Mulitple lan with dual wan

g10

1 lan nic has internet with dhcp given as 192.168.4.100, the 2nd lan nic there is no internet but i do get a dhcp for my laptop 192.168.3.10 I have been searching forums and trying things for 4 days, but no luck.

pfsense in dashboard
DNS server(s) 127.0.0.1
192.168.1.254
208.67.222.222
208.67.220.220

dual wan is load balanced by shared / grouped gateway. and its green working.

my opt1 and opt2 are bridged to lan
if there is any better way of doing this please let me know, I'm new to pfsense, but have used other routers/tools for many years?
(eventually i will go all the way to opt6 once i get 1 of the multiple lans to work)

Interface Network port
WAN ue2
LAN  bridge0
OPT1 ue0
OPT2 em0
OPT3 ue1

eventually i will have opt4 opt5 and op6 each going to a different switch/ap for a different floor.
Goal is to have 250 different dhcp ips available per floor. (if your thinking why )

sys > adv : turn tables

net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces. 1

net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface 1

if i set net.link.bridge.pfil_member =0 then both laptops get internet but they get the same ip address subnet of 192.168.4.# (4.100 for laptop1, 4.101 for laptop2) but I need them to get their own subnet ip.

ps. Sabrent Usb to Network works and linksys usb nic works, but etekcity and monoprice brands don't work for anyone else trying to add nic's via usb.

lan snapshot:

ID Proto Source Port Destination Port Gateway Queue Schedule Description
add
  pass   * * * LAN Address 443
80
22 * *   Anti-Lockout Rule
move edit
add
avanced icon   IPv4 * LAN net * * * LoadBalWan none   Default allow LAN to any rule 
edit
delete add
icon   IPv6 * LAN net * * * * none   Default allow LAN IPv6 to any rule

if you need any snapshots or configuration files i will be happy to show.

thanks again

james

phil.davis

If you want clients on different subnets (a good thing) then you do not need any bridging. You will likely create OPT1, OPT2,… assigned to each of the NICs, then connect that NIC to a switch on the appropriate floor of your building. Then enable OPTn, give it an IP in a subnet different to the others (192.168.2.1/24 192.168.3.1/24 ...), enable DHCP on each OPTn and add rule/s on each OPTn to allow source OPTn net destination "wherever you want to let them reach".

Also, I would choose private IP space other than 192.168.[0|1|2..].* just because so many other people use that space and it creates hassles if you end up having OpenVPN clients connecting in future from random cafe WiFi that uses those Ips.

g10

Yep that's what I did, lan, opt1 and opt2 have different subnets, with dhcp, with firewall ruling exactly like LAN outbound, but the internet doesn't work on opt2, or opt1 devices, only lan devices have internet working.
all of my OPTn have dhcp working, just no internet. is their a special gateway or advanced routing outbound that needs to be done? / am I missing a silly step somewhere?

( Modem) 192.168.1.254
                            |
                  Netgear VPN Router - 192.168.7.0
                            |
                  –---------------------------------------------------
private ip (wan) |                                                  |
  Pfsense (strictly for guests)                company workstations
                            |

|                                              |                                                                  |
(LAN) (private LAN)              (opt1) (private LAN)                                  (Optn max = 5)
  192.168.2.*                                      192.168.3.*
with dhcp                                            with dhcp
laptop1 via switch                            laptop2 via switch

my goal is to have more than 250 dhcp leases and not communicate with each other's subnets.

If I Bridge opt1 with lan1 everything works. but i'm limited to 248 leases.
so my setup is with the diagram above, I cant get laptop2 connected to the internet, no pings, but I do get dhcp ip addresses and I can ping 192.168.7.1 and 192.168.1.254

is something wrong in adv outbound, proxy, or firewall rules ? thanks
or do I need to take something out/ add?

Static routes
Interface Network Gateway Description
LAN  192.168.1.0/24  192.168.1.254
LAN  192.168.7.0/24  192.168.7.1

Firewall: Rules OPT1
  *  OPT1 net  *  *  *  opt source 
  *  *  *  *  *  opt any

Firewall: Rules LAN
  *  LAN net  *  *  *  Default LAN -> any

Firewall: Rules WAN
  TCP/udp  *  *  WAN address  *  (wan dest)

thanks.

phil.davis

It would be easiest to keep this simple. Use automatic outbound NAT, so LAN, OPT1, OPT2… will get NAT applied on the way out of pfSense WAN. Doing it that way, the front-end modem, Netgear VPN router, whatever, do not need to have routes back to LAN, OPT1... subnets. Everything from your guest LANs behind pfSense will seem to come from the pfSense WAN IP.
I expect you do not want the guests to be able to access any of the company workstations or other guest LANs. So you want to block traffic to any of that. Since those are all in 192.168.0.0/16, make an alias "LocalIntranet" for 192.168.0.0./16, then:

LAN:
Pass protocol TCP/UDP source LANnet destination LANaddress port DNS (53) - that lets them do DNS requests.
Block protocol all source LANnet destination LocalIntranet - stop any traffic directed to other places in the local intranet.
Pass protocol all source LANnet destination any - let everything else through - general internet access

Then OPT1 becomes the similar thing:
Pass protocol TCP/UDP source OPT1net destination OPT1address port DNS (53)
Block protocol all source OPT1net destination LocalIntranet
Pass protocol all source OPT1net destination any

And you don't need any rules on WAN, unless you want to manage pfSense from the WAN side, then you could Pass source "some WAN IPs" destination WANaddress port (22, 80, 443, whatever)