Secondary LAN IPs
I'm trying to switch from a NETGEAR ProSafe VPN Firewall to a pfSense box.
There is a setting on the NETGEAR router called "LAN Multi-homing". It has the following description:
Secondary LAN IP Setup
If you have computers using different IP networks in the LAN, (for example: 172.16.2.0, 10.0.0.0), then you can add "aliases" to the LAN port and give computers on those networks, access to the Internet.
I thought that Virtual IPs was the right setting for this on pfSense, but I could not get it to work. How can I mirror the settings from the NETGEAR router on pfSense? Currently, I have "192.168.11.1/255.255.255.0" as a secondary LAN IP on the NETGEAR router.
It's a bad setup to have two networks on one wire, but it can be done.
Add a virtual IP, type Alias to the LAN. Then you need to add a firewall rule on the LAN tab to let the traffic out- just copy the default LAN one and change the network to the alias one. If you are using advanced NAT, make a rule to nat the Alias network- again, copy the LAN one and change the subnet.
Under Virtual IP, I have an alias IP for 192.168.11.1/24. I'd also added rules for NAT and the firewall. I've attached a a screenshot of what I currently have.
Also, what would you suggest as a better alternative (and would I have to change any of the current clients' network settings)?
Those settings look correct.
As far as best practices go, if you want two separate networks, you should be using separate interfaces/vlans. If you don't care about them being separate, you should re-address so all machines are on one subnet.
There's a setting under "System: Advanced: Firewall and NAT" called "Static route filtering". It's described as:
Bypass firewall rules for traffic on the same interface
This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.
Would this help, and would it affect anything on the WAN/VPN side?
That is usually used where you have a site connected via another router, It shouldn't be needed in your situation.
Are machines on the 192.168.11 subnet still not able to get out? I assume you cleared states and made sure arp had flushed, etc.
I'll be trying it out tomorrow, I haven't changed anything yet (the pictures I posted were settings I had already applied). I did not clear firewall states because it was a new box, and I had spoofed the MAC to prevent any ARP issues. However, I only spoofed the WAN MAC and not the LAN MAC. When I test tomorrow, I'll make sure to delete any ARP entries on the client.
As for VLANs, I've never actually had to deal with them. From a quick glance, it seems I'd need to set up the switch for VLAN trunking. What if that wasn't an option; how would a VLAN work when different subnets are under the same (dumb) switch?
You can only use vlans if you have a smart (vlan capable) switch. In simple terms, it can treat ports like they are separate switches, so the machines are isolated. Roughly like having two interfaces each going to a different switch.
Good news! Everything is working. The settings were correct as you mentioned, except for one thing under Virtual IPs: The source interface was set to WAN instead of LAN. Changing it to LAN let me have both 20.0/24 and 11.0/24 subnets on the same LAN.