Do I need to specify multiple gateways?



  • Hi folks, beginner/barely intermediate here looking for advice so please be gentle.

    My setup is as follows:

    WAN has my ISP gateway set.
    LAN, OPT1 and OPT2 under the interfaces menu, all have 'none' as the gateway set. I can access the internet from clients on each interface but my question is, should each interface have its own gateway set from a security point of view?

    I'm an ex smoothwall user and each interface there used its own gateway iirc. So clients on the LAN would use a different gateway to clients on the DMZ/OPT interface.

    Since I have only set a gateway on the external WAN interface, will I need to set a different
    LAN IP 10.1.1.1 - should all clients point to 10.1.1.1 as gateway
    OPT1 IP 10.1.2.1 - should I have to point my clients to 10.1.2.1 as the gateway?
    OPT2 IP 10.1.3.1 - and to 10.1.3.1 as the gateway?

    Or is this sort of routing handled internally by pfsense?

    Any advice appreciated!
    Thanks


  • Banned

    Do NOT set any gateways on LANs.



  • I'm always compelled to do something I'm told not to do! :)
    May I ask why please?


  • Banned

    Because it will break your networking. Use firewall rules if you want separated LANs.



    Forgive my ignorance but I thought the LAN was separate to the optional interfaces by default. Or do I need to create some rules to make it so?

    EDIT: Ok so am I right in thinking I'd need to create rules to ALLOW the interfaces to talk. No rules there by default which means they ARE separate???



  • Yes, sounds like you have it correct. The "gateway" setting on the Interfaces->WAN,LAN,OPT1 etc GUI page is for an Upstream Gateway. The text has been enhanced in 2.1.1 (to be released "real soon now" (tm JimP :).
    You set this to the Upstream Gateway IP on WAN-style interfaces - the way out to the big bad internet.
    On LAN-style interfaces you enable DHCP and pfSense hands out to the clients the LAN (OPT1, OPT2 as appropriate) IP address as the (upstream) gateway.
    So the clients get gateway set to the pfSense IP of the interface they are connected to. Then pfSense has an ISP address as its gateway.

    Add rules on each LAN-style interface to allow traffic source LANnet (or OPT1net…) destination "wherever you want to let them go".



  • So when you say 'upstream gateway', do you mean multiple outbound internet connections? Or have I totally misunderstood?

    What happens if I haven't enabled DHCP on the LAN, OPT1, OPT2 interfaces? Will I need to set each gateway?

    And when I'm dealing with the rules for the LAN, I take it if I only want clients on the LAN to go out via the LAN gateway, the source should only ever be either a host on the LAN or set to 'LAN net'? Same for the OPT1 interface, keeping all rules set to a host on OPT1 or OPT1 net.

    I hope I've understood you correctly but apologise in advance if I haven't.

    UPDATE:
    Was late last night when I was looking at this. Ok so it states on each interface page that the gateway is the IP for each interface. Think I get it now, thanks!



  • Just to clarify this for future readers:

    So when you say 'upstream gateway', do you mean multiple outbound internet connections? Or have I totally misunderstood?

    Each WAN-style link will have an "upstream gateway". If you have 1 WAN, then just 1 upstream gateway, 2 WANs = 2 upstream gateways…

    What happens if I haven't enabled DHCP on the LAN, OPT1, OPT2 interfaces? Will I need to set each gateway?

    Then on the client machines on LAN you have to manually set their gateway to the pfSense LAN IP (that is their way out to the internet - their "upstream gateway"). For clients in OPT1 set their gateway to the pfSense OPT1 IP…

    And when I'm dealing with the rules for the LAN, I take it if I only want clients on the LAN to go out via the LAN gateway, the source should only ever be either a host on the LAN or set to 'LAN net'? Same for the OPT1 interface, keeping all rules set to a host on OPT1 or OPT1 net.

    Yes, on the LAN cable pfSense should only ever receive packets with a source IP in LAN net, so your pass rules would only specify hosts on LAN or LAN net, and as you say for OPT1…
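    The setup described in Phil's two replies above (no gateway on the LAN-style interfaces, clients pointed at the interface IP by DHCP or by hand, and per-interface pass rules whose source is that interface's own net), written out as a hand-made pf ruleset. This is an added example, not pfSense's generated rules or anything posted in the thread; the interface names em0 to em3 are assumptions, the 10.1.x.1 addresses are the ones from the thread.

```pf
# Hand-written pf.conf mirroring the thread's setup (assumed interface names).
wan  = "em0"   # the firewall's default route points at the ISP gateway on this link
lan  = "em1"   # 10.1.1.1/24 - DHCP hands out 10.1.1.1 as the clients' router
opt1 = "em2"   # 10.1.2.1/24 - or clients set 10.1.2.1 as gateway manually
opt2 = "em3"   # 10.1.3.1/24

# "LAN net" / "OPT1 net" / "OPT2 net" in pfSense terms
table <lan_net>  { 10.1.1.0/24 }
table <opt1_net> { 10.1.2.0/24 }
table <opt2_net> { 10.1.3.0/24 }
table <internal> { 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 }

set skip on lo0

# Internal hosts leave via the WAN address; the firewall's own default route
# does the rest, so no per-LAN gateway is involved.
nat on $wan from <internal> to any -> ($wan)

# Default deny: with nothing else, LAN, OPT1 and OPT2 cannot reach each other.
block log all

# Drop packets arriving on an interface whose source address does not belong
# to that interface's network (a LAN cable should only carry LAN net sources).
antispoof log quick for { $lan $opt1 $opt2 }

# Keep DHCP working so clients get their address and the interface IP as gateway.
pass in  quick on { $lan $opt1 $opt2 } proto udp from any port 68 to any port 67
pass out quick on { $lan $opt1 $opt2 } proto udp from any port 67 to any port 68

# Per-interface pass rules: source limited to that interface's own net,
# destination anything outside the three internal networks (the internet).
pass in on $lan  from <lan_net>  to !<internal> keep state
pass in on $opt1 from <opt1_net> to !<internal> keep state
pass in on $opt2 from <opt2_net> to !<internal> keep state

# Outbound side of those stateful connections on the WAN link.
pass out on $wan keep state
```

To let OPT1 reach a specific LAN host, add a narrower `pass in on $opt1 from <opt1_net> to <host>` rule; everything between the internal nets stays blocked otherwise.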



  • Phil, Doktornotor,

    Thanks so much for your help and advice. Great stuff!

