PfSense behind router - multiple subnets



  • Hello pfSense forum,

    I searched for some topics that could be related to this problem, but haven't found anything specific.
    My current network configuration is quite simple and working.

    A router (integrated modem, DHCP provider, VoIP provider) is connected to a switch. From the switch, all local devices are connected to the router.
    This simple configuration is drawn on the left side.
    Now if I integrate the pfSense ALIX board, the new setup will look like the diagram on the right side:

    The IP addresses are fictional, but the subnet numbers are not.
    What I want to achieve here is to put the local devices into a different subnet than all the other devices.
    It should be possible to reach the pfSense device and the router from the local network.
    I don't want to put the router into bridged mode, because its firewall (NAT & SPI) should be used, too.

    How can I properly configure this?

    Also thanks to the administrators/moderators for deleting my old thread and letting me repost it properly.


  • LAYER 8 Global Moderator

    "The IP addresses are fictional, but the subnet numbers are not."

    Huh?  What you show is everything on a 192.168.1.0/24 (255.255.255.0) network..

    Did you mean 192.168.1.0/24, 192.168.2.0/24 ?

    As to
    "I don't want to put the router into bridged mode, because its firewall (NAT & SPI) should be used, too."

Why??  Seems pointless and will be a performance hit, there is almost never an actual good reason to double nat ;)

    But in general – sure if you want to run multiple segments behind pfsense, even if double natting it is not a problem

    I would assume you wanted

    192.168.1.0/24 as the wan on your pfsense and then 192.168.2.0/24 and 192.168.3.0/24 as segment behind pfsense?



  • @johnpoz:

    Did you mean 192.168.1.0/24, 192.168.2.0/24 ?

    Yes, I updated the diagram.

    @johnpoz:

    I would assume you wanted

    192.168.1.0/24 as the wan on your pfsense and then 192.168.2.0/24 and 192.168.3.0/24 as segment behind pfsense?

    What I want looks like this:

    Segment/Subnet group 1:

    • Device 1: IP: 192.168.1.0 Subnet: 192.168.1.0/24

    • Device 2: IP: 192.168.2.0 Subnet: 192.168.2.0/24

    • pfSense ALIX: LAN IP: 192.168.3.0 LAN subnet: 192.168.3.0/24

    Segment/Subnet group 2:

    • pfSense ALIX: WAN IP: 192.168.4.0 WAN subnet: Not /24 and not /32, but on the same subnet as Router

    • Router: LAN IP: 192.168.5.0 LAN subnet: Not /24 and not /32, but on the same subnet as pfSense ALIX

    Subnet 3:

    • Router: WAN IP: xx.xx.xx.xx WAN subnet: xx.xx.xx.xx/32

  • LAYER 8 Global Moderator

Your drawing is still not right - you have pfsense wan connected to your router - but they are in different networks.  Pfsense wan would be in the same segment as your router lan in front of pfsense

    in your drawing the 192.168.5.0/24

    So for example the routers lan might be 192.168.5.1 and pfsense wan would be 192.168.5.2

    Then on pfsense lan side you could have as many segments as you want, where pfsense might have say 192.168.2.1 and 192.168.3.1 on its interfaces for the 192.168.2.0/24 segment and 192.168.3.0/24 segment.

    Now the way you have it drawn you only show 1 interface on pfsense, with only 1 connection to your switch - does your switch do vlans?

    If not you would setup something like this where pfsense had multiple interfaces for your different lan segments.  If your switch supports vlans - then you trunk the connection to pfsense interface and then on your switch put whatever ports you want in whatever vlans they need to be in.




  • @johnpoz:

Your drawing is still not right - you have pfsense wan connected to your router - but they are in different networks.  Pfsense wan would be in the same segment as your router lan in front of pfsense

    I corrected the drawing and my second reply on this thread accordingly.

    @johnpoz:

    Now the way you have it drawn you only show 1 interface on pfsense, with only 1 connection to your switch - does your switch do vlans?

    From what I could gather, it does not.
    There was no mention of VLAN on the datasheet.

    What about a properly configured double NAT?


  • LAYER 8 Global Moderator

    What you show is a double nat with that 192.168.5.0/24 on the wan of pfsense vs an actual public IP.

    But how are you going to have 2 lan networks?  Does pfsense have 2 lan interfaces?  Seems you don't have a switch that supports vlans..  So how do you expect that to work?



  • Which 2 LAN networks do you mean?
    I don't want to separate 192.168.1.0 and 192.168.2.0, only Subnet/Subnet group 1 and Subnet/Subnet group 2.
    Of course the Router WAN should not be in the same subnet as all the other devices.

    The pfSense ALIX 2D13 has 3 interfaces, which can either be configured as LAN or WAN, so I guess it does have 2 LAN interfaces.

    Shouldn't it be possible to just change the subnet masks/prefixes to separate the subnets?
I don't understand the problem here and would be glad if you could explain it.


  • LAYER 8 Global Moderator

    I think you don't understand the concept of a network segment or subnet or vlan for starters.

    Where do you plan changing
    "Shouldn't it be possible to just change the subnet masks/prefixes to separate the subnets?"

    Your switch does not support vlans, so you want to what just run 2 different address spaces over the same physical wire?  To what purpose?

    if you want to use address space from 192.168.1.1 to 192.168.2.254 then just use a mask of /23 or 255.255.254.0

    if you want to be able to firewall between these networks then you need 2 physical interfaces on pfsense, one on 192.168.1.0/24 and the other on 192.168.2.0/24 or you can run them over the same physical interface if your switch supports vlans



  • @johnpoz:

    Your switch does not support vlans, so you want to what just run 2 different address spaces over the same physical wire?  To what purpose?

    Why on the same physical wire?
    The networks I want to separate are not on the same physical wire, as one is on the LAN NIC (vr0) of the pfSense and the other is on the WAN NIC (vr1) of the pfSense.
    So why would I need VLANs at all if I don't want to separate the devices (192.168.1.0 and 192.168.2.0) from each other?

From what I understand, IP addresses in one subnet should not be able to communicate with IP addresses from the other subnet.
    Is this correct?

    I am sure you noticed, that I want to do this for security reasons.
    So does subnet separation provide any security?
    I mean firewalls/routers automatically put the LAN in one subnet and the WAN in the other.
    Otherwise it would be the same as just plugging the devices into a modem or bridging the LAN NIC onto the WAN NIC.


  • LAYER 8 Global Moderator

    "The networks I want to separate are not on the same physical wire, as one is on the LAN NIC (vr0) of the pfSense and the other is on the WAN NIC (vr1) of the pfSense."

    Dude your drawing shows 3 different network segments on the LAN side.. with 1 wire going to pfsense - this is the SAME wire for 3 different network segments.. Which as drawn is not going to work and just on the same wire.  Do you plan on creating a virtual IP on pfsense in 192.168.2. or 192.168.1

    How do you think boxes on 192.168.1 or 192.168.2.0/24 are going to talk to pfsense that lan is 192.168.3.0/24??

    If you want to provide security between these network segments on your lan side then you need to create interfaces on pfsense that have a connection in each network or vlan.  You can then firewall between them.

    Yes by default in a simple pfsense install with wan in 1 network, and lan in another network you will be doing NAT and would have firewall between them. But see your drawing

    You have 3 different networks on the lan 192.168.1.0/24 2.0/24 and 3.0/24 – how do you expect these to work with.. How does 192.168.2.0/24 talk to pfsense IP on 192.168.3.0/24??

You are showing one physical wire, with 3 different networks on it.  And just because you put a box on 192.168.1.0/24 and one on 192.168.2.0/24 on the same physical network (switch) they can talk to each other.. It's not a good idea, it has all kinds of issues - but it is not secure that is for damn sure.

    You stated this:
    "What I want to achieve here is to put the local devices into a different subnet than all the other devices."

So let's be clear, you're showing all kinds of different segments.  You have a wan segment, and then multiple lan segments.  But you have not shown how you're going to accomplish the multiple segments on the lan side.. So again yes between a wan and lan segment yes you can firewall, and by default you would even be natting so they are isolated from each other.  But if what you're wanting is to firewall between your multiple lan segments then you need an interface for each network segment you want to have on your lan side.. Or if you only have 1 physical interface on pfsense or are limited to some number less than the number of segments you have on the lan side you need vlan support to properly isolate and firewall these segments from each other.




  • Thank you so much for that answer.
    I finally understand where you were trying to point me to and realize that I was concentrating too much on the WAN's subnet of the pfSense, while leaving the security aspects of the LAN segments aside.
    Of course it's insecure, because the 2 devices are connected to each other with the switch, but as mentioned in this post: I didn't think about that.

    @johnpoz:

    How do you think boxes on 192.168.1 or 192.168.2.0/24 are going to talk to pfsense that lan is 192.168.3.0/24??

    You said this, because they are in different IP address spaces, right?
    So logically, should it be 192.168.1.1/24 (device 1), 192.168.1.2/24 (device 2) and 192.168.1.3/24 (pfSense) instead?
Sorry for the fictional notation. It was meant to keep things simple, but it seems to be inapplicable.

    @johnpoz:

And just because you put a box on 192.168.1.0/24 and one on 192.168.2.0/24 on the same physical network (switch) they can talk to each other.. It's not a good idea, it has all kinds of issues - but it is not secure that is for damn sure.

    I never planned to assign those fictional IP addresses to the devices, because that would be nonsense.
Usually they get 192.168.1.100 and 192.168.1.101 on the LAN side of the pfSense, I think.
In the first sentence quoted here, you hinted that the LAN devices wouldn't be able to communicate with the pfSense, but here you say that they could talk to each other.
But only if they were in the same address space and on the same switch would it not be secure. Is this correct?
    Or would they also be able to talk to each other, when they would have those fictional IP addresses, while being connected via switch and thus represent a security threat?

    Now to the LAN separation problem.
    Is the only way to solve this to buy a VLAN capable switch or could I just remove the switch, connect the first device to NIC1 (vr0), the router to NIC2 (vr1) and the second device to NIC3 (vr2)?

    Another question:
    As you can see the pfSense automatically gave all LAN segments and its WAN side the subnet prefix /24.
    Does this mean, that anything from the WAN side of the pfSense could directly attack the LAN segments behind it or has this nothing to do with subnet prefixes?

    With all that being said, I thank you for taking your time and helping me.
    I hope that one day I can give something back to the community by helping other newbies.


  • LAYER 8 Global Moderator

    Dude I think you really need to do some research on basic networking ;)

    As you can see the pfSense automatically gave all LAN segments and its WAN side the subnet prefix /24.
    Does this mean, that anything from the WAN side of the pfSense could directly attack the LAN segments behind it or has this nothing to do with subnet prefixes?

    Just because your network on wan is a.b.c.?/24 and your lan also has /24 (255.255.255.0) – your lan would be something like x.y.z.?/24 or even a.b.d.?/24 -- these are DIFFERENT networks.

It wouldn't even work if both networks were the same on both sides ;) Since you're natting and routing, not bridging.

    That network mask (255.255.255.0) example is 24 bits and tells you how much of the address spells out the network, and what portion of the address is hosts.  With 24 bits it is easy because the first 3 octets is network, and the last octet is for host addresses on that network.

    So for example

    192.168.1.0/24 means that 192.168.1 is the network, and .1-254 would be valid hosts. .0 is the wire and .255 is broadcast.

    When you were giving 192.168.1.0/24 and 192.168.2.0/24 and 192.168.3.0/24 you were calling out 3 different networks!

    since /24 means that 192.168.1 is the network address.  I think this clicked with this statement

    So logically, should it be 192.168.1.1/24 (device 1), 192.168.1.2/24 (device 2) and 192.168.1.3/24 (pfSense) instead?

    Those are all host addresses and would be on the same network segment.

    If you want to directly connect your devices to pfsense and not use a switch, then sure you could put 1 pfsense interface on lan1, and 2nd interface on lan2 – say 192.168.1.0/24 and 192.168.2.0/24

    So pfsense would have for example
    lan1 192.168.1.1
    lan2 192.168.2.1

    And your devices would be
    lan1 192.168.1.2
    lan2 192.168.2.2

    That works - you could then allow the ports you want between those networks via firewall rules on pfsense.  Or you could buy another switch

Let's see if these drawings help you understand your options on having multiple lan segments

    So first one you got how you would normally do it with different physical nics for each network segment.

    2nd one is how you could do it with no switches and just directly connected to interfaces on pfsense - like you mention

3rd is how you would do it with vlans (802.1Q) - where you only have 1 physical connection to the switch (trunk) you have addresses on pfsense for each network segment.  But then your vlan capable switch can put different ports in the vlan (network segment) you want the device connected to be on.  A trunk allows multiple networks to flow over the wire, where the different network traffic would be tagged with what vlan (network) it is on.  The vlan capable switch, based upon the vlan tag on the traffic, determines if that traffic can be sent to specific ports or over specific trunks.  You can normally put access control lists on trunk ports that say only xyz tagged can flow over this port.

    Keep in mind in these drawings that WAN is in terms of what pfsense sees it as, it could be the internet, it could be just another segment behind your current internet router, etc.  Pfsense sees an interface that has a "gateway" as a wan connection and segments that don't have gateway set on pfsense as LAN.. Where pfsense is the "gateway" for devices connected to pfsense lan segments.  Pfsense is the gateway to other lans or out its wan, etc.  for devices connected to its lan networks.

    Also keep in mind by default pfsense NATS traffic between its lan network(s) and its wan network..  So while a computer on lan1 is talking to computer on lan2 if allowed by firewall rules, the lan 2 computer would see the actual IP address of the computer on lan1.  While if computer on lan1 is talking to a computer on the WAN or beyond, that computer would think the traffic came from the pfsense wan IP (a.b.c.?), not the computer actual lan1 IP..  All the computers on lan1, 2 or etc while talking to boxes on the wan network segment of pfsense would all look like they came from pfsense wan IP (a.b.c.?)  If you want wan device to be able to create traffic to lan devices you would need to create a port forward along with firewall rule to allow the traffic.  While devices talking between the lans only need firewall rules and not nat rules.

But since it seems you are putting pfsense's wan on a rfc1918 network behind another nat router, this is called a double nat..  And that router connected to the internet would change pfsense's a.b.c.? address to whatever your public internet address is.  This is why normally you would want pfsense to be the internet connected router/firewall.  And you don't have to deal with the double nat, and can allow all your devices to talk to each other on your network(s) without having to create nats, etc. etc.

    I like nothing more than to help people understand networking - so I sure hope this helps the light bulb turn on for you ;)
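A small subnet calculator, added here as an example and not code from the thread, that reproduces the mask arithmetic in johnpoz's post with Python's standard ipaddress module: which part of an address is network and which is host, why a .0/24 address is "the wire" rather than a device, when two hosts are in the same segment (and so never pass a pfSense rule), and what source address a LAN device shows when it talks to another LAN segment versus the WAN under the default outbound NAT. The LAN segment list and WAN address in the demo are assumed values reusing the thread's example addresses.

```python
from ipaddress import ip_interface, ip_network


def segment(cidr):
    """Split 'a.b.c.d/prefix' into what the mask says: the network ("the wire"),
    the usable host range and the broadcast. Assumes a prefix of /30 or shorter."""
    net = ip_interface(cidr).network
    return {
        "network": str(net),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def is_usable_host(cidr):
    """False for the network address (.0 on a /24) and the broadcast (.255),
    which is why 192.168.1.0/24 is not an address you assign to a device."""
    iface = ip_interface(cidr)
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def same_segment(cidr_a, cidr_b):
    """Two hosts are neighbours on one segment only if their masks agree on the network."""
    return ip_interface(cidr_a).network == ip_interface(cidr_b).network


def how_they_talk(src, dst):
    """Same segment: the hosts talk directly through the switch, no pfSense rule is
    consulted. Different segments: each host sends to its gateway, so the traffic
    crosses a pfSense interface and the firewall rules on that interface decide."""
    if same_segment(src, dst):
        return "direct (same segment, switch only)"
    return "routed via pfSense (firewall rules apply)"


def apparent_source(src, dst, lan_segments, wan_ip):
    """Default outbound NAT as described above: LAN-to-LAN traffic keeps its real
    source address, LAN-to-WAN traffic appears to come from the pfSense WAN IP."""
    dst_ip = ip_interface(dst).ip
    if any(dst_ip in ip_network(n) for n in lan_segments):
        return str(ip_interface(src).ip)
    return wan_ip


if __name__ == "__main__":
    # Constructed values reusing the thread's example addresses (assumed, not from the post).
    print(segment("192.168.1.0/24"))
    print(segment("192.168.1.100/23"))  # a /23 starts on an even third octet: 192.168.0.0/23
    print(same_segment("192.168.1.100/22", "192.168.2.100/22"))  # /22 is what joins .1.x and .2.x
    print(how_they_talk("192.168.1.2/24", "192.168.2.2/24"))
    print(apparent_source("192.168.1.2/24", "192.168.5.1/24",
                          ["192.168.1.0/24", "192.168.2.0/24"], "192.168.5.2"))
```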








  • Reading through your last post, I learned much and start to understand the basics of network separation.
    Thank you for taking your time and writing that detailed explanation. It helped me a lot!



  • Bravo johnpoz for hanging in there.

    I like nothing more than to help people understand networking - so I sure hope this helps the light bulb turn on for you

Indeed you must.  And I'm sure you helped someperson472034.  I enjoyed reading your networking explanation as well.

