Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
No Worries Adrian, I am confident I won't be the only one to benefit, thank you. Kind regards David - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Sunday, March 01, 2009 6:22 AM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) My apologies, I meant Network layer, not Transport. Sheesh. Serves me right for spamming the list with general info (as I spam it again with my correction ;) snip So there 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 4th octet that are valid for use as IPs on the local subnet (the +'s represent bits that, if changed, would tell the Transport layer that the IP is not local... the -'s are bits you can change to give yourself IPs local to your subnet. Note that they correspond to the 1's and 0's of the netmask). /snip - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
Actually, this is the first time I've heard subnetting explained in a way that actually made sense. Kudos! And thank you! - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Saturday, February 28, 2009 9:22 AM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) My apologies, I meant Network layer, not Transport. Sheesh. Serves me right for spamming the list with general info (as I spam it again with my correction ;) snip So there 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 4th octet that are valid for use as IPs on the local subnet (the +'s represent bits that, if changed, would tell the Transport layer that the IP is not local... the -'s are bits you can change to give yourself IPs local to your subnet. Note that they correspond to the 1's and 0's of the netmask). /snip - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
Hi Adrian Thank you so much for your response. I think those numbers do have something to do with it, as when I enable OPT1 I loose the webserver's access and have to reset to a default and start over (I hate that!) I have since tried configuring as: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.(aaa+1).bbb.ccc/9 I presume I have still got it wrong. I want to keep LAN1's IP numbers as it is, as there a number of Static DHCP assignments all set, for LAN2 I don't really care what this is, and I can't imagine needing more than 20 addresses on LAN2, which may be relevant. Can you suggest further? (Of course they can be changed if necessary) Also I assume I will need to do some LAN2 rules to 1) give access to the Internet and LAN1 rules to gain access to LAN2 however the devil may be lying in the detail to do that... Still as you say we need to get LAN2 working for a start. Kind regards David - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Saturday, February 28, 2009 7:05 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hello, So, it seems you are configuring as such: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.xxx.yyy.zzz/8 This is not right, since /8 means a netmask of 255.0.0.0, making the network portion of each subnet only the first octet... thus the same subnet. Two devices with configured with the same subnet, and on two different physical networks will not work. You should try a netmask of 255.128.0.0, or /9 (assuming you really need all those IPs on each network). That will correct differentiate the subnets and allow routing to occur ;) We can get into separating your LANs to disallow your desired access after this is working. Thanks, Adrian - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi I have been trying to setup a WAN and two LAN. (3 NIC's) I want LAN1 to be able to access LAN2 but not the other way around. The idea is that LAN1 is less public than LAN2. i.e. visitors can connect to the Public LAN2 and browse the Internet etc while not having any access to LAN1 LAN 2 will have a LAN printer on it, as an example, which can receive print jobs from both LAN1 and LAN2. WAN is a static IP to Cable. LAN1 is using 10.xxx.yyy.zzz 8 and OPT was intended to use 10.aaa.bbb.ccc 8 however enabling this seems to make it all fall over, ie I lose Internet connection from LAN things become unresponsive. As an aside I tried editing /conf/config.xml however it would not save from the terminal window, does one have rights to edit the config there? I was using the ee editor. Has anyone done this sort of thing and what am I missing to get it working? In anticipation many thanks indeed. Kind regards David - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
