Need some pointers for my network (pic)



  • Hi All,

    I'm building a larger network in various subnets and use 2 pfSense boxes on 2 Soekris 6501-70 hardware.
    (1.6ghz, 2gb, 250gb, 4xNIC onboard)

    I have things mostly working or know how to do it but I need some pointers on (I think) Firewall rules but can't find a clear answer here or through Google.

    The situation (refer to image below):
    For technical reasons I have 4 vDSL lines with it's modems hooked up to 2 soekris machines.
    The green (LAN1) network is 10.0.0.0/24
    Blue (LAN2) is 10.0.1.0/24
    Purple (LAN3) is 172.20.0.0/24
    Orange is considered WAN and sits on 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 (one for each modem)
    Red is outside my network and not relevant.

    The 3 accesspoints in the middle are Dual lan with built-in physical separation, distinct IP's for each subnet and 2 cables connected for that purpose (Draytek VigorAP800)

    What I want to do:
    Each LAN is supposed to be separate. But the green network (LAN1) should be able to reach Blue (LAN2) and Purple (LAN3). For this reason I connected pfSense 2 to the switch of LAN1.
    LAN2 and 3 should not be able to access LAN1 (green).
    I can reach the pfSense box and log in to its config panels but not go through it to access LAN2.
    I also can not reach LAN3 from LAN1.

    I've tried adding rules to allow LAN1 to LAN2 and both way rules and stuff. But I can't get through.
    Also. The printer on LAN2 should be available to LAN1 with no limitations. This is a Canon Laser (mf8040Cn) with LAN port and will have a static address once I configure it.

    Key thing is that LAN1 should be able to access LAN2 and LAN3 but not the other way around.

    Firewall:
    Currently I have rules to access and deny access to the pfSense box
    Like; allow ICMP, DNS and NTP to pfSense 1 & 2 from appropriate lans. But deny everything else (Except config).
    Also I have configured some gateway rules for the dual wan setups I'm running.
    Other than that the firewalls are "empty".

    I'd assume I would have to add a rule similar to "Allow LAN1 to LAN2 on any protocol" but that doesn't work.
    I've read about static routes. But that seems to be for remote (off-site) connections only.

    Nat is currently on Automatic, if I disable it I can't access the internet anymore. Probably because of the modems not (yet?) being bridged.

    Any tips and pointers welcome.
    Thanks!



  • I think you only need one pfsense unless you can't co-locate the modems.



  • I'm not sure what that means…
    But I physically lack ports on the soekris to connect them all to one soekris machine.

    Any ideas on how to connect LAN1 to the other 2?



  • I see - So, then 1 VLAN switch and 1 pfsense will do the trick.  (Getting this on one pfsense seems to make sense)
    I'll think about how to do it the hard way in a minute.  Get back with you.