Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need some pointers for my network (pic)

    Scheduled Pinned Locked Moved Routing and Multi WAN
    4 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      adegans
      last edited by

      Hi All,

      I'm building a larger network in various subnets and use 2 pfSense boxes on 2 Soekris 6501-70 hardware.
      (1.6ghz, 2gb, 250gb, 4xNIC onboard)

      I have things mostly working or know how to do it but I need some pointers on (I think) Firewall rules but can't find a clear answer here or through Google.

      The situation (refer to image below):
      For technical reasons I have 4 vDSL lines with it's modems hooked up to 2 soekris machines.
      The green (LAN1) network is 10.0.0.0/24
      Blue (LAN2) is 10.0.1.0/24
      Purple (LAN3) is 172.20.0.0/24
      Orange is considered WAN and sits on 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 (one for each modem)
      Red is outside my network and not relevant.

      The 3 accesspoints in the middle are Dual lan with built-in physical separation, distinct IP's for each subnet and 2 cables connected for that purpose (Draytek VigorAP800)

      What I want to do:
      Each LAN is supposed to be separate. But the green network (LAN1) should be able to reach Blue (LAN2) and Purple (LAN3). For this reason I connected pfSense 2 to the switch of LAN1.
      LAN2 and 3 should not be able to access LAN1 (green).
      I can reach the pfSense box and log in to its config panels but not go through it to access LAN2.
      I also can not reach LAN3 from LAN1.

      I've tried adding rules to allow LAN1 to LAN2 and both way rules and stuff. But I can't get through.
      Also. The printer on LAN2 should be available to LAN1 with no limitations. This is a Canon Laser (mf8040Cn) with LAN port and will have a static address once I configure it.

      Key thing is that LAN1 should be able to access LAN2 and LAN3 but not the other way around.

      Firewall:
      Currently I have rules to access and deny access to the pfSense box
      Like; allow ICMP, DNS and NTP to pfSense 1 & 2 from appropriate lans. But deny everything else (Except config).
      Also I have configured some gateway rules for the dual wan setups I'm running.
      Other than that the firewalls are "empty".

      I'd assume I would have to add a rule similar to "Allow LAN1 to LAN2 on any protocol" but that doesn't work.
      I've read about static routes. But that seems to be for remote (off-site) connections only.

      Nat is currently on Automatic, if I disable it I can't access the internet anymore. Probably because of the modems not (yet?) being bridged.

      Any tips and pointers welcome.
      Thanks!

      1 Reply Last reply Reply Quote 0
      • K
        kejianshi
        last edited by

        I think you only need one pfsense unless you can't co-locate the modems.

        1 Reply Last reply Reply Quote 0
        • A
          adegans
          last edited by

          I'm not sure what that means…
          But I physically lack ports on the soekris to connect them all to one soekris machine.

          Any ideas on how to connect LAN1 to the other 2?

          1 Reply Last reply Reply Quote 0
          • K
            kejianshi
            last edited by

            I see - So, then 1 VLAN switch and 1 pfsense will do the trick.  (Getting this on one pfsense seems to make sense)
            I'll think about how to do it the hard way in a minute.  Get back with you.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.