The rules are the easy part. I had to do a similar thing for a pfSense box that had 4 interfaces. I'm just going to share my advice now, but you'll need to get the subnetting figured out before you can add these rules. One the LAN2 interface, create a block rule that goes at the very top of the rules list that prevents any connection originating in LAN2 from connecting to LAN1. Then after that you can have the standard LAN2 - any rule and everything should work as expected. On the LAN1 interface, you shouldn't have to add any rules except the default LAN - any rule. I understand I may have misunderstood your needs, but as I understand them, that is the rule set-up you will want. It should still allow LAN1 to print to a printer on LAN2, but not allow LAN2 to access LAN1. - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 12:53 AM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi Adrian Thank you so much for your response. I think those numbers do have something to do with it, as when I enable OPT1 I loose the webserver's access and have to reset to a default and start over (I hate that!) I have since tried configuring as: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.(aaa+1).bbb.ccc/9 I presume I have still got it wrong. I want to keep LAN1's IP numbers as it is, as there a number of Static DHCP assignments all set, for LAN2 I don't really care what this is, and I can't imagine needing more than 20 addresses on LAN2, which may be relevant. Can you suggest further? (Of course they can be changed if necessary) Also I assume I will need to do some LAN2 rules to 1) give access to the Internet and LAN1 rules to gain access to LAN2 however the devil may be lying in the detail to do that... Still as you say we need to get LAN2 working for a start. Kind regards David - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Saturday, February 28, 2009 7:05 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hello, So, it seems you are configuring as such: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.xxx.yyy.zzz/8 This is not right, since /8 means a netmask of 255.0.0.0, making the network portion of each subnet only the first octet... thus the same subnet. Two devices with configured with the same subnet, and on two different physical networks will not work. You should try a netmask of 255.128.0.0, or /9 (assuming you really need all those IPs on each network). That will correct differentiate the subnets and allow routing to occur ;) We can get into separating your LANs to disallow your desired access after this is working. Thanks, Adrian - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi I have been trying to setup a WAN and two LAN. (3 NIC's) I want LAN1 to be able to access LAN2 but not the other way around. The idea is that LAN1 is less public than LAN2. i.e. visitors can connect to the Public LAN2 and browse the Internet etc while not having any access to LAN1 LAN 2 will have a LAN printer on it, as an example, which can receive print jobs from both LAN1 and LAN2. WAN is a static IP to Cable. LAN1 is using 10.xxx.yyy.zzz 8 and OPT was intended to use 10.aaa.bbb.ccc 8 however enabling this seems to make it all fall over, ie I lose Internet connection from LAN things become unresponsive. As an aside I tried editing /conf/config.xml however it would not save from the terminal window, does one have rights to edit the config there? I was using the ee editor. Has anyone done this sort of thing and what am I missing to get it working? In anticipation many thanks indeed. Kind regards David - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
Apologies for the repeat post, ISP email problem seemed to have lost it, then later on spat it out (Not sure if you guys want yet another email to explain!?) Kind regards David - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
I think I've moved this on some. What I did was avoid the subnet issues which I was clearly running into (and not fully understanding), I opted to use a 172.10.x.x/16 private range for the 2nd LAN. I entered the rules as per DarkFoon (Thank you) Using the rules as suggested are preventing LAN2 access to LAN while allowing Internet access. LAN does not yet seem to have LAN2 access yet though, in terms of no pings and no WINS access, which I was hoping for one way (LAN to LAN2 only) but perhaps that is just not going to happen in this dual LAN setup? Any further guidance would be appreciated please. Kind regards David - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 8:17 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi Adrian Thank you so much for your response. I think those numbers do have something to do with it, as when I enable OPT1 I loose the webserver's access and have to reset to a default and start over (I hate that!) I have since tried configuring as: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.