Multiple LANs with dual WAN
g10 last edited by
One LAN NIC has internet, with DHCP handing out 192.168.4.100; on the 2nd LAN NIC there is no internet, but I do get a DHCP lease for my laptop, 192.168.3.10. I have been searching forums and trying things for 4 days, but no luck.
pfSense dashboard:
DNS server(s): 127.0.0.1
Dual WAN is load balanced by a shared/grouped gateway, and it's green and working.
My OPT1 and OPT2 are bridged to LAN.
If there is any better way of doing this please let me know. I'm new to pfSense, but have used other routers/tools for many years.
(Eventually I will go all the way to OPT6 once I get one of the multiple LANs to work.)
Eventually I will have OPT4, OPT5 and OPT6 each going to a different switch/AP for a different floor.
Goal is to have 250 different DHCP IPs available per floor. (If you're thinking why )
System > Advanced > System Tunables:
net.link.bridge.pfil_member   Set to 0 to disable filtering on the incoming and outgoing member interfaces.   1
net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the bridge interface.                           1
If I set net.link.bridge.pfil_member = 0 then both laptops get internet, but they get an IP in the same subnet, 192.168.4.x (4.100 for laptop1, 4.101 for laptop2), and I need them to get their own subnet IP.
PS: Sabrent USB-to-network works and the Linksys USB NIC works, but the Etekcity and Monoprice brands don't work, for anyone else trying to add NICs via USB.
Firewall: Rules LAN
Proto    Source    Port  Destination  Port     Gateway     Queue  Schedule  Description
*        *         *     LAN Address  443, 22  *           *      *         Anti-Lockout Rule
IPv4 *   LAN net   *     *            *        LoadBalWan  none   *         Default allow LAN to any rule
IPv6 *   LAN net   *     *            *        *           none   *         Default allow LAN IPv6 to any rule
If you need any snapshots or configuration files I will be happy to show them.
phil.davis last edited by
If you want clients on different subnets (a good thing) then you do not need any bridging. You will likely create OPT1, OPT2, ... assigned to each of the NICs, then connect that NIC to a switch on the appropriate floor of your building. Then enable OPTn, give it an IP in a subnet different from the others (192.168.2.1/24, 192.168.3.1/24, ...), enable DHCP on each OPTn and add rule/s on each OPTn to allow source "OPTn net" destination "wherever you want to let them reach".
Also, I would choose private IP space other than 192.168.[0|1|2..].* just because so many other people use that space and it creates hassles if you end up having OpenVPN clients connecting in future from random cafe WiFi that uses those IPs.
g10 last edited by
Yep, that's what I did: LAN, OPT1 and OPT2 have different subnets, with DHCP, with firewall rules exactly like LAN outbound, but the internet doesn't work on OPT2 or OPT1 devices; only LAN devices have internet working.
All of my OPTn have DHCP working, just no internet. Is there a special gateway or advanced outbound routing that needs to be done? Am I missing a silly step somewhere?
(Modem) 192.168.1.254
   |
Netgear VPN Router - 192.168.7.0
   |                                   |
private ip (wan)                  company workstations
   |
pfSense (strictly for guests)
   |                            |
(LAN) (private LAN)         (opt1) (private LAN)        (Optn max = 5)
  with dhcp                   with dhcp
   |                            |
laptop1 via switch          laptop2 via switch
My goal is to have more than 250 DHCP leases and not have the subnets communicate with each other.
If I bridge OPT1 with LAN everything works, but I'm limited to 248 leases.
So my setup is the diagram above. I can't get laptop2 connected to the internet (no pings), but I do get DHCP IP addresses and I can ping 192.168.7.1 and 192.168.1.254.
Is something wrong in advanced outbound NAT, proxy, or firewall rules? Thanks.
Or do I need to take something out / add something?
Interface  Network          Gateway        Description
LAN        192.168.1.0/24   192.168.1.254
LAN        192.168.7.0/24   192.168.7.1
Firewall: Rules OPT1
Proto  Source    Port  Destination  Port  Gateway  Description
*      OPT1 net  *     *            *     *        opt source
*      *         *     *            *     *        opt any
Firewall: Rules LAN
Proto  Source    Port  Destination  Port  Gateway  Description
*      LAN net   *     *            *     *        Default LAN -> any
Firewall: Rules WAN
Proto    Source  Port  Destination  Port  Gateway  Description
TCP/UDP  *       *     WAN address  *     *        (wan dest)
phil.davis last edited by
It would be easiest to keep this simple. Use automatic outbound NAT, so LAN, OPT1, OPT2, ... will get NAT applied on the way out of the pfSense WAN. Doing it that way, the front-end modem, Netgear VPN router, whatever, do not need to have routes back to the LAN, OPT1, ... subnets. Everything from your guest LANs behind pfSense will seem to come from the pfSense WAN IP.
I expect you do not want the guests to be able to access any of the company workstations or other guest LANs. So you want to block traffic to any of that. Since those are all in 192.168.0.0/16, make an alias "LocalIntranet" for 192.168.0.0/16, then:
Pass protocol TCP/UDP, source "LAN net", destination "LAN address", port DNS (53) - that lets them do DNS requests.
Block protocol all, source "LAN net", destination LocalIntranet - stops any traffic directed to other places in the local intranet.
Pass protocol all, source "LAN net", destination any - lets everything else through (general internet access).
Then OPT1 becomes the similar thing:
Pass protocol TCP/UDP, source "OPT1 net", destination "OPT1 address", port DNS (53)
Block protocol all, source "OPT1 net", destination LocalIntranet
Pass protocol all, source "OPT1 net", destination any
And you don't need any rules on WAN, unless you want to manage pfSense from the WAN side; then you could Pass source "some WAN IPs" destination "WAN address" port (22, 80, 443, whatever).
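The three-rule recipe above (and the per-OPTn subnet plan from the earlier reply) depends entirely on rule order: pfSense evaluates interface rules top to bottom and the first match wins, so the DNS pass must sit above the block, and the block above the catch-all pass. The following is an added example, not from the thread or from pfSense itself: a small first-match model of that ruleset that you can run to sanity-check the ordering before typing it into the GUI. The interface names, the 192.168.x.1/24 subnet plan, the alias name and the sample packets are all constructed for the example.

```python
"""
Added example (not from the pfSense thread): a first-match model of the
per-interface guest rule recipe, so the ordering can be checked offline.
pfSense interface rules are evaluated top to bottom, the first matching rule
wins, and anything that matches no rule is denied by default.

Interface names, subnets and sample packets are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Alias as in the reply: everything in the building's private address space.
LOCAL_INTRANET = ipaddress.ip_network("192.168.0.0/16")

# Assumed per-interface addressing plan (not from the thread).
IFACES = {
    "LAN":  ipaddress.ip_interface("192.168.4.1/24"),
    "OPT1": ipaddress.ip_interface("192.168.3.1/24"),
    "OPT2": ipaddress.ip_interface("192.168.2.1/24"),
}


@dataclass
class Rule:
    action: str                                 # "pass" or "block"
    proto: Optional[frozenset]                  # None = any protocol
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]        # None = any destination
    dport: Optional[int]                        # None = any port
    descr: str


def rules_for(iface: str) -> list:
    """The three rules the reply prescribes for one guest interface, in order."""
    net = IFACES[iface].network
    addr = ipaddress.ip_network(f"{IFACES[iface].ip}/32")   # "<iface> address"
    return [
        Rule("pass",  frozenset({"tcp", "udp"}), net, addr,           53,   f"{iface} DNS to {iface} address"),
        Rule("block", None,                      net, LOCAL_INTRANET, None, f"{iface} to LocalIntranet"),
        Rule("pass",  None,                      net, None,           None, f"{iface} to any"),
    ]


def evaluate(iface: str, proto: str, src: str, dst: str, dport: Optional[int]):
    """Return (action, rule description) for a packet entering `iface`."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules_for(iface):
        if r.proto is not None and proto not in r.proto:
            continue
        if s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.dport is not None and dport != r.dport:
            continue
        return r.action, r.descr
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample packets from laptop2 (192.168.3.10) on OPT1.
    samples = [
        ("OPT1", "udp", "192.168.3.10", "192.168.3.1", 53),      # DNS to pfSense: pass
        ("OPT1", "udp", "192.168.3.10", "192.168.7.1", 53),      # DNS to VPN router: block
        ("OPT1", "tcp", "192.168.3.10", "192.168.7.5", 445),     # company workstation: block
        ("OPT1", "tcp", "192.168.3.10", "192.168.4.100", 80),    # other guest subnet: block
        ("OPT1", "tcp", "192.168.3.10", "93.184.216.34", 443),   # internet: pass
        ("OPT1", "tcp", "192.168.4.100", "8.8.8.8", 443),        # wrong source net: default deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

Note that the DNS pass only admits queries to the interface's own address, so guest DNS to the Netgear router (192.168.7.1) still falls through to the LocalIntranet block; if guests should use an upstream resolver directly, that needs its own pass rule placed above the block.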