Routing when pfSense is being used as a "bridge"
Is there a way to do any type of routing when pfSense is being used as a "bridge" ?
On my current setup I have the WAN and LAN interfaces "bridged" together, and everything is working as expected.
ie: current bridge IP addesss is 10.27.1.1 with a gateway of 10.27.0.254.
Clients setup on the IP range (10.27.x.x) fly through the bridge with no problems, and firewall rules act as expected.
I would like to add a static rout or two to take care of some additional LAN routing.
I am currently trying to migrate from a 10.1.x.x over to the 10.27.x.x range (for a number of reasons….I won't go into the gory details)
and would like to have some communications between the two IP ranges while I migrate clients.
Mostly so I don't have to try and do all 2,000 + workstations, switches, AD, WSUS, FOG, etc etc etc... all in one fell swoop.
I would like to be able to (somewhat) take my time on a lot of the equipment, and save the "big switch" for a weekend in the future.....
The problem is that pfSense does not seem to be the gateway of your network, so first of all, you would need static routes on every device (no way) or a static route on your gateway, routing that network to pfSense.
Anyway, what is your idea? Do you want to keep both network segments on the same physical network and do some routing in between? (quite ugly)
Sorry about the slow response georgeman !! got tied up in a couple other projects….plus I think I forgot to check the "notify" box :-[
"Do you want to keep both network segments on the same physical network and do some routing in between? (quite ugly)"
Yes...if possible ...that's the idea. I know it's ugly... it would only be temporary.
My Active Dir. DC is on the 10.1.x.x range, as are all of the workstations. I would like to (somehow) be able to start migrating workstations over to the new address range without having to "pull the trigger" and switch my entire network over to the new range in one fell swoop.
(I realize that "just do it" may be the easiest answer, but, I'm more of a careful, methodical, one-step-at-a-time, admin.....)
I decided to start over and try adding a OPT1 interface and bind it to the 10.1.x.x range.
So I now have WAN (10.27.1.1), bridge to WAN (no IP) , and OPT1 (10.1.1.251) (see pic1)
From my pfSense box, I can see/ping everything on both 10.1.x.x and 10.27.x.x.
From a workstation setup on the 10.27.x.x address range (w/10.27.1.1 as def. gateway), I can ping 10.27.1.1 and 10.1.1.251. I can't ping any workstations/servers on the 10.1.x.x range.
any reasonable way to get these two network to see to each other ??
I've attached a few screen shots to kind of show what I've done already....
I guess that 10.1.1.251 is not the default gateway for that network. I'm sure the pings are getting to the destination but are not getting back. If this is case, you need a static route on the default gateway of that network, routing 10.27.x.x through 10.1.1.251
Anyway, don't you have a VLAN capable switch? Can't you move one PC at a time by switching them to a different VLAN? Having several layer3 domains within the same layer2 domain is never a good idea