Isolating hosts/subnets



  • Hi, I have pfSense installed on my ALIX 2d13 board.
    vr0 is connected to the LAN port of an ADSL modem/router and is set as the WAN interface (not bridged).
    vr1 is set as my LAN.

    I want to isolate the hosts of my modem/router from the LAN hosts of my pfSense.
    Must I set up VLANs, or must I create some firewall rules?

    Thanks in advance for any help


  • Banned

    Bridge the DSL thing and make use of the third port on the ALIX board, instead of doing a double NAT and similar nonsense… Set up firewall rules accordingly (e.g., allow everything but the LAN2 destination on the LAN1 interface, and vice versa). Done.



  • Thank you for your reply. I am new to pfSense and to networking, so is there any tutorial I can use as a guide?

    Thanks in advance



  • Google is your friend.

    Here you go, sir:  http://www.overclockers.com/building-pfsense-firewall

    And the bridging-your-DSL-modem part: if you bought your own DSL modem then you may have quite a task, as they tend to be poorly documented and supported; Google will be your best resource for this. If your telco provider provided the modem you may have an easy task ahead of you, depending on the experience and knowledge of their tech support department. Give them a call and tell them you would like them to place your DSL modem into bridge mode and they will do so.

    Some companies don't call it this, or they don't tell their techs about it, so you may need to explain that you need the modem to be transparent to your firewall so that you can set your "computer" to perform the PPPoE authentication. Don't mention router or firewall.

    You will benefit greatly from initially connecting with a PC configured to do the PPPoE connection, just so that you and the support rep can work together more effectively (they have never heard of pfSense) and you can make certain the connection works before connecting your pfSense. Then if it doesn't work you know the problem isn't your DSL provider or your DSL modem. Your PC should receive a public IP address and you should be able to surf the Internet. Don't leave it connected like this for long unless you REALLY trust your computer's firewall.



  • Thank you very much for your time.

    I am not sure about the bridging. I prefer to leave the modem/router as is, in order to serve other hosts that I want to isolate.

    I will read the tutorial in the link. Thanks



  • Be careful chaining routers: you may end up with a problem called double NAT. This occurs when a host must communicate across two links that involve IP address changes (translations); it breaks some web services and VPNs. It can also result in poor performance.


  • LAYER 8 Global Moderator

    OK, it does not matter whether you bridge your modem or not, but I would highly suggest you bridge it so you're not double-NATting. pfSense (WAN) would have your public IP. It just makes it easier to understand and work with, and it is better for performance and stability when you're not double-NATting.

    But it can work: you just put your pfSense WAN IP into a DMZ of your modem's LAN network, and make sure it's not overlapping any of the networks that you're using as pfSense LAN.

    If you connect devices other than pfSense to your "modem's" LAN network, then for them to create sessions to devices on pfSense you have to create port forwards (NATs) from pfSense WAN to the LAN segment you want to forward to. And to access those devices you would have to use the pfSense WAN IP.

    An easier and better solution is to put ALL devices on one of the pfSense LAN segments. In the attached example, leverage the 3rd NIC in your ALIX board to create your second LAN. Now you have 192.168.1.0/24 and 192.168.2.0/24, and you can allow or block whatever traffic you want between these segments with simple pfSense firewall rules, and no NATting will be happening between them. Only when these devices go to the internet (pfSense WAN) will they be NATted.

    It's rarely a good idea to double NAT, and it should be avoided whenever possible.
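The two-LAN layout described in this post (192.168.1.0/24 and 192.168.2.0/24 on separate ALIX ports, with pfSense rules deciding what crosses between them) and the earlier advice to "allow everything but the other LAN as destination" can be checked before touching the box. The following is an added example, not code from the thread or from pfSense itself: a small Python model of pfSense's top-down, first-match interface rule evaluation, plus the subnet-overlap check the post mentions for the non-bridged case. The modem LAN 192.168.0.0/24, the interface names `LAN1`/`LAN2` and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets following the thread's example (assumptions, not from any real config).
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
MODEM_LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed modem LAN if not bridged


@dataclass
class Rule:
    action: str  # "pass" or "block"
    iface: str   # interface the packet ENTERS on (pfSense rules are per ingress interface)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Isolation policy from the thread: each LAN may reach anything except the other LAN.
# The block rule must sit ABOVE the pass-any rule, because first match wins.
ISOLATING_RULES = [
    Rule("block", "LAN1", LAN1, LAN2),
    Rule("pass", "LAN1", LAN1, ANY),
    Rule("block", "LAN2", LAN2, LAN1),
    Rule("pass", "LAN2", LAN2, ANY),
]

# The same rules with the pass-any rule first: a common mistake that silently
# defeats the isolation, since the block rules are never reached.
MISORDERED_RULES = [
    Rule("pass", "LAN1", LAN1, ANY),
    Rule("block", "LAN1", LAN1, LAN2),
    Rule("pass", "LAN2", LAN2, ANY),
    Rule("block", "LAN2", LAN2, LAN1),
]


def decide(rules, iface, src_ip, dst_ip):
    """Return the action for a packet entering `iface`, first matching rule wins.
    No match means the implicit default deny, as on pfSense."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.iface == iface and src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


def overlapping_networks(wan_side_net, lan_nets):
    """Return the LAN networks that overlap the network on pfSense's WAN side
    (the modem's LAN when the modem is not bridged). Any hit means routing
    between the segments will be ambiguous and must be fixed first."""
    return [net for net in lan_nets if net.overlaps(wan_side_net)]


if __name__ == "__main__":
    # Constructed sample packets: LAN1 host to LAN2 host, and LAN1 host to the Internet.
    for rules_name, rules in (("isolating", ISOLATING_RULES), ("misordered", MISORDERED_RULES)):
        print(rules_name, "LAN1->LAN2:", decide(rules, "LAN1", "192.168.1.10", "192.168.2.10"))
        print(rules_name, "LAN1->Internet:", decide(rules, "LAN1", "192.168.1.10", "203.0.113.5"))
    print("overlap with modem LAN:", overlapping_networks(MODEM_LAN, [LAN1, LAN2]))
```

Running it shows the cross-LAN packet blocked only with the correctly ordered rule set, while Internet-bound traffic passes in both; the overlap check returns an empty list for the assumed 192.168.0.0/24 modem LAN, and would flag a modem that also uses 192.168.1.0/24.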


