Multiple LAN with dual WAN



  • One LAN NIC has internet, with a DHCP address given as 192.168.4.100. On the 2nd LAN NIC there is no internet, but I do get a DHCP address for my laptop, 192.168.3.10. I have been searching forums and trying things for 4 days, but no luck.

    pfSense dashboard:
    DNS server(s): 127.0.0.1
                   192.168.1.254
                   208.67.222.222
                   208.67.220.220

    Dual WAN is load balanced by a shared/grouped gateway, and it's green (working).

    My OPT1 and OPT2 are bridged to LAN.
    If there is any better way of doing this please let me know; I'm new to pfSense, but have used other routers/tools for many years.
    (Eventually I will go all the way to OPT6 once I get one of the multiple LANs to work.)

    Interface Network port
    WAN ue2
    LAN  bridge0
    OPT1 ue0
    OPT2 em0
    OPT3 ue1

    Eventually I will have OPT4, OPT5 and OPT6 each going to a different switch/AP for a different floor.
    The goal is to have 250 different DHCP IPs available per floor (if you're thinking why).

    System > Advanced > System Tunables:

    net.link.bridge.pfil_member   Set to 0 to disable filtering on the incoming and outgoing member interfaces.   1

    net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the bridge interface.   1

    If I set net.link.bridge.pfil_member=0 then both laptops get internet, but they get IP addresses in the same subnet, 192.168.4.x (4.100 for laptop1, 4.101 for laptop2), and I need them to get IPs in their own subnet.

    PS. For anyone else trying to add NICs via USB: the Sabrent USB-to-network adapter works and the Linksys USB NIC works, but the Etekcity and Monoprice brands don't work.

    LAN snapshot:

    ID  Proto   Source   Port  Destination  Port       Gateway     Queue  Schedule  Description
        *       *        *     LAN Address  443 80 22  *           *                Anti-Lockout Rule
        IPv4 *  LAN net  *     *            *          LoadBalWan  none             Default allow LAN to any rule
        IPv6 *  LAN net  *     *            *          *           none             Default allow LAN IPv6 to any rule

    If you need any snapshots or configuration files I will be happy to show them.

    Thanks again,

    James



  • If you want clients on different subnets (a good thing) then you do not need any bridging. You will likely create OPT1, OPT2, ... assigned to each of the NICs, then connect each NIC to a switch on the appropriate floor of your building. Then enable OPTn, give it an IP in a subnet different from the others (192.168.2.1/24, 192.168.3.1/24, ...), enable DHCP on each OPTn and add rule(s) on each OPTn to allow source "OPTn net" destination "wherever you want to let them reach".

    Also, I would choose private IP space other than 192.168.[0|1|2..].* just because so many other people use that space, and it creates hassles if you end up having OpenVPN clients connecting in future from random cafe WiFi that uses those IPs.



  • Yep, that's what I did: LAN, OPT1 and OPT2 have different subnets, with DHCP, with firewall rules exactly like LAN outbound, but the internet doesn't work on OPT2 or OPT1 devices; only LAN devices have internet working.
    All of my OPTn have DHCP working, just no internet. Is there a special gateway or advanced outbound routing that needs to be done? Or am I missing a silly step somewhere?

    (Modem) 192.168.1.254
           |
    Netgear VPN Router - 192.168.7.0
           |
           +----------------------------------------+
           |                                        |
    pfSense (private IP on WAN;               company workstations
    strictly for guests)
           |
           +-- (LAN)  private LAN 192.168.2.*, with DHCP, laptop1 via switch
           +-- (OPT1) private LAN 192.168.3.*, with DHCP, laptop2 via switch
           +-- (OPTn, max = 5)

    My goal is to have more than 250 DHCP leases and to not let the subnets communicate with each other.

    If I bridge OPT1 with LAN everything works, but I'm limited to 248 leases.
    So my setup is as in the diagram above. I can't get laptop2 connected to the internet, no pings, but I do get DHCP IP addresses and I can ping 192.168.7.1 and 192.168.1.254.

    Is something wrong in advanced outbound NAT, proxy, or firewall rules? Thanks.
    Or do I need to take something out / add something?

    Static routes
    Interface Network Gateway Description
    LAN  192.168.1.0/24  192.168.1.254
    LAN  192.168.7.0/24  192.168.7.1

    Firewall: Rules OPT1
      *  OPT1 net  *  *  *  opt source 
      *  *  *  *  *  opt any

    Firewall: Rules LAN
      *  LAN net  *  *  *  Default LAN -> any

    Firewall: Rules WAN
      TCP/UDP  *  *  WAN address  *  (wan dest)

    thanks.



  • It would be easiest to keep this simple. Use automatic outbound NAT, so LAN, OPT1, OPT2, ... will get NAT applied on the way out of the pfSense WAN. Doing it that way, the front-end modem, Netgear VPN router, whatever, do not need to have routes back to the LAN, OPT1, ... subnets. Everything from your guest LANs behind pfSense will seem to come from the pfSense WAN IP.
    I expect you do not want the guests to be able to access any of the company workstations or other guest LANs. So you want to block traffic to any of that. Since those are all in 192.168.0.0/16, make an alias "LocalIntranet" for 192.168.0.0/16, then:

    LAN:
    Pass protocol TCP/UDP source LANnet destination LANaddress port DNS (53) - that lets them do DNS requests.
    Block protocol all source LANnet destination LocalIntranet - stop any traffic directed to other places in the local intranet.
    Pass protocol all source LANnet destination any - let everything else through - general internet access

    Then OPT1 becomes the similar thing:
    Pass protocol TCP/UDP source OPT1net destination OPT1address port DNS (53)
    Block protocol all source OPT1net destination LocalIntranet
    Pass protocol all source OPT1net destination any

    And you don't need any rules on WAN, unless you want to manage pfSense from the WAN side, then you could Pass source "some WAN IPs" destination WANaddress port (22, 80, 443, whatever)
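The rule ordering in the reply above, as an added example that is not part of the original thread or of pfSense's own code: a small Python model of pfSense's first-match rule evaluation on one interface, applied to the three OPT1 rules (pass DNS to the OPT1 address, block the LocalIntranet alias, pass anything else) and run over constructed sample packets from a guest on OPT1. The OPT1 interface address (192.168.3.1), the sample traffic and the alias contents are assumptions following the diagram posted in the thread. It also shows why the DNS pass has to sit above the block: the LocalIntranet alias 192.168.0.0/16 contains the OPT1 interface address itself, so with the block first, guests lose DNS.

```python
"""Model pfSense first-match rule evaluation for the guest-LAN (OPT1) rule set.

Added example: not code from the thread or from pfSense. Addresses and sample
packets are assumptions chosen to follow the diagram in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed addressing (following the thread's diagram, not a real config).
LOCAL_INTRANET = ipaddress.ip_network("192.168.0.0/16")   # alias "LocalIntranet"
OPT1_NET = ipaddress.ip_network("192.168.3.0/24")          # "OPT1 net"
OPT1_ADDRESS = ipaddress.ip_network("192.168.3.1/32")      # "OPT1 address" (assumed .1)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    protos: Optional[FrozenSet[str]]     # None means any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]                 # None means any destination port
    description: str

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or pkt.dport == self.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the interface rules top to bottom; the first match decides.
    Traffic matching no rule hits pfSense's implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "implicit default deny"


# The three OPT1 rules from the reply, in the order the reply gives them.
OPT1_RULES = [
    Rule("pass", frozenset({"tcp", "udp"}), OPT1_NET, OPT1_ADDRESS, 53, "DNS to OPT1 address"),
    Rule("block", None, OPT1_NET, LOCAL_INTRANET, None, "block LocalIntranet"),
    Rule("pass", None, OPT1_NET, ANY, None, "allow anything else (internet)"),
]

# Same rules with the DNS pass placed below the block. The LocalIntranet alias
# (192.168.0.0/16) also contains the OPT1 interface address, so the block now
# swallows the guests' DNS queries before the pass rule is reached.
OPT1_RULES_DNS_AFTER_BLOCK = [OPT1_RULES[1], OPT1_RULES[0], OPT1_RULES[2]]

# Constructed sample traffic arriving on OPT1 from a guest (laptop2 in the thread).
SAMPLES: Dict[str, Packet] = {
    "dns_to_pfsense": Packet("udp", "192.168.3.10", "192.168.3.1", 53),
    "web_to_internet": Packet("tcp", "192.168.3.10", "93.184.216.34", 443),
    "ping_company_router": Packet("icmp", "192.168.3.10", "192.168.7.1"),
    "smb_to_other_guest_lan": Packet("tcp", "192.168.3.10", "192.168.2.50", 445),
    "spoofed_source": Packet("tcp", "10.9.8.7", "93.184.216.34", 443),
}


def decide_all(rules: List[Rule]) -> Dict[str, str]:
    """Return {sample name: action} for every constructed packet."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("recommended order", OPT1_RULES),
                         ("DNS pass after block", OPT1_RULES_DNS_AFTER_BLOCK)):
        print(label)
        for name, pkt in SAMPLES.items():
            action, why = evaluate(rules, pkt)
            print(f"  {name:24s} -> {action:5s} ({why})")
```

With the recommended order, the guest's DNS query to pfSense and its web traffic pass, while the ping to the company router and the SMB attempt against the other guest LAN are blocked by the alias rule; a packet whose source is not in "OPT1 net" matches nothing and falls to the implicit default deny. Swapping the first two rules blocks the DNS query, which is the failure a guest would report as "connected but nothing loads".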

