PFrustration: multiple LANs, same DHCP and broadcast, different services



  • You know how it works: you spent nights on a setup you have wished for for years, you finally try to get help on a good forum, writing it down in the best and shortest way possible, and the "wrong" captcha that wasn't wrong sends your message to hell forever; hitting back presents a blank message :'(

    So again: hi everybody, I have lurked for 2 years, so I wish to say thanks. I really wrote a nice post with better words, hope you understand :)
    I am not a pro, just running pfSense virtualized for fun for a couple of years.

    The bottom line is:
    can I have clients on 2 interfaces share the same DHCP and broadcast, see each other, but have different policies deciding what services are available on each one?
    For example: the internet gateway blocked on one LAN but not the other; a specific client on LAN1 should not be reachable from LAN2; the NAS available on LAN2 but not on LAN1; and the management web GUI of the NAS only available from LAN3.

    Hoping for some help from some smart mind, I am wondering :)
    thank you :)


  • Netgate

    It's a disease going around, apparently.

    Separate your networks into different broadcast domains. That's how it works.





  • Thank you,
    I forgot to mention one thing when I rewrote the post..
    LAN1 needs 9k jumbo packets (storage network); LAN2 needs to be as usual (Wi-Fi and VPN clients are here, and I can't control their MTU). A bridge would kill that, right?

    Also I need the two segments to not even be able to guess what services are in the other segment. I mean, a BackTrack distribution with the average user on LAN2 should not even guess what is behind the firewall, but it should still reach some specific clients on LAN1 and broadcast on a port. Is a normal broadcast coming from a bridge a leak of information in this case? Can I filter broadcast to and from specific clients?

    My first try was a NAT solution, but I lost broadcast; I tried a bridge, but I lost jumbos.


  • Netgate

    If you need broadcast they need to be on the same broadcast domain.

    As far as I know the whole infrastructure needs to be jumbo frame compatible if jumbos are enabled anywhere in the broadcast domain, so, yes, a bridge qualifies.

    Ditch jumbo frames and put everything on the same subnet. Or upgrade everything to support jumbos and put everything on the same subnet. Or figure out what voodoo you need to do (WINS, DNS, etc) to eliminate the reliance on broadcasts.

    Filtering broadcasts between clients in the same broadcast domain would have to be done at layer 2 - which is probably your switches.

    Maybe you should just say what it is you're trying to accomplish. There has to be a better way to do it.
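As an added example (not from this thread, and not Netgate's or pfSense's own configuration), here is what the policy the original poster asked for looks like once the three LANs are routed segments instead of one bridge, written as FreeBSD pf rules of the kind pfSense generates from its per-interface rule tabs. The interface names, addresses, the placement of the NAS on LAN3 and the choice of which LAN loses internet access are all assumptions made for the example.

```pf
# Assumed interface names and addressing (not from the thread).
wan  = "em0"
lan1 = "em1"   # storage network, 192.168.1.0/24; the only segment with MTU 9000
lan2 = "em2"   # Wi-Fi and VPN clients, 192.168.2.0/24; MTU 1500
lan3 = "em3"   # management network, 192.168.3.0/24; the NAS lives here

nas       = "192.168.3.10"     # assumed NAS address on LAN3
lan1_host = "192.168.1.20"     # assumed LAN1 client that LAN2 must never reach
smb       = "{ 139, 445 }"
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
nat on $wan from $lan1:network to any -> ($wan)   # outbound NAT for the one segment allowed out

block log all            # last-match default: anything not passed by a quick rule below is dropped

# LAN1 (storage): may use the internet, may not reach the NAS or any other local segment.
block in quick on $lan1 from $lan1:network to $rfc1918
pass  in quick on $lan1 from $lan1:network to any

# LAN2 (Wi-Fi/VPN clients): SMB to the NAS only. No internet, no $lan1_host,
# and no NAS web GUI, because no pass rule for those destinations exists here.
block in quick on $lan2 from $lan2:network to $lan1_host
pass  in quick on $lan2 proto tcp from $lan2:network to $nas port $smb
block in quick on $lan2 from $lan2:network to any

# LAN3 (management): unrestricted. The NAS web GUI is reachable from here only,
# and LAN3-to-NAS traffic never crosses the firewall at all (same broadcast domain).
pass  in quick on $lan3 from $lan3:network to any
```

Every rule is evaluated `in` on the interface where the packet enters, which is what gives each segment its own policy. Two hosts on the same segment, such as a LAN3 workstation and the NAS web GUI, are switched at layer 2 and never hit these rules; that is the limit Netgate describes above, and it is why the "only from LAN3" requirement is met by not passing those ports on LAN1 and LAN2 rather than by any rule on LAN3. The MTU is likewise a per-interface setting, so only the LAN1 interface and the hosts on it need to be raised to 9000, while the other segments stay at 1500.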



  • After more than 1 year I solved a part of this..
    The bridge never worked as expected because of… ESXi promiscuous mode on the vSwitches involved in the bridge.
    Thanks to danny boy for his 3rd post in 2011; I missed that for years!
    Now I have discovered the real problem that was preventing bridges from working; this will be a long night..

    Anyway, my goal is very simple:

    On vSwitch0 I have some server appliances (NAS, proxy, VPN, etc.), managed by pfSense, inside vSwitch0 only.

    On vSwitch1 is the only NIC to the outside world, and here is the ESXi management port, which should remain isolated. My PC is connected here and should talk with the Microsoft network on vSwitch0 (NAS and other VMs) and have port 3128 of the proxy available. NOTHING ELSE, no web GUI. Here I NEED jumbos.

    On vSwitch2 a VM is running that bridges a Wi-Fi dongle AP with vSwitch2.
    Wi-Fi should only present my VPN port and the broadcast that Samsung SideSync needs to receive (there is NO WAY to make it work inside the VPN and no way to make it work without a broadcast message to discover the other device on the net) so it can connect to my PC. NOTHING else, not even ARP traffic that could reveal the internal topology. I mean nothing: this is going to work in a hostile environment, so I want to keep my Wi-Fi really secure. I will appreciate every kind of advice.

    What will happen if the Wi-Fi receives jumbos? What do I have to do? I will discover now whether bridges are really working.

    What a pain, man. Thank you everybody, I will let you know how it goes.



  • Update:
    Actually I have the bridge between Wi-Fi and Ethernet fully working, but:
    there is no way to tell the firewall to pass connections to a server that resides on a 3rd LAN over Ethernet and block them over Wi-Fi.
    I mean the rule would have to be in the bridge tab, so it works for both, and filtering by IP or MAC is not an option.
    Rules on eth and wifi only work between the two (I can block any Wi-Fi host from accessing a machine connected to eth, for example).
    Also SideSync does not work: I can see the PC and the smartphone try to connect, but no way.
    Broadcast is the same because I had only assigned an IP and DHCP to the bridge interface.

    Should I assign an IP and DHCP to both wifi and eth, but on the same broadcast?
    I can't test whether it works because SideSync is not working, so the result will not change.
    I guess that if I do that I will have a gateway on each of the eth and wifi interfaces, so I can decide who can see the server on the 3rd LAN.

    Is this my fault, or should this config work even though it does not?
    Also I am not able to go over 600 Mbps without jumbos, and with jumbos I trigger lots of problems on the Wi-Fi, which is the only 1500-MTU LAN here (still not debugged).

    Thank you for the time you put into this post :)