One WAN two LAN
-
Hello,
Here is my configuration and the basic idea what I would like to achieve. I am new to pfSense so apologies are in order if I am doing something wrong. I ask you for comments and guidance so that I can finish what I have started.
Configuration is:
1. ISP goes to Cisco router, router has static LAN IP 10.10.20.4, DHCP disabled
2. from Cisco LAN, Ethernet cable goes into pfSense box into WAN interface and has static IP 10.10.20.5, DHCP disabled
3. pfSense box has two additional interfaces:
a. LAN, same scope as WAN with static IP 10.10.20.6 and DHCP enabled
b. DMZ 10.10.20.1 DHCP enabled
In pfSense I have set only one Default Gateway and it is the Cisco router on 10.10.20.4. On LAN and DMZ interface IPv4 Upstream Gateway is None.
Since OPT1/DMZ interfaces have no default pass-through rules, I have added a rule to pass OPT1/DMZ as follows:
IPv4 * DMZ net * * * * none
LAN rule is:
IPv4 * LAN net * * * * none  Default allow LAN to any rule
WAN rules are the ones set by the default configuration:
block * RFC 1918 networks * * * * * Block private networks
block * Reserved/not assigned by IANA * * * * * * Block bogon networks
I am on pfSense 2.1.2 Release amd64, and here are ping results:
WAN address to LAN address ok
WAN address to DMZ address ok
WAN address to 8.8.8.8 ok
LAN address to DMZ address ok
LAN address to WAN address ok
LAN address to 8.8.8.8 ok
DMZ address to WAN address ok
DMZ address to LAN address ok
DMZ address to 8.8.8.8 NOT WORKING, in other words I cannot get an Internet connection on the DMZ interface.
Any help is appreciated.
Thank you.
-
Not sure what you are trying to do, but you are doing it wrong.
All of your interfaces should not be on the same subnet. They should be on separate subnets.
If you just want filtering, you could set the firewall up in transparent mode.
If your WAN lies in a private space, like 10.x.x.x, you should uncheck the box to block private networks.
-
my mistake, DMZ is on 192.168.10.x, so not all interfaces are on the same subnet
does that change anything?
-
All subnets should be different because routing depends on the fact that the subnets are all either distinct or if they overlap one of the subnets is of different size than the other. I'd recommend that you use the 192.168.10.0/24 subnet on the DMZ like you are already doing and then use 192.168.20.0/24 (for example) subnet on LAN. This way you can easily tell which set of addresses is on the "outside" and which ones are on the "inside".
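As an added example (not code from this thread or from pfSense), the script below checks a set of interface subnets for overlap and shows what longest-prefix routing does with the poster's layout versus the LAN move suggested above. The /24 masks and the 192.168.20.1 LAN address are assumptions; the thread does not state them.

```python
# Added example, not code from the thread: check that interface subnets
# on a pfSense box are distinct and show how overlap confuses routing.
import ipaddress

# Constructed from the poster's numbers; the /24 masks are an assumption.
INTERFACES = {
    "WAN": ipaddress.ip_interface("10.10.20.5/24"),
    "LAN": ipaddress.ip_interface("10.10.20.6/24"),
    "DMZ": ipaddress.ip_interface("192.168.10.1/24"),
}
# The fix suggested in the thread: move LAN to 192.168.20.0/24 (address assumed).
FIXED = dict(INTERFACES, LAN=ipaddress.ip_interface("192.168.20.1/24"))

def overlapping_pairs(ifaces):
    """Return (a, b) for every pair of interfaces whose networks overlap.
    Equal-sized overlapping networks are the bad case: the box has no way
    to decide which interface a 10.10.20.x host sits behind."""
    names = sorted(ifaces)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                bad.append((a, b))
    return bad

def route_lookup(ifaces, dest):
    """Longest-prefix match over the connected routes only. Returns the
    interface name, 'DEFAULT' when nothing matches (packet goes to the
    default gateway on WAN), or 'AMBIGUOUS' when two equal-length
    prefixes both match, which is what 10.10.20.x traffic hits here."""
    addr = ipaddress.ip_address(dest)
    best, best_len = [], -1
    for name, iface in ifaces.items():
        net = iface.network
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [name], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(name)
    if not best:
        return "DEFAULT"
    return best[0] if len(best) == 1 else "AMBIGUOUS"

if __name__ == "__main__":
    print(overlapping_pairs(INTERFACES), route_lookup(INTERFACES, "10.10.20.4"))
    print(overlapping_pairs(FIXED), route_lookup(FIXED, "10.10.20.4"))
```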
-
If you have advanced outbound NAT enabled, make sure the DMZ interface has nat rules on the WAN.
If the WAN has a gateway and LAN and DMZ do not, automatic NAT should work fine.
-
> If you have advanced outbound NAT enabled, make sure the DMZ interface has nat rules on the WAN.
> If the WAN has a gateway and LAN and DMZ do not, automatic NAT should work fine.
Tried it before and tried it once again but no success; turned off block rules for private and bogon networks on WAN, and after turning off the rules on the WAN interface I added
IPv4 * * * * * * none
and yes, NAT is set to automatic, and WAN has a gateway and the other two interfaces don't.
> All subnets should be different because routing depends on the fact that the subnets are all either distinct or if they overlap one of the subnets is of different size than the other. I'd recommend that you use the 192.168.10.0/24 subnet on the DMZ like you are already doing and then use 192.168.20.0/24 (for example) subnet on LAN. This way you can easily tell which set of addresses is on the "outside" and which ones are on the "inside".
I haven't tried this one because there are clients that are being served by the LAN DHCP server; I could give it a go later in the evening, but that would complicate other things.
The goal is to use the existing 10.10.20.x subnet for LAN and to add DMZ on another subnet, it doesn't matter which one.
-
You cannot have the WAN and LAN interfaces on the same subnet and expect the system to behave sanely.
(Unless, as mentioned before, you were doing transparent bridging)
-
The system has been working fine for two months now with WAN and LAN set up as described; I just wanted to add a DMZ interface on a different subnet and apparently this is not possible using the setup that I had imagined (based on comments of members on this forum).
I will use your comments as a guide for future implementations.
Thank you for your prompt replies; I will get back with my findings when I set things up properly and the system is fully functional.
-
…everything is up and running now...
dotdash you were right... WAN and LAN on the same subnet = bad idea, I had to learn it the hard way; I changed the LAN subnet and everything worked instantly.
Thank you for the eye-opener.
-
> …everything is up and running now...
> dotdash you were right... WAN and LAN on the same subnet = bad idea, I had to learn it the hard way; I changed the LAN subnet and everything worked instantly.
> Thank you for the eye-opener.
Yep. I'm a little late in the game on this one, but you definitely want all of your interfaces on a router to be on separate subnets. Good work figuring that out.