2 ISP + Pfsense (2 Wan & 1 Lan) + Layer 3 Switch Help..
-
Afternoon,
I am new to pfSense and was hoping to get pointed in the right direction or get some help. I am trying to set up a network at home.
I have 2 ISPs and want to connect both to one pfSense box using Dual WAN, and have the LAN port connected to a Layer 3 Cisco switch, with all my devices connected to the switch. From my reading it looks like it's possible, but I was looking for a guide or more concrete info.
1. Is it fine to use 2 WAN and 1 LAN, or do I need 2 LAN?
2. Which device should handle assigning IPs for my internal devices, the pfSense box or the switch?
3. Can I dictate which ISP handles which traffic?
4. Where do I set up VLANs: on both, just pfSense, or on the switch?
5. Should I use the switch to handle the DHCP and the pfSense to handle the routing out?
Can anyone point me in the right direction?
Thank You
-
I used a setup similar to this on our corporate network at my last gig.
We used pfSense at the edge; I established a VLAN in each network segment and controlled security between them on the L3 switch, which we used more as a core router. We had a guest network and a private network that we wanted to allow out to the internet but not allow to communicate with each other, and it worked quite well.
I had a subnet between pfSense and the core, and a subnet on each network segment (VLAN) behind it. I used ACLs on the gear to limit traffic between the segments accordingly. You can use pfSense for DHCP if you use a proxy, but I ended up using the Cisco for DHCP because it was easier to manage everything there.
You don't really need VLANs configured on pfSense; it can be oblivious to the fact that they exist at all. You just need to create outbound NAT rules and routes to get traffic to flow between the networks behind your switch and the internet.
You'll be able to control which ISP traffic is allocated to the same way you would in a normal multi-wan setup.
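As an added illustration of the design described in this reply (example configuration written for this page, not the poster's own config), here is what the Layer 3 switch side looks like in Cisco IOS syntax. All addressing is assumed: a 10.10.0.0/30 transit link between the pfSense LAN port (10.10.0.1) and the switch (10.10.0.2), and one /24 per VLAN for home, lab and guest; pfSense itself sees no VLAN tags.

```cisco
! Added example, not from the thread. Assumed addressing:
!   transit link pfSense LAN 10.10.0.1 <-> switch 10.10.0.2 (10.10.0.0/30)
!   VLAN 10 HOME 10.10.10.0/24, VLAN 20 LAB 10.10.20.0/24, VLAN 30 GUEST 10.10.30.0/24
ip routing
!
vlan 10
 name HOME
vlan 20
 name LAB
vlan 30
 name GUEST
!
! Routed uplink to the pfSense LAN port; pfSense never sees the VLAN tags
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.10.0.2 255.255.255.252
!
! One access port per segment; the port's VLAN decides which network a device is on
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 30
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 ip access-group GUEST-ISOLATE in
!
! Guests reach DHCP, pfSense DNS and the internet, but not HOME, LAB or the transit link
ip access-list extended GUEST-ISOLATE
 permit udp any any eq bootps
 permit udp 10.10.30.0 0.0.0.255 host 10.10.0.1 eq domain
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.0.1 eq domain
 deny   ip 10.10.30.0 0.0.0.255 10.10.0.0 0.0.0.3
 deny   ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.30.0 0.0.0.255 any
!
! DHCP served by the switch for the guest VLAN (repeat per VLAN)
ip dhcp excluded-address 10.10.30.1 10.10.30.99
ip dhcp pool GUEST
 network 10.10.30.0 255.255.255.0
 default-router 10.10.30.1
 dns-server 10.10.0.1
!
! Everything not local goes to pfSense
ip route 0.0.0.0 0.0.0.0 10.10.0.1
```

On the pfSense side this design needs a static route for 10.10.0.0/16 via a gateway of 10.10.0.2 on the LAN interface and outbound NAT covering those subnets, as the reply above says. The default pfSense LAN rule only matches "LAN net" (here 10.10.0.0/30), so the LAN firewall rules must also allow the source networks behind the switch or their traffic is dropped.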
-
Thanks for the info. That is somewhat what I had in mind, but I want 3 networks:
my home network, a test lab and a guest network. I am planning to go get my certs soon. But I see what you are saying: just set up the pfSense as a basic firewall with 2 WAN, then have my Cisco switch do DHCP and so on?
I am still a newbie to this; I know what I want to do but don't yet know how to accomplish it.
-
I have a similar setup and approached it differently. I have 2 WAN and 2 LAN connections, all four are physical connections. I didn't have a layer 3 switch, so I physically separated all of my connections. My pfSense box has 2 NICs on the motherboard and I added 2 PCIe NICs to the box.
To answer your questions specifically:
1 - You can do both; it depends on what you want your network to look like. In your case I would assume you'd use two WANs, since you have two ISP connections, and one LAN.
2 - I have my pfSense box manage my network (with the exception of DNS and Active Directory). It does DHCP and secondary/tertiary DNS.
3 - Yes, you can do a lot with this. I have each of my LANs going out one or the other WAN connection, as well as other policies to route traffic.
4 - Both. pfSense needs to be able to read the VLAN tags, as does the switch, to forward them to the appropriate ports.
5 - My suggestion is to let the switch handle the VLANs and have pfSense do everything else. Everyone's approach will vary a bit, but I generally prefer to keep the switching "dumb" and leave the more intelligent work to pfSense. On much larger installations it simplifies what things are doing on the network, and if something doesn't work, it's somewhat easier to troubleshoot.
-
If you want pfSense to handle everything, but you want to control segmentation on the switch, you could also connect a single interface and use multiple VLAN interfaces. You'd have a different DHCP config on pfSense for each one of these "LAN" interfaces.
You just use a trunk port on your switch to connect to the physical LAN port on pfSense. You then control access to the networks by assigning switch ports to the various VLANs.
-
@Bruor & @tim.mcmanus thank you for your advice.
@tim.mcmanus I am looking to do something exactly like your setup for now. I do have the hardware to add another LAN if I need to.
1. Do I need to set up DHCP if I plan on setting static IPs on everything on my network? With the exception of the wireless access point, I want that to give out DHCP.
2. As far as which LAN connects to which WAN, I want to do a failover setup, with the exception of one computer (VM PC) that I only want going out to ATT. Is that possible?
3. For question 4, when you say both, does that mean I need to set up VLANs on pfSense too, the same as on the switch?
@Bruor
So once I set up pfSense interfaces with different DHCP, I just point the VLANs to the correct interface that I want them to use for a specific WAN? Because each DHCP will be set up according to each WAN, correct?
Thank you all for taking the time to help.
-
Your answers:
1. No. DHCP, like almost every other feature, is optional. Your wireless AP might NAT when it gives out DHCP addresses, and this may create a double-NAT situation. I set my wireless up as a bridge and let pfSense do the DHCP. It's a little simpler to manage, and I don't have to worry about double NAT.
2. Yes. I have a LAN rule to send traffic out of WAN2. Pretty easy to do; just set the gateway under the advanced button.
3. Yes, you are correct. The switch needs to know which ports service which VLANs. pfSense needs to know the VLAN tags so it can route and deliver the proper services to those VLANs.
-
Thank you for the assistance. I am trying to configure now.
-
Hey guys, I have 2 other questions.
1. If I wanted wireless, where would I put it, on pfSense or my switch? I need it to give out DHCP addresses and I need to access my network for shares and AD.
2. I am learning how to do IP, but want to know: my ISP gives me a 192.168.x.x address for my router; can I set up my internal network on a 10.10.10.1 scheme and still access the internet?
Thanks
-
1. If I wanted wireless, where would I put it, on pfSense or my switch? I need it to give out DHCP addresses and I need to access my network for shares and AD.
It goes on the switch, as just another device on the LAN. Then the wireless clients appear on the LAN like any other wired devices and can see LAN file shares… (which is what I think you want).
If you have a Windows Server with an AD domain and there are wireless devices joining the domain, then you probably want to have DHCP from a domain controller/server, but that is a Windows question.
If the wireless AP is really the ONLY place that you want to give out DHCP addresses, then you could use it for DHCP, but you have to be able to specify the pfSense LAN IP as the default gateway (i.e. some APs are also routers with a WAN port on them... and will default to making themselves the gateway...). Really I would not do this: when your network expands you will have the DHCP in an odd place on the side.
I do what Tim does: put DHCP on pfSense. It keeps the various network services managed in 1 place. Personally, I would just have my AD server with a real static IP, have other known devices given static-mapped IPs from pfSense DHCP, and "unknown" guests given IPs from the pfSense DHCP pool. Then in future you can change your IP addresses as you wish from the pfSense DHCP server with the minimum of fuss. (Make sure to turn off DHCP on the wireless AP, L3 switch and any other box that feels the urge to be a DHCP server.)
2. I am learning how to do IP, but want to know: my ISP gives me a 192.168.x.x address for my router; can I set up my internal network on a 10.10.10.1 scheme and still access the internet?
You can leave that like it is: your front-end modem/router might be 192.168.1.1, you do DHCP client on the pfSense WAN and it gets 192.168.1.2. That works, but the front-end device will also be doing NAT, so 2 layers of NAT messing with the packets out and in.
Most people would change the front-end device to be just a bridge modem and pass the real internet through to pfSense. Then set up the PPPoE or whatever ISP connection on the pfSense WAN.
And yes, definitely use a LAN subnet like 10.10.10.0/24, away from the over-used 192.168.[0|1].0/24
-
@phil.davis Thank you for your response.
1. Thanks, that makes sense. I will have to look on a Windows forum in regards to AD and wireless.
2. OK, to make sure I understand: I would put my ISP modem into bridge mode, and what this does is let the WAN on the pfSense get the 192.168.x.x address, correct?
3. Then I make the LAN on the pfSense 10.10.x.x, correct?
4. So once I set up DHCP on the pfSense it will keep my network in the 10.10.x.x scheme?
5. Also, do I set up my WAN as DHCP or static?
6. Also, I have 2 ISPs; do I put both into bridge mode?
Thank you.
-
Also...
7. Can you load balance, failover and divide traffic at the same time? Meaning I want to do load balance and failover with both ISPs, but I have 1 VM that I only want traffic running on a specific ISP and not both.
-
2. Bridge mode lets the real public IP "get through" to the pfSense. You won't see any 192.168 on the WAN side any more. Usually you have set up PPPoE on the ISP modem, with a username/password given by the ISP. When the modem goes to bridge mode, then you need to put that username/password into the pfSense PPPoE settings. The particulars of selecting bridge mode depend on the modem.
3. Yes, e.g. pfSense LAN IP is 10.10.0.1/24
4. Yes, enable DHCP on pfSense and give it some reasonable (for you) range of addresses to use (you know how many devices there might be), e.g. 10.10.0.100-199, whatever.
5. Your WAN will end up being PPPoE, I suspect.
6. Each ISP would be on a different port (NIC), so you will have an ISP on WAN and an ISP on OPT1 (which you can give another name like WAN2). Once you get one running in bridge mode and working, then do the same sort of thing for the other, on the other port. Set up 1 at a time; don't "burn all your bridges" (couldn't resist the pun).
7. You can make gateway groups that load balance (equal priority/tier gateways) or that prefer one WAN and fail over to the other. Load balance effectively "fails over" because it load balances only among the members that are up. Then you add firewall rules to select the traffic you want and policy-route it into a gateway group, or a particular WAN (if you don't want failover/load-balance for that traffic).
I'm sure there is a doc describing the process of setting up WAN/PPPoE with a front-end device in bridge mode. Can someone give a link to it?
-
Thanks for the info, that's what I did. I put both my ISP routers into bridge mode, Time Warner and ATT Uverse. But the problem I am having is the LAN only works with 192.168.1.1. Is there a doc on setting up the 10.10.x.x scheme that I am trying to do?
-
Also, both ISPs are always on, so I am not sure about using PPPoE. If I am not mistaken, that is used for ISPs that need a username and password, correct?
-
PPPoE: you only need that if your ISP does it that way with username/password. It sounds like you get a direct connection that is "just there" when you plug it in; good that it is easy.
You can set the pfSense LAN side to be any private IP subnet that you want, e.g. set LAN to static IP 10.10.42.1/24. Set the DHCP range to 10.10.42.100-199 or whatever you need/want within the LAN subnet.
With just 1 LAN, you don't really use the layer 3 switch functionality. Give the L3 switch an IP address in 10.10.42.0/24 so you can access it and manage it if needed. Set static IPs in 10.10.42.0/24 on any special devices (e.g. a server) that might need to have a real static IP. Let other devices get DHCP from pfSense; if you want them to get the same IP every time, then make static mapping entries for them.
But maybe I am missing something behind your question? Because I don't really understand why you would say "LAN it only works with 192.168.1.1".
-
@phil.davis Thanks for the info, I got it up and running. I set both my ISPs to bridge, then the LAN to a 10.x.x.x scheme.
I was having trouble with the LAN 192.168.1.1 for some reason (most likely because I did not know what I was doing). :)
Thanks for all the help. I got the basics up and running; now it's time to do some testing with the firewall rules and load balancing. Thanks again.