Multiple LAN networks



  • Hello there to all.

    This is one of my first posts, and before I begin, I will say that I am experienced with networking and am not new to it, but I am new to using pfSense.

    So, what I basically wish to do is to set up multiple LAN networks to the box. I have multiple NICs installed on the box, and I would like to know how to get this to work. I have one LAN that I have set up for servers and my VM box, and I would like to have a second network for my own personal use with a wireless AP. I would like to make it so that if any guests or whatnot were to connect to my personal network, they would not be able to get into the server network. That is the basic premise of this project.

    If I could know how to get this to work, that would be amazing. Thank you.


  • Netgate Administrator

    That's no problem.
    Just assign the second NIC and enable it; it will show initially as OPT1, but rename it if you want. Then set it as type 'static' and give it an IP address and subnet different to your LAN. Add DHCP to the new subnet if you wish. Then add firewall rules to allow traffic from the new subnet to connect to the internet or wherever you want. By default there will be no rules and everything will be blocked. If you don't want clients on OPT1 to access machines on LAN then simply don't add rules to allow that.
    I have a similar interface setup to allow guest wifi clients. The firewall rules on that interface allow traffic with destination 'NOT local subnets' and an exception that allows access to the DNS forwarder on the interface.

    Steve
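As an added illustration (not code from the thread or from pfSense itself), here is a small Python model of the guest-interface rule set Steve describes: a pass rule whose destination is "NOT local subnets", plus an exception allowing the DNS forwarder on the interface address, evaluated top-down with first match winning and an implicit default deny. The subnets follow the addressing plan used later in the thread (10.0.0.0/8 for LAN, 192.168.1.0/24 for OPT1); the alias name, rule descriptions and sample packets are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Constructed addressing plan mirroring the thread: LAN and the guest OPT1 network.
LAN_NET = ip_network("10.0.0.0/8")
OPT1_NET = ip_network("192.168.1.0/24")
OPT1_ADDRESS = ip_network("192.168.1.1/32")  # pfSense's own address on OPT1

# Hypothetical alias grouping every internal subnet ("local subnets" in the post).
LOCAL_SUBNETS = [LAN_NET, OPT1_NET]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port, None for icmp


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    description: str
    proto: str = "any"
    src_nets: List[IPv4Network] = field(default_factory=list)  # empty = any source
    dst_nets: List[IPv4Network] = field(default_factory=list)  # empty = any destination
    dst_invert: bool = False        # the "not" checkbox on the destination field
    dport: Optional[int] = None     # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.src_nets and not any(src in n for n in self.src_nets):
            return False
        if self.dst_nets:
            in_dst = any(dst in n for n in self.dst_nets)
            # With dst_invert the rule matches only when the destination is
            # OUTSIDE the listed networks; without it, only when inside.
            if in_dst == self.dst_invert:
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first matching rule wins (pfSense GUI rules are 'quick'
    by default); with no match the packet hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "default deny"


def overlapping_subnets(nets: List[IPv4Network]) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Sanity check for the 'subnet different to your LAN' requirement."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# Guest-interface rule set as described in the post (ordering matters).
OPT1_RULES = [
    Rule("pass", "guests may query the DNS forwarder on OPT1", proto="udp",
         src_nets=[OPT1_NET], dst_nets=[OPT1_ADDRESS], dport=53),
    Rule("pass", "guests to anything except local subnets",
         src_nets=[OPT1_NET], dst_nets=LOCAL_SUBNETS, dst_invert=True),
]

if __name__ == "__main__":
    print("overlaps:", overlapping_subnets([LAN_NET, OPT1_NET]))
    for pkt in [Packet("192.168.1.50", "8.8.8.8", "tcp", 443),      # internet
                Packet("192.168.1.50", "10.0.0.5", "tcp", 22),      # server LAN
                Packet("192.168.1.50", "192.168.1.1", "udp", 53),   # DNS forwarder
                Packet("192.168.1.50", "192.168.1.1", "tcp", 443)]: # pfSense web GUI
        print(pkt.dst, pkt.proto, pkt.dport, "->", evaluate(OPT1_RULES, pkt))
```

The inverted-destination rule is what keeps guests off the server LAN without needing an explicit block rule, and because the OPT1 subnet is itself in the alias, it also keeps guests away from the firewall's own web GUI on 192.168.1.1; only the explicit port 53 exception above it opens a hole back to the firewall.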



  • Alright, that got me started into this.

    Currently I still don't seem to be getting internet access to the OPT1 interface. I copied the same firewall rule from the LAN interface over to the OPT1 interface.

    My subnet for LAN is the 10.0.0.0/8 subnet and I have my personal network set to the 192.168.1.0/24 subnet. DHCP is provided to OPT1, and still no internet access through PING. The client on OPT1 is also unable to ping the 192.168.1.1 address of the pfSense box on that interface.

    The firewall config for OPT1 is as follows:
    Action: Pass
    Disabled: Unchecked
    Interface: OPT1
    Protocol: any
    Source: OPT1 subnet
    Destination: any
    Log Packets: Unchecked
    Description: OPT1 allow all outbound

    The OPT1 config is as follows:
    Enable: Checked
    Description: OPT1
    Type: Static
    MAC, MTU and MMS are blank
    IP address: 192.168.1.1/24
    Gateway: None



  • @JaredKat:

    Currently I still don't seem to be getting internet access to the OPT1 interface. I copied the same firewall rule from the LAN interface over to the OPT1 interface.

    It is usually necessary to reset firewall states after major firewall rule changes. See Diagnostics -> States, click on the Reset states tab, read, and take appropriate action.

    If you haven't already done so, restart or otherwise reset the computer on the OPT interface to make sure it acquired its network configuration by DHCP from pfSense.


  • Netgate Administrator

    I would not expect to have to reset the firewall states simply after adding an interface, I did it yesterday and didn't need to, but it's easy to do so try that.
    It looks like you're doing everything right. Check the firewall logs to see if your connection attempts are being blocked. Check the DHCP supplied IP info given to your client machine. When you ping the OPT1 interface, what response do you get? No route? 100% loss?
    It's easy enough to typo some setting, I've done it many times.  ;)

    Steve



  • User reported
    @JaredKat:

    Currently I still don't seem to be getting internet access to the OPT1 interface. I copied the same firewall rule from the LAN interface over to the OPT1 interface.

    so more was done than add the new interface.

    @stephenw10:

    I would not expect to have to reset the firewall states simply after adding an interface, I did it yesterday and didn't need to, but it's easy to do so try that.

    It is not clear to me exactly what you are reporting:

    • you added a new interface through the web GUI and were still able to access the internet through the LAN interface

    • you added a new interface through the web GUI and no firewall rules on the new interface and were able to freely access the internet through the new interface

    • something else


  • Netgate Administrator

    Sorry, to be clear:
    I added a new interface by assigning it - the NIC was already in the box.
    I enabled it, added IP info, enabled dhcp and added an allow all firewall rule.
    Then I connected a client and had internet access.

    However I am prepared to believe that doing that in a different order or applying changes half way through could introduce a state that needs resetting.

    Steve

