Making guest network with extra nic

  • I have a PfSense 2.0.1-RELEASE machine catering to a small branch office. It's a plain setup: 1 wan and 1 lan nic, and an IPsec tunnel to HQ.

    The internet connection has four ip addresses but we use only one:

    WAN IP address: aaa.bbb.187.80/30
    Gateway: GW_WAN - aaa.bbb.187.69

    Next week the branch office will be entertaining a bunch of guests and they will need internet connections. However I don't want them to be able to access the corporate network.

    What I'm trying to accomplish is to set up an extra wireless network for the guests (I have a spare wireless access point so a wired lan connection will do) that does have access to the internet but not to the rest of the network. Now I've played around a bit with an extra nic on a similar setup but I never seem to be able to get both lan cards working at the same time.

    Can anyone point me in the right direction? I'm not sure what keywords to look for - am I trying to create a VLAN?

    I know how to accomplish this using a second PfSense machine but I'm pretty sure there's a far easier way.

  • Netgate Administrator

This should be fairly straightforward.
    Add the extra NIC, assign and enable the interface. Set up DHCP on that interface to hand out private IPs to any clients on it. Connect your WAP to it. Enable NAT on the interface if you have previously disabled it.
    Set firewall rules on that interface to allow access to external addresses from the private subnet but disallow access to either your other internal IPs or your remote network. Set the gateway as the system default, specifically not via the VPN.

    Do this one step at a time verifying that it's working at each stage. Most problems are because people try to do everything in one go and then don't know which part isn't working!
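As an added illustration (not part of the original thread or of pfSense itself), here is a small Python model of the guest-interface rule set the advice above describes, evaluated the way pfSense evaluates interface rules: top-down, first match wins, implicit deny if nothing matches. The subnets and hosts are constructed for the example and are assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the scenario: corporate LAN, guest OPT1, and the
# HQ network reached over the IPsec tunnel (assumed RFC 1918 values).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.50.0/24")
HQ_NET = ipaddress.ip_network("10.10.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: ipaddress.IPv4Network  # source network the rule matches
    dst: ipaddress.IPv4Network  # destination network the rule matches
    label: str                  # human-readable description


# Rules on the OPT1 (guest) interface, in the order pfSense would walk them.
# Blocks for the corporate LAN and the remote HQ subnet must come before the
# catch-all pass, otherwise the pass rule matches first and the blocks never fire.
OPT1_RULES = [
    Rule("block", OPT1_NET, LAN_NET, "guests may not reach the corporate LAN"),
    Rule("block", OPT1_NET, HQ_NET, "guests may not reach HQ over IPsec"),
    Rule("pass", OPT1_NET, ANY, "everything else (the internet) is allowed"),
]


def evaluate(rules, src_ip, dst_ip):
    """Return (action, label) of the first rule matching src->dst, or the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.label
    return "block", "implicit default deny"


def guest_can_reach(dst_ip, src_ip="192.168.50.23"):
    """True if a guest client (constructed address) is allowed to reach dst_ip."""
    return evaluate(OPT1_RULES, src_ip, dst_ip)[0] == "pass"


if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.168.1.10", "10.10.4.7"):
        print(dst, evaluate(OPT1_RULES, "192.168.50.23", dst))
```

Passing the rules in the wrong order (catch-all pass first) to `evaluate` shows why the block rules have to sit above it.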


  • Working like a charm now, thank you very much.

    I didn't need to block traffic from OPT1 to LAN in the firewall though, blocking from OPT1 net to WAN net sufficed.


  • Netgate Administrator

    Hmm, OK.
Well, as they say, 'if it ain't broke don't fix it' but…
    Are you using the VPN as your WAN directly? Is traffic from opt1 to the internet going via the vpn?
    It seems odd that blocking the WAN subnet would suffice but clearly I don't have the full picture.


  • Perhaps my first layout picture was a bit fuzzy. I only mentioned the IPsec tunnel because I thought there's a small chance it would matter but I really don't think it will.

    My lab setup has no vpn or IPsec connections whatsoever. In the live setup both the regular and the guest networks connect directly to the internet, with only the regular (corporate) network connecting to an IPsec tunnel.

    Btw, I rebooted PfSense after setting up the second nic and the firewall behaviour didn't change so it's not a hiccup. But it works so I'm happy :)