(aaa+1).bbb.ccc/9 I presume I have still got it wrong. I want to keep LAN1's IP numbers as it is, as there a number of Static DHCP assignments all set, for LAN2 I don't really care what this is, and I can't imagine needing more than 20 addresses on LAN2, which may be relevant. Can you suggest further? (Of course they can be changed if necessary) Also I assume I will need to do some LAN2 rules to 1) give access to the Internet and LAN1 rules to gain access to LAN2 however the devil may be lying in the detail to do that... Still as you say we need to get LAN2 working for a start. Kind regards David - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Saturday, February 28, 2009 7:05 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hello, So, it seems you are configuring as such: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.xxx.yyy.zzz/8 This is not right, since /8 means a netmask of 255.0.0.0, making the network portion of each subnet only the first octet... thus the same subnet. Two devices with configured with the same subnet, and on two different physical networks will not work. You should try a netmask of 255.128.0.0, or /9 (assuming you really need all those IPs on each network). That will correct differentiate the subnets and allow routing to occur ;) We can get into separating your LANs to disallow your desired access after this is working. Thanks, Adrian - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi I have been trying to setup a WAN and two LAN. (3 NIC's) I want LAN1 to be able to access LAN2 but not the other way around. The idea is that LAN1 is less public than LAN2. i.e. visitors can connect to the Public LAN2 and browse the Internet etc while not having any access to LAN1 LAN 2 will have a LAN printer on it, as an example, which can receive print jobs from both LAN1 and LAN2. WAN is a static IP to Cable. LAN1 is using 10.xxx.yyy.zzz 8 and OPT was intended to use 10.aaa.bbb.ccc 8 however enabling this seems to make it all fall over, ie I lose Internet connection from LAN things become unresponsive. As an aside I tried editing /conf/config.xml however it would not save from the terminal window, does one have rights to edit the config there? I was using the ee editor. Has anyone done this sort of thing and what am I missing to get it working? In anticipation many thanks indeed. Kind regards David - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
On Sat, Feb 28, 2009 at 01:53, Tortise tort...@paradise.net.nz wrote: I have since tried configuring as: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.(aaa+1).bbb.ccc/9 I presume I have still got it wrong. Yes. Any /9 is still a subset of a /8 with the same prefix, and unless you really know what you're doing will always create routing problems. For that matter, you can generalize that to any /n is a subset of /n-X with the same prefix. It operates the same in the other direction: a /n subnet consists of two /n+1 subnets. The solution is to use another address space (as you did with the 172.x) or to use parallel spaces: 10.0.0.0/9 and 10.128.0.0/9. Unless you have a truly monstrous user network, you really should consider using much narrower bands of addresses - /20 (which still contains 4000 addresses) or smaller. That way when you start adding new subnets you don't have to screw around with allocations so much. Also, to stay within RFC1918 (private) IP space, you need to move that 172.x up into the 172.16.0.0/12 range. Finally, once you have the two LANs with non-overlapping IP space, you can create the rules. If LAN1's rules are unchanged from the default, it should probably already be allowed LAN2 access; if not, you'll need to add a rule on LAN1 allowing a source of LAN1 subnet to a destination of LAN2 subnet. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
Hello, I'm glad you've made some progress. I'd like to help explain private subnets, and since I don't know how much you already know, please don't be offended! (I realize at this point I'm not helping you accomplish your task, but just trying to helpful in general.) There are three subnets allocated as private (for internal network use): 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 I've listed these in CIDR notation, meaning the /xx at the end denotes the number of bits in the netmask that are 1s. For example: /8 means 255.0.0.0 or in binary: ... /12 means 255.240.0.0 or in binary: ... The purpose of the netmask is to determine what bits of an IP address make up the network address, and what bits make up the host address (ie, determining whether the IP is local or if requests should be made through a router). A host with an IP of 172.16.0.1 and a netmask of 255.240.0.0 (or /12) would mean that these IPs would be local: 172.16-31.xxx.xxx as shown by comparing the IP to the netmask: ... IP: 10101100.0001..0001 netmask: ... 1st 2nd 3rd 4th So there 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 4th octet that are valid for use as IPs on the local subnet (the +'s represent bits that, if changed, would tell the Transport layer that the IP is not local... the -'s are bits you can change to give yourself IPs local to your subnet. Note that they correspond to the 1's and 0's of the netmask). I hope this is somewhat understandable. Also, keep in mind that these private subnets are referenced by the greatest possible netmask, but you're not required to use this as your netmask (in fact, you almost always shouldn't). So, for your LAN2 subnet, you could use the following: IP: 172.16.0.1 netmask: 255.255.255.0 (ie, /24) This will give you 253 IPs available for your hosts (172.16.0.2-254). As RB said, it's good to get these private subnets right, since accidentally using a