pfSense firewall setup - 4 LANs 1 WAN



  • Hello all,

    I'm new to pfSense and looking for optimum setup assistance in the following scenario. I want to set up 4 LANs, each on their own subnet. One for employees (LAN 1), one for a technical support group (LAN 2), one for a volunteer organization (LAN 3), and the final one for a guest network (LAN 4). I have a quad-port Intel NIC for all of these, so I'm good on the wired setup. All have wired infrastructure except for guest, which is wireless only.

    First question here is: what is the best method to isolate each subnet from one another?

    Now on to more complicated stuff - adding wireless to all of this. Obviously, it's easy to add wireless APs to each network on a switch somewhere, but then I'd have 4 separate wireless APs, which is not optimal in my opinion. I don't have any managed switches in the topology but planned to use a VLAN-capable wireless AP which could broadcast 4 SSIDs - one for each network. I plan to plug this directly into LAN 4 (guest - since it's wireless only anyway) and VLAN on that interface in pfSense. So here I have multiple questions:

    • I would create 4 VLANs in addition to the 4 standard interfaces in pfSense for this, I think

    • If I set up all VLANs on the guest interface, does it need DHCP turned on for the physical interface or just on the VLAN interfaces?

    • If LAN 1 and VLAN 1 are for the same group of users (staff), how can I keep the IP subnet the same? Bridge LAN 1 to VLAN 1 with DHCP only on LAN 1?

    Any other considerations I am missing?

    Thx in advance for any help

    ![pfsense 4 lans.jpg](/public/imported_attachments/1/pfsense 4 lans.jpg)



  • Let me see if I can help here.
    Yes, aside from VLANs, physical separation is the only way to isolate the networks.
    Yes, you are going to create 4 VLANs, and if you want them to access different LANs, then you either have to bridge them or create FW rules to allow traffic.
    If you do bridge, the DHCP server only needs to be active on the bridge or whatever has the static address. (Could be LAN.)
    The only way to keep the subnets the same is to bridge.

    Good luck!



    Thanks very much for this assistance - it is very helpful and confirms my plans. Just a follow-up:

    • To "isolate/prevent communication between" each network and the others, is there a simple firewall rule I can use on each interface to do this? Right now I use the default "LAN to any" rule, but obviously this allows traffic between LANs/VLANs as well. Is there a simple "LAN to WAN/internet only" type rule I can create on the interfaces to isolate them?

    Thx!



    This is something that I have heard people wanting. There is not currently an automatic way, but you can create an alias for each interface that includes the subnets of all the other LANs and VLANs. Then you would create a "not" rule to do the following:

    Source: LAN (or OPT) Subnet
    SPort: any
    Destination: !LANtoOthers (or OPTxToOthers)
    DPort: any

    The "!" here means that so long as the destination is not one of the other local subnets, pass the traffic. If it is one of the local subnets, then the default drop rule will take effect.
    You could also create a single alias for all of them that includes all private IPs:
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
    Then the destination would be !LocalPrivateIPs. Then you could create allow rules above that (since the first matching rule wins) if you want to allow some things through.
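The rule logic described in the reply above (and the "LAN to WAN only" question that prompted it), as an added worked example that is not from the original thread or from pfSense itself: a small Python model of how pfSense evaluates interface rules (top to bottom, first match wins, implicit default deny) run against the stock "LAN to any" rule and against the "pass to !LocalPrivateIPs" rule. The subnet addresses, the pfSense LAN address 192.168.1.1, and the assumption that pfSense is the LAN's DNS server are all constructed for this example; protocol (TCP/UDP) is omitted for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

# Constructed addressing for the four networks in the thread (assumption:
# the original post gives no addresses).
SUBNETS = {
    "LAN":  Net("192.168.1.0/24"),   # employees
    "OPT1": Net("192.168.2.0/24"),   # technical support
    "OPT2": Net("192.168.3.0/24"),   # volunteers
    "OPT3": Net("192.168.4.0/24"),   # guest wireless
}
LAN_ADDRESS = ipaddress.IPv4Address("192.168.1.1")  # assumed pfSense LAN address

# The single alias from the reply: every RFC 1918 range in one alias.
LOCAL_PRIVATE_IPS = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: List[Net]                 # networks the source address must fall in
    dst: List[Net]                 # networks compared against the destination
    dst_invert: bool = False       # the "!" (not) checkbox on the destination
    dst_port: Optional[int] = None  # None means "any"


def in_alias(addr: ipaddress.IPv4Address, nets: List[Net]) -> bool:
    return any(addr in n for n in nets)


def matches(rule: Rule, src, dst, dport: int) -> bool:
    if not in_alias(src, rule.src):
        return False
    hit = in_alias(dst, rule.dst)
    if rule.dst_invert:          # "!alias": match when the destination is NOT in it
        hit = not hit
    if not hit:
        return False
    return rule.dst_port is None or rule.dst_port == dport


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Interface rules are evaluated top to bottom; the first matching rule
    decides, and anything left unmatched hits the implicit default deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if matches(rule, s, d, dport):
            return rule.action
    return "block"  # implicit default deny


# The stock "LAN to any" rule the original poster is using today.
DEFAULT_LAN_RULES = [Rule("pass", [SUBNETS["LAN"]], [Net("0.0.0.0/0")])]

# The isolating rule from the reply, with one "allow rule above it" so LAN
# clients can still reach the firewall's own DNS resolver. Without it the
# !LocalPrivateIPs rule blocks that too, because 192.168.1.1 sits inside
# 192.168.0.0/16 (assumption: pfSense is the DNS server for the LAN).
ISOLATED_LAN_RULES = [
    Rule("pass", [SUBNETS["LAN"]], [Net(f"{LAN_ADDRESS}/32")], dst_port=53),
    Rule("pass", [SUBNETS["LAN"]], LOCAL_PRIVATE_IPS, dst_invert=True),
]

if __name__ == "__main__":
    probes = [
        ("8.8.8.8", 443, "internet"),
        ("192.168.4.20", 80, "guest VLAN host"),
        ("192.168.1.1", 53, "firewall DNS"),
        ("192.168.1.1", 443, "firewall web UI"),
    ]
    for dst, port, label in probes:
        print(f"{label:16s} {dst}:{port:<4} "
              f"LAN-to-any={evaluate(DEFAULT_LAN_RULES, '192.168.1.50', dst, port):5s} "
              f"isolated={evaluate(ISOLATED_LAN_RULES, '192.168.1.50', dst, port)}")
```

The last probe shows the caveat of the all-private-IP alias: anything on the firewall itself that clients need (web UI, NTP, the captive portal on the guest VLAN) must get its own pass rule above the "!LocalPrivateIPs" rule, exactly as the reply suggests, or it is silently dropped along with the cross-LAN traffic.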



  • Thanks for the valuable feedback!

