How to route 2 subnets on separate NICs thru pfsense with PIX 515E?



  • Current setup is a single subnet with a windows domain. We have another domain which we will bring in and are putting them on a separate subnet. Subnet A currently uses the PIX as its gateway. If I want to use the pfsense to allow both subnets to talk to each other and also allow both of them to go out to the internet, will I have to change Subnet A's configuration?

    Subnet A

    192.168.1.0
    255.255.255.0
    192.168.1.1 Gateway PIX

    Subnet B

    192.168.2.0
    255.255.255.0
    192.168.2.1 Gateway I want to use for subnet B.

    I am unsure of how I will be able to make the 2 subnets communicate back and forth and to allow both subnets access to the WAN. Would I have to use 3 NICs in a pfsense? Add a 3rd subnet? Do I just give the pfsense NIC for subnet A an IP of 192.168.1.2 and change the gateway for all of subnet A to 192.168.1.2?

    In a cisco router I would create the following routes:

    0.0.0.0 0.0.0.0 192.168.1.1 (PIX)
    192.168.1.0 255.255.255.0 192.168.1.2 (LAN Interface)
    192.168.2.0 255.255.255.0 192.168.2.1 (Other NIC Interface)

    Kinda unsure how I would do that with the pfsense.

    Thanks for the help.



  • More information.
    Could you make a diagram?
    Do you want to keep your PIX?
    Or replace it with a pfSense?
    You could have multiple interfaces (one for each subnet) or VLANs.



  • @kapara:

    Subnet A  192.168.1.0/24
    Gateway  192.168.1.1

    Subnet B  192.168.2.0/24
    Gateway  192.168.2.1

    Actually, I don't see the show stopper here.

    Depending on the amount of traffic you want to push between the subnets you can do this with VLANs on a VLAN capable switch or with separate NICs in your pfSense.
    One for each subnet. I'd prefer that if you're not comfortable with VLANs or if there is too much traffic between the two subnets.
    With VLANs it has to pass a single NIC which could be saturated.

    Configure the interfaces (be it NICs or attached VLANs) with your gateway addresses and set firewall rules per interface appropriately.
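    As an added illustration (not from the thread or from pfSense itself), a small Python model of the routing table the asker wrote in Cisco syntax, plus the per-interface rule evaluation the reply describes. The interface names LAN/OPT1 and the pass-all rules are assumptions; the addresses are the ones given in the thread.

```python
# Added example: model the asker's three routes as pfSense would hold them
# (LAN = 192.168.1.2 on subnet A, OPT1 = 192.168.2.1 on subnet B, default
# route via the PIX at 192.168.1.1) and walk packets through rules + routes.
# Interface names and rules are assumptions, not the thread's configuration.
from ipaddress import ip_address, ip_network

# Directly attached interfaces (assumed names) and their subnets.
IFACES = {
    "LAN":  ip_network("192.168.1.0/24"),   # pfSense holds 192.168.1.2
    "OPT1": ip_network("192.168.2.0/24"),   # pfSense holds 192.168.2.1
}

# Routing table: (prefix, egress interface, next hop or None if on-link).
ROUTES = [
    (ip_network("192.168.1.0/24"), "LAN", None),
    (ip_network("192.168.2.0/24"), "OPT1", None),
    (ip_network("0.0.0.0/0"), "LAN", ip_address("192.168.1.1")),  # PIX
]

# Per-interface rules, evaluated on the interface a packet arrives on:
# (action, source net, destination net); first match wins, implicit deny.
RULES = {
    "LAN":  [("pass", ip_network("192.168.1.0/24"), ip_network("0.0.0.0/0"))],
    "OPT1": [("pass", ip_network("192.168.2.0/24"), ip_network("0.0.0.0/0"))],
}

def lookup(dst):
    """Longest-prefix match; returns (egress_iface, next_hop_address)."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    next_hop = best[2] if best[2] is not None else dst  # on-link: deliver direct
    return best[1], next_hop

def ingress(src):
    """Interface a packet from src would arrive on, or None if not attached."""
    src = ip_address(src)
    for name, net in IFACES.items():
        if src in net:
            return name
    return None

def forward(src, dst):
    """Returns ('pass'|'block', egress_iface, next_hop) for a packet src->dst."""
    inif = ingress(src)
    if inif is None:
        return ("block", None, None)  # source not on any attached subnet
    for action, s, d in RULES[inif]:
        if ip_address(src) in s and ip_address(dst) in d:
            if action == "block":
                return ("block", None, None)
            egress, nh = lookup(dst)
            return ("pass", egress, str(nh))
    return ("block", None, None)  # implicit deny at end of the rule set
```

    Note that the default route sends subnet B's internet traffic back out the LAN interface toward the PIX, so the PIX itself also needs a static route for 192.168.2.0/24 via 192.168.1.2 or replies for subnet B never come back.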

