Multiple Subnet Setup



  • Hello and thank you for taking the time to read my post.  I'm currently new to pfsense.  Here is my environment:

    I'm running version 2.1.3 inside of a Hyper-V virtual machine.  Everything seems to have installed fine.  You can see a screenshot of the setup by viewing the attached pfsense.png.

    WAN is the uplink configured with 192.168.1.132/24

    LAN is configured with 192.168.2.2/24

    I have a Windows 7 test client virtual machine.  I assign this machine to my internal network assigned to the LAN dev1.  Everything works great.  The network configuration for that machine is:

    192.168.2.3
    255.255.255.0
    192.168.2.2

    DNS:  192.168.2.

    I would like to add one more subnet.  So I add a Legacy Network Adapter to the pfsense virtual machine.  This legacy network adapter is assigned to an internal virtual switch created by hyper-v.  It's created the same way that the working LAN interface is configured.

    You should be able to see this all from the attached screenshot.

    I switch over to another virtual machine running Windows 7, and assign the network adapter to the correct network 172.20.30.1 de3 in the screenshot.

    The tcp/ip configuration for the machine is as follows:

    172.20.30.2
    255.255.255.0
    172.20.3.1

    DNS:  172.20.3.1

    This does not work for me.  It shows as an unidentified network and cannot access the internet.  It cannot ping any machine on 192.168.2.0/24 subnet.

    Any idea what I'm doing wrong?




  • Have you added firewall rules to allow traffic between the interfaces?
    You have to do that for each interface separately, or by a floating rule and selecting the wanted interfaces.

    On a fresh installation there is only one rule to allow traffic from LAN to WAN, but traffic on any additional interface has to be allowed by rules manually.



  • @viragomann:

    Have you added firewall rules to allow traffic between the interfaces?
    You have to do that for each interface separately, or by a floating rule and selecting the wanted interfaces.

    On a fresh installation there is only one rule to allow traffic from LAN to WAN, but traffic on any additional interface has to be allowed by rules manually.

    No, I did not modify this.  I found https://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf which talks about doing this.  The document is for an older version of pfsense, so I'm trying to figure it out using the version I have.

    If you have any guidance for how to set up these rules, please share with me.  I'm trying to figure it out on my own, and I think I got close.  Briefly I was able to ping and access the drives from 192.168.2.0/24 and 172.20.30.0/24.  It did not last, and stopped working.  On 172.20.30.0/24, I could not access the Internet.  So I'm still working on that.



  • I decided to start over.  On the pfsense virtual machine I added three legacy network adapters.  One adapter is set to my uplink NIC.  The other two network cards are assigned to an internal network set on the hyper-v manager virtual switch manager.  The subnets are as follows:

    WAN:  de0: 192.168.1.132/24

    LAN:  de1:  192.168.2.2/24

    OPT1:  de2:  192.168.3.2/24

    Virtual machine A is configured with 192.168.2.3 IP address.  This machine works fine and can access the internet.

    Virtual machine B is configured with 192.168.3.3 IP address.  This machine does not work.  It cannot ping 192.168.2.3, and it cannot access the internet.

    Interestingly enough I can ping from 192.168.2.3 to the IP address 192.168.3.3.  I can also resolve the hostname of 192.168.3.3 from 192.168.2.3.

    Through the web configuration I click on Firewall > Rules.  I clicked on OPT1 and it did say that I would need to create a rule for traffic to pass from this network.  So I did.  It is all set to (*), or any.

    I'm still not able to access anything from the 192.168.3.3 machine.  I'm going to mess around a little and see if I can't figure it out.  Any suggestions on what else I need to adjust would be appreciated.  I believe I might need to change some NAT settings, which will be next on my list to do.



  • I finally figured this out.  So for anyone else that might be looking to accomplish the same thing, here is what I had to do.

    • Open the web interface and click on Firewall > NAT.

    • Click on the Outbound tab.

    • Tick off the option for Manual Outbound NAT rule generation (AON-Advanced Outbound NAT).  Click Save.

    • Find in the list Auto created rule for OPT1 to WAN.  Click the plus (+) on the right.  It will say:  "add a new NAT based on this one"

    • You should now have a new rule that says OPT1 instead of WAN.  Edit that rule and set it to use Protocol of Any.  Source should be changed to the type Network.  Destination should be set to any.

    • Save and apply all changes

    • Next click on Firewall > Rules > OPT1

    • Here you just need to enable the rule to allow traffic.

    Hope this helps someone.  Good luck.
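The two steps in the post above open two independent gates in pfSense: the per-interface firewall rules (default deny on every interface) and the outbound NAT table. The following is an added example, not code from the thread or from pfSense: a small Python model of both gates using the thread's own addressing (LAN 192.168.2.0/24, OPT1 192.168.3.0/24, a constructed public destination), assuming, as the post's fix does, that the starting outbound NAT table covered only the LAN network.

```python
# Added example (not from the thread): a model of how a flow from a host behind
# OPT1 is treated. Gate 1: the firewall rules on the inbound interface, first
# match wins, no match = deny. Gate 2: outbound NAT on WAN; a flow that leaves
# WAN untranslated keeps its private source address and never gets a reply.
import ipaddress

ANY = "any"

def _matches(net, ip):
    """True if ip falls inside net, where net is 'any' or a CIDR string."""
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def firewall_allows(rules, iface, src_ip, dst_ip):
    """First matching rule on the inbound interface decides; no match = block."""
    for r in rules:
        if r["iface"] == iface and _matches(r["src"], src_ip) and _matches(r["dst"], dst_ip):
            return r["action"] == "pass"
    return False  # default deny on every interface

def outbound_nat_covers(nat_rules, out_iface, src_ip):
    """True if some outbound NAT rule translates src_ip when leaving out_iface."""
    return any(r["iface"] == out_iface and _matches(r["src"], src_ip) for r in nat_rules)

def evaluate_flow(rules, nat_rules, in_iface, src_ip, dst_ip, out_iface):
    """Classify a new flow: blocked by rules, leaking untranslated to WAN, or ok."""
    if not firewall_allows(rules, in_iface, src_ip, dst_ip):
        return f"blocked: no pass rule on {in_iface}"
    if out_iface == "WAN" and not outbound_nat_covers(nat_rules, out_iface, src_ip):
        return "no outbound NAT: private source leaves WAN untranslated, no reply"
    return "ok"  # stateful firewall lets the reply back in automatically

# Constructed rule sets mirroring the thread's setup (assumed, not exported from pfSense).
FRESH_RULES = [{"iface": "LAN", "action": "pass", "src": "192.168.2.0/24", "dst": ANY}]
FRESH_NAT = [{"iface": "WAN", "src": "192.168.2.0/24"}]  # auto rule for LAN only

OPT1_PASS = {"iface": "OPT1", "action": "pass", "src": "192.168.3.0/24", "dst": ANY}
FIXED_RULES = FRESH_RULES + [OPT1_PASS]                    # Firewall > Rules > OPT1
FIXED_NAT = FRESH_NAT + [{"iface": "WAN", "src": "192.168.3.0/24"}]  # OPT1 to WAN NAT rule

if __name__ == "__main__":
    INET = "203.0.113.10"  # constructed public address (TEST-NET-3)
    for name, rules, nat in [("fresh", FRESH_RULES, FRESH_NAT),
                             ("OPT1 rule only", FIXED_RULES, FRESH_NAT),
                             ("rule + NAT", FIXED_RULES, FIXED_NAT)]:
        print(name, "| OPT1 -> Internet:", evaluate_flow(rules, nat, "OPT1", "192.168.3.3", INET, "WAN"))
        print(name, "| OPT1 -> LAN host:", evaluate_flow(rules, nat, "OPT1", "192.168.3.3", "192.168.2.3", "LAN"))
        print(name, "| LAN -> OPT1 host:", evaluate_flow(rules, nat, "LAN", "192.168.2.3", "192.168.3.3", "OPT1"))
```

The "fresh" case reproduces the earlier symptom in the thread: LAN can reach the OPT1 host (and the stateful reply is allowed), while the OPT1 host can start nothing at all; adding only the OPT1 rule then reaches the LAN host but still not the Internet until the NAT entry exists.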

