2 subnets on the same physical ethernet network.



  • Dear All,

    With your knowleadge  and wisdom  you can probably help me on this.

    I have 2 subnets, 10.0.0.0/24 and 192.168.1.0/24, operating on the same physical ethernet network (switch 10/100/1000), these are 2 Windows 2000 domains that don't see each other. On the 10.0.0.0/24 subnet I have a router, Cisco with dedicated line, that deliveries access to the internet to this network. On the 192.168.1.0/24 I've only a router that deliveries access to another office via a WAN connection. What I wanted, if possible, was to setup a pfSense machine with 2 lan nics, one with an IP of the 10.0.0.0/24 network working like the Internet connection (with the default gateway pointing to the Cisco router, using the ISP DNS's and a static route to the WAN router of the 192.168.1.0/24) and the other nic with an IP from the 192.168.1.0/24, both connected to the same switch, so that machines from the 192.168.1.0/24 network using the pfSense machine as default gateway can access the Internet and still have access to the WAN office connection. This was no problem if the 2 subnets were on different physical segments and pfSense worked like router/NAT device.

    My question is: thus this will work on the same physical network without any problems?

    Thanks in advance for your help and support, any tip, trick or something else will be higly appreciated.

    Best Regards,
    Joao



  • Mind explain:

    1. why you want to have both networks on the "same physical network"?

    2. Right now how machines in 192.168.1.0/24 connects to the Internet? Or they don't have Internet access at all????

    If you can draw two network diagrams (e.g. current situation, and what you like to change), it might help. Your description is VERY confusing. The only part I can understand is 10.0.0.0/24 has Internet connection through a Cisco router (e.g. 10.0.0.0/24 –> Cisco router --> ISP Gateway IP address --> Internet).

    What about 192.168.1.0/24?? Is it currently 192.168.1.0/24  --> router --> WAN VPN ---> remote office subnet (which doesn't have Internet connection).



  • is  this what you need? (see picture)

    that can pfsense do as a router





  • Hi namezero, jeroen234,

    You almost get there.

    I hope I can help you help me.

    1. At this time I can't physically separate both the 2 networks (subnets).

    2. My router in 10.0.0.0/24 as IP 10.0.0.1 and is the default gateway for this network, providing Internet access, the are a few machines here, includin an W2k server and some MAC's, all of them use static IPs, the DNS is provided by W2k server, no DHCP server on this subnet.

    3. My router in 192.168.1.0/24 as IP 192.168.1.254 and at this time is the default gateway for this network and it gives access to a remote office, DHCP and DNS are provided by a W2k server, clients use DHCP and have no Internet access.

    4. What I would like? Install a pfSense box with 2 NICs, one would have IP 10.0.0.2/24, would use this NIC like the WAN(Internet) link, static IP, default gateway to 10.0.01/24 and the DNS servers provided by 10.0.0.1. The 2nd NIC would have IP 192.168.1.2/24 and would work as the default gateway for the 192.168.1.0/24 with no aditional service except a static route for the remote office (ex. 192.168.0.0/24) via 192.168.1.254. The machines from 192.168.1.0/24 would access the internet via pfSense and the remote office via 192.168.1.254 (the pfSense would redirect the traffic for this network). The only problem that I can see arrising is having both the NICs from pfSense box conected to the same physical network???!!!

    5. I'll try to make a scheme (I'm not to good at this) to easy understand the concept.

    Hope this helps.

    Cheers,
    Joao



  • Hi again,

    Hope this helps to:

    Cheers,
    Joao







  • Hi Hoba,

    That's probably what I need, thanks for your tip, I'll get back to say if this worked after a lab test.

    Just one more question, is it wise/safe to use pfSense beta 2 in a prodution environment?

    Best Regards,
    Joao



  • I have several pfSense installs in production environments. One of my systems even has an uptime of http://pfsense.com/~hoba/145days.gif  ;D (I didn't fake anything, the syste just has no timeserver, that's why the systems time is not correct)
    My other systems are up to date and I have no issues with them either. However, there is of course no warrenty.



  • Hi Hoba,

    Thanks once more, it worked.

    By the way, in this test rig I installed the Squid Package (it would be very nice if I could use Squid)  and I'm having some problems:

    1. Squid is working with NO transparent, but without define the proxy at my Browser (firefox) I cannot access the Internet, at least port 80, also doing a telnet <site>80 doesn't work. With the proxy manually declared browsing is OK.

    2. Accessing a FTP site through Firefox with the proxy manually configured it gives access denied, even I can't see what could be preventing this, also accessing a FTP site via commnad prompt (ftp ftp.telepac.pt) works.

    Can you help me on this?

    Cheers,
    Joao</site>



  • Hi again,

    There are some problems with the Squid package (or maybe not) and probably the inerent rules it creates (that I don't know how to see them).

    To have access from a workstation to the Net (HTTP, HTTPS, FTP) with or without Squid I had to:

    1. configure Squid in transparent mode (still I can use it manually by chosing de IP from pfSense and the port 3128 (I usualy chnage the Squid port to 3328).

    2. Service -> Squid ->Network Access Control - Allowed Subnets -> 192.168.1.0/255.255.255.0

    3. Edit /usr/local/etc/squid/squid.conf and change the line "http_access deny !pf_networks" to "http_access allow pf_networks". This was the only way I found to get HTTPS and FTP, besides HTTP, working under Firefox with a manually configured proxy.

    I don't know if this helps anyone or anyone can help me.

    Best Regards,
    Joao


Locked