Multi lan (VLAN) and multi wan
robik last edited by
I'm very frustrated with configuring our building with pfSense. Now we have new requirements and I can't configure it.
- 1 LAN NIC with configured VLANS (3 VLANS via OPT iface, assigned on NIC)
- 3 WAN NICs - 2 ISPs
We have lot of clients.
LAN_INTERNAL - internal clients - VLAN 10 - using LAN (servers, printers etc.) and WAN 1 for internet access.
LAN_VYT - internal clients - VLAN 15 - one department of internal clients - using LAN (servers, printers - the same as VLAN 10 clients) and WAN 2.
LAN_PUBLIC - public - VLAN 20 - public wifi for public clients to WAN 3.
LAN_PUBLIC is good, it uses its own IP and its own DHCP - I can set the gateway to WAN 3. No problem.
However, because I need to connect VLAN 10 and VLAN 15 (they both use the same printers and servers, and need to see each other), I configured a bridge - members are the interfaces with VLAN 10 and VLAN 15 assigned - and assigned it to a new LAN_BRIDGE interface. This interface has its own address (10.8.1.1/14) and its own DHCP (10.8.4.1 - 250). All is working well - clients on both VLANs are in the same subnet, they see each other, servers, printers etc. But I cannot set up using WAN 1 for VLAN 10 clients (LAN_INTERNAL) and WAN 2 for VLAN 15 clients (LAN_VYT), because all requests to the internet are sent from LAN_BRIDGE and I can't distinguish who is from VLAN 10 and who is from VLAN 15. I can set firewall rules on LAN_INTERNAL and LAN_VYT, but only for inter-LAN connections (those are requested from LAN_INTERNAL and LAN_VYT), not for the internet - those connections are requested from LAN_BRIDGE.
So - how can I set a different gateway for users on the LAN_VYT bridged interface?
Sorry for my bad English and my confused description. I hope it's understandable.
Thank you so much.
You can put filter rules on the member interfaces. You can just pass the traffic and set a mark, say INTERNAL and VYT, as appropriate. (Setting and matching marks is in the Advanced section, Advanced button of the rule settings)
Then, on your pass rules on the bridge interface, just make two. One that matches the mark INTERNAL and sets the gateway and one that matches the mark VYT and sets the other gateway. Or maybe one that matches a mark then below it another one for all other traffic regardless of mark so you don't bang your head against the wall later forgetting about all the marks.
Pretty sure you need net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both set to 1 for this to work.
Never tried this. Seems like it should work.
There are probably a bunch of different ways to do it.
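The mark-on-member, match-on-bridge approach described in this answer, written out as a hand-made pf.conf fragment. This is an added illustration, not code from this thread and not the ruleset pfSense generates from the GUI; the device names (igb0.10, igb0.15, bridge0, igb1, igb2), the gateway addresses and the LAN network derived from 10.8.1.1/14 are assumptions, and in pfSense the equivalent would be entered as firewall rules with a mark in the Advanced section plus the two tunables under System > Advanced > System Tunables.

```pf
# Added example: hand-written pf.conf fragment illustrating the tag/tagged
# approach from the answer above. Not from this thread or from pfSense's
# generated ruleset; interface names, gateways and the LAN network are assumed.
#
# Tunables (in pfSense: System > Advanced > System Tunables):
#   net.link.bridge.pfil_member=1    # filter on the member (VLAN) interfaces
#   net.link.bridge.pfil_bridge=1    # filter on the bridge interface itself

vlan10  = "igb0.10"      # LAN_INTERNAL member (assumed device name)
vlan15  = "igb0.15"      # LAN_VYT member (assumed device name)
bridge  = "bridge0"      # LAN_BRIDGE, 10.8.1.1/14
wan1_if = "igb1"         # WAN 1 (assumed)
wan1_gw = "203.0.113.1"  # WAN 1 gateway (constructed documentation address)
wan2_if = "igb2"         # WAN 2 (assumed)
wan2_gw = "198.51.100.1" # WAN 2 gateway (constructed documentation address)
lan_net = "10.8.0.0/14"  # network containing 10.8.1.1/14

# Step 1: on each member interface, pass traffic and attach a mark (tag).
pass in quick on $vlan10 from any to any tag INTERNAL keep state
pass in quick on $vlan15 from any to any tag VYT      keep state

# Step 2a: on the bridge, let inter-LAN traffic (printers, servers) use the
# normal route. This must come first: "quick" stops at the first match.
pass in quick on $bridge from $lan_net to $lan_net keep state

# Step 2b: policy-route internet-bound traffic according to its mark.
pass in quick on $bridge route-to ($wan1_if $wan1_gw) from $lan_net to any tagged INTERNAL keep state
pass in quick on $bridge route-to ($wan2_if $wan2_gw) from $lan_net to any tagged VYT      keep state

# Step 2c: catch-all for anything that carries no mark, so an overlooked
# mark does not silently drop traffic.
pass in quick on $bridge from $lan_net to any keep state
```

Rule order is the part to get right: because every rule is `quick`, the inter-LAN rule has to sit above the `route-to` rules, otherwise VLAN 10 to VLAN 15 traffic would be pushed out a WAN. The catch-all at the bottom is the "all other traffic regardless of mark" rule the answer suggests.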
robik last edited by
Thanks a lot for reply.
Wow, nice feature, I never heard about this in pfSense, thanks for the info.
But it's unusable in this case - I don't know why, but all packets from a member interface to the internet bypass the member interface firewall rules. For example, if I set a deny rule for ICMP to 220.127.116.11 on a member interface, ping still works, and in the firewall log the source interface is LAN_BRIDGE.
I'm logging all rules now on the member interfaces and LAN_BRIDGE, and it seems like all internal traffic between the LANs has source interface LAN_VYT or LAN_INTERNAL, but if it's traffic to the internet, the source interface in the log is LAN_BRIDGE.
Example 2 - if I delete the any-any-any pass rule from a member interface, I cannot access from LAN_INTERNAL to LAN_VYT and vice versa. But I can still access the internet.
EDIT: And yes, I have net.link.bridge.pfil_member and net.link.bridge.pfil_bridge both set to 1.