Why can't configure LAN + WAN on same subnet?



  • Hi folks,

    I've been trying for many days to configure the following networking schema:

    pfSense
    LAN: 192.168.10.1/24
    WAN_1: 192.168.10.11/24 => Ethernet cable => ADSL Router 192.168.10.10/24
    WAN_2: 192.168.10.21/24 => Ethernet cable => ADSL Router 192.168.10.20/24

    I have gone nuts for many days because neither the pfSense local console nor the GUI gives any warning, when configuring the interfaces, that there is any trouble with this config, except that pfSense stopped all networking or had other issues.

    Finally I found today in these forums many guys saying that it's not possible on pfSense (or any other device) to have different interfaces on the same subnet. And my main question is: why not?

    I gotta explain here that I needed it for testing purposes. Imagine that I want to set up load balancing in pfSense and at a certain moment in production I need to test the connectivity (whether there is ping loss, a bandwidth test…) from one of the routers only. As far as I know there are only the following ways to achieve this:

    1- You have the router connected to pfSense only

    • Connect another eth. cable from the router to a laptop to make the tests

    2- You have the router connected to pfSense and the LAN (many people here would want to ask why, mainly for security reasons)

    • The router is in a different subnet than the LAN subnet: configure your IP for each subnet to ping each router. Also configure the GW for the BW test
    • The router is in the same subnet as the LAN: ping without making changes. Configure only the GW for the BW test

    Reading what I'm writing, it seems to me that the reasons I'm giving aren't strong enough to defend my question, but anyway, what do you guys think about all of it?

    All opinions will be much appreciated :)


  • Rebel Alliance Global Moderator

    So you don't understand why the same network on multiple interfaces would be an issue for a router??

    So the router gets something for 192.168.10.103 – which interface does it send that traffic out? All of them? Why should it even be seeing that traffic in the first place? Because a box connected to its LAN interface on 192.168.10.0/24 is not even going to send traffic to the pfSense interface 192.168.10.1, since hey, that is my network; why do I need to send it to the gateway? So the router would never even see that traffic.

    What do you need for testing purposes? You sure as hell do not need 3 interfaces in the same network and expect to route and, by default, NAT between them. You can have your 2 WAN interfaces on the same network; that is not a problem, you're not routing between them. But you can not put your LAN network on the same. If your WAN interfaces are in 192.168.10.0/24 then put your LAN in, say, 192.168.20.0/24
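    To make the ambiguity concrete, here is an added Python model of the forwarding lookup for the topology in this thread (constructed for illustration, not pfSense code): three connected routes on one prefix give the router several equally good matches, while moving the LAN to 192.168.20.0/24 gives a single match, and a LAN host on the modem's own subnet never hands the packet to pfSense at all.

```python
import ipaddress

# Constructed connected-route tables modelled on the thread's topology:
# (prefix, interface). These are illustrative, not read from a real FIB.
SAME_SUBNET = [
    ("192.168.10.0/24", "LAN"),
    ("192.168.10.0/24", "WAN_1"),
    ("192.168.10.0/24", "WAN_2"),
]
FIXED = [
    ("192.168.20.0/24", "LAN"),    # LAN moved to its own subnet
    ("192.168.10.0/24", "WAN_1"),  # the two WANs still share a subnet;
    ("192.168.10.0/24", "WAN_2"),  # nothing is routed between them
]


def lookup(table, dst):
    """Longest-prefix match over connected routes.

    Returns every interface whose route ties for the longest matching
    prefix. More than one name means the forwarding decision is ambiguous:
    the router has no basis to prefer one interface over another.
    """
    dst = ipaddress.ip_address(dst)
    best_len, winners = -1, []
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, winners = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            winners.append(iface)
    return winners


def host_uses_gateway(host_ip, prefixlen, dst):
    """A host only sends via its default gateway when dst is off-link.

    For an on-link destination it resolves the MAC directly, so the
    firewall never sees the packet (johnpoz's point above).
    """
    net = ipaddress.ip_network(f"{host_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) not in net


if __name__ == "__main__":
    print(lookup(SAME_SUBNET, "192.168.10.50"))           # three candidates
    print(lookup(FIXED, "192.168.20.50"))                 # ['LAN']
    print(host_uses_gateway("192.168.10.50", 24, "192.168.10.10"))  # False
    print(host_uses_gateway("192.168.20.50", 24, "192.168.10.10"))  # True
```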



  • If the same town has 2 or 3 identical street names, then it would be very hard for the postal service to get the letter to the right person.

    For that reason, it's also impossible to ROUTE (i.e. deliver a letter) between identical subnets (street names) in the same network (town).



  • @heper:

    If the same town has 2 or 3 identical street names, then it would be very hard for the postal service to get the letter to the right person.

    For that reason, it's also impossible to ROUTE (i.e. deliver a letter) between identical subnets (street names) in the same network (town).

    Hey, that's a very clear and simple example. Thank you.

    johnpoz, many thanks to you too. I understood your explanation and I've found it very helpful. I'll also take note about configuring all routers on the same subnet, different from the LAN's.


  • Netgate Administrator

    Looking at your test scenario it appears you want to be able to access your WAN-side modem/routers from a client on the pfSense LAN, yes? You don't have to be in the same subnet as the modem to do that. The main issue is that most modem/routers don't have a facility to add a route to the pfSense LAN subnet, so they don't know where to send traffic back to your client. There are several ways around that though:
    https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    Edit: The above assumes you're using some sort of bridge mode for your modems, like PPPoE pass-through. If they are still routing/NATing then you should be able to access the modems directly via their IP.

    Steve



  • I think you are confusing the routing and gateway roles of your pfSense.

    In a datacenter environment, we tried to manage WAN access from 3 different operators. We wanted to manage the whole solution through VLAN interfaces instead of physical interfaces. And we faced many problems concerning routing, NATing and IP aliasing (VIP), because we wanted PF to act in a gateway role, not a simple routing role.

    We believe PF loves 1 interface = 1 physical interface when you want your PF behaving as a gateway. In a routing-only configuration, no problem dealing with VLANs instead of physical interfaces.

    If you want a gateway mode, I'd suggest you dedicate 1 physical interface for the public side (WAN), and another physical interface for the private side (LAN). You can still use VLANs on your LAN physical interface…

    Be sure of what you want to NAT besides what you want to route.
    ...Or deal with AON - Manual Outbound NAT....