Thanks, but VLANs are not an option due to other hardware/switch limitations.

Having only a basic understanding of VLANs, I'm also not sure how that
would apply (but would be happy to learn) since the underlying objective
is to have pfSense support multiple LAN subnets (in this case, 3) on a
single port -- ideally using the web-based interface for setup.  This is
all to avoid having to set up 3 different routers or put more NICs into
the system running pfSense.

Narrower version of original diagram included, below
... so it doesn't wrap 'n jumble [du-oh!]
______________________________________________________________________
Previous message from Sean Cavanaugh on 2008-02-07 at 10:58 AM -0500
----------------------------------------------------------------------
|set the LAN interface to use VLANs?
|
|-Sean
|
|
|> Date: Thu, 7 Feb 2008 04:36:40 -0800
|> To: [email protected]
|> From: [EMAIL PROTECTED]
|> Subject: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
|>
|> After searching the archives, the forum and conferring with Mr. Google,
|> I've not found anything about the best/correct strategy to use to support
|> multiple LAN subnets on a single LAN port.
|>
|> The Questions
|> =============
|> - is using address aliases the correct/optimal/best way to create the WAN
|> aliases?
|>
|> - if using address aliases is *not* the best way, what is?
|>
|> - if using address aliases *is* the best way, I assume that the commands
|> should be entered in a /etc/rc script:
|>
|> * if a /etc/rc script is the right way, what's the rc processing flow
|> on FreeBSD ... i