pfSense with WAN (NIC 1) and routing between two networks (NIC 2 and 3)



  • I have a server with three NICs running pfSense. The first NIC connects to my ISP, the second NIC connects to local computers in my office (LAN-1). For the third NIC (LAN-2), I have connected it to a computer and I want it to be able to connect to the second NIC (LAN-1) as well as the first (WAN).

    NIC 1 = gateway  = WAN
    NIC 2 = LAN-1  = 172.30.0.3/16
    NIC 3 = LAN-2  = 172.40.0.3/16

    Problem is that I can ping LAN-2 (172.40.0.3) from LAN-1 (172.30.0.0/16) but I cannot ping or trace anything from LAN-2 to LAN-1, or even to the internet. When I ping from LAN-2, there is no reply, not even a timeout.. it stays blank till I disconnect and it gives a destination host unreachable message.

    The pfSense version is 2.2.3-RELEASE (amd64).

    Kindly help me out.


  • Netgate

    You need firewall rules on LAN-2.  Mirror what is on LAN-1 for starters (adjusted for LAN-2 of course).

    And 172.40.0.0/16 is not private IP space.  You have 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
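
The two checks in the reply above, as an added example that is not from the thread or from pfSense itself: it flags a LAN whose subnet is outside RFC 1918, a LAN with no firewall rules at all (pfSense's default deny then silently drops everything from it, which matches the "no reply, not even a timeout" symptom), overlapping subnets, and it mirrors LAN-1's rules onto LAN-2 with the interface name and network substituted. The rule strings are a constructed, simplified pf-style notation, not pfSense's own config format.

```python
from ipaddress import ip_network

# RFC 1918 private ranges; 172.40.0.0/16 falls outside the 172.16.0.0/12 block.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ip_network(cidr, strict=False)  # accept the interface-address form, e.g. 172.30.0.3/16
    return any(net.subnet_of(r) for r in RFC1918)

def audit(lans, rules):
    """lans: interface name -> CIDR of the NIC; rules: interface name -> list of pass rules.
    Returns a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    nets = {name: ip_network(c, strict=False) for name, c in lans.items()}
    for name, net in nets.items():
        if not is_rfc1918(net):
            findings.append(f"{name}: {net} is not RFC 1918 private space")
        if not rules.get(name):
            # pfSense denies by default, so a LAN with no pass rule sends nothing anywhere.
            findings.append(f"{name}: no firewall rules, traffic from {net} hits default deny")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings

def mirror_rules(rules, src_if, dst_if, src_cidr, dst_cidr):
    """Copy one LAN's pass rules to another LAN, substituting interface and network
    ('mirror what is on LAN-1, adjusted for LAN-2')."""
    src_net, dst_net = ip_network(src_cidr, strict=False), ip_network(dst_cidr, strict=False)
    return [r.replace(f"on {src_if}", f"on {dst_if}").replace(str(src_net), str(dst_net)) for r in rules]

# Constructed sample: the poster's original layout, LAN-2 with no rules at all.
ORIGINAL_LANS = {"LAN-1": "172.30.0.3/16", "LAN-2": "172.40.0.3/16"}
ORIGINAL_RULES = {"LAN-1": ["pass in quick on LAN-1 from 172.30.0.0/16 to any keep state"], "LAN-2": []}

# The layout after the fix: LAN-2 renumbered to 10.30.0.0/16 and LAN-1's rules mirrored.
FIXED_LANS = {"LAN-1": "172.30.0.3/16", "LAN-2": "10.30.0.3/16"}
FIXED_RULES = {"LAN-1": ORIGINAL_RULES["LAN-1"],
               "LAN-2": mirror_rules(ORIGINAL_RULES["LAN-1"], "LAN-1", "LAN-2", "172.30.0.3/16", "10.30.0.3/16")}

if __name__ == "__main__":
    for f in audit(ORIGINAL_LANS, ORIGINAL_RULES):
        print("before:", f)
    print("after:", audit(FIXED_LANS, FIXED_RULES) or "no findings")
```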



  • Thanks so much.

    This worked for me, I changed the LAN-2 network to 10.30.0.0/16.
    And replicated the rules as you specified.
    Everything works fine, both networks are accessible and able to reach the internet on both LANs.

    I'm grateful.


  • Rebel Alliance Global Moderator

    "i changed the LAN-2 network to 10.30.0.0/16."

    What is it with people and such HUGE as networks.. You have anything close to 65K devices.. Why would you use a /16 ???



  • Johnpoz, this network is experimental and is being used to simulate a private cloud using OpenStack.
    Therefore, we are expected to virtualize as many VMs as possible.
    So yes, we could possibly hit 65k VMs to test the strength of the infrastructure for the private cloud.


  • Rebel Alliance Global Moderator

    really - well I sure wouldn't put 65K anything on the same broadcast domain that is for sure!!!

    Just arp traffic alone would be freaking crazy!!

    Sure hope they are not windows machines – the announcements and searching for wpad  would be freaking nuts ;)

    Is that a summary and you have downstream routing going on?