How to get 3 networks routing
-
Hidy ho all,
I have a VirtualBox network, where I have 3 machines on the LAN of my VirtualBox pfSense machine. These 3 machines access the internet through the LAN interface on the pfSense machine I set up.
I use these 3 machines for testing various software before installing that software on clients machines.
Now, I wanted to try and create a virtual network with 1 server and a few clients, using the same pfSense VM as the router between that network and my physical WAN. Trouble is, I can't seem to find how to add another LAN port to the pfSense VM.
Is this something that can be done? If so then how?
-
Add another NIC to your pfSense VM and link it to a new instance of intnet. I usually use VMware but when I was playing with VB I had my WAN bridged to real LAN, LAN was intnet1 and my DMZ for servers was intnet2. When adding your new server VMs, make sure to specify their NICs are on intnet2.
-
Thanks for this reply.
My VM's WAN interface is using a bridged adapter to my local LAN. And the current LAN interface is using VirtualBox's internal network 1. I wanted this second interface to use internal network 2 (I'm not great at naming things).
So how do you link that third interface to intnet?
-
I haven't played with VBox in a while but don't you just edit the virtual machine and add a network adapter, then select the network it's on?
-
Yeah, it's that simple. And I did set up the new interface for that already. But the trouble is, it's not routing to the WAN interface.
-
Since you have set up the default gateway in pfSense already, there is no special routing necessary for the additional interfaces.
You just have to add a firewall rule to it to permit access to the internet. On the LAN interface there is a default any-to-any rule. On additional interfaces you have to add it yourself. Consider that these rules also permit traffic between both LAN interfaces. If you don't want this, you have to edit your ruleset to block it.
-
Ah, now I see. I'll give that rule a go and see what happens.
Edit:
Just so I'm clear on this rule I need to create.
I need to pass data from this third interface Network (I called it "3rdInterface") to the wan network.
And I need to pass data from the wan network to the third interface network. Do I have about right?
-
And I need to pass data from the wan network to the third interface network. Do I have about right?
If you have servers that you want to be accessible from WAN then yes, you need rules on the WAN interface to allow it. Otherwise, all return traffic from your LANs is automatically allowed back in WAN.
-
So I only need a rule on the interface to send traffic to the WAN, then all return traffic will be automatically allowed back through?
Also, should the rule be interface to interface, network to network, 3rd interface's network to the wan interface, or some other combination?
-
So I only need a rule on the interface to send traffic to the WAN, then all return traffic will be automatically allowed back through?
Yes. That's what a stateful firewall does: it tracks the state between two communicating endpoints and allows them to talk without having strictly defined rules for everything.
Also, should the rule be interface to interface, network to network, 3rd interface's network to the wan interface, or some other combination?
That depends on what you want to accomplish.
-
So I only need a rule on the interface to send traffic to the WAN, then all return traffic will be automatically allowed back through?
Yes, this is the default behaviour on a firewall.
Also, should the rule be interface to interface, network to network, 3rd interface's network to the wan interface, or some other combination?
That depends on what you really want.
If you want access to anywhere, to WAN addresses and also to the other LAN, then add an any-to-any rule.
If you don't want to allow access to the other LAN, you may exclude it by checking "not" at destination and entering the LAN net below. Don't select "WAN address" or "WAN net" at destination! This would just allow access to the interface address itself or the subnet you have defined on it.
-
See now, that second question was more of a best practices question than anything else.
So the best practices would be saying where you don't want a network to have access to? Instead of saying where you want it to have access to?
I thought there was an implicit deny where you didn't expressly tell it to allow through traffic. Or is that only on Cisco routers?
-
No, also on pfSense everything is denied if it isn't explicitly allowed.
The mentioned case is just an exception in an allow rule. This will be the shortest way to reach your goal.
You may also add an additional block rule for the other LAN and set it at the top of the ruleset.
-
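For readers who want to see what the two rule options above (the "not LAN net" exception, and the explicit block on top) amount to once pfSense compiles them, here is the equivalent pf ruleset written out by hand. This is an added illustration, not something posted in this thread or generated by the poster's firewall. The interface names and subnets are assumptions chosen for the example: WAN = em0 (bridged), LAN = em1 (intnet1, 192.168.1.0/24), 3rdInterface = em2 (intnet2, 192.168.2.0/24).

```pf
# Added example, not from the thread. Interface names and subnets are assumed:
#   em0 = WAN (bridged to the physical LAN)
#   em1 = LAN (intnet1, 192.168.1.0/24)
#   em2 = 3rdInterface (intnet2, 192.168.2.0/24)

# pfSense's implicit default: anything not explicitly passed is dropped.
block in log all

# WAN (em0): no inbound rules. Replies to sessions opened from the LANs
# are matched by the state table, so nothing needs to be passed here
# unless a server must be reachable from outside.

# LAN (em1): the "any to any" rule pfSense creates by default.
pass in quick on em1 inet from 192.168.1.0/24 to any keep state

# 3rdInterface (em2), variant A, one rule with an exception:
# GUI: Pass, source "3rdInterface net", destination "not" + "LAN net".
pass in quick on em2 inet from 192.168.2.0/24 to ! 192.168.1.0/24 keep state

# 3rdInterface (em2), variant B, block rule on top, then allow everything:
# block in quick on em2 inet from 192.168.2.0/24 to 192.168.1.0/24
# pass  in quick on em2 inet from 192.168.2.0/24 to any keep state

# What NOT to do: destination "WAN net" is only the bridged upstream subnet
# and "WAN address" only the firewall's own WAN IP. With the assumed
# 192.168.0.0/24 upstream, this rule never reaches the internet:
# pass in quick on em2 inet from 192.168.2.0/24 to 192.168.0.0/24 keep state
```

Two caveats worth knowing. Both variants only stop hosts on 3rdInterface from opening connections to LAN; LAN hosts can still reach 3rdInterface through the LAN any-to-any rule, and those replies are allowed by state, so block in both directions if the networks must be fully separated. No NAT change is needed for the new network: pfSense's automatic outbound NAT already translates every locally attached subnet, including OPT interfaces, on the way out of WAN.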
Ok, well I think I might need to clarify something. The WAN address is what my local LAN DHCP server gives to the shared interface.
That said, my goal is to get network traffic to flow from the 3rd interface network through the wan interface, onto my local lan. So that it can then get to the internet.
This has actually been very educational on how pfSense works thus far. Thanks for the help up to this point everyone!
I'm trying to get a generic rule setup to where that 3rd interface allows all traffic to flow through it.
Edit: whelp, I managed to mess something up. I was messing around in the management portal, and started updating interfaces. Never touched the IP address, but I used the 'add local mac address' link to get all the interface fields as filled out as I could. And now none of my interfaces can connect to anything.
So very glad this is a virtual machine and not a production machine. I can just do a factory reset when I mess up something like this.
-
Just add an Allow All rule for your new network just like what you see under Firewall - Rules - LAN.
-
Figured out what my problem was! It was the fact that I chose the wrong network card in the VBox settings.
I forgot to change the card to the Intel 1k desktop card. The moment I did, I was able to get out to the interweb on both interfaces.
Thanks for your help all.
-
Okay. Thanx for clearing up.