Netgate Discussion Forum

    Dual WAN, dual LAN

    Routing and Multi WAN
    4 Posts 2 Posters 2.4k Views
    sheepthief

      The more I think about this the more I think it would be better to use two pfsense boxes, but for various reasons I'd prefer to avoid that. Let's see if I can describe the plan without drawing a diagram…

      Site with WAPs with multi-SSID delivered via VLANs, one for staff wifi, one for guest wifi.

      Staff VLAN (security via 802.1x/RADIUS) is bridged to the local network.

      Guest VLAN (security via CP/RADIUS) is routed through an OpenVPN tunnel to a remote site where there's another pfsense box acting as an internet gateway.

      The pfsense box at the internet gateway actually serves a number of tunnels to sites with the pfsense boxes providing staff/guest VLANs.

      The guest network must never see the staff network, and vice versa! So, dual-WAN, but for dual networks rather than for failover or load-balancing.

      What's working so far, in isolation; WAPs, VLANs, 802.1x/CP/RADIUS, OpenVPN tunnelling.

      What's not working: routing. It seems that I need two default routes, one for the staff to the local network, and one for the guest network through the VPN tunnel to the remote internet gateway.

      Is this scenario reasonable, or am I barking up the wrong tree entirely? Is policy-based routing via firewall rules the way to go?

      I've learned a fair amount over the last few weeks but I'm a bit stuck at the moment (and taking a step back to pause and think).

    cmb

        That's reasonable. You'll have to policy route the clients out the VPN.

    sheepthief

          @cmb:

          That's reasonable. You'll have to policy route the clients out the VPN.

          Thanks for the response cmb. I've got policy-based routing working now (forcing guest traffic down a VPN tunnel, though I had to disable gateway monitoring for that to work).

          However, I've had to abandon rolling staff and guest networks through pfsense - it turns out that running pfsense in bridging mode, while using VLANs, and in an ESX high-availability virtual environment, is a bit of a nightmare of layer 2 loops, and it seems that there's no way to resolve it. Ah well.

    cmb
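    Added example, not the thread's own configuration: a pf ruleset in the form pfSense renders GUI rules into, showing the guest/staff separation the original post asks for and the policy route cmb describes. Interface names, subnets and the tunnel peer address are assumptions. On pfSense you would build this under Firewall > Rules for the guest interface (with the OpenVPN gateway selected under the rule's Advanced Options) rather than by hand, because the generated ruleset is rewritten on every filter reload.

```pf
# Added example, not from the thread. Names are assumptions:
#   vlan10 / 10.10.0.0/24 = staff VLAN, vlan20 / 10.20.0.0/24 = guest VLAN,
#   ovpnc1 = OpenVPN client to the remote gateway, 10.8.0.1 = its tunnel peer.
staff_if  = "vlan10"
guest_if  = "vlan20"
vpn_if    = "ovpnc1"
staff_net = "10.10.0.0/24"
guest_net = "10.20.0.0/24"
vpn_gw    = "10.8.0.1"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# pf is first-match once a rule carries "quick", so the isolation rules must
# sit above the catch-all that sends guests down the tunnel.

# Guests may reach the firewall itself only for DNS. pfSense adds its own
# DHCP-server pass rule per interface, so DHCP is not repeated here.
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53 keep state

# Guest -> staff, and guest -> anything else private (other VLANs, the
# firewall's other addresses, the far end of the tunnel) is dropped and logged.
block in log quick on $guest_if from $guest_net to $staff_net
block in log quick on $guest_if from $guest_net to <rfc1918>

# Everything else from guests is policy-routed into the OpenVPN tunnel,
# regardless of this box's default route. This is what setting "Gateway"
# on a pfSense rule produces.
pass in quick on $guest_if from $guest_net to any route-to ($vpn_if $vpn_gw) keep state

# The other direction: staff never reach the guest VLAN; otherwise staff use
# the local default route as before.
block in log quick on $staff_if from $staff_net to $guest_net
pass in quick on $staff_if from $staff_net to any keep state
```

    The gateway-monitoring point in sheepthief's follow-up matters for the isolation, not just for connectivity: by default, when pfSense marks a rule's gateway down it still installs the rule but without the route-to, so guest traffic would fall back to the local default route and leave through the staff side's WAN instead of being dropped. "Skip rules when gateway is down" (System > Advanced > Miscellaneous) omits the rule entirely in that case, which fails closed; disabling monitoring simply means the gateway is never marked down, so the route-to is always present. Either way, check the live ruleset with `pfctl -sr | grep route-to` after a filter reload, and from a guest client confirm that a traceroute to a staff address dies at the firewall while one to the internet enters the tunnel. At the remote gateway, the guest subnet still has to be NATed out that site's WAN, and the tunnel must not push a redirect-gateway to the client side, or the staff VLAN's traffic would be pulled into it too.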

            Yeah, running anything with bridging and HA in ESX will be a mess. Not something I'd recommend; either don't do HA, or don't do bridging. Generally the latter is the only good option.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.