Multi-LAN segregation.



  • seems IP requests I have from LAN1 are being fulfilled by LAN2?
    pfsense is the dhcp for LAN1 though…

    this is a rule I put in but doesn't seem to work .....

    I can't ping from lan1->lan2 or lan2->lan1 ....??

    turning off DHCP in lan2 has been my only fix.


  • LAYER 8 Global Moderator

    So take it lan2 is the 10.0.0 network?

    As to lan2 dhcp answering lan 1??  What?  What are your physical connections?  Broadcast is not going to go across pfsense segments.

    So what are your physical connections if lan2 is answering lan1 broadcasts for dhcp?

    As to allowing ping, etc.  You need your rules to allow traffic above your rule there with a gateway..  You're sending all traffic to that gateway and not allowing it to use pfsense local routing.  All rules for local segments need to be before rules with gateways.
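
As an added illustration, not from the thread, of the rule-ordering point above: a first-match simulation of a LAN1 ruleset with a policy-routing catch-all placed before and after the LAN2 rule, plus a check that flags the shadowing; the gateway name, networks and rule shape are constructed for the example.

```python
import ipaddress

# Constructed pfSense-style LAN1 ruleset (not the poster's actual rules).
# A rule is (destination network, gateway); gateway None means "default",
# i.e. pfSense's own routing table; a name means policy routing to it.
LAN2_NET = ipaddress.ip_network("10.0.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
LOCAL_NETS = [LAN2_NET]                    # segments pfSense should route itself

MISORDERED = [(ANY, "WAN_GW"), (LAN2_NET, None)]   # gateway catch-all first
CORRECTED = [(LAN2_NET, None), (ANY, "WAN_GW")]    # local segment first

def forward(rules, dst):
    """Top-down, first-match evaluation as pf does for interface rules."""
    dst = ipaddress.ip_address(dst)
    for net, gw in rules:
        if dst in net:
            return "local-routing" if gw is None else f"policy-routed:{gw}"
    return "blocked"                       # implicit default deny

def lint(rules, local_nets=LOCAL_NETS):
    """Flag local segments whose traffic an earlier gateway rule would swallow."""
    problems = []
    for pos, (net, gw) in enumerate(rules):
        if gw is None:
            continue
        for local in local_nets:
            # A gateway rule that covers a local net is a problem unless a
            # gateway-less rule above it already handles that net.
            covered = local.subnet_of(net)
            handled = any(g is None and local.subnet_of(n) for n, g in rules[:pos])
            if covered and not handled:
                problems.append((pos, str(local), gw))
    return problems

if __name__ == "__main__":
    print(forward(MISORDERED, "10.0.1.10"), forward(CORRECTED, "10.0.1.10"))
    print(lint(MISORDERED), lint(CORRECTED))
```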



  • @johnpoz:

    So take it lan2 is the 10.0.0 network?

    As to lan2 dhcp answering lan 1??  What?  What are your physical connections?  Broadcast is not going to go across pfsense segments.

    So what are your physical connections if lan2 is answering lan1 broadcasts for dhcp?

    As to allowing ping, etc.  You need your rules to allow traffic above your rule there with a gateway..  You're sending all traffic to that gateway and not allowing it to use pfsense local routing.  All rules for local segments need to be before rules with gateways.

    the PF sense box would be the only way the two networks would have to communicate.

    my windows server running DHCP on the 10.x was issuing dhcp..

    my phone servers were replying NTP to clients on the 192.168.x ….

    the two networks are not connected except through the 2 lan's on PFsense.


  • LAYER 8 Global Moderator

    So you sure there is not a common switch?  dhcp is broadcast, broadcast does not cross networks.  Did you bridge your interfaces in pfsense?  Do you have your interfaces reversed?

    Did you setup dhcp relay on the interface vs actual dhcp server?



  • @johnpoz:

    So you sure there is not a common switch?  dhcp is broadcast, broadcast does not cross networks.  Did you bridge your interfaces in pfsense?  Do you have your interfaces reversed?

    Did you setup dhcp relay on the interface vs actual dhcp server?

    no common switch. one is internal network (10.x) other is "guest" network. with 2 different infrastructures. until I added the pfsense box.

    I didn't set up "anything" in pfsense except to pass traffic from wan -> lan & wan -> lan2…

    maybe the traffic is going lan->wan->lan2 ???

    interfaces have no possible way of being reversed, the 192.x interface has its own dhcp server on pfsense.
    the 10.x interface is merely a gateway. with no dhcp.
    the pfsense dhcp server has issued over 100 addresses and has a lot of availability (192.168.5.101 - 192.168.125.254)

    the dhcp relay says it cannot run while there is a dhcp server running.


  • LAYER 8 Global Moderator

    Dude how do you have 6 wans?

    Lay out your network.. What I can tell you is broadcasts for dhcp do not route!!!  So unless you have bridged something, or have a physical connection there is no way for dhcp on interface lan2 to answer broadcasts from lan1 network… There just isn't..

    You sure you don't have a rogue dhcp server on your lan handing out the same addresses as lan2 is?  Or you must have a dhcp helper on your lan sending the traffic to lan2 IP..  An IP helper will turn the dhcp broadcast into a unicast and send it to the dhcp server.  But it would tell it what network it's from, so if that was the case lan2 shouldn't send an offer.

    Why don't you draw out the network you have with wan1-6?? What??

    Why don't you just sniff the traffic and see what is going on.. Why are you so sure lan2 is handing out dhcp to lan1



  • @johnpoz:

    Dude how do you have 6 wans?

    Lay out your network.. What I can tell you is broadcasts for dhcp do not route!!!  So unless you have bridged something, or have a physical connection there is no way for dhcp on interface lan2 to answer broadcasts from lan1 network… There just isn't..

    You sure you don't have a rogue dhcp server on your lan handing out the same addresses as lan2 is?  Or you must have a dhcp helper on your lan sending the traffic to lan2 IP..  An IP helper will turn the dhcp broadcast into a unicast and send it to the dhcp server.  But it would tell it what network it's from, so if that was the case lan2 shouldn't send an offer.

    Why don't you draw out the network you have with wan1-6?? What??

    Why don't you just sniff the traffic and see what is going on.. Why are you so sure lan2 is handing out dhcp to lan1

    I have a complex network and this is the wifi controller I run that shows where my 10.0.1.x clients are showing up at. you can see the other clients are all 192.168.x





  • network layout.

    took me quite some time, I hope it helps.


  • LAYER 8 Global Moderator

    Well from your drawing your windows dhcp server scope is only 10.0.1.1 - to 10.0.1.50, so where did 10.0.1.125 come from?

    So you're saying in your windows dhcp server you're seeing leases handed out to these clients?  How do you know they are not static, or some other dhcp server?  Does your dhcp server show a lease for these macs?  With such a large wifi network it's quite possible for someone to be running a dhcp server on it.

    Here is the thing dhcp is BROADCAST!!!  It is NOT possible for the packets to get to your windows dhcp server through pfsense unless you have bridged your lan1 and lan2 interfaces??  Or you have something that is connected to both your network that is..

    You would think someone running such a network would know basic concepts of broadcast and how dhcp works..  It takes 2 seconds to look into your windows dhcp server and validate if lease is there for that mac.

    How about you send out some dhcp discover packets on your wifi network and see what answers ;)  Here is a simple windows tool that will detect dhcp servers on your network.

    Let's see you sit on your wifi network and run this tool and have it detect your windows dhcp server ;)

    http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

    BTW that's it detecting my lan dhcp server.. It didn't find my wlan dhcp or my dmz dhcp..




  • @johnpoz:

    Well from your drawing your windows dhcp server scope is only 10.0.1.1 - to 10.0.1.50, so where did 10.0.1.125 come from?

    So you're saying in your windows dhcp server you're seeing leases handed out to these clients?  How do you know they are not static, or some other dhcp server?  Does your dhcp server show a lease for these macs?  With such a large wifi network it's quite possible for someone to be running a dhcp server on it.

    Here is the thing dhcp is BROADCAST!!!  It is NOT possible for the packets to get to your windows dhcp server through pfsense unless you have bridged your lan1 and lan2 interfaces??  Or you have something that is connected to both your network that is..

    You would think someone running such a network would know basic concepts of broadcast and how dhcp works..  It takes 2 seconds to look into your windows dhcp server and validate if lease is there for that mac.

    How about you send out some dhcp discover packets on your wifi network and see what answers ;)  Here is a simple windows tool that will detect dhcp servers on your network.

    Let's see you sit on your wifi network and run this tool and have it detect your windows dhcp server ;)

    http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

    BTW that's it detecting my lan dhcp server.. It didn't find my wlan dhcp or my dmz dhcp..

    I mistakenly put 1.50 instead of 1.150, I made that chart just for this thread. the red 1.0.1.125 etc was there as demonstration not what the actual SS showed.

    the windows server did indeed "see" those clients, the leases were all there and time stamped appropriately.

    I'm an MCSE/MCP/SQL DBA and I know basic networking but it's not my strong suit. I've been getting a crash course in it recently. as well as wireless networking.
    sorry I don't meet your knowledge expectations.
    I haven't needed to learn everything ive ever done
    "has worked without problems"

    I spent a few hours digging in my wiring rack to verify there weren't any cross-connects. the closest I got was a wireless broadcasting radio (PtMP link, not wifi/2.4ghz) for 192.x plugged into the 10.x but it was on a Vlan…
    should have been a stray 192 device running 'off-network'  that may have been it. the ubiquiti radios I run have a password and run in WDS mode, I can't fathom how it could have looped back to the 192.168.5.1 gateway.

    thanks for the link on the tool i downloaded it. I'll try reconnecting the pfsense to 10.x and re-run the tool.


  • LAYER 8 Global Moderator

    So now you're not leasing from the wrong dhcp server?

    Here is the thing - for pfsense to be what was passing the traffic you would have to setup bridging between the interfaces.  Or have a dhcp relay, or a helper, etc..  You couldn't even have a bad nat or forward or firewall rule that would pass the traffic.

    dhcp is all broadcast traffic - and can not cross network segment boundaries without a helper/relay that turns it into unicast and sends it to a specific dhcp server that has a scope setup for the source network it came from.  Even if the dhcp server got a request from a helper from a different network it would not give it a lease for a scope it didn't have.

    So if you're getting leases from a server in the wrong network - you have to have a broadcast connection between the networks, so a wire, sure an AP in wds that is on the wrong wired network and connected to the wireless network.

    BTW – how do you run such a network and not have a diagram, an actual real one?  Showing lets say all your layer 1 connections, your layer 2 and 3 setup?  You say you put that together for this thread?  That is not a diagram of such a network.  You really should have a detailed network diagram if you're going to manage a network like that - so you don't have to spend hours digging through a wiring cabinet for starters ;)
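
As an added example (not from the thread), the check johnpoz describes: parse a DHCPOFFER captured on a segment, read the offered address, the relay field (giaddr) and the server identifier option, and flag an offer whose address belongs to another segment's scope; a zero giaddr on such an offer means the server heard the DISCOVER as a local broadcast, i.e. there is a layer-2 path between the segments. The scopes, the server address 10.0.1.2 and the packet builder are constructed for the example.

```python
import ipaddress

# Scope each segment is supposed to lease from (constructed for this example,
# mirroring the thread: pfSense serves LAN1, the Windows server serves LAN2).
EXPECTED_SCOPE = {
    "lan1": ipaddress.ip_network("192.168.5.0/24"),
    "lan2": ipaddress.ip_network("10.0.1.0/24"),
}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def parse_dhcp(payload):
    """Parse the BOOTP fixed header plus the DHCP options into a dict."""
    op = payload[0]                                   # 1 = request, 2 = reply
    yiaddr = ipaddress.ip_address(payload[16:20])     # address being offered
    giaddr = ipaddress.ip_address(payload[24:28])     # relay agent, 0 if none
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end marker
        if payload[i] == 0:                           # 0 = pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "giaddr": giaddr, "opts": opts}

def audit_offer(payload, segment):
    """Classify a DHCPOFFER captured on `segment`; None if not an OFFER."""
    m = parse_dhcp(payload)
    if m["op"] != 2 or m["opts"].get(53) != b"\x02":  # option 53 type 2 = OFFER
        return None
    server = str(ipaddress.ip_address(m["opts"][54]))  # option 54 = server id
    if m["yiaddr"] in EXPECTED_SCOPE[segment]:
        return "ok", server
    # giaddr 0 means the server saw the DISCOVER as a local broadcast, so a
    # foreign-scope offer implies a layer-2 path between the segments.
    relayed = int(m["giaddr"]) != 0
    return ("foreign-scope-relayed" if relayed else "foreign-scope-broadcast"), server

def build_offer(yiaddr, server_id, giaddr="0.0.0.0"):
    """Construct a minimal DHCPOFFER for testing (not a real capture)."""
    hdr = bytearray(236)
    hdr[0] = 2                                        # BOOTREPLY
    hdr[16:20] = ipaddress.ip_address(yiaddr).packed
    hdr[24:28] = ipaddress.ip_address(giaddr).packed
    opts = MAGIC + b"\x35\x01\x02" + b"\x36\x04" \
        + ipaddress.ip_address(server_id).packed + b"\xff"
    return bytes(hdr) + opts
```

Feeding real captures means slicing the UDP payload of port 67/68 packets from a pcap and calling `audit_offer` with the interface's segment name.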



  • @johnpoz:

    So now you're not leasing from the wrong dhcp server?

    Here is the thing - for pfsense to be what was passing the traffic you would have to setup bridging between the interfaces.  Or have a dhcp relay, or a helper, etc..  You couldn't even have a bad nat or forward or firewall rule that would pass the traffic.

    dhcp is all broadcast traffic - and can not cross network segment boundaries without a helper/relay that turns it into unicast and sends it to a specific dhcp server that has a scope setup for the source network it came from.  Even if the dhcp server got a request from a helper from a different network it would not give it a lease for a scope it didn't have.

    So if you're getting leases from a server in the wrong network - you have to have a broadcast connection between the networks, so a wire, sure an AP in wds that is on the wrong wired network and connected to the wireless network.

    BTW – how do you run such a network and not have a diagram, an actual real one?  Showing lets say all your layer 1 connections, your layer 2 and 3 setup?  You say you put that together for this thread?  That is not a diagram of such a network.  You really should have a detailed network diagram if you're going to manage a network like that - so you don't have to spend hours digging through a wiring cabinet for starters ;)

    I'm 1 man….
    I replaced 3 people....
    I run all ends of the IT department, software, servers, desktops, bandwidth, POS, databases, POS terminals, printers, Linux, windows, cables (cat3, cat5, cat6, coaxial, Siamese cable, fiber), wireless (wifi, PtP), security cameras, ALL OF IT.
    I just finished migrating from Xenserver 6.2 to Microsoft 2012 VM fabric...

    I've rebuilt two networks, and expanded them,  I have an excel worksheet with all my IPs and duties (ssid, broadcasting, receiving, PtP, notes.) it's actually quite a spreadsheet. otherwise I go crazy.
    I've been doing 82 hour work weeks recently. please give me some slack.

    I've only been here for 6 months! this company begged me for months to help them. the last crew wasn't helping anyone. nothing ANYWHERE was labeled. and when they couldn't find out where something goes, they ran new wire… LMFAO!
    I'm labeling things as I go, and crawling through attics to find wire.
    some point soon I'll have a grid together with all that stuff.

    here is a screenshot of my last day on the last payroll.

    ![IMG_1187 (Medium).JPG](/public/imported_attachments/1/IMG_1187 (Medium).JPG)


  • LAYER 8 Global Moderator

    Well dude you might have mentioned that you just took over a mess ;)

    But this statement right here
    "and when they couldn't find out where something goes, they ran new wire…........... LMFAO!"

    Yeah that could quite easily lead to loops and crossed network boundaries that could lead to the wrong dhcp server answering broadcasts ;)

    Sure hope they are paying you a decent wage per hour if you're putting in 163 hours in 2 weeks.  But if it's a month you're short for typical US work hours ;)



  • @johnpoz:

    Well dude you might have mentioned that you just took over a mess ;)

    But this statement right here
    "and when they couldn't find out where something goes, they ran new wire…........... LMFAO!"

    Yeah that could quite easily lead to loops and crossed network boundaries that could lead to the wrong dhcp server answering broadcasts ;)

    Sure hope they are paying you a decent wage per hour if you're putting in 163 hours in 2 weeks.  But if it's a month you're short for typical US work hours ;)

    I'm 99% sure I had a vlan issue.
    port 11 instead of port 10… I think I can legitimately say it's okay I missed that.

    82 hour work weeks I get overtime and double time. and I have other 'extra' perks that aren't so shabby.

    work isn't work if you love what you're doing!

    glad it's NOT my pfsense though. I love this routing software. a bit frustrating at times, but kick-@ss.


  • LAYER 8 Global Moderator

    that is some crazy hours - no wonder you're missing stuff ;)  I agree when you love what you do time flies - but you still need some down time or you start to miss stuff like vlans and ports ;)

