That config is a bit weird but doable with some changes.

I would suggest making LAN1 and LAN2 separate interfaces (if they are not 
already, from the line to the switch it seems to be one and virtual ips won't 
work for different subnets on the same nic) and different networks: Connect 
LAN1 to the one switch and LAN2 to the other one. Traffic between LAN1 and LAN2 
will pass the firewall anyway, even if on the same switch with these subnets 
but you would get rid of some annoying Layer2-syslog-messages you should 
already see.

Create rules for LAN1 and LAN2 to allow traffic in any direction with any 
protocol to make them able to talk to each other.

Your Clients are all in LAN2 but some have as gateway the LAN1 IP of the 
pfsense. This won't work and I wonder if an OS is accepting that config anyway. 
Do we have a Typo here?

Create virtual IPs on your WAN interface to accept the /28 subnet on the same 
NIC. I would suggest doing it with CARP, as this way you can add a 
failover system easily later. However, you'll see some broadcast traffic derived 
from that configuration but it won't hurt.

Then use Firewall>NAT>port forward to forward traffic from the different wan 
ips to the servers in LAN1. Use "Advanced Outbound NAT" at 
Firewall>NAT>Outbound to make the servers map to the virtual IPs on the 
WAN-Interface.

If you have further problems, come to the IRC channel ##pfsense at freenode. 
There are some people (including me) that are able to help you.



To clarify CARP/ProxyARP/Other:

CARP are virtual IPs that can be shared between systems (it's a fake layer2 MAC 
that can be handed over). You can build a failover system with that.

ProxyARP is if you need fake MAC address replies on an interface to make another 
network device send traffic to a virtual IP to that interface.

Other is meant for IPs that come to your interface without the need to do 
layer2-magic to make it come to you.



Holger





-----Original Message-----
From: Bastian Schern [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 August 2005 00:10
To: support@pfsense.com
Subject: [pfSense Support] Multiple LAN Subnets on one Interface (was:
Virtual IPs not working)


Hello,

in the meantime I already fixed some problems around the old topic 
(Virtual IPs not working). So I will describe my open problem in more detail.

This is a draft of my network configuration:

WAN: 213.xxx.xxx.64/28
LAN1: 192.168.0.0/24
LAN2: 192.168.3.0/24


          |
          | WAN
+--------#-------+
| 213.xxx.xxx.66 |
|                |
|----------------|
|                |
|   pfSense FW   |
|                |
|----------------|
|                |
|  192.168.0.1   |
|  192.168.3.1   |
+--------#-------+
          | LAN1,LAN2
          |
+--------+
|
| +-----------------+
| |     Switch      |
| +-#-#-#-#-#-#-#-#-+
|   |   | |       |
+---+   | |       +---------+
         | +--------------+  |
         +--+             |  |
            |             |  |
+----------#----------+  |  |  +-----------------+
|     Mailserver      |  |  |  |     Switch      |
| LAN: 192.168.0.2    |  |  |  +-#-#-#-#-#-#-#-#-+
| WAN: 213.xxx.xxx.68 |  |  |    |   |   |   |
+---------------------+  |  +----+   |   |   |
                          |           |   |   |
            +-------------+           |   |   |
            |                         |   |   |
+----------#----------+              |   |   |
|     SIP Server      |              |   |   |
| LAN: 192.168.0.3    |              |   |   |
| WAN: 213.xxx.xxx.67 |              |   |   |
+---------------------+              |   |   |
                                      |   |   |
               +----------------------+   |   |
               |                          |   |
    +----------#----------+               |   |
    |        PC 1         |               |   |
    | IP:   192.168.3.21  |               |   |
    | Mask: 255.255.255.0 |               |   |
    | GW:   192.168.0.1   |  +------------+   |
    +---------------------+  |                |
                  +----------#----------+     |
                  |        PC 2         |     |
                  | IP:   192.168.3.22  |     |
                  | Mask: 255.255.255.0 |     |
                  | GW:   192.168.0.1   |   +-+
                  +---------------------+   |
                                 +----------#----------+
                                 |        PC 3         |
                                 | IP:   192.168.3.23  |
                                 | Mask: 255.255.255.0 |
                                 | GW:   192.168.3.1   |
                                 +---------------------+

It is important that all PCs can connect to the Server and the other way 
around.

There are three types of virtual IPs: Proxy ARP, CARP, Other. Which one 
is the right one for my configuration, and where are the differences?

Regards
        Bastian
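
The gateway mismatch raised in the reply, and its remark that LAN1-to-LAN2 traffic passes the firewall, can be checked mechanically. This is an added example, not part of either message; the addresses are copied from the diagram above, the servers' /24 mask is taken from the LAN1 definition, and the function names are illustrative.

```python
import ipaddress

# (IP, netmask, gateway) per host, copied from the diagram. The servers'
# gateway is not shown there, so it is left as None.
HOSTS = {
    "Mailserver": ("192.168.0.2", "255.255.255.0", None),
    "SIP Server": ("192.168.0.3", "255.255.255.0", None),
    "PC 1": ("192.168.3.21", "255.255.255.0", "192.168.0.1"),
    "PC 2": ("192.168.3.22", "255.255.255.0", "192.168.0.1"),
    "PC 3": ("192.168.3.23", "255.255.255.0", "192.168.3.1"),
}


def network_of(name):
    """Subnet the host believes it is attached to, from its IP and mask."""
    ip, mask, _ = HOSTS[name]
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def gateway_on_link(name):
    """True if the gateway lies in the host's own subnet (so the host can
    ARP for it), False if not, None if the diagram gives no gateway."""
    gw = HOSTS[name][2]
    if gw is None:
        return None
    return ipaddress.ip_address(gw) in network_of(name)


def path(src, dst):
    """'direct' if src reaches dst by ARP inside its own subnet, otherwise
    'routed' through src's gateway, which here is the firewall."""
    dst_ip = ipaddress.ip_address(HOSTS[dst][0])
    return "direct" if dst_ip in network_of(src) else "routed"


def misconfigured():
    """Hosts whose configured gateway is outside their own subnet."""
    return [name for name in HOSTS if gateway_on_link(name) is False]


if __name__ == "__main__":
    for name in HOSTS:
        print(name, network_of(name), "gateway on-link:", gateway_on_link(name))
    print("gateway needs fixing:", misconfigured())
    print("PC 3 -> Mailserver:", path("PC 3", "Mailserver"))
    print("Mailserver -> SIP Server:", path("Mailserver", "SIP Server"))
```

Hosts reported as `routed` depend on the LAN1/LAN2 firewall rules to reach each other, even when they share a switch.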



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

