• Scenario. My pfsense with DHCP has 2 nics one external 1 internal, with a 192.168.1.* network (office)

    I want to now add a 192.168.5.network would I need add another NIC for this (ip cameras) , therefore

    1 external, 1 int for 192.168.1.* and the 2nd for 192.168.2.* network.

    My goal is to create another subnet for ipcams with hopes this new subnet will not bog down the 192.168.1.* network

  • LAYER 8 Netgate

    Bog down?

    If anything having to go through your firewall to get at the cameras would slow things down.

    If you're approaching 100Mbit/s on 100Mbit ethernet, go gigabit.  If not, don't hassle it.

  • I really only plan on using PF sense for DHCP to send out addresses and to conenct the cams to the wan for external viewing.

  • LAYER 8 Netgate

    I don't know why you would want two separate interfaces.  It's easier to traffic shape on one, should that be necessary.

    Put your cameras on specific IP addresses on your LAN and you can put rules in just for them without having to deal with separate interfaces.

  • I'd be tempted to do just one LAN too, use a switch instead of hubs to keep the camera data from clogging up your network. Good switches are cheap these days.

    If you do two LANs then the camera traffic can be put on the second one as long as the camera's host is also on the second LAN. The only traffic you'd see on your primary LAN would be from you viewing the camera data. If the host is on your primary LAN then all the camera data would have to pass through the firewall and both LANs.

  • Why not just put the cameras on a separate VLAN sharing the same interface as your current LAN?  You just need a switch that can pass VLAN tags which you can get for pretty cheap these days.

  • Netgate Administrator

    I would probably choose a VLAN here. If only because it isolates your LAN from the cameras which I would have to consider a security risk if they're externally accessible. Also that means you don't need seperate cabling back to the firewall.


  • Hello,

    I really would in normal suggest, to place the Cameras and a storage like a NAS inside of
    a DMZ and let them then there able to connect to the Internet, this is not affecting the
    LAN side and is also more secure as I see it right.

    But related to the missing ports to do so, I would also recommend to set up VLANs and
    then only connecting via VPN to the pfSense from the outside, this will be securing the entire
    LAN but otherwise you are able to connect to the cameras also.

    It must not be that the pfSense is routing alone the entire LAN traffic. A DGS-1500-20 Switch
    from D-Link is offering much more ports then others and also 2 SFP+ Ports for under 200 €!
    20 x 10/100/1000 RJ45 Ports
    2 x SFP Ports
    2 x SFP+ Ports
    1 x RJ45 Console Port

    Layer3 feature set and able to route the VLANs selfs!
    This can also be taking load from the pfSense firewall.