[SOLVED] - Do I need 2 pfSense routers for multi-LAN single WAN setup?
Ok, so I'm new to pfSense and not a real networking guru at all.
I have a "lab" style setup, where I have 1 AD server and several other servers all doing their own thing (SCCM/Exchange/Sharepoint, etc.)
Before I happened on pfSense I had Win2k8 box as the AD server, with routing and remote access running, to give my servers/clients access to the internet. The AD DNS sorted out all of the internal name resolution and any external browsing, etc. I need to extend the lab to have a separate LAN, but still maintain the AD name resolution and access to the internet on all LANs/Subnets.
My main LAN, which is where the Broadband router is sat is on 192.168.0.0/24, which is a real network and DHCP is provided by my router. My virtual host only LAN within VMWare Workstation, is on 192.168.100.0/24. I've installed pfSense and disabled the RRAS service and my 192.168.100.x clients can get to the web and still resolve internal DNS names. So all good there.
When I add in the new LAN on 192.168.101.0/24, which is on another host only NIC in VMWare I can't seem to get anywhere. After spending a few hours googling and playing with routes and firewall rules I did manage to get the 100 and 101 networks to see each other with ICMP traffic, but then neither side could get to the internet.
This has kind of led me to think that what I should have is the one pfSense box between the 100 network and the outside world and then another between the 100 and 101 networks. I'm probably wrong, but I just can't seem to get the right settings.
Just to make it clear incase I haven't already. The 100 and 101 networks both need to be able to resolve DNS primarily from the AD DNS server in the 100 network, so I keep the domain level traffic working, but both also need to go to the internet if required.
After spending a few hours googling and playing with routes and firewall rules I did manage to get the 100 and 101 networks to see each other with ICMP traffic, but then neither side could get to the internet.
Without knowing what your firewall rules, default gateways etc are now it is impossible to account for this behaviour. I suggest you post a screenshot of at least the firewall rules of the LAN interface so we can help you get that back to allowing traffic to the Internet.
You don't mention DHCP on your OPTx interface. How do client systems on that interface get DNS, default gateway etc?
In the default configuration, all traffic received on LAN interface is allowed, all traffic received on other interfaces is blocked. From that configuration you would normally have to add a firewall rule on the non-LAN interface to allow the traffic you want allowed THEN reset firewall states (Diagnostics -> States, click on Reset States tab, read, remember and then click on the Reset States button). It is easy to forget this last step. Firewall rules are processed "top down", first match wins.
The config is actually back at the default, as I've rebuilt the VM running pfSense. I added a DHCP helper for the 101 subnet to point to the AD server 100.10, which worked, although I switched the only client currently in 101 back to static while I was playing around.
WAN - is getting IP 192.168.0.33 with dg of 192.168.0.1 (my Draytek router).
LAN - IP is statically set to 192.168.100.1/24.
Opt1 - IP is statically set to 192.168.101.1/24.
AD server on 192.168.100.10 has dg of 192.168.100.1 and DNS as 127.0.0.1. It is DHCP and DNS server.
SCCM server on 192.168.100.20 has dg of 192.168.100.1 and DNS as 192.168.100.10 (the AD server).
New server on 101 is set statically as 192.168.101.10, dg of 192.168.101.1 and DNS as 192.168.100.10 (I've tried 192.168.101.1 too).
I changed the firewall rule on 101 to allow all traffic to all networks. I think by default it only allowed TCP. I've tried adding a bridge, but that didn't seem to work either.
When I'm back infront of the PC in the morning I'll finish the re-config of pfSense and document properly what's it's set to.
I may have not necessarily followed the "THEN reset firewall…" bit properly, but during the end of my 4 hour battle I did just resort to rebooting the pfSense server to make sure any changes took.
Thanks for taking the time to help...
I've restarted the install from scratch to make sure that there are no errant settings hanging around. I'll write this post as I configure it up.
I have the following NIC setup in VMWare:
VMnet 0 (my main real LAN that goes to the internet), 2 and 3 are mapped to the pfSense router VM, in that order.
Once I install, run the config and set the static IPs on pfSense I get the following:
Any machine on the LAN interface can now see the router and get to the web. They have the following config:
I setup the NIC for the machine in the OPT1 network like so:
Any machine on OPT1 cannot do a jot. There were no firewall rules setup, so I added the following, which replicated the LAN rules, apart from the anti-block for port 80:
Now the LAN subnet can still get to the internet. The OPT1 subnet can ping the router, ping LAN addresses and get to the internet. It also resolves names into the AD DNS.
So that's everything that I wanted it to do. It is now working exactly as I wanted. Go figure.
I've just added another OPT2 NIC for the 192.168.102.0 network and followed the same approach and that's working a treat.
Thanks for your help. I think it was down to the reset states. I probably had the right config at some point yesterday, but it didn't register properly as I hadn't done that reset and therefore I had assumed it hadn't worked.
I can get on with the real work now. Thanks again for your help…