One WAN two LAN



  • Hello,

    Here is my configuration and the basic idea of what I would like to achieve. I am new to pfSense, so apologies are in order if I am doing something wrong. I ask you for comments and guidance so that I can finish what I have started.

    Configuration is:

    1. ISP goes to a Cisco router; the router has static LAN IP 10.10.20.4, DHCP disabled
    2. From the Cisco LAN, an Ethernet cable goes into the pfSense box's WAN interface, which has static IP 10.10.20.5, DHCP disabled
    3. The pfSense box has two additional interfaces:
    a. LAN, same scope as WAN, with static IP 10.10.20.6 and DHCP enabled
    b. DMZ, 10.10.20.1, DHCP enabled

    In pfSense I have set only one default gateway, and it is the Cisco router on 10.10.20.4. On the LAN and DMZ interfaces the IPv4 Upstream Gateway is None.

    Since the OPT1/DMZ interface has no default pass rule, I have added a rule to pass OPT1/DMZ as follows:
    pass   IPv4 * DMZ net * * * * none

    The LAN rule is:
    pass   IPv4 * LAN net * * * * none   Default allow LAN to any rule

    The WAN rules are the ones set by the default configuration:
    block   * RFC 1918 networks * * * * *   Block private networks
    block   * Reserved/not assigned by IANA * * * * *   Block bogon networks

    I am on pfSense 2.1.2 Release amd64, and here are the ping results:

    WAN address to LAN address ok
    WAN address to DMZ address ok
    WAN address to 8.8.8.8 ok

    LAN address to DMZ address ok
    LAN address to WAN address ok
    LAN address to 8.8.8.8 ok

    DMZ address to WAN address ok
    DMZ address to LAN address ok
    DMZ address to 8.8.8.8 NOT WORKING; in other words, I cannot get an Internet connection on the DMZ interface.

    Any help is appreciated.

    Thank you.



  • Not sure what you are trying to do, but you are doing it wrong.
    All of your interfaces should not be on the same subnet. They should be on separate subnets.
    If you just want filtering, you could set the firewall up in transparent mode.
    If your WAN lies in a private space, like 10.x.x.x, you should uncheck the box to block private networks.



  • My mistake, DMZ is on 192.168.10.x, so not all interfaces are on the same subnet.

    Does that change anything?



  • All subnets should be different, because routing depends on the fact that the subnets are all either distinct or, if they overlap, one of the subnets is of a different size than the other. I'd recommend that you use the 192.168.10.0/24 subnet on the DMZ, as you are already doing, and then use the 192.168.20.0/24 subnet (for example) on the LAN. This way you can easily tell which set of addresses is on the "outside" and which ones are on the "inside".
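
    The point above (why overlapping interface subnets break routing) as an added, runnable illustration; this is not pfSense code or output from the thread. It models a router's connected routes with Python's standard ipaddress module and runs a longest-prefix-match lookup over two constructed interface tables: the original poster's layout (WAN and LAN both in 10.10.20.0/24) and the layout recommended above. The /24 masks are an assumption, since the post gives only addresses. The tie returned by `lookup` is a simplification: a real kernel keeps only one of two identical connected routes, so one interface silently wins and the other's traffic goes astray.

```python
import ipaddress

# Constructed interface tables modelled on the thread (assumed /24 masks).
ORIGINAL = {
    "WAN": "10.10.20.5/24",
    "LAN": "10.10.20.6/24",       # same subnet as WAN: the root cause
    "DMZ": "192.168.10.1/24",
}
FIXED = {
    "WAN": "10.10.20.5/24",
    "LAN": "192.168.20.1/24",     # LAN moved to its own subnet
    "DMZ": "192.168.10.1/24",
}


def connected_routes(ifaces):
    """Return (network, interface) pairs: the 'connected' routes a router
    installs for each interface address."""
    return [(ipaddress.ip_interface(addr).network, name)
            for name, addr in ifaces.items()]


def overlaps(ifaces):
    """List interface pairs whose subnets overlap (same prefix or nested).
    A sane router configuration returns an empty list."""
    routes = connected_routes(ifaces)
    bad = []
    for i, (net1, if1) in enumerate(routes):
        for net2, if2 in routes[i + 1:]:
            if net1.overlaps(net2):
                bad.append((if1, if2))
    return bad


def lookup(ifaces, dst, default_if="WAN"):
    """Longest-prefix-match lookup of dst against the connected routes.
    Returns the set of interfaces tied for the best match; a set with more
    than one member means the route is ambiguous. No match falls through to
    the default route, which lives on default_if (WAN in the thread)."""
    dst = ipaddress.ip_address(dst)
    best, winners = -1, set()
    for net, name in connected_routes(ifaces):
        if dst in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, {name}
            elif net.prefixlen == best:
                winners.add(name)
    return winners or {default_if}


if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label}: overlapping interfaces = {overlaps(table)}")
        # 10.10.20.4 is the upstream Cisco gateway from the thread
        print(f"{label}: route to gateway 10.10.20.4 -> {lookup(table, '10.10.20.4')}")
        print(f"{label}: route to 8.8.8.8 -> {lookup(table, '8.8.8.8')}")
```

Running it shows the original table flagging WAN/LAN as overlapping and the lookup for the upstream gateway tying between WAN and LAN, while the fixed table has no overlap and every destination resolves to exactly one interface. The same check is worth running against any multi-interface firewall before adding a new segment.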



  • If you have advanced outbound NAT enabled, make sure the DMZ interface has NAT rules on the WAN.
    If the WAN has a gateway and LAN and DMZ do not, automatic NAT should work fine.



  • If you have advanced outbound NAT enabled, make sure the DMZ interface has NAT rules on the WAN.
    If the WAN has a gateway and LAN and DMZ do not, automatic NAT should work fine.

    Tried it before and tried it once again, but no success. I turned off the block rules for private and bogon networks on WAN, and after turning off the rules on the WAN interface I added

    pass   IPv4 * * * * * * none

    and yes, NAT is set to automatic, and WAN has a gateway and the other two interfaces don't.

    All subnets should be different, because routing depends on the fact that the subnets are all either distinct or, if they overlap, one of the subnets is of a different size than the other. I'd recommend that you use the 192.168.10.0/24 subnet on the DMZ, as you are already doing, and then use the 192.168.20.0/24 subnet (for example) on the LAN. This way you can easily tell which set of addresses is on the "outside" and which ones are on the "inside".

    I haven't tried this one because there are clients being served by the LAN DHCP server. I could give it a go later in the evening, but that would complicate other things.

    The goal is to use the existing 10.10.20.x subnet for LAN and to add the DMZ on another subnet; it doesn't matter which one.



  • You cannot have the WAN and LAN interfaces on the same subnet and expect the system to behave sanely.
    (Unless, as mentioned before, you were doing transparent bridging)



  • The system has been working fine for two months now with WAN and LAN set up as described. I just wanted to add a DMZ interface on a different subnet, and apparently this is not possible using the setup I had imagined (based on the comments of members on this forum).

    I will use your comments as a guide for future implementations.

    Thank you for your prompt replies. I will get back with my findings when I have set things up properly and the system is fully functional.



  • …everything is up and running now...

    dotdash, you were right... WAN and LAN on the same subnet = bad idea. I had to learn it the hard way; I changed the LAN subnet and everything worked instantly.

    thank you for @eyeopener@



  • @Aksa0110:

    …everything is up and running now...

    dotdash, you were right... WAN and LAN on the same subnet = bad idea. I had to learn it the hard way; I changed the LAN subnet and everything worked instantly.

    thank you for @eyeopener@

    Yep. I'm a little late in the game on this one, but you definitely want all of your interfaces on a router to be on separate subnets. Good work figuring that out.

