Running multiple routers in one pfSense using VLANs?
-
Is it possible to run more than one router in pfSense?
Further reading here indicates that multi WAN to the same ISP may not work if both WAN links have the same ISP gateway. It is not clear if it actually does or doesn't work with 2.01.
Some people suggest running additional pfSense boxes to put each modem on its own gateway, which although functional, consumes more energy, and requires more hardware.
Apparently if I were to use VLANs, it should be possible to do everything from the one box with no additional hardware.
VLAN1 - WAN1, PPPoE to modem #1
VLAN12 - LAN1 for VLAN1 - Set to 192.168.2.1 - no hardware
VLAN2 - WAN2, PPPoE to modem #2
VLAN22 - LAN2 for VLAN2 - Set to 192.168.3.1 - no hardware
Gateway group:
VLAN12 - Multi-WAN virtual link to LAN1 output
VLAN22 - Multi-WAN virtual link to LAN2 output
VLAN4 - LAN3 for gateway group - Set to 192.168.1.1 - used by clients
Can this work?
Doing something like this apparently would fulfill the need for each PPPoE to be on its own gateway, while not requiring additional hardware for the multi-WAN gateway group.
VLAN12 and VLAN22 would have no assigned switch ports. They are purely virtual for passing data between the virtualized PPPoE gateways and the gateway group.
-
(Very quiet forum section, few responders? Oh well, I will just talk to myself and think out loud.)
It looks like merging multiple router functions into a single box should be theoretically possible, though it is unclear if a pfSense virtual VLAN can send out data and have it picked up by another pfSense virtual VLAN.
For the two PPPoE child routers:
- Don't need DHCP, since the parent router will be the only receiver
- Don't need NAT, since the parent router will be the only receiver
- Firewall rules must be explicitly defined rather than using "any"
- LAN side is a VLAN circuit only, no gateway groups defined here
The parent router acts normally, like a default-configured pfSense, and uses DHCP and NAT.
- Default-config WAN is not used, replaced by load balanced group
- Don't firewall block data thru 192.168.x.x since that is required
- Firewall rules must be explicitly defined rather than using "any"
So the order of construction appears to be:
1. Default install of pfSense creates the parent router
- Set initial WAN to unused temporary VLAN X
2. Create first child router and rules, using unwired VLAN A
3. Create second child router and rules, using unwired VLAN B
4. Build the gateway group with unwired VLAN A and VLAN B as members
5. Disable the default WAN interface, change rules to point to gateway group