Firebox X700 OPT1-4 to be like LAN



  • Hello,

    First off this is great software and forum, I am just a newb. I was able to get pfSense 2.1.4 installed, even got the LCD screen to work. I am just having a heck of a time with the interfaces.

    We will be connecting wireless access points to each interface of the firebox. I want to take the exact same config of LAN (re1) and apply it to OPT 1 - 4 (re2-re5). I am so lost. I tried setting the interfaces, mimicking the firewall rule except for source. I just can't get it…

    I have LAN as 192.168.24.1/24. Can I get the other interfaces to use it? If not what is the simplest way? I just want all traffic to go out to the internet, also would like any interface to access the Admin UI.

    Thank you so much!
    Tinfoil


  • Netgate Administrator

    This shouldn't be too difficult. :)
    Do you want wireless clients on different interfaces to be able to see each other?
    Each interface must have a different subnet otherwise pfSense cannot route traffic correctly. So if your LAN is 192.168.24.1/24 then the next interface (initially called OPT1) could be 192.168.25.1/24 for example. The only other things you need to get running are to create a firewall rule to allow out traffic as you've done and to add a DHCP server instance to the interface if you need DHCP.
    The only way to use a single subnet across all the interfaces would be to bridge them. You can do that but it's significantly more complicated and offers little advantage unless you really need a single subnet.

    When you try to connect to the internet from a wireless client what are you seeing?

    Steve



  • Thanks for the reply.

    Actually I don't have the WAPs yet. Just want to get the interfaces set correctly. Using different subnets is fine, actually will help me identify traffic from each WAP.

    I don't really need wireless clients to talk to one another, just out to internet. Would it be a big pain if I did?

    So let me type this down as I think about it.

    Go into OPT1 for example, name it LAN2, set it to static IP but use 192.168.25.1/24. Go into DHCP server, make sure it is also going to serve up LAN2 (will make pfSense be the one handing out DHCP leases, even direct to the wireless clients). Finally go into firewall rules, set up an allow all for outbound but set it as LAN2 subnet?

    When I did the final step is when it locked me out of the WebUI. Even the pre-made LAN became unresponsive. Guess the same subnet thing messed me up. I need to realize these are fully separate interfaces, not just some switch/hub. D'oh! lol.

    Finally, can I make the newly created subnets also access the WebUI? If so, how.


  • Netgate Administrator

    @TinFoil:

    I don't really need wireless clients to talk to one another, just out to internet. Would it be a big pain if I did?

    No. If you use the default 'lan to any' as a template for the rules on the other interfaces all the clients will be able to talk to each other. The default rule on LAN is very open, you can replace it with something much more restrictive or add block rules if you don't want that. However because the clients will be in different subnets they won't 'see' each other, in Windows Network Neighbourhood for example, even though the traffic is allowed.

    @TinFoil:

    Go into OPT1 for example, name it LAN2, set it to static IP but use 192.168.25.1/24. Go into DHCP server, make sure it is also going to serve up LAN2 (will make pfSense be the one handing out DHCP leases, even direct to the wireless clients). Finally go into firewall rules, set up an allow all for outbound but set it as LAN2 subnet?

    Looks good. The firewall rules in pfSense work to restrict only inbound traffic, with respect to the interface, so if you allow traffic with destination 'any' on LAN it will be able to reach the LAN2 subnet even if you haven't added rules on LAN2 to allow it.

    @TinFoil:

    Finally, can I make the newly created subnets also access the WebUI? If so, how.

    The webgui listens on all interfaces so it will be accessible from any interface that has firewall rules to allow it, which the default rule does.

    Put up a screenshot of your rules if you're still having any trouble.

    Steve
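The two points Steve makes in this thread, that every interface needs its own non-overlapping subnet and that pfSense rules on an interface tab only filter traffic entering the firewall on that interface (first match, implicit block when nothing matches), can be checked with a small model. The following is an added example written for this page, not pfSense code or anything posted in the thread; the interface names, the 192.168.24.0/24 and 192.168.25.0/24 addressing, and the rule set are constructed from the thread's own numbers, and 203.0.113.10 is a documentation-range stand-in for "the internet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample layout (not read from any real box): LAN on re1 as in the thread,
# OPT1 renamed LAN2 and given its own /24 as Steve recommends.
INTERFACES = {
    "LAN":  "192.168.24.1/24",
    "LAN2": "192.168.25.1/24",
}


def overlapping_subnets(interfaces):
    """Return sorted (a, b) name pairs whose interface networks overlap.
    pfSense cannot route correctly when two interfaces share a subnet; running this
    before applying a change catches the mistake that locked the poster out."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


@dataclass(frozen=True)
class Rule:
    iface: str    # tab the rule lives on: filters traffic ENTERING pfSense on this interface
    action: str   # "pass" or "block"
    src: str      # "any", an interface name (meaning "<iface> net"), or a CIDR
    dst: str      # same forms as src


def _selector_matches(selector, ip, interfaces):
    """True if ip is covered by the rule's source/destination selector."""
    if selector == "any":
        return True
    if selector in interfaces:                       # "LAN net" style selector
        net = ipaddress.ip_interface(interfaces[selector]).network
    else:
        net = ipaddress.ip_network(selector, strict=False)
    return ipaddress.ip_address(ip) in net


def evaluate(rules, ingress, src_ip, dst_ip, interfaces=INTERFACES):
    """First-match evaluation of the rules on the ingress interface's tab.
    Rules on other tabs are never consulted; no match means the implicit default block."""
    for r in rules:
        if r.iface != ingress:
            continue
        if (_selector_matches(r.src, src_ip, interfaces)
                and _selector_matches(r.dst, dst_ip, interfaces)):
            return r.action
    return "block"


def ingress_interface(src_ip, interfaces=INTERFACES):
    """Interface whose subnet contains src_ip, i.e. where the packet enters pfSense."""
    for name, cidr in interfaces.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_interface(cidr).network:
            return name
    raise ValueError(f"no interface holds {src_ip}")


def check(rules, src_ip, dst_ip, interfaces=INTERFACES):
    """Verdict for a packet from src_ip to dst_ip under the given rule set."""
    return evaluate(rules, ingress_interface(src_ip, interfaces), src_ip, dst_ip, interfaces)


# Constructed rule sets: the stock "LAN net to any" rule alone, then with a copy for LAN2.
BASE_RULES = [Rule("LAN", "pass", "LAN", "any")]
LAN2_RULES = BASE_RULES + [Rule("LAN2", "pass", "LAN2", "any")]

if __name__ == "__main__":
    # The lockout scenario: OPT1 configured with the same /24 as LAN.
    print(overlapping_subnets({"LAN": "192.168.24.1/24", "OPT1": "192.168.24.1/24"}))
    print(check(BASE_RULES, "192.168.24.50", "192.168.25.50"))   # LAN rule reaches LAN2 without LAN2 rules
    print(check(BASE_RULES, "192.168.25.50", "203.0.113.10"))    # LAN2 has no rules: blocked
    print(check(LAN2_RULES, "192.168.25.50", "203.0.113.10"))    # after copying the rule: passes
    print(check(LAN2_RULES, "192.168.25.50", "192.168.25.1"))    # webgui on LAN2's address reachable
```

The model only covers the per-interface, first-match behaviour discussed in the thread (no NAT, no floating rules, no reply-direction state), which is enough to see why a LAN client could reach the LAN2 subnet with no LAN2 rules at all, while a LAN2 client got nothing until a "LAN2 net to any" rule existed on its own tab.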