Need some pointers for my network (pic)

  • Hi All,

    I'm building a larger network with various subnets and use 2 pfSense boxes running on 2 Soekris 6501-70 boards.
    (1.6 GHz, 2 GB, 250 GB, 4x NIC onboard)

    I have things mostly working or know how to do them, but I need some pointers on (I think) firewall rules and can't find a clear answer here or through Google.

    The situation (refer to image below):
    For technical reasons I have 4 VDSL lines with their modems hooked up to the 2 Soekris machines.
    The green (LAN1) network is
    Blue (LAN2) is
    Purple (LAN3) is
    Orange is considered WAN and sits on,,, (one for each modem)
    Red is outside my network and not relevant.

    The 3 access points in the middle are dual-LAN with built-in physical separation, distinct IPs for each subnet and 2 cables connected for that purpose (Draytek VigorAP800).

    What I want to do:
    Each LAN is supposed to be separate. But the green network (LAN1) should be able to reach Blue (LAN2) and Purple (LAN3). For this reason I connected pfSense 2 to the switch of LAN1.
    LAN2 and 3 should not be able to access LAN1 (green).
    I can reach the pfSense box and log in to its config panels but not go through it to access LAN2.
    I also can not reach LAN3 from LAN1.

    I've tried adding rules to allow LAN1 to LAN2, both-way rules and such, but I can't get through.
    Also, the printer on LAN2 should be available to LAN1 with no limitations. This is a Canon laser printer (MF8040Cn) with a LAN port and will have a static address once I configure it.

    Key thing is that LAN1 should be able to access LAN2 and LAN3 but not the other way around.

    Currently I have rules that allow and deny access to the pfSense box itself,
    like: allow ICMP, DNS and NTP to pfSense 1 & 2 from the appropriate LANs, but deny everything else (except config).
    Also I have configured some gateway rules for the dual-WAN setups I'm running.
    Other than that the firewalls are "empty".

    I'd assume I would have to add a rule similar to "Allow LAN1 to LAN2 on any protocol", but that doesn't work.
    I've read about static routes, but those seem to be for remote (off-site) connections only.

    NAT is currently on Automatic; if I disable it I can't access the internet anymore, probably because the modems are not (yet?) bridged.

    Any tips and pointers welcome.
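The policy described in the post above (LAN1 may open connections to LAN2 and LAN3, the reverse is blocked, the LAN2 printer stays reachable from LAN1), written out as an added example in pf.conf syntax, the packet filter that pfSense drives from its GUI. This is not the poster's configuration: the interface names, subnets and printer address are assumed placeholders, and the rules are meant for pfSense 2, the box attached to the LAN1 switch.

```pf
# Added example (not from the original post): the inter-LAN policy as a
# pf.conf-style ruleset for pfSense 2. Interface names, subnets and the
# printer address below are assumed placeholders.
lan1_if  = "vr0"               # assumed: port on the green (LAN1) switch
lan2_if  = "vr1"               # assumed: blue (LAN2) port
lan3_if  = "vr2"               # assumed: purple (LAN3) port
lan1_net = "192.168.1.0/24"    # assumed
lan2_net = "192.168.2.0/24"    # assumed
lan3_net = "192.168.3.0/24"    # assumed
printer  = "192.168.2.50"      # assumed static address of the Canon printer

# Default deny. Every rule below is "quick", so the first match wins,
# the same top-to-bottom order as a pfSense interface tab.
block log all

# Outbound passes on every interface: like pfSense, filter where a
# packet ENTERS the box (the "in" rules below), not where it leaves.
pass out quick keep state

# --- LAN1 (green) interface tab ---
# Management traffic to pfSense 2 itself. ($lan1_if) is the address of
# that interface, i.e. pfSense's "This Firewall (self)".
pass in quick on $lan1_if inet proto icmp from $lan1_net to ($lan1_if)
pass in quick on $lan1_if inet proto udp  from $lan1_net to ($lan1_if) port { 53, 123 }
pass in quick on $lan1_if inet proto tcp  from $lan1_net to ($lan1_if) port 443   # GUI
# Deny the rest of the traffic aimed AT the firewall, and only that.
# A "deny everything else" with destination "any" at this position would
# also swallow the inter-LAN rule that follows, since earlier rules win.
block in quick on $lan1_if inet from $lan1_net to ($lan1_if)

# LAN1 may open connections to LAN2 and LAN3. "keep state" is the key:
# the replies arriving on LAN2/LAN3 match the state entry, so no pass
# rule is needed on those interfaces for the return traffic.
pass in quick on $lan1_if inet from $lan1_net to { $lan2_net, $lan3_net } keep state

# --- LAN2 (blue) and LAN3 (purple) interface tabs ---
# Neither may initiate anything toward LAN1. These blocks sit above the
# "to any" internet rule; placed below it, the wider rule would win.
# (Management rules for the box itself, as on LAN1, would go here too.)
block in quick on $lan2_if inet from $lan2_net to $lan1_net
block in quick on $lan3_if inet from $lan3_net to $lan1_net
pass  in quick on $lan2_if inet from $lan2_net to any keep state
pass  in quick on $lan3_if inet from $lan3_net to any keep state

# The printer on LAN2 needs no rule of its own: LAN1 opens the print
# connection (e.g. TCP 9100, 515 or 631 to $printer) and the state entry
# lets the printer's replies back. It would only need a pass rule on
# $lan2_if if it had to initiate a connection into LAN1.
```

Two things the ruleset does not do. It does not create the path: a LAN1 host whose default gateway is pfSense 1 will never hand its LAN2 or LAN3 traffic to pfSense 2 unless either the host or pfSense 1 carries a route for those subnets pointing at pfSense 2's LAN1 address (a general routing fact, not something the post states). And it does not cover the WAN side, which is left to the gateway rules the post mentions.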

  • I think you only need one pfSense unless you can't co-locate the modems.

  • I'm not sure what that means…
    But I physically lack ports on the Soekris to connect them all to one Soekris machine.

    Any ideas on how to connect LAN1 to the other 2?

  • I see. So, then 1 VLAN switch and 1 pfSense will do the trick. (Getting this on one pfSense seems to make sense.)
    I'll think about how to do it the hard way in a minute. Get back with you.
