Multiple LAN Subnets on one NIC card



  • As part of my company migration from Valuepoint to pfSense, I'm looking for another feature we currently have with Valuepoint in pfSense.

    Valuepoint allows us to create "Alias Subnets" for our LAN connection on one NIC card. This allows us to have TWO local networks on one card.

    DHCP is enabled and assigns IP addresses from 10.0.0.100 - 10.0.0.240 to our guests.
    We have our access points and other equipment set up on 192.168.2.10-192.168.2.50.

    The Valuepoint LAN address would then be 10.0.0.1 AND 192.168.2.1 on ONE NIC card so that both of our networks work.

    While the two can technically access each other, our access points are usually hidden from programs that try to find devices on the guest network. It basically hides them from the guests, so they don't try to get in to areas they don't belong.

    I'm trying to do the same in pfSense: create some kind of "virtual/alias network/subnet". I've tried adding an alias network in the firewall rules, but that doesn't seem to do what I want. I believe I have found some documentation on this feature, but even if that's what it is, it's from version 1.X and we're on version 2, and I can't match the steps with our current version.

    Is there a simple way to do this feature?

    Thanks in advance for any help!



  • You would need to go into Firewall -> Virtual IPs and set up an IP Alias that will act as the gateway for that second subnet. Then you only need to create a FW rule to allow that traffic to the internet, and also make sure that if you are using manual outbound NAT the new subnet is translated.



  • I've tried what you're suggesting... at least these screenshots are what I have. But when I set a device statically to the other subnet, it can access the pfSense gateway, but it still cannot access the internet.






  • and also make sure that if you are using manual outbound NAT that the new subnet is translated.

    I wonder if there is an issue here even when using Automatic NAT. Does pfSense correctly add NAT rules for the extra "virtual" subnets that it finds on LAN?
    You can check that by looking at /tmp/rules.debug and search for "nat". There should be an outbound NAT section that includes references to your 10.0.0.0/16 subnet.



  • @phil.davis:

    I wonder if there is an issue here even when using Automatic NAT. Does pfSense correctly add NAT rules for the extra "virtual" subnets that it finds on LAN? You can check that by looking at /tmp/rules.debug and search for "nat". There should be an outbound NAT section that includes references to your 10.0.0.0/16 subnet.

    I was using Automatic NAT, and this is what I found (It did not reference the 10.0.0.0/16 network):

    cat /tmp/rules.debug | grep 'nat'

    no nat proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    tonatsubnets    = "{ 10.13.0.0/16 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 192.168.222.189/32 port 500
    nat on $WAN  from $tonatsubnets to any -> 192.168.222.189/32 port 1024:65535

    So I did a generic any-to-any on the WAN adapter, like the attached photo, and it works like a charm now!!
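The check phil.davis describes (look in /tmp/rules.debug for the outbound NAT section) can be scripted, which makes it easy to see exactly which subnet is missing before reaching for a catch-all any-to-any rule. The script below is an added example, not code from the thread or from pfSense. It assumes the `tonatsubnets` macro format shown in the output quoted above, and it uses a constructed sample of that output; 192.168.2.0/24 is taken from the original poster's description of the alias subnet and is an assumption about the exact prefix length.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): inspect the automatic
# outbound-NAT macro in a pfSense /tmp/rules.debug and report which LAN
# subnets it does not cover, then print the macro one would expect instead.

# Constructed sample mirroring the rules.debug lines quoted in the thread.
SAMPLE_RULES='no nat proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"
tonatsubnets    = "{ 10.13.0.0/16 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets to any -> 192.168.222.189/32 port 1024:65535'

# nat_subnets FILE: print the subnets listed in the tonatsubnets macro, one per line.
nat_subnets() {
    sed -n 's/^tonatsubnets[[:space:]]*=[[:space:]]*"{\(.*\)}".*/\1/p' "$1" \
        | tr ' ' '\n' | sed '/^$/d'
}

# subnet_is_natted FILE CIDR: succeed only if CIDR appears in the macro verbatim.
subnet_is_natted() {
    nat_subnets "$1" | grep -qxF "$2"
}

# missing_nat_subnets FILE CIDR...: print every CIDR the macro does not list.
missing_nat_subnets() {
    file=$1
    shift
    for cidr in "$@"; do
        subnet_is_natted "$file" "$cidr" || echo "$cidr"
    done
}

# expected_nat_macro CIDR...: the macro line that would cover all given subnets
# (loopback is kept, as pfSense includes it automatically).
expected_nat_macro() {
    printf 'tonatsubnets = "{ %s 127.0.0.0/8 }"\n' "$*"
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    echo "Subnets currently NATed:"
    nat_subnets "$tmp"
    echo "LAN subnets with no outbound NAT:"
    # 192.168.2.0/24 is the assumed alias subnet from the original post.
    missing_nat_subnets "$tmp" 10.13.0.0/16 192.168.2.0/24
    echo "Expected macro once the alias subnet is included:"
    expected_nat_macro 10.13.0.0/16 192.168.2.0/24
    rm -f "$tmp"
}

main
```

On a live box, point `nat_subnets` at the real /tmp/rules.debug instead of the sample. Adding the alias subnet as a specific outbound NAT source (or letting automatic NAT pick it up once the IP Alias exists) keeps the translation limited to networks you actually own, whereas a generic any-to-any rule also translates anything else that happens to reach the WAN rule.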


