Netgate Discussion Forum
    How to include multiple subnets in "LAN net"?

    Category: Problems Installing or Upgrading pfSense Software
    31 Posts 8 Posters 14.3k Views
      GomezAddams

      How would one install or configure pfsense if you have multiple subnets connected to a router, and that router connects to pfsense?

      For example, if you have the following subnets connected to a router:

      10.10.0.0/16
      10.20.0.0/16
      10.30.0.0/16
      10.100.0.0/22

      pfsense LAN interface is connected on subnet 10.100.0.0/22

      The router has ip address 10.100.0.1 on the interface pfsense is connected to, and pfsense has the ip address 10.100.0.2

      Everything on the subnets has the router as its default gateway, and the router has pfsense as its default gateway.

      I can get pfsense communicating with the whole network by manually creating a route on the command line, or I can create a gateway of 10.100.0.1.

      What I can't figure out how to do is get the pseudo-interface "LAN network" to include all of my subnets (10.10.0.0, 10.20.0.0, etc). What am I missing?

        Derelict LAYER 8 Netgate

        Why on Earth would you do that?  Why the multiple /16s on one interface?

        Nevermind.

        Umm.  I just answered this somewhere else…

        https://forum.pfsense.org/index.php?topic=83402.msg456853#msg456853

        See if that's not enough info.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Derelict LAYER 8 Netgate

          You don't need a pseudo interface.

          What you need to do is edit your firewall rules on LAN to pass traffic not just from LAN net but from the other networks as well.

          If you want to NAT them you need to set manual outbound NAT and duplicate the rules for LAN for the other networks.

            GomezAddams

            I was hoping there was a way to consider all my internal subnets "LAN net" so that I didn't have to create umpteen versions (one for each subnet) of each rule for every rule I want.

              stephenw10 Netgate Administrator

              You can create an alias to include all the subnets.

              Steve

                GomezAddams

                Thanks Steve.

                I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x

                  Derelict LAYER 8 Netgate

                    cmb

                    @Derelict:

                    No kidding. Wow… bad, bad, BAD idea.

                    It'd be faster, easier, and not require absurdly bad hacks to just use an alias instead of "LAN net".

                      stephenw10 Netgate Administrator

                      Ha. At least you recognise that as an ugly hack.  ;)
                      It's the sort of thing that can come back to bite you in the future though.

                      Steve

                        cmb

                        @stephenw10:

                        It's the sort of thing that can come back to bite you in the future though.

                        If it's anything like the circumstances I end up getting into with support customers cleaning up disasters like this, it probably won't bite him. It'll bite his unfortunate successor after he moves on elsewhere in a few months or a year, and we'll probably get a frantic new support/professional services customer and have to clean up the mess when it explodes.

                        That's true dating back into my career years before this project existed, back when I did general network consulting. Cleaning up patched together messes that sort of worked…until they didn't.

                          heper

                          So you are planning to have around 200,000 clients behind your pfSense box? (This is based on your subnets.)

                          What kind of hardware are you using for this? I'm just curious what would be required for that.
                          How much bandwidth will you be pushing?

                            GomezAddams

                            I don't have that many class B subnets because of the number of clients. I have it because of my routing design.

                            The company I work for has a datacenter, and several remote locations connected by MPLS and/or Internet VPN. To keep routing simple, each site has a 10.X.0.0/16 subnet assigned to it. For example:

                            Mothership: 10.10.0.0/16
                            Ultima Thule: 10.20.0.0/16
                            Timbuktu: 10.30.0.0/16

                            And so on.

                            At each location, their /16 subnet is subnetted into /22 networks for local use. For example:

                            10.10.0.0/22: network equipment
                            10.10.4.0/22: wireless access points
                            10.10.8.0/22: Servers, workstations, and printers
                            10.10.12.0/22: Wireless SSID #1
                             10.10.16.0/22: Wireless SSID #2

                            Because of company policy, all remote locations' Internet access must come back through the mothership for filtering, which is where I would put pfsense.

                              Derelict LAYER 8 Netgate

                              So you want multiple properties all connected by some sort of WAN technology all on the same broadcast domain in one big, flat network, and depend on proxy arp to get traffic from each property to the others with multiple layer 3 networks on top of it.

                              All I can say is, "Good luck with that."

                                johnpoz LAYER 8 Global Moderator

                                Why would you use a /22 on transit network??  wouldn't something like a /30 be better?  If you used a segment outside the 10 range, you could just create 1 route 10/8 to your downstream router.  And then your lan rules could be something as simple as 10/8 as source as well.

                                Does pfsense have other connections that lead to other 10.x networks?

                                So for example pfsense has 192.168.1.1/30, your other router is 192.168.1.2/30, and all its other networks are in the 10.whatever networks. Your pfsense LAN source allows 10/8 and you create an outbound NAT whose source is 10/8 as well. You have one route on pfsense that says "hey, you're going to 10/8, go to 192.168.1.2".

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  robi

                                  GomezAddams, you're going to run into big trouble sooner or later with that kind of network. Although it will work for some time, keep in mind that Ethernet was designed to be used in a different way than this.

                                  To make a comparison, your network topology looks pretty much like having a Ferrari at each location, trying to achieve maximum speed using the gearshift only in position 2.

                                    GomezAddams

                                    @Derelict:

                                    So you want multiple properties all connected by some sort of WAN technology all on the same broadcast domain in one big, flat network, and depend on proxy arp to get traffic from each property to the others with multiple layer 3 networks on top of it.

                                    All I can say is, "Good luck with that."

                                    What? No.

                                    It is all routed. I don't understand why you would think it is all one big broadcast domain. I have a number of locations with a /16 for each location.

                                      GomezAddams

                                      @robi:

                                      GomezAddams, you're going to run into big trouble sooner or later with that kind of network. Although it will work for some time, keep in mind that Ethernet was designed to be used in a different way than this.

                                      To make a comparison, your network topology looks pretty much like having a Ferrari at each location, trying to achieve maximum speed using the gearshift only in position 2.

                                      I must not be making myself clear. I'm not using ethernet in any strange way. I just have multiple locations with a /16 for each location. Each location is routed.

                                        Derelict LAYER 8 Netgate

                                        I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x

                                        Yes.  Yes you are.

                                          phil.davis

                                          Keep your LANnet with the proper mask for its real local range.
                                          Assuming the other subnets in your intranet are reachable through some internal router that is connected somewhere to pfSense, add a gateway that is the internal router, and static routes on pfSense to tell pfSense how to reach those other subnets.
                                          Add rules to allow traffic from those subnets into pfSense on the interface where it arrives, with destination whatever you want to allow (reaching all of LANnet, going through pfSense out to the internet or whatever you need…).

                                          For the rules you can make aliases to make it very easy to add all those subnets in 1 rule.

                                          In static routes you can also use the alias, and you pick the gateway from a list.

                                          So actually if your subnet list changes in future you just change the alias and it should take effect auto-magically in both rules and routes.

                                          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                            GomezAddams

                                            @Derelict:

                                            I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x

                                            Yes.  Yes you are.

                                            AH, I think I see the misunderstanding. The place this hack would be in place is ONLY on the pfsense LAN interface. Everything else would have proper subnet masks. By setting the pfsense LAN interface mask to 255.0.0.0, pfsense thinks everything 10.0.0.0 is "LAN net" (as far as rules go). This would cause pfsense to think the whole internal network was on the local segment, but turning on proxy ARP on the router interface that pfsense is connected to would fix that. Everything else would use the normal routing mechanisms to communicate.

                                            It sounds like the solution to this problem is to create an alias with all the internal subnets and use that when creating rules instead of "LAN net". I was just somewhat surprised to find that pfsense doesn't have a built-in mechanism for expanding the scope of "LAN net" to more than just the subnet pfsense is connected to.

                                            In other words, it seems odd to me that pfsense equates the LAN subnet mask to the scope of what are internal networks.

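As an added illustration (not code from the thread, from pfSense, or from any poster), the following Python models the three source scopes the thread compares, for phil.davis's alias-plus-static-routes approach and the OP's closing summary: the interface-derived "LAN net", an alias holding the routed site subnets plus the transit net, and the 255.0.0.0 mask hack. The host addresses 10.10.8.20 and 10.250.1.1 are constructed for the example; the subnets are the ones the OP listed.

```python
import ipaddress

def lan_net(addr_with_prefix):
    """pfSense derives 'LAN net' from the interface address and mask alone."""
    return ipaddress.ip_network(addr_with_prefix, strict=False)

def source_matches(source, networks):
    """Rule source check: is `source` inside any network in the rule's source scope?"""
    addr = ipaddress.ip_address(source)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def is_on_link(dest, interface_net):
    """Destinations inside the interface network are resolved with ARP instead of being sent to a gateway."""
    return ipaddress.ip_address(dest) in interface_net

# Topology from the thread; only the host addresses used in the checks below are constructed.
ROUTED_SITES = ["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16"]
TRANSIT = "10.100.0.0/22"
PROPER_LAN = lan_net("10.100.0.2/22")       # LAN interface with its real mask
HACKED_LAN = lan_net("10.100.0.2/8")        # LAN interface with the 255.0.0.0 hack
INTERNAL_ALIAS = ROUTED_SITES + [TRANSIT]    # the alias the replies recommend

def scope_decisions(source):
    """Would a rule whose source is 'LAN net', the alias, or the hacked 'LAN net' match this source?"""
    return {
        "lan_net": source_matches(source, [str(PROPER_LAN)]),
        "alias": source_matches(source, INTERNAL_ALIAS),
        "hack": source_matches(source, [str(HACKED_LAN)]),
    }

def forwarding_decisions(dest):
    """Does pfSense treat `dest` as on-link (ARP) with the proper mask versus the hacked mask?"""
    return {"proper": is_on_link(dest, PROPER_LAN), "hack": is_on_link(dest, HACKED_LAN)}

if __name__ == "__main__":
    for src in ("10.10.8.20", "10.250.1.1", "10.100.0.50"):
        print(src, scope_decisions(src))
    print("10.10.8.20 on-link?", forwarding_decisions("10.10.8.20"))
```

The second address shows why the alias is the tighter trust boundary: the hack passes any 10.x source, including ranges no site was ever assigned, and it also makes pfSense ARP for remote hosts instead of routing to 10.100.0.1, which is exactly the dependence on proxy ARP the replies warn about.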
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.