    Multiple LAN with dual WAN

    NAT
    g10 last edited by

      One LAN NIC has internet, with DHCP handing out 192.168.4.100; on the 2nd LAN NIC there is no internet, but I do get a DHCP address for my laptop, 192.168.3.10. I have been searching forums and trying things for 4 days, but no luck.

      pfSense dashboard:
      DNS server(s): 127.0.0.1
                     192.168.1.254
                     208.67.222.222
                     208.67.220.220

      Dual WAN is load balanced by a shared/grouped gateway, and it's green (working).

      My OPT1 and OPT2 are bridged to LAN.
      If there is any better way of doing this, please let me know. I'm new to pfSense, but have used other routers/tools for many years.
      (Eventually I will go all the way to OPT6 once I get one of the multiple LANs to work.)

      Interface  Network port
      WAN        ue2
      LAN        bridge0
      OPT1       ue0
      OPT2       em0
      OPT3       ue1

      Eventually I will have OPT4, OPT5 and OPT6 each going to a different switch/AP for a different floor.
      The goal is to have 250 different DHCP IPs available per floor. (If you're thinking why )

      System > Advanced > System Tunables:

      net.link.bridge.pfil_member   Set to 0 to disable filtering on the incoming and outgoing member interfaces.   1

      net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the bridge interface.   1

      If I set net.link.bridge.pfil_member = 0, then both laptops get internet, but they get an IP address in the same subnet, 192.168.4.# (4.100 for laptop1, 4.101 for laptop2), and I need them to get their own subnet IP.

      PS: The Sabrent USB-to-Network adapter works and the Linksys USB NIC works, but the Etekcity and Monoprice brands don't work, for anyone else trying to add NICs via USB.

      LAN snapshot:

      ID  Proto  Source   Port  Destination  Port        Gateway     Queue  Schedule  Description
          *      *        *     LAN Address  443 80 22   *           *                Anti-Lockout Rule
          IPv4 * LAN net  *     *            *           LoadBalWan  none             Default allow LAN to any rule
          IPv6 * LAN net  *     *            *           *           none             Default allow LAN IPv6 to any rule

      If you need any snapshots or configuration files, I will be happy to show them.

      thanks again

      james

        phil.davis last edited by

        If you want clients on different subnets (a good thing) then you do not need any bridging. You will likely create OPT1, OPT2,… assigned to each of the NICs, then connect that NIC to a switch on the appropriate floor of your building. Then enable OPTn, give it an IP in a subnet different to the others (192.168.2.1/24 192.168.3.1/24 ...), enable DHCP on each OPTn and add rule/s on each OPTn to allow source OPTn net destination "wherever you want to let them reach".

        Also, I would choose private IP space other than 192.168.[0|1|2..].* just because so many other people use that space and it creates hassles if you end up having OpenVPN clients connecting in future from random cafe WiFi that uses those IPs.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          g10 last edited by

          Yep, that's what I did: LAN, OPT1 and OPT2 have different subnets, with DHCP, with firewall rules exactly like LAN outbound, but the internet doesn't work on OPT2 or OPT1 devices; only LAN devices have internet working.
          All of my OPTn have DHCP working, just no internet. Is there a special gateway or advanced routing outbound that needs to be done? / Am I missing a silly step somewhere?

          (Modem) 192.168.1.254
                  |
          Netgear VPN Router - 192.168.7.0
                  |
                  +------------------------------------------+
                  |                                          |
          private IP (WAN)                                   |
          pfSense (strictly for guests)              company workstations
                  |
                  +-----------------------+------------------------+
                  |                       |                        |
          (LAN) (private LAN)      (OPT1) (private LAN)      (OPTn, max = 5)
          192.168.2.*              192.168.3.*
          with DHCP                with DHCP
          laptop1 via switch       laptop2 via switch

          My goal is to have more than 250 DHCP leases and not have the subnets communicate with each other.

          If I bridge OPT1 with LAN, everything works, but I'm limited to 248 leases.
          So my setup is the diagram above: I can't get laptop2 connected to the internet, no pings, but I do get DHCP IP addresses and I can ping 192.168.7.1 and 192.168.1.254.

          Is something wrong in advanced outbound NAT, proxy, or firewall rules? Thanks.
          Or do I need to take something out / add something?

          Static routes
          Interface Network Gateway Description
          LAN  192.168.1.0/24  192.168.1.254
          LAN  192.168.7.0/24  192.168.7.1

          Firewall: Rules OPT1
            *  OPT1 net  *  *  *  opt source 
            *  *  *  *  *  opt any

          Firewall: Rules LAN
            *  LAN net  *  *  *  Default LAN -> any

          Firewall: Rules WAN
            TCP/UDP  *  *  WAN address  *  (wan dest)

          thanks.

            phil.davis last edited by

            It would be easiest to keep this simple. Use automatic outbound NAT, so LAN, OPT1, OPT2… will get NAT applied on the way out of pfSense WAN. Doing it that way, the front-end modem, Netgear VPN router, whatever, do not need to have routes back to LAN, OPT1... subnets. Everything from your guest LANs behind pfSense will seem to come from the pfSense WAN IP.
            I expect you do not want the guests to be able to access any of the company workstations or other guest LANs. So you want to block traffic to any of that. Since those are all in 192.168.0.0/16, make an alias "LocalIntranet" for 192.168.0.0/16, then:

            LAN:
            Pass protocol TCP/UDP source LANnet destination LANaddress port DNS (53) - that lets them do DNS requests.
            Block protocol all source LANnet destination LocalIntranet - stop any traffic directed to other places in the local intranet.
            Pass protocol all source LANnet destination any - let everything else through - general internet access

            Then OPT1 becomes the similar thing:
            Pass protocol TCP/UDP source OPT1net destination OPT1address port DNS (53)
            Block protocol all source OPT1net destination LocalIntranet
            Pass protocol all source OPT1net destination any

            And you don't need any rules on WAN, unless you want to manage pfSense from the WAN side, then you could Pass source "some WAN IPs" destination WANaddress port (22, 80, 443, whatever)

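The outbound NAT and per-interface rule set described above, written out in pf.conf form as an added example (this is not the thread's own configuration; pfSense generates its ruleset from the GUI, and the interface names, subnets and macro names below are assumptions chosen to match the diagram in this thread; the LoadBalWan gateway-group policy routing is left out):

```pf
# Assumed interfaces and guest subnets (pfSense hides these behind LAN/OPT1)
wan      = "ue2"
lan      = "em0"
opt1     = "ue0"
lan_net  = "192.168.2.0/24"
opt1_net = "192.168.3.0/24"

# The "LocalIntranet" alias: everything private on site lives in 192.168.0.0/16
table <LocalIntranet> const { 192.168.0.0/16 }

# Automatic outbound NAT: guest subnets leave pfSense as the WAN address,
# so the modem and Netgear router need no routes back to the guest subnets
nat on $wan inet from { $lan_net, $opt1_net } to any -> ($wan)

# Default deny on every interface (pfSense adds this block implicitly)
block in all

# LAN guests: first match wins, so the DNS pass must precede the block
pass  in quick on $lan inet proto { tcp, udp } from $lan_net to ($lan) port 53
block in quick on $lan inet from $lan_net to <LocalIntranet>
pass  in quick on $lan inet from $lan_net to any

# OPT1 guests: the same three rules against the OPT1 interface and subnet
pass  in quick on $opt1 inet proto { tcp, udp } from $opt1_net to ($opt1) port 53
block in quick on $opt1 inet from $opt1_net to <LocalIntranet>
pass  in quick on $opt1 inet from $opt1_net to any
```

A guest on OPT1 can resolve names through pfSense and reach the internet, while anything aimed at 192.168.7.x (the company side) or 192.168.2.x (the other guest LAN) is dropped before the final pass rule is reached.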