subnet outside of these will cause you to lose access to any hosts on the internet that use the subnet (your hosts will think the IPs are local, and won't send their requests to the router to be forwarded). Feel free to email me off-list if you have any more IP related questions. Sounds like RB's answered your routing questions. Enjoy! -Adrian - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 6:36:01 AM GMT -05:00 US/Canada Eastern Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) I think I've moved this on some. What I did was avoid the subnet issues which I was clearly running into (and not fully understanding), I opted to use a 172.10.x.x/16 private range for the 2nd LAN. I entered the rules as per DarkFoon (Thank you) Using the rules as suggested are preventing LAN2 access to LAN while allowing Internet access. LAN does not yet seem to have LAN2 access yet though, in terms of no pings and no WINS access, which I was hoping for one way (LAN to LAN2 only) but perhaps that is just not going to happen in this dual LAN setup? Any further guidance would be appreciated please. Kind regards David - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 8:17 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi Adrian Thank you so much for your response. I think those numbers do have something to do with it, as when I enable OPT1 I loose the webserver's access and have to reset to a default and start over (I hate that!) I have since tried configuring as: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.(aaa+1).bbb.ccc/9 I presume I have still got it wrong. I want to keep LAN1's IP numbers as it is, as there a number of Static DHCP assignments all set, for LAN2 I don't really care what this is, and I can't imagine needing more than 20 addresses on LAN2, which may be relevant. Can you suggest further? (Of course they can be changed if necessary) Also I assume I will need to do some LAN2 rules to 1) give access to the Internet and LAN1 rules to gain access to LAN2 however the devil may be lying in the detail to do that... Still as you say we need to get LAN2 working for a start. Kind regards David - Original Message - From: Adrian Wenzel adr...@lostland.net To: discussion@pfsense.com Sent: Saturday, February 28, 2009 7:05 PM Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hello, So, it seems you are configuring as such: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.xxx.yyy.zzz/8 This is not right, since /8 means a netmask of 255.0.0.0, making the network portion of each subnet only the first octet... thus the same subnet. Two devices with configured with the same subnet, and on two
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
My apologies, I meant Network layer, not Transport. Sheesh. Serves me right for spamming the list with general info (as I spam it again with my correction ;) snip So there 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 4th octet that are valid for use as IPs on the local subnet (the +'s represent bits that, if changed, would tell the Transport layer that the IP is not local... the -'s are bits you can change to give yourself IPs local to your subnet. Note that they correspond to the 1's and 0's of the netmask). /snip - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)
Hello, So, it seems you are configuring as such: LAN1: 10.aaa.bbb.ccc/8 LAN2: 10.xxx.yyy.zzz/8 This is not right, since /8 means a netmask of 255.0.0.0, making the network portion of each subnet only the first octet... thus the same subnet. Two devices with configured with the same subnet, and on two different physical networks will not work. You should try a netmask of 255.128.0.0, or /9 (assuming you really need all those IPs on each network). That will correct differentiate the subnets and allow routing to occur ;) We can get into separating your LANs to disallow your desired access after this is working. Thanks, Adrian - Original Message - From: Tortise tort...@paradise.net.nz To: discussion@pfsense.com Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1) Hi I have been trying to setup a WAN and two LAN. (3 NIC's) I want LAN1 to be able to access LAN2 but not the other way around. The idea is that LAN1 is less public than LAN2. i.e. visitors can connect to the Public LAN2 and browse the Internet etc while not having any access to LAN1 LAN 2 will have a LAN printer on it, as an example, which can receive print jobs from both LAN1 and LAN2. WAN is a static IP to Cable. LAN1 is using 10.xxx.yyy.zzz 8 and OPT was intended to use 10.aaa.bbb.ccc 8 however enabling this seems to make it all fall over, ie I lose Internet connection from LAN things become unresponsive. As an aside I tried editing /conf/config.xml however it would not save from the terminal window, does one have rights to edit the config there? I was using the ee editor. Has anyone done this sort of thing and what am I missing to get it working? In anticipation many thanks indeed. Kind regards David - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
