Multiple Subnet Access - Help



  • Hi all, hoping I can get some help on this config I am doing. I have a network with a bunch of Subnets floating around. The two I use at this location are 192.168.113.0/24 and 192.168.116.0/24 but we have Subnets ranging from 1 through 200.

    What I am trying to do is have the PFSense box act as a gateway to the internet, which it works great for now if you are on the 192.168.113.0/24 subnet. The 116 subnet cannot access the GUI for configuration or use it as a gateway, and the 113 subnet, when using the PFSense box as a gateway and a DNS server to get out to the internet, cannot access other internal assets like our internal DNS servers et cetera.

    Normally we access the internet via our corporate gateway of 192.168.100.1 and our DNS servers et cetera. The PFSense is connected to a stand-alone DSL line and is used if our main connection goes down. So I would like people to be able to just change their gateway on their NIC to point to the PFSense box and be able to access the internet and resolve internal resources, but I cannot figure out how to get the PFSense to allow connections between the multiple subnets and allow clients to access internal DNS servers to resolve local resources as well.

    Here are some screenshots of rules and natting I have now and a basic diagram of the setup. If anyone can help I'd appreciate it.

    Diagram of network:

    https://drive.google.com/open?id=0BzsKCe89GscxbGU2UlJiNzM0bFU&authuser=0

    NAT:

    https://drive.google.com/open?id=0BzsKCe89GscxVHlNUmU3UDNySUk&authuser=0

    RULES:

    https://drive.google.com/open?id=0BzsKCe89GscxNEQ4bkhkZXN2RTQ&authuser=0

    All of these were made from reading up on the issue and trying to resolve it before coming here for help.

    Thanks!


    ![PFSense Firewall.jpg](/public/imported_attachments/1/PFSense Firewall.jpg)


  • LAYER 8 Netgate

    Yeah that's not going to work.

    Create VLAN 113 and 116 on pfSense and assign two interfaces to that each with addresses on those networks.

    What kind of device is the other router?  I'd look at getting rid of it entirely and get pfSense doing Multi-WAN with failover.

    If you can't completely get rid of it then I would look at putting a "WAN" port on pfSense connecting to it and your LAN ports behind pfSense.

    ![Multi-WAN with Router.png](/public/imported_attachments/1/Multi-WAN with Router.png)



  • OK, I'll work on that setup. I was actually following a post of yours about not needing the VLANs and just increasing the subnet ranges because NATs were handled by the switch, but I'll look at setting it up this way.

    I can't change the rest of the network, it's a Cisco network that is in place already. This PFSense box was just set up as an alternate internet point if the main goes out so the dispatchers could use the VPN clients on their consoles to connect to the NCIC database to continue to run folks interacting with the police.



  • Sorry, I typed up a large reply and it timed out, so I have to start over, so I'll make this shorter. I am having a tough time getting the setup in my head, so I was hoping you could help.

    I have three NICs in the system. I could use them as WAN1, WAN2 and LAN or another combination. I can't change the setup as it stands now, it's a Cisco network and it's set up routing a bunch of different networks for radio traffic, the City and County networks et cetera. So I was thinking of something like this or some other way.

    The whole point of adding the PFSense was as an alternative internet access for the 113 subnet to get out when the main circuit goes down, which is often as this is the boonies and Windstream is the worst internet provider in the world.

    Appreciate the help:

    ![PFSense Firewall - DA2.jpg](/public/imported_attachments/1/PFSense Firewall - DA2.jpg)


  • LAYER 8 Netgate

    I don't see why that won't work if you really want to run around changing default gateways in all your clients during an outage.

    Or you could do a manual high-availability-style maneuver.  If the primary link goes down, unplug the Cisco from your LAN and change the pfSense interface IPs to 192.168.113.6 and 192.168.116.1.

    When it comes back up, change the pfSense interface IPs back and plug the primary back in.

    Option 1 and option 2 are functionally identical, just set up a bit differently.  Once either is set up your options remain the same.



  • I would create a trunk port from your Cisco network and connect that to Pfsense as the WAN. Then I would add your second ISP to Pfsense and make sure that was working. You could check this out by manually assigning the default gateway of your client to your Pfsense box. If you have access to your DHCP server you could use option 003, which is an alternate gateway; that way if the main gateway goes down your clients would use the backup (maybe?). However it seems to me that your network should probably be re-engineered from the core to support two gateways. Why not just add the second ISP to the Cisco router? You might have to sub-interface the port and use a switch depending on the model and number of physical ports you have. More information is needed about your in-place network.


  • LAYER 8 Netgate

    I'd probably do something like this.  It's a pretty simple change.  It could probably be done without anyone noticing in the span of one 15-minute outage of the primary WAN.

    ![Multi-WAN with Router.png](/public/imported_attachments/1/Multi-WAN with Router.png)



  • @mikeisfly:

    I would create a trunk port from your Cisco network and connect that to Pfsense as the WAN. Then I would add your second ISP to Pfsense and make sure that was working. You could check this out by manually assigning the default gateway of your client to your Pfsense box. If you have access to your DHCP server you could use option 003, which is an alternate gateway; that way if the main gateway goes down your clients would use the backup (maybe?). However it seems to me that your network should probably be re-engineered from the core to support two gateways. Why not just add the second ISP to the Cisco router? You might have to sub-interface the port and use a switch depending on the model and number of physical ports you have. More information is needed about your in-place network.

    Honestly, I would love to redesign the network from the ground up and change our ISP (now that a couple of local ISPs have real fiber to the residence) but I only have control over the 911 dispatch building; all the rest of the network is managed by the county IT folks and they don't know much.

    I already upgraded the network here to the 3750X switch stack and the 2911. Before, they were using simple GB switches, no VLANs and nothing, it was a broadcast collision nightmare.

    I did want to get a fiber circuit here and drop the Windstream point-to-point and just set up a VPN tunnel over the fiber, then set up another cheap circuit as an alternative gateway, but I can't get them to sign off on it.

    So I just took an old server I had, put PFSense on it and used one of the extra IPs I have on an old DSL circuit, and that's where I am now.


  • LAYER 8 Netgate

    But all you have to change is the interface from pfSense to the 2911 and add a couple routes.

    They don't even have to know you did it.  And it will all be proper and have multi-wan with failover.

    The only route they would need to add is one for the new interface addresses and that's only if they want to talk to them directly.  You could also just ask them for a third subnet out of 192.168.0.0/16 for your interface network between 2911 and pfSense.
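    Added example, not from the thread or from Netgate: a small longest-prefix-match model of the two layouts discussed so far. It traces a packet hop by hop from a client's default gateway and shows why the opening post's 113 clients leaked internal traffic out the DSL (pfSense had only a default route) and why the 2911 needs the return routes mentioned just above. The two LAN subnets, the corporate gateway 192.168.100.1 and pfSense's 192.168.113.6 come from the thread; the transit /30 between the 2911 and pfSense, the DSL addresses, the corporate subnet and the client and DNS addresses are constructed for the example.

```python
"""Hop-by-hop trace of the routing designs discussed in this thread.
Added example: addresses marked 'constructed' are assumptions, not
values from the thread."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# From the thread: the two LANs and the corporate gateway.
LAN_113, LAN_116 = "192.168.113.0/24", "192.168.116.0/24"
CORP_GW = "192.168.100.1"
# Constructed: corporate subnet and DNS host, transit /30 between the 2911
# and pfSense, DSL /30 (documentation range).
CORP_NET, CORP_DNS = "192.168.100.0/24", "192.168.100.10"
TRANSIT, T_2911, T_PF = "192.168.250.0/30", "192.168.250.1", "192.168.250.2"
DSL, DSL_PF, DSL_ISP = "203.0.113.0/30", "203.0.113.2", "203.0.113.1"


class Router:
    """Longest-prefix-match forwarder: connected prefixes deliver locally,
    anything else goes to the next hop of the most specific matching route."""

    def __init__(self, name: str, connected: List[str],
                 routes: List[Tuple[str, str]]) -> None:
        self.name = name
        self.connected = [Net(c) for c in connected]
        self.routes = sorted(((Net(p), Addr(nh)) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: Addr) -> Optional[Addr]:
        if any(dst in net for net in self.connected):
            return None                       # deliver on the local segment
        for prefix, nh in self.routes:
            if dst in prefix:
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")


def trace(owners: Dict[str, Router], first_hop: str, dst: str) -> List[str]:
    """Follow a packet from the client's default gateway until some router
    delivers it locally or forwards it to an address nobody modelled owns."""
    hop, path = Addr(first_hop), []
    for _ in range(8):                        # loop guard
        router = owners.get(str(hop))
        if router is None:
            return path + [f"off-net via {hop}"]
        path.append(router.name)
        nxt = router.next_hop(Addr(dst))
        if nxt is None:
            return path + ["delivered"]
        hop = nxt
    return path + ["LOOP"]


def original() -> Dict[str, Router]:
    """The opening post: pfSense sits on the 113 LAN with only a default
    route out the DSL, while the 2911 still owns both LANs."""
    pf = Router("pfSense", [LAN_113, DSL], [("0.0.0.0/0", DSL_ISP)])
    c2911 = Router("2911", [LAN_113, LAN_116, CORP_NET], [("0.0.0.0/0", CORP_GW)])
    return {"192.168.113.6": pf, DSL_PF: pf,                  # .6 from the thread
            "192.168.113.1": c2911, "192.168.116.1": c2911}   # constructed


def redesigned(primary_up: bool = True, return_routes: bool = True) -> Dict[str, Router]:
    """Derelict's layout: both LANs as VLAN interfaces behind pfSense, the
    2911 reached over a transit /30 as the primary WAN, DSL as the backup."""
    default_gw = T_2911 if primary_up else DSL_ISP      # gateway failover
    pf = Router("pfSense", [LAN_113, LAN_116, TRANSIT, DSL],
                [("192.168.0.0/16", T_2911), ("0.0.0.0/0", default_gw)])
    routes = [("0.0.0.0/0", CORP_GW)]
    if return_routes:                         # the routes the county side must add
        routes += [(LAN_113, T_PF), (LAN_116, T_PF)]
    c2911 = Router("2911", [TRANSIT, CORP_NET], routes)
    return {"192.168.113.1": pf, "192.168.116.1": pf, T_PF: pf, DSL_PF: pf,
            T_2911: c2911}


if __name__ == "__main__":
    print("original, 113 client -> internal DNS:",
          trace(original(), "192.168.113.6", CORP_DNS))
    print("redesign, 113 client -> internal DNS:",
          trace(redesigned(), "192.168.113.1", CORP_DNS))
    print("redesign, primary up, 113 client -> internet:",
          trace(redesigned(), "192.168.113.1", "198.51.100.7"))
    print("redesign, primary down, 113 client -> internet:",
          trace(redesigned(primary_up=False), "192.168.113.1", "198.51.100.7"))
    print("redesign, corporate host -> 116 client:",
          trace(redesigned(), T_2911, "192.168.116.20"))
    print("same, without the return routes on the 2911:",
          trace(redesigned(return_routes=False), T_2911, "192.168.116.20"))
```

    The first trace reproduces the symptom from the opening post: with only a default route, pfSense pushes 192.168.100.x traffic out the DSL where it is NATed and dies. In the redesigned layout the pieces correspond to VLAN interfaces on pfSense's LAN NIC, a static route for 192.168.0.0/16 via the transit gateway, and a gateway group for the failover between the 2911 and the DSL; the last two traces show that without the matching 192.168.113.0/24 and 192.168.116.0/24 routes on the 2911, replies from the corporate side follow its default route and never come back.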



  • @Derelict:

    But all you have to change is the interface from pfSense to the 2911 and add a couple routes.

    They don't even have to know you did it.  And it will all be proper and have multi-wan with failover.

    The only route they would need to add is one for the new interface addresses and that's only if they want to talk to them directly.  You could also just ask them for a third subnet out of 192.168.0.0/16 for your interface network between 2911 and pfSense.

    You're right and I am going to look into setting it up like you suggested. The issue I have right now is that they will notice as soon as I make the changes to the interface on the 2911, which will sever the connections to the SO and the Jail, which will set off a whole string of annoying calls et cetera. So what I am going to do is configure the 2911 to feed both the 113 and 116 subnets over one trunked port instead of the two separate ones they are feeding them over now. That will take a couple of minutes of downtime to reconfigure the interfaces, which I can schedule. Then I will have an extra interface on the 2911 I can use to set up the routes and the PFSense box and then switch it all over when I have determined it is working. So first I need to fix their old routing issue, then do what you suggested!

