Netgate Discussion Forum
    Making guest network with extra nic

    General pfSense Questions
    Vorkbaard:

      I have a pfSense 2.0.1-RELEASE machine catering to a small branch office. It's a plain setup: 1 WAN and 1 LAN NIC, and an IPsec tunnel to HQ.

      The internet connection has four ip addresses but we use only one:

      WAN IP address: aaa.bbb.187.80/30
      Gateway: GW_WAN - aaa.bbb.187.69

      Next week the branch office will be entertaining a bunch of guests and they will need internet connections. However, I don't want them to be able to access the corporate network.

      What I'm trying to accomplish is to set up an extra wireless network for the guests (I have a spare wireless access point, so a wired LAN connection will do) that does have access to the internet but not to the rest of the network. Now I've played around a bit with an extra NIC on a similar setup, but I never seem to be able to get both LAN cards working at the same time.

      Can anyone point me in the right direction? I'm not sure what keywords to look for - am I trying to create a VLAN?

      I know how to accomplish this using a second pfSense machine, but I'm pretty sure there's a far easier way.

      stephenw10 (Netgate Administrator):

        This should be fairly straightforward.
        Add the extra NIC, then assign and enable the interface. Set up DHCP on that interface to hand out private IPs to any clients on it. Connect your WAP to it. Enable NAT on the interface if you have previously disabled it.
        Set firewall rules on that interface to allow access to external addresses from the private subnet but disallow access to either your other internal IPs or your remote network. Set the gateway as the system default, specifically not via the VPN.

        Do this one step at a time verifying that it's working at each stage. Most problems are because people try to do everything in one go and then don't know which part isn't working!

        Steve

        Vorkbaard:

          Working like a charm now, thank you very much.

          I didn't need to block traffic from OPT1 to LAN in the firewall, though; blocking from OPT1 net to WAN net sufficed.

          Thanks!

          stephenw10 (Netgate Administrator):

            Hmm, OK.
            Well, as they say, 'if it ain't broke don't fix it', but…
            Are you using the VPN as your WAN directly? Is traffic from OPT1 to the internet going via the VPN?
            It seems odd that blocking the WAN subnet would suffice, but clearly I don't have the full picture.

            Steve

            Vorkbaard:
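The two rule sets discussed in this thread (Steve's advice to block OPT1 net to the internal and remote subnets, and the follow-up that blocking OPT1 net to WAN net sufficed) behave differently under pfSense's first-match, default-deny rule evaluation. The script below is an added illustration written for this page, not code from the thread or from pfSense; it models a guest-interface rule tab with a tiny first-match evaluator and runs both rule sets against constructed probe traffic. The LAN, OPT1, HQ and documentation-range WAN addresses are assumptions (the thread gives only the WAN /30, which is replaced here by 203.0.113.80/30), and ports and protocols are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed lab addressing (assumptions; the thread only gives the WAN /30):
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # corporate LAN behind the first NIC
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")   # guest network on the extra NIC
OPT1_ADDR = ipaddress.ip_network("192.168.2.1/32")  # pfSense's own address on OPT1 (DNS/DHCP)
WAN_NET = ipaddress.ip_network("203.0.113.80/30")   # stands in for aaa.bbb.187.80/30
HQ_NET = ipaddress.ip_network("10.10.0.0/16")       # remote subnet behind the IPsec tunnel (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    note: str = ""


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Mimic a pfSense interface rule tab: the first matching rule wins and
    anything no rule passes falls through to the implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


# Rule set as described in the follow-up post: block OPT1 net -> WAN net, allow the rest.
OP_RULES = [
    Rule("block", OPT1_NET, WAN_NET, "OPT1 net -> WAN net"),
    Rule("pass", OPT1_NET, ANY, "OPT1 net -> any"),
]

# Rule set following Steve's advice: let guests reach pfSense itself for DNS,
# block the corporate LAN and the remote office, then allow everything else.
ISOLATING_RULES = [
    Rule("pass", OPT1_NET, OPT1_ADDR, "OPT1 net -> OPT1 address"),
    Rule("block", OPT1_NET, LAN_NET, "OPT1 net -> LAN net"),
    Rule("block", OPT1_NET, HQ_NET, "OPT1 net -> remote subnet via IPsec"),
    Rule("pass", OPT1_NET, ANY, "OPT1 net -> any"),
]

# Constructed probe destinations as seen from one guest client.
GUEST = "192.168.2.50"
PROBES = {
    "corporate_host": "192.168.1.10",
    "hq_host": "10.10.5.20",
    "firewall_opt1": "192.168.2.1",
    "firewall_wan": "203.0.113.82",
    "internet_host": "198.51.100.7",
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Return the pass/block verdict for each probe destination under `rules`."""
    return {name: evaluate(rules, GUEST, ip) for name, ip in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("OP rules", OP_RULES), ("isolating rules", ISOLATING_RULES)):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  guest -> {name:15s} {verdict}")
```

Under the first rule set the model still passes guest traffic to the corporate host, because "WAN net" in pfSense means only the directly connected WAN /30; it does not cover the LAN subnet or the IPsec remote subnet. The second rule set blocks both while keeping internet access, and the leading pass rule to the OPT1 address is there so that guests can still use pfSense for DNS after the block on LAN net is in place.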

              Perhaps my first layout picture was a bit fuzzy. I only mentioned the IPsec tunnel because I thought there was a small chance it would matter, but I really don't think it will.

              My lab setup has no VPN or IPsec connections whatsoever. In the live setup both the regular and the guest networks connect directly to the internet, with only the regular (corporate) network connecting to an IPsec tunnel.

              Btw, I rebooted pfSense after setting up the second NIC and the firewall behaviour didn't change, so it's not a hiccup. But it works, so I'm happy :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.