How to include multiple subnets in "LAN net"?
-
How would one install or configure pfsense if you have multiple subnets connected to a router, and that router connects to pfsense?
For example, if you have the following subnets connected to a router:
10.10.0.0/16
10.20.0.0/16
10.30.0.0/16
10.100.0.0/22pfsense LAN interface is connected on subnet 10.100.0.0/22
The router has ip address 10.100.0.1 on the interface pfsense is connected to, and pfsense has the ip address 10.100.0.2
Everything on the subnets have the router as their default gateway, the router has pfsense as its default gateway.
I can get pfsense communicating with the whole network by manually creating a route in the command line, or I can create a gateway of 10.100.0.1
What I can't figure out how to do is get the pseudo-interface "LAN network" to include all of my subnets (10.10.0.0, 10.20.0.0, etc). What am I missing?
-
Why on Earth would you do that? Why the multiple /16s on one interface?Nevermind.
Umm. I just answered this somewhere else…
https://forum.pfsense.org/index.php?topic=83402.msg456853#msg456853
See if that's not enough info.
-
You don't need a pseudo interface.
What you need to do is edit your firewall rules on LAN to pass traffic not just from LAN net but from the other networks as well.
If you want to NAT them you need to set manual outbound NAT and duplicate the rules for LAN for the other networks.
-
I was hoping there was a way to consider all my internal subnets "LAN net" so that I didn't have to create umpteen versions (one for each subnet) of each rule for every rule I want.
-
You can create an alias to include all the subnets.
Steve
-
Thanks Steve.
I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x
-
-
No kidding. Wow… bad, bad, BAD idea.
It'd be faster, easier, and not require absurdly bad hacks to just use an alias instead of "LAN net".
-
Ha. At least you recognise that as an ugly hack. ;)
It's the sort of thing that can come back to bite you in the future though.Steve
-
It's the sort of thing that can come back to bite you in the future though.
If it's anything like the circumstances I end up getting into with support customers cleaning up disasters like this, it probably won't bite him. It'll bite his unfortunate successor after he moves on elsewhere in a few months or a year, and we'll probably get a frantic new support/professional services customer and have to clean up the mess when it explodes.
That's true dating back into my career years before this project existed, back when I did general network consulting. Cleaning up patched together messes that sort of worked…until they didn't.
-
So you are planning to have around 200,000 clients behind your pfSense box ? (this based on your subnets)
What kind of hardware are you using for this ? I'm just curious what would be required for that.
How much bandwidth will you be pushing ? -
I don't have that many class B subnets because of the number of clients. I have it because of my routing design.
The company I work for has a datacenter, and several remote locations connected by MPLS and/or Internet VPN. To keep routing simple, each site has a 10.X.0.0/16 subnet assigned to it. For example:
Mothership: 10.10.0.0/16
Ultima Thule: 10.20.0.0/16
Timbuktu: 10.30.0.0/16And so on.
At each location, their /16 subnet is subnetted into /22 networks for local use. For example:
10.10.0.0/22: network equipment
10.10.4.0/22: wireless access points
10.10.8.0/22: Servers, workstations, and printers
10.10.12.0/22: Wireless SSID #1
10.10.16.0/22 Wireless SSID #2Because of company policy, all remote locations' Internet access must come back through the mothership for filtering, which is where I would put pfsense.
-
So you want multiple properties all connected by some sort of WAN technology all on the same broadcast domain in one big, flat network, and depend on proxy arp to get traffic from each property to the others with multiple layer 3 networks on top of it.
All I can say is, "Good luck with that."
-
Why would you use a /22 on transit network?? wouldn't something like a /30 be better? If you used a segment outside the 10 range, you could just create 1 route 10/8 to your downstream router. And then your lan rules could be something as simple as 10/8 as source as well.
Does pfsense have other other connections that lead to other 10.x networks?
So for example pfsense has 192.168.1.1/30 - your other router is 192.168.1.2/30, all its other networks are in the 10.whatever networks. Your pfsense lan source allows 10/8 and you create an outbound nat that source is 10/8 as well. You have 1 route on pfsense that says hey your going to 10/8 go to 192.168.1.2
-
GomezAddams, you're going to run into big trouble sooner or later with that kind of network. Although it will work for some time, keep in mind that Ethernet was designed to be used in a different way than this.
To make a comparison, your network topology looks pretty much like having a Ferrari at each location, trying to achieve maximum speed using the gearshift only in position 2.
-
So you want multiple properties all connected by some sort of WAN technology all on the same broadcast domain in one big, flat network, and depend on proxy arp to get traffic from each property to the others with multiple layer 3 networks on top of it.
All I can say is, "Good luck with that."
What? No.
It is all routed. I don't understand why you would think it is all one big broadcast domain. I have a number of locations with a /16 for each location.
-
GomezAddams, you're going to run into big trouble sooner or later with that kind of network. Although it will work for some time, keep in mind that Ethernet was designed to be used in a different way than this.
To make a comparison, your network topology looks pretty much like having a Ferrari at each location, trying to achieve maximum speed using the gearshift only in position 2.
I must not be making myself clear. I'm not using ethernet in any strange way. I just have multiple locations with a /16 for each location. Each location is routed.
-
I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x
Yes. Yes you are.
-
Keep your LANnet with the proper mask for its real local range.
Assuming the other subnets in your intranet are reachable through some internal router that is connected somewhere to pfSense, add a gateway that is the internal router, and static routes on pfSense to tell pfSense how to reach those other subnets.
Add rules to allow traffic from those subnets into pfSense on the interface where it arrives, with destination whatever you want to allow (reaching all of LANnet, going through pfSense out to the internet or whatever you need…).For the rules you can make aliases to make it very easy to add all those subnets in 1 rule.
In static routes you can also use the alias, and you pick the gateway from a list.
So actually if your subnet list changes in future you just change the alias and it should take effect auto-magically in both rules and routes.
-
I did find a rather sneaky way of accomplishing the same thing: set the mask on my LAN interface to 255.0.0.0 and then let the router proxy arp for all the routed subnets. Ugly, but it does work as long as all my internal networks are 10.x.x.x
Yes. Yes you are.
AH, I think I see the misunderstanding. The place this hack would be in place is ONLY on the pfsense LAN interface. Everything else would have proper subnet masks. By setting the pfsense LAN interface mask to 255.0.0.0, pfsense thinks everything 10.0.0.0 is "LAN net" (as far as rules go). This would cause pfsense to think the whole internal network was on the local segment, but turning on proxy ARP on the router interface that pfsense is connected to would fix that. Everything else would use the normal routing mechanisms to communicate.
It sounds like the solution to this problem is to create an alias wit hall the internal subnets and use that when creating rules instead of "LAN net". I was just somewhat surprised to find that pfsense doesn't have a built-in mechanism for expanding the scope of "LAN net" to more than just the subnet pfsense is connected to.
In other words, it seems odd to me that pfsense equates the LAN subnet mask to the scope of what are internal networks.
