing up in the firewall logs for anything I test (i.e. pings from to, an IP which responds to PING). I am at a loss as to what I should do next. I've read a lot of posts but I haven't been able to find a solution.

    ![Call Center Rules.jpg](/public/imported_attachments/1/Call Center Rules.jpg)
    ![MGMT LAN Rules.jpg](/public/imported_attachments/1/MGMT LAN Rules.jpg)

  • Just as important as the firewall configuration is the configuration of the two systems that are attempting to communicate through the firewall. For example, if and had network masks of 16 they would each think the other was on the same network and would attempt to communicate directly rather than going through the firewall. Similarly, if the network masks were correct but they had incorrect routing (for example, a default gateway that wasn't the firewall) then they might not be able to communicate. A traceroute (tracert on Windows) can be very helpful in detecting routing problems.

    It is sometimes necessary to reset firewall states after firewall rule changes, see Diagnostics -> States, click on Reset States tab.

    Firewall rules apply to packets received on the nominated interface. Unless there is a configuration error, I suspect you shouldn't be receiving packets from the MGMT_LAN subnet on the CallCentreLAN interface so you might want to block such packets (or let the default drop rule have them). (Similarly the CallCentreLAN subnet on the MGMT_LAN interface.)

  • Thanks for your reply wallabybob.

    The subnet mask for both networks is 24 bit (

    The device at has a default gateway of The device at has a default gateway of I want to pass traffic from each network to the other which is why I made sure there were rules to allow traffic to and from each network on each interface. I have gone so far as to reboot the entire device, but that didn't help.

  • Ok so I went back and reconfigured everything on the router. Something I forgot to mention is that the main reason I want two networks is that I have other gateways on the CallCenterLAN network. I am phasing these out, but I need to be able to assign certain devices to certain gateways until I have tested out the new fiber connection.

    I can pass data between devices which are using the and gateways, but not from the network to devices on which do not have the gateway. Other devices on have different gateways, but are on the network and can communicate with one another.

    For example when pinging (the device has a gateway of, I see an ARP go from my computer at to the gateway, which gets passed to and the ARP gets broadcasted; there is a response from to, but I never see it get back to the interface, nor the network. Is that never going to work?

  • @seanpd:

    For example when pinging (the device has a gateway of, I see an ARP go from my computer at to the gateway, which gets passed to and the ARP gets broadcasted; there is a response from to, but I never see it get back to the interface, nor the network. Is that never going to work?

    The details are important here: The ARP asks for the MAC address of which computer?
    Assuming it is all correctly configured, this is (roughly) how it should work: attempts to ping The ping destination is off network (the first 24 bits of 10.2.0 is not 10.2.1) so the ping has to be sent to the default gateway If the MAC address of the default gateway is not known an ARP request for it will be sent. On receiving the ARP response, will know the MAC address to which to send the ping. pfSense will receive the ping on and forward it to through its interface on the network. However the MAC address of may not be known so pfSense may need to send an ARP request for the MAC address of on the interface.

    ARPs should not be "forwarded" unless the interfaces are in a bridge, but you have made no mention of bridging.

  • Netgate Administrator

    Surely the problem here is that on receiving the ping from it will attempt to respond but, because it's on a different subnet, will send the response to its gateway ( not pfSense. Does this other gateway have a route to the subnet?
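
The forwarding behaviour described in the three replies above (the host's subnet mask deciding whether it ARPs or uses its gateway, pfSense forwarding between its two interfaces, and the reply going to a different gateway that has no route back) as a hop-by-hop model. This is an added example, not code from the thread or from pfSense; every address, host name and router name is a constructed placeholder (10.2.0.0/24 standing in for MGMT_LAN, 10.2.1.0/24 for CallCenterLAN, 10.2.1.254 for a legacy gateway), and the model covers routing only, not pfSense's rules or state table:

```python
"""Hop-by-hop model of a ping between two pfSense-routed LANs.
Added example (not from the thread); addresses and names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    name: str
    ip: str
    prefix: int      # mask length the host is configured with
    gateway: str     # default gateway the host is configured with

    def thinks_on_link(self, dst: str) -> bool:
        # A host ARPs directly for anything inside its *configured* subnet,
        # so a /16 on a /24 network never hands the packet to the router.
        return IP(dst) in Net(f"{self.ip}/{self.prefix}", strict=False)


@dataclass
class Router:
    name: str
    interfaces: List[str]                                 # "addr/prefix"
    routes: Dict[str, str] = field(default_factory=dict)  # network -> next hop
    default: Optional[str] = None                         # next hop otherwise

    def connected(self) -> List[Net]:
        return [Net(i, strict=False) for i in self.interfaces]

    def next_hop(self, dst: str) -> Optional[str]:
        d = IP(dst)
        if any(d in n for n in self.connected()):
            return "connected"
        for net, hop in self.routes.items():
            if d in Net(net):
                return hop
        return self.default


def segment(ip: str, routers: List[Router]) -> Optional[Net]:
    """The real L2 segment an address sits on, derived from router interfaces."""
    for r in routers:
        for n in r.connected():
            if IP(ip) in n:
                return n
    return None


def trace(src: Host, dst: Host, routers: List[Router]) -> Tuple[bool, List[str]]:
    """Follow one packet from src to dst; return (delivered, hop log)."""
    by_addr = {a.split("/")[0]: r for r in routers for a in r.interfaces}
    log = [f"{src.name} {src.ip} -> {dst.ip}"]
    if src.thinks_on_link(dst.ip):
        if segment(src.ip, routers) == segment(dst.ip, routers):
            log.append("  on-link, ARP answered directly: delivered")
            return True, log
        log.append("  host believes destination is on-link (mask too wide): no ARP reply")
        return False, log
    hop = src.gateway
    for _ in range(8):                       # loop guard
        router = by_addr.get(hop)
        if router is None:
            log.append(f"  next hop {hop} is outside the modelled site: packet lost")
            return False, log
        nh = router.next_hop(dst.ip)
        if nh == "connected":
            log.append(f"  {router.name} delivers to {dst.ip} on a connected interface")
            return True, log
        if nh is None:
            log.append(f"  {router.name} has no route to {dst.ip}: dropped")
            return False, log
        log.append(f"  {router.name} forwards via {nh}")
        hop = nh
    log.append("  hop limit exceeded")
    return False, log


def ping_works(a: Host, b: Host, routers: List[Router]) -> Dict[str, object]:
    """Echo request a->b and echo reply b->a must both be delivered."""
    req_ok, req = trace(a, b, routers)
    rep_ok, rep = trace(b, a, routers)
    return {"request": req_ok, "reply": rep_ok, "log": req + rep}


# Constructed topology: pfSense routes both LANs; a legacy router on the
# CallCenter side has only a default route upstream (no route back to 10.2.0.0/24).
PFSENSE = Router("pfSense", ["10.2.0.1/24", "10.2.1.1/24"], default="203.0.113.1")
LEGACY = Router("legacy-gw", ["10.2.1.254/24"], default="198.51.100.1")
LEGACY_FIXED = Router("legacy-gw", ["10.2.1.254/24"],
                      routes={"10.2.0.0/24": "10.2.1.1"}, default="198.51.100.1")

MGMT_PC = Host("mgmt-pc", "10.2.0.10", 24, "10.2.0.1")
MGMT_PC_WIDE_MASK = Host("mgmt-pc", "10.2.0.10", 16, "10.2.0.1")   # wrong mask
CC_VIA_PFSENSE = Host("cc-host-a", "10.2.1.30", 24, "10.2.1.1")
CC_VIA_LEGACY = Host("cc-host-b", "10.2.1.20", 24, "10.2.1.254")

if __name__ == "__main__":
    for a, b, rs in [(MGMT_PC, CC_VIA_PFSENSE, [PFSENSE, LEGACY]),
                     (MGMT_PC, CC_VIA_LEGACY, [PFSENSE, LEGACY]),
                     (MGMT_PC_WIDE_MASK, CC_VIA_PFSENSE, [PFSENSE, LEGACY]),
                     (MGMT_PC, CC_VIA_LEGACY, [PFSENSE, LEGACY_FIXED])]:
        r = ping_works(a, b, rs)
        print("\n".join(r["log"]), f"\n  => request {r['request']}, reply {r['reply']}\n")
```

Run stand-alone it prints the four cases: a host whose gateway is pfSense answers; a host whose gateway is the legacy router sends its reply upstream and it never comes back, which is exactly why nothing appears in the firewall log (pfSense never sees the reply); a host with a /16 mask never even reaches the router; and the legacy router with a static route for the other subnet delivers the reply via pfSense. A real traceroute from the destination host back to the source shows the same thing as the `log` entries.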


  • No it doesn't. We are transitioning off several AT&T Uverse circuits and those routers are very limited in their features. It won't be an issue after I've gotten rid of them. In the short term, I just added another network adapter to my desktop connected to the network so that I can reach those devices not connected to the gateway. I came to realize that's really the only computer I need to have full access to both networks. The AD servers are using the gateway, so people on the network have access to AD, print server, DNS, etc. After such a long day of work, it's easy to lose perspective.

  • You can find Dual Wan configuration in the following link

  • Rebel Alliance


    You can find Dual Wan configuration in the following link

    1º Your Blog post is wrong:

    Having "WAN1" on Tier 1 & "WAN2" on Tier 2 and using "Member Down" as trigger level you are NOT Doing "Load Balance" you are doing "Fail Over".

    Please review your "Blog" post, then come back with accurate info.

    You can check the info from the pfSense Docs:

    If any two gateways are on the same tier, they will load balance.

    If they are on different tiers, they will do failover preferring the lower tier.

    If the tier is set to "Never" then the gateway is not considered part of this group.

    2º OP is talking about Single WAN & Multi LAN
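
The tier rule quoted from the pfSense docs above, worked through as a small selection function. This is an added example, not pfSense's own code; the gateway names and tiers are constructed to mirror the reply's point (WAN1 on tier 1 and WAN2 on tier 2 is failover, the same tier on both is load balance):

```python
"""Which members of a pfSense-style gateway group carry traffic, by tier.
Added example (not pfSense code); gateway names and tiers are constructed."""
from typing import Dict, List, Optional, Set

NEVER = None   # tier "Never": the gateway is not considered part of the group


def active_members(tiers: Dict[str, Optional[int]], down: Set[str]) -> List[str]:
    """Members of the lowest tier that still has an up member.

    Members sharing that tier load balance; when only one member is left on
    it, higher tiers sit in reserve and the group is doing failover."""
    up = {gw: t for gw, t in tiers.items() if t is not NEVER and gw not in down}
    if not up:
        return []
    best = min(up.values())               # lower tier is preferred
    return sorted(gw for gw, t in up.items() if t == best)


def group_mode(tiers: Dict[str, Optional[int]], down: Set[str]) -> str:
    n = len(active_members(tiers, down))
    if n == 0:
        return "all members down"
    if n == 1:
        return "failover (single active member)"
    return f"load balance across {n} members"


# The blog post the reply corrects: different tiers, so failover, not balancing.
FAILOVER_GROUP = {"WAN1": 1, "WAN2": 2}
# Same tier on both members is what actually load balances.
BALANCED_GROUP = {"WAN1": 1, "WAN2": 1}

if __name__ == "__main__":
    for name, grp in [("FAILOVER_GROUP", FAILOVER_GROUP), ("BALANCED_GROUP", BALANCED_GROUP)]:
        for down in (set(), {"WAN1"}):
            print(name, "down =", down or "{}", "->", active_members(grp, down), group_mode(grp, down))
```

The "Member Down" trigger in the reply only decides *when* a member is moved into the `down` set; it does not change the tier arithmetic, which is what makes the blog's configuration a failover group regardless of trigger level.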

  • Netgate Administrator

    Poster above has only posted 3 times. All identical posts linking to his blog.
    I don't wish to put anyone off contributing but this seems a little suspicious.  ;)

    If I'm wrong then I apologise.
