Is this config OK? 'Cause it works… Two WANs: 1 no NAT, 1 bridged, no VLANs



  • Hey there guys and a Happy New Year!

    Just wanted to check with people here if this is OK, it works, don't see anything alarming in the logs except I can't ping a server behind one of them, when connected via VPN…

    So I have the integrated NIC (the pfSense runs on an 1U HP server) with 32 IPs, a /27 subnet from ISP 1:
    -WAN-ISP1 - 1.1.1.1
    -LAN-ISP1 - 1.1.1.2/27 this one goes into a managed switch, in VLAN 300
    This is just fine, working for a long time, no VLAN created in the pfSense box.

    I added today a second card to pfSense, where I plugged the second ISP, my intent being to somehow just pass through everything, no NAT, and not to "waste" the 3 static IPs they gave me (I mean those 3 IPs I would like them to be assigned directly to the machines, and those connected to the switch), but to still make good use of the firewall, snort, etc, aka "Transparent firewall":
    -WAN-ISP2 - no IP ie "Configuration Type: none" < the ISP2 line
    -LAN-ISP2 - no IP ie "Configuration Type: none" < hooked into the same switch as LAN-ISP1, but configured with a separated VLAN, 400, in the switch only.
    -created a bridge with these two - where I also didn't assign an IP and still no VLANs;
    -created rules for WAN and LAN to allow everything;

    So… this one works too, and my secondary 2.2.2.2 DNS server on ISP2 is now free of the hammering it was taking, pfSense and the packages are doing their job. But it occurred to me (everything is VLAN isolated at the switch level, I just love it that way) that maybe I should involve some VLANs on the pfSense box, are those necessary in such a scenario? What should I do exactly, and why? Things seem fine, but it's not the most orthodox setup you might find out there... I just want to protect a server, previously hardwired to ISP2 directly.

    Also when I am connected via VPN to the pfSense machine (an internal IP 192.168.1.6 that has outside connection, through ISP1 of course) I can't ping/access the server behind the bridged ones, using ISP2... I unchecked "Block private network" & "Block bogon networks" just to be sure... the same, can't ping the damn thing. Everything is fine if I am NOT connected through VPN: I can ping it, access stuff, does its job as a DNS server, from anywhere.

    Am I fine or not?

    Hope it makes some sense :)

