Netgate Discussion Forum

    Having 2 subnets

    8 Posts 6 Posters 1.4k Views
      nambi

      Scenario: my pfSense with DHCP has 2 NICs, one external and 1 internal, with a 192.168.1.* network (office).

      I now want to add a 192.168.5.* network. Would I need to add another NIC for this (IP cameras)? Therefore:

      1 external, 1 int for 192.168.1.* and the 2nd for 192.168.2.* network.

      My goal is to create another subnet for IP cams, with hopes this new subnet will not bog down the 192.168.1.* network.

        Derelict LAYER 8 Netgate

        Bog down?

        If anything having to go through your firewall to get at the cameras would slow things down.

        If you're approaching 100Mbit/s on 100Mbit ethernet, go gigabit.  If not, don't hassle it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          nambi

          I really only plan on using pfSense for DHCP to send out addresses and to connect the cams to the WAN for external viewing.

            Derelict LAYER 8 Netgate

            I don't know why you would want two separate interfaces.  It's easier to traffic shape on one, should that be necessary.

            Put your cameras on specific IP addresses on your LAN and you can put rules in just for them without having to deal with separate interfaces.

              stan-qaz

              I'd be tempted to do just one LAN too, use a switch instead of hubs to keep the camera data from clogging up your network. Good switches are cheap these days.

              If you do two LANs then the camera traffic can be put on the second one as long as the camera's host is also on the second LAN. The only traffic you'd see on your primary LAN would be from you viewing the camera data. If the host is on your primary LAN then all the camera data would have to pass through the firewall and both LANs.

                JimPhreak

                Why not just put the cameras on a separate VLAN sharing the same interface as your current LAN?  You just need a switch that can pass VLAN tags which you can get for pretty cheap these days.

                  stephenw10 Netgate Administrator

                  I would probably choose a VLAN here, if only because it isolates your LAN from the cameras, which I would have to consider a security risk if they're externally accessible. Also, that means you don't need separate cabling back to the firewall.

                  Steve

                    Guest

                    Hello,

                    Normally I really would suggest placing the cameras and storage such as a NAS inside
                    a DMZ and letting them connect to the Internet from there; this does not affect the
                    LAN side and is also more secure, as I see it.

                    But given the missing ports to do so, I would also recommend setting up VLANs and
                    then only connecting via VPN to the pfSense from the outside; this will secure the entire
                    LAN, but you are still able to connect to the cameras.

                    It must not be that the pfSense alone routes the entire LAN traffic. A DGS-1500-20 switch
                    from D-Link offers many more ports than others and also 2 SFP+ ports for under 200 €!

                    DGS-1500-20
                    20 x 10/100/1000 RJ45 Ports
                    2 x SFP Ports
                    2 x SFP+ Ports
                    1 x RJ45 Console Port

                    Layer 3 feature set and able to route the VLANs itself!
                    This can also take load off the pfSense firewall.
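
An added example, not part of any post in this thread: a small Python check of the isolation a camera VLAN is meant to provide, modelling first-match, default-deny rule evaluation on the camera interface. The subnets follow the thread (192.168.1.* office LAN, 192.168.2.* cameras); the rule tuples, rule sets and function names are assumptions made for illustration, not pfSense's configuration format.

```python
import ipaddress

# Constructed example: subnets follow the thread; the (action, src, dst, port)
# rule tuples are an assumed format, not pfSense's own configuration schema.
LAN = ipaddress.ip_network("192.168.1.0/24")   # office
CAM = ipaddress.ip_network("192.168.2.0/24")   # IP cameras
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(rules, src, dst, port):
    """Action of the first rule matching the packet; nothing matched means block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst, r_port in rules:
        if src in r_src and dst in r_dst and r_port in (None, port):
            return action
    return "block"

def intersect(a, b):
    """CIDR blocks either nest or are disjoint, so the overlap is the smaller one."""
    if not a.overlaps(b):
        return None
    return a if a.subnet_of(b) else b

def leaks(rules, src_net, dst_net):
    """Indexes of pass rules that let src_net reach dst_net and are not fully
    covered by one earlier block rule. Conservative: coverage split across
    several block rules is still reported."""
    found = []
    for i, (action, r_src, r_dst, r_port) in enumerate(rules):
        s, d = intersect(r_src, src_net), intersect(r_dst, dst_net)
        if action != "pass" or s is None or d is None:
            continue
        shadowed = any(
            a == "block" and s.subnet_of(bs) and d.subnet_of(bd) and bp in (None, r_port)
            for a, bs, bd, bp in rules[:i]
        )
        if not shadowed:
            found.append(i)
    return found

# Weak: "cameras to any" on the camera interface also reaches the office LAN.
CAM_RULES_WEAK = [("pass", CAM, ANY, None)]
# Corrected: block cameras to the LAN first, then allow everything else.
CAM_RULES_FIXED = [("block", CAM, LAN, None), ("pass", CAM, ANY, None)]

if __name__ == "__main__":
    print("weak leaks:", leaks(CAM_RULES_WEAK, CAM, LAN))
    print("fixed leaks:", leaks(CAM_RULES_FIXED, CAM, LAN))
```

The same check applies to a single flat LAN with cameras on fixed addresses only for traffic that crosses the firewall; hosts on the same subnet reach each other through the switch without being filtered.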

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.