Netgate Discussion Forum
    Do I need a DMZ ? a VLAN ? (only 2 physical interfaces)

    Category: OpenVPN
    4 Posts, 2 Posters, 1.0k Views
      dplat

      Hi, I have a computer running pfSense firewall only, with 2 physical Ethernet interfaces (1 LAN, 1 WAN).

      Every LAN computer behind the firewall transparently accesses the internet via OpenVPN.
      An OpenVPN client is configured in pfSense to access a VPN server service transparently.
      (If the VPN service goes down, I even have a pfSense rule which automatically disables Internet access from the LAN.)
      Everything works fine.

      Now the problem:
      I have a new computer which needs to access the internet directly (without OpenVPN) from behind the firewall.
      Of course, I don't want to turn off OpenVPN which is used by the LAN computers behind the firewall.

      How should I proceed?
      Do I need to create a DMZ and put this new computer in it?
      Do I need a VLAN? (I remind you that I only have 2 physical Ethernet interfaces)

      Moreover, if the VPN service for the LAN computers goes down, I don't want this new computer to be unable to access the internet too.

      I would be grateful if someone could give me the step-by-step procedure to follow.

      Thank you & Happy New Year!

        phil.davis

        Give that special computer a static-mapped DHCP address, so it always gets the same IP in LAN - "special LAN IP".
        Put a rule at the top of LAN that says source "special LAN IP", destination !LANnet, gateway WAN_GW
        That should direct traffic from that special IP to WAN, and all the rest can continue to follow the rules you have lower down for directing stuff to OpenVPN…

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          dplat

          @phil.davis:

          Give that special computer a static-mapped DHCP address, so it always gets the same IP in LAN - "special LAN IP".

          Ok, I have given this special computer a static IP address.
          Can I put this new computer in the same LAN as the others?
          @phil.davis:

          Put a rule at the top of LAN that says source "special LAN IP", destination !LANnet, gateway WAN_GW

          Ok, so you mean "Firewall, Rules, LAN", and then I create a rule for this special computer's IP before the other LAN computers' rules, right?
          If yes, what do you mean by "!LANnet"? Is it a special net I have to create? If yes, where in the menus?
          And "gateway WAN_GW"? Should I create a Gateway somewhere in the menus?
          Thank you Phil!

            phil.davis

            Yes, the computer stays in the ordinary LAN with the others - it just has a fixed known IP that makes it easy to match in a rule.

            create a rule for this special computer's IP before the other LAN computers' rules

            Yes

            If yes, what do you mean by "!LANnet"? Is it a special net I have to create? If yes, where in the menus?

            I mean, in the rule destination select LANnet from the dropdown list, and check the "not" checkbox.
            You do not want traffic from "special LAN IP" that is going to the pfSense LAN itself to be forced out WAN_GW

            And "gateway WAN_GW"? Should I create a Gateway somewhere in the menus?

            In the advanced section of rule definition there is a "Gateway" row - open that up and pick WAN_GW. That will force the matching traffic out WAN.

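The rule set Phil describes, modelled as an added example (not pfSense code and not from anyone in this thread) to show why the special host's rule must sit at the top of LAN and why its destination is negated with "!LANnet". The LAN subnet 192.168.1.0/24, the host address 192.168.1.50, the VPN gateway name VPN_GW and the shape of the existing VPN/kill-switch rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values: the thread never states the LAN subnet or the host's IP.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # "LANnet" in the rule editor
SPECIAL_IP = ipaddress.ip_network("192.168.1.50/32")  # the static-mapped host
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negated: bool = False      # the "not" checkbox on the destination
    gateway: Optional[str] = None  # Advanced > Gateway; None = normal routing


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    if src not in rule.src:
        return False
    return (dst in rule.dst) != rule.dst_negated


def route(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins (pfSense LAN rules are first-match); no match = default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, s, d):
            return "blocked" if r.action == "block" else (r.gateway or "default")
    return "blocked"


def lan_rules(vpn_up: bool, special_on_top: bool = True) -> List[Rule]:
    # Phil's rule: source = special host, destination = !LANnet, gateway = WAN_GW
    special = Rule("pass", SPECIAL_IP, LAN_NET, dst_negated=True, gateway="WAN_GW")
    # Assumed existing LAN rules: LAN-to-LAN via normal routing, everything else
    # via an assumed VPN gateway, replaced by a block rule when the VPN is down
    # (the original poster's kill switch).
    internet = Rule("pass", LAN_NET, ANY, gateway="VPN_GW") if vpn_up else Rule("block", LAN_NET, ANY)
    rest = [Rule("pass", LAN_NET, LAN_NET), internet]
    return [special] + rest if special_on_top else rest + [special]
```

With the rule on top, the special host reaches the internet via WAN_GW whether or not the VPN is up, while its traffic to the LAN itself is not forced out WAN; placed below the VPN rules it is captured by them instead.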

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.