Netgate Discussion Forum
    PFrustration: multiple lans, same dhcp and broadcast, different services

    General pfSense Questions
    7 Posts 3 Posters 2.0k Views
    Overlan:

      You know how it works: you spent nights on a setup you have wished for for years, you finally try to get help on a good forum, writing it down in the best and shortest possible way, and the wrong captcha that wasn't wrong sends your message to hell forever; hitting back presents a blank message :'(

      So again: hi everybody, I have lurked for 2 years so I wish to say thanks. I really wrote a nice post with better words, hope you understand :)
      I am not a pro, just running pfSense virtualized for fun for a couple of years.

      Bottom line is:
      can I have clients on 2 interfaces share the same DHCP and broadcast domain, see each other, but have different policies to decide what services are available on each one?
      For example, with the internet gateway blocked on one LAN but not the other, I wish that a specific client on LAN1 should not be reachable from LAN2, or the NAS available on LAN2 should not be available on LAN1, and the management web GUI of the NAS should only be available from LAN3.

      Hoping for some help from some smart mind, I am wondering :)
      Thank you :)

      Derelict (LAYER 8, Netgate):

        It's a disease going around, apparently.

        Separate your networks into different broadcast domains. That's how it works.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        heper:

          @derelict yeah, it must be the Golden Gate flu

          https://doc.pfsense.org/index.php/Interface_Bridges

          Overlan:

            Thank you,
            I forgot to mention a thing when I rewrote the post..
            LAN1 needs 9k jumbo packets (storage network); LAN2 needs to be as usual (wifi and VPN clients are here, I can't control their MTU). A bridge would kill that, right?

            Also I need the two segments to not even be able to guess what services are in the other segment; I mean a BackTrack distribution with the average user on LAN2 should not even guess what is behind the fw, but still it should reach some specific clients on LAN1 and broadcast on a port. Is a normal broadcast coming from a bridge a leak of information in this case? Can I filter broadcasts to and from specific clients?

            My first try was a NAT solution but I lost broadcast; I tried a bridge but I lost jumbos.

            Derelict (LAYER 8, Netgate):

              If you need broadcast they need to be on the same broadcast domain.

              As far as I know the whole infrastructure needs to be jumbo frame compatible if jumbos are enabled anywhere in the broadcast domain, so, yes, a bridge qualifies.

              Ditch jumbo frames and put everything on the same subnet. Or upgrade everything to support jumbos and put everything on the same subnet. Or figure out what voodoo you need to do (WINS, DNS, etc) to eliminate the reliance on broadcasts.

              Filtering broadcasts between clients in the same broadcast domain would have to be done at layer 2 - which is probably your switches.

              Maybe you should just say what it is you're trying to accomplish. There has to be a better way to do it.


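The advice above boils down to "one broadcast domain, one MTU". The script below is an added example (mine, not from this thread or from pfSense) that shows how to check that before touching the bridge: it takes "interface mtu" pairs for every member of the domain, flags the odd one out, reports the MTU the whole domain would have to fall back to, and builds the don't-fragment ping that proves a jumbo path end to end. Interface names and MTUs in `SAMPLE_MTUS`, and the target 192.0.2.10, are constructed; on pfSense/FreeBSD you would feed it the names and MTU column from `ifconfig -a` instead.

```shell
#!/bin/sh
# Added example, not from the thread: MTU consistency check for one
# broadcast domain plus a don't-fragment probe to verify the jumbo path.

# Constructed sample: three 9000-byte bridge members and a 1500-byte wifi member.
SAMPLE_MTUS='vmx0 9000
vmx1 9000
bridge0 9000
wlan0 1500'

# Print "ifname mtu (expected N)" for every interface that disagrees with the
# most common MTU in the list; return 0 when consistent, 1 otherwise.
check_mtu_consistency() {
    printf '%s\n' "$1" | awk '
        NF == 2 { mtu[$1] = $2; count[$2]++ }
        END {
            best = ""
            for (m in count) if (best == "" || count[m] > count[best]) best = m
            bad = 0
            for (i in mtu) if (mtu[i] != best) {
                printf "%s mtu %s (expected %s)\n", i, mtu[i], best
                bad = 1
            }
            exit bad
        }'
}

# Largest MTU every listed interface can carry (the minimum of the set).
# If one member cannot do jumbos, this is what the whole domain drops to.
min_mtu() {
    printf '%s\n' "$1" | awk 'NF == 2 { if (min == "" || $2+0 < min+0) min = $2 } END { print min }'
}

# ICMP echo payload that fills exactly one frame of the given MTU:
# MTU minus the 20-byte IPv4 header minus the 8-byte ICMP header.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Don't-fragment probe toward $2 at MTU $1. If this fails while a 1472-byte
# payload succeeds, something on the path is not passing jumbo frames.
# FreeBSD/pfSense ping uses -D for DF; on Linux the equivalent is `ping -M do -s SIZE`.
probe_cmd() {
    echo "ping -D -c 3 -s $(ping_payload_for_mtu "$1") $2"
}

# Stand-alone run on the constructed sample.
if ! check_mtu_consistency "$SAMPLE_MTUS"; then
    echo "domain must fall back to mtu $(min_mtu "$SAMPLE_MTUS") or the odd member must be upgraded"
fi
probe_cmd 9000 192.0.2.10
```

Run it on the real member list after every MTU change; a bridge on pfSense inherits the problem of its members, so a single 1500-byte member (the wifi VM in this thread) is enough to make 9000-byte frames from the storage side disappear silently.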
              Overlan:

                After more than 1 year I solved a part of this..
                The bridge never worked as expected because of... ESXi promiscuous mode in the vSwitches involved in the bridge.
                Thanks to danny boy in his 3rd post in 2011, I missed that for years!
                Now I have discovered the real problem that was preventing bridges from working; this will be a long night..

                Anyway my goal is very simple:

                On vswitch0 I have some server appliances (NAS, proxy, VPN, etc.) and pfSense, managed inside vsw0 only.

                On vsw1 is the only NIC to the outside world, and here is the ESXi management port, and this should remain isolated. My PC is connected here and should talk with the Microsoft network on vsw0 (NAS and other VMs) and have port 3128 of the proxy available. NOTHING ELSE, no web GUI. Here I NEED jumbos.

                On vsw2 a VM is running that bridges a wifi dongle AP with vsw2.
                Wifi should only present my VPN port and the broadcast that Samsung SideSync needs to receive (there is NO WAY to make it work inside the VPN and no way to make it work without a broadcast message to discover the other device on the net) so it can connect to my PC. NOTHING else, not even ARP traffic that can reveal the internal topology. I mean nothing; this is going to work in a hostile environment so I want to keep my wifi really secure. I will appreciate every kind of advice.

                What will happen if wifi receives jumbos? What do I have to do? I will now discover whether bridges are really working.

                What a pain, man. Thank you to everybody, I will let you know how it goes.

                Overlan:

                  Update:
                  Actually I have the bridge between wifi and ethernet fully working, but:
                  there is no way to tell the fw to pass a connection to a server that resides on a 3rd LAN over ethernet and block it over wifi.
                  I mean the rule should be in the bridge tab so it will work for both, and filtering by IP or MAC is not an option.
                  Rules on eth and wifi only work between the two (I can block any wifi client from accessing a machine connected to eth, for example).
                  Also SideSync does not work; I can see the PC and smartphone try to connect, but no way.
                  Broadcast is the same because I had only assigned IP and DHCP to the bridge interface.

                  Should I assign IP and DHCP to both wifi and eth but on the same broadcast domain?
                  I can't test whether it works because SideSync is not working, so the result will not change.
                  I guess that if I do that I will have a gateway on each eth and wifi interface so I can decide who can see the server on the 3rd LAN.

                  Is this my fault, or should this config work even if it does not?
                  Also I am not able to go over 600 Mbps without jumbos, and with jumbos I trigger lots of problems in the wifi, which is the only 1500-MTU LAN here (still not debugged).

                  Thank you for the time you put into this post :)

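Where pf rules actually take effect on a bridge is governed by two FreeBSD sysctls that pfSense exposes under System > Advanced > System Tunables: `net.link.bridge.pfil_member` (default 1, rules on each member interface's own tab are applied) and `net.link.bridge.pfil_bridge` (default 0, rules on the bridge tab are not). With the defaults, a per-member policy like "wired may reach the third-LAN server, wifi may only reach the VPN port" is expressed on the member tabs, not the bridge tab. The script below is an added example (mine, not from this thread or from pfSense): it reads the two sysctls from constructed `sysctl` output and reports where filtering happens, then prints pf.conf-style rules for that split policy. The names em1 (wired member), wlan0 (wifi member), 198.51.100.0/24 (bridged subnet), 192.0.2.10 (server on the third LAN), 192.0.2.20 (VPN server) and 1194/udp (VPN port) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check where pf filters bridged traffic
# and emit per-member rules. Interface names, subnets and ports are assumed.

# Constructed sysctl output matching pfSense defaults. Live values come from:
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Given the sysctl output text, say where rules apply to bridged traffic:
# "member" (each member interface tab), "bridge" (bridge tab), "both" or "none".
bridge_filter_mode() {
    member=$(printf '%s\n' "$1" | awk -F': ' '/pfil_member/ {print $2}')
    bridge=$(printf '%s\n' "$1" | awk -F': ' '/pfil_bridge/ {print $2}')
    case "${member:-0}${bridge:-0}" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Per-member policy in pf.conf syntax (only effective when pfil_member=1):
#   $1 wired member, $2 wifi member, $3 bridged subnet,
#   $4 server on the third LAN, $5 VPN server
# Wired clients may reach the third-LAN server on SMB; wifi clients may only
# reach the VPN port; everything else arriving on the wifi member is dropped,
# including attempts toward the third-LAN server.
member_rules() {
    cat <<EOF
pass in quick on $1 proto tcp from $3 to $4 port 445
pass in quick on $2 proto udp from any to $5 port 1194
block in quick on $2 from any to $4
block in quick on $2 from any to any
EOF
}

# Stand-alone run on the constructed sample.
echo "bridged traffic is filtered on: $(bridge_filter_mode "$SAMPLE_SYSCTL")"
member_rules em1 wlan0 198.51.100.0/24 192.0.2.10 192.0.2.20
```

If `bridge_filter_mode` prints "bridge" or "both", rules were moved to the bridge tab at some point and the member-tab rules above would be ignored or doubled up. Note that the last `block` only covers what pf sees as IP traffic; ARP and other non-IP frames crossing a bridge are not filtered by pf at all, so the "not even ARP" requirement from the earlier post needs a layer-2 control (wireless client isolation, a separate SSID, or the switch), not a firewall rule.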
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.