Netgate Discussion Forum
    LAN and OPT1 routing on the same VLAN

    Category: NAT. 6 Posts, 2 Posters, 1.7k Views
    jasonsfirewall:

      Hello everyone. I'm having some difficulty configuring pfSense with a WAN/LAN/OPT1 and soon to be OPT2 interface. I've tried several things from the forum which have not worked for me.

      I'm running the latest code on a VM 2.2.3-RELEASE.

      The WAN link is on a separate VLAN to the internet.

      The LAN link and OPT1 LINK are on the same VLAN with different subnets.

      WAN=10.243.40.0/24
      LAN=172.16.0.0/16
      OPT1=10.10.10.0/24

      I have two VMs connected on the 10.10.10.x network running Cisco IronPort AsyncOS. One of them runs fine; the other one drops all connectivity after 15 minutes or so. If I reboot pfSense it immediately restores connectivity to the VM?

      Also SSH gets dropped after about 15 minutes to both VMs even if the sessions are active. I can reconnect to VM1 fine via HTTPS, SSH and ICMP. VM2 is completely knocked out; however, after some period of time, like 1 hour, the VM will come back for 15 minutes or so.

      Ideas from the forum I have tried:

      • Set Firewall Optimization Options to conservative. (SSH was only lasting about 3-5 minutes before this change, now it lasts 15 minutes?)
      • Disabled Firewall Scrub
      • Enabled Clear invalid DF bits instead of dropping the packets
      • Disable hardware checksum offload
      • Disabled Static route filtering and I created two new GWs and routes which I'm not sure are correct but didn't change anything.

      These are the routes I created:

      Network        Gateway               Interface   Description
      172.0.0.0/16   MGMTGW - 10.10.10.1   OPT1
      10.10.0.0/24   LANGW - 172.16.0.1    LAN

      Does anyone have any ideas? thank you very much

      Derelict (LAYER 8 Netgate):

        Why do you want two layer 3 networks on the same layer 2 network?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        jasonsfirewall:

          I've been using pfSense in my test lab using just the WAN/LAN and it's working great of course. I've added some appliances into the LAB and I'm wanting to simulate a management network and a DMZ (OPT1 and 2). Then I can test routing mail in my LAB etc.

          I guess now I don't really know if that is possible? However it's working fine on one of the VMs and not the other?

          I was trying to keep it simple just using one NIC but as it turns out I guess it's not so simple.

          Derelict (LAYER 8 Netgate):

            You can use one NIC. The purpose of VLANs is to put multiple layer 2 networks on one physical port.

            With VMware you have two choices:

            • Create multiple VLANs in the vSwitch and create NICs to give to pfSense. You will not create VLANs on pfSense in that case - the vSwitch will put the traffic on the right VLAN.

            • Create one interface on VLAN 4095 and give that to pfSense. The vSwitch will treat that as a tagged port and all VLANs will be tagged to pfSense. You will create VLANs in pfSense and assign them to pfSense interfaces as if it was a physical port receiving tagged traffic from a switch.

            [attached image: VLAN-pfSense.png]


            jasonsfirewall:

              Oh ::) I didn't think of using one NIC. OK, thanks, let me try that.

              Derelict (LAYER 8 Netgate):

                You still need two VLANs.

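The point Derelict makes in the two replies above (two layer 3 subnets on one layer 2 segment give you no isolation; each pfSense interface needs its own VLAN) can be checked mechanically before building the vSwitch. The following Python lint is an added example, not code from the thread or from pfSense; the VLAN ids in the sample plans are assumed, since the thread never states them, and only the subnets come from the original post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str     # pfSense interface name
    vlan: int     # 802.1Q tag the vSwitch (or pfSense) puts this interface on
    subnet: str   # network in CIDR form


def lint_plan(ifaces):
    """Return human-readable findings for an interface plan; an empty list means clean."""
    findings = []
    nets = [(i, ipaddress.ip_network(i.subnet, strict=True)) for i in ifaces]

    # Finding 1: several layer 3 networks sharing one layer 2 segment.
    # Without a separate VLAN a host in one subnet can simply add an address from
    # the other; that traffic never crosses the firewall, so there is no segmentation.
    by_vlan = {}
    for i in ifaces:
        by_vlan.setdefault(i.vlan, []).append(i.name)
    for vlan, names in sorted(by_vlan.items()):
        if len(names) > 1:
            findings.append(f"VLAN {vlan} carries {len(names)} L3 networks "
                            f"({', '.join(names)}): give each its own VLAN")

    # Finding 2: overlapping address space between interfaces (ambiguous routing).
    for a, (ia, na) in enumerate(nets):
        for ib, nb in nets[a + 1:]:
            if na.overlaps(nb):
                findings.append(f"{ia.name} ({na}) overlaps {ib.name} ({nb})")
    return findings


# Constructed sample: the OP's layout; VLAN ids are assumed (the thread gives none).
AS_POSTED = [
    Iface("WAN", 40, "10.243.40.0/24"),
    Iface("LAN", 10, "172.16.0.0/16"),
    Iface("OPT1", 10, "10.10.10.0/24"),   # same VLAN as LAN: the reported setup
]
# The layout Derelict recommends: one tagged NIC, one VLAN per interface.
SEPARATED = [
    Iface("WAN", 40, "10.243.40.0/24"),
    Iface("LAN", 10, "172.16.0.0/16"),
    Iface("OPT1", 20, "10.10.10.0/24"),
]

if __name__ == "__main__":
    for label, plan in (("as posted", AS_POSTED), ("separated", SEPARATED)):
        print(label, lint_plan(plan) or ["ok"])
```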
