2 subnets on the same physical ethernet network.

  • Dear All,

    With your knowleadge  and wisdom  you can probably help me on this.

    I have 2 subnets, and, operating on the same physical ethernet network (switch 10/100/1000), these are 2 Windows 2000 domains that don't see each other. On the subnet I have a router, Cisco with dedicated line, that deliveries access to the internet to this network. On the I've only a router that deliveries access to another office via a WAN connection. What I wanted, if possible, was to setup a pfSense machine with 2 lan nics, one with an IP of the network working like the Internet connection (with the default gateway pointing to the Cisco router, using the ISP DNS's and a static route to the WAN router of the and the other nic with an IP from the, both connected to the same switch, so that machines from the network using the pfSense machine as default gateway can access the Internet and still have access to the WAN office connection. This was no problem if the 2 subnets were on different physical segments and pfSense worked like router/NAT device.

    My question is: thus this will work on the same physical network without any problems?

    Thanks in advance for your help and support, any tip, trick or something else will be higly appreciated.

    Best Regards,

  • Mind explain:

    1. why you want to have both networks on the "same physical network"?

    2. Right now how machines in connects to the Internet? Or they don't have Internet access at all????

    If you can draw two network diagrams (e.g. current situation, and what you like to change), it might help. Your description is VERY confusing. The only part I can understand is has Internet connection through a Cisco router (e.g. –> Cisco router --> ISP Gateway IP address --> Internet).

    What about Is it currently  --> router --> WAN VPN ---> remote office subnet (which doesn't have Internet connection).

  • is  this what you need? (see picture)

    that can pfsense do as a router

  • Hi namezero, jeroen234,

    You almost get there.

    I hope I can help you help me.

    1. At this time I can't physically separate both the 2 networks (subnets).

    2. My router in as IP and is the default gateway for this network, providing Internet access, the are a few machines here, includin an W2k server and some MAC's, all of them use static IPs, the DNS is provided by W2k server, no DHCP server on this subnet.

    3. My router in as IP and at this time is the default gateway for this network and it gives access to a remote office, DHCP and DNS are provided by a W2k server, clients use DHCP and have no Internet access.

    4. What I would like? Install a pfSense box with 2 NICs, one would have IP, would use this NIC like the WAN(Internet) link, static IP, default gateway to 10.0.01/24 and the DNS servers provided by The 2nd NIC would have IP and would work as the default gateway for the with no aditional service except a static route for the remote office (ex. via The machines from would access the internet via pfSense and the remote office via (the pfSense would redirect the traffic for this network). The only problem that I can see arrising is having both the NICs from pfSense box conected to the same physical network???!!!

    5. I'll try to make a scheme (I'm not to good at this) to easy understand the concept.

    Hope this helps.


  • Hi again,

    Hope this helps to:


  • This will suppress ARP messages when interfaces share the same physical network". This is exactly what you need. pfSense has no problems being connected to the same layer2 network with multiple interfaces and this option will prevent your logs from being spammed about notices.

  • Hi Hoba,

    That's probably what I need, thanks for your tip, I'll get back to say if this worked after a lab test.

    Just one more question, is it wise/safe to use pfSense beta 2 in a prodution environment?

    Best Regards,

  • I have several pfSense installs in production environments. One of my systems even has an uptime of http://pfsense.com/~hoba/145days.gif  ;D (I didn't fake anything, the syste just has no timeserver, that's why the systems time is not correct)
    My other systems are up to date and I have no issues with them either. However, there is of course no warrenty.

  • Hi Hoba,

    Thanks once more, it worked.

    By the way, in this test rig I installed the Squid Package (it would be very nice if I could use Squid)  and I'm having some problems:

    1. Squid is working with NO transparent, but without define the proxy at my Browser (firefox) I cannot access the Internet, at least port 80, also doing a telnet <site>80 doesn't work. With the proxy manually declared browsing is OK.

    2. Accessing a FTP site through Firefox with the proxy manually configured it gives access denied, even I can't see what could be preventing this, also accessing a FTP site via commnad prompt (ftp ftp.telepac.pt) works.

    Can you help me on this?


  • Hi again,

    There are some problems with the Squid package (or maybe not) and probably the inerent rules it creates (that I don't know how to see them).

    To have access from a workstation to the Net (HTTP, HTTPS, FTP) with or without Squid I had to:

    1. configure Squid in transparent mode (still I can use it manually by chosing de IP from pfSense and the port 3128 (I usualy chnage the Squid port to 3328).

    2. Service -> Squid ->Network Access Control - Allowed Subnets ->

    3. Edit /usr/local/etc/squid/squid.conf and change the line "http_access deny !pf_networks" to "http_access allow pf_networks". This was the only way I found to get HTTPS and FTP, besides HTTP, working under Firefox with a manually configured proxy.

    I don't know if this helps anyone or anyone can help me.

    Best Regards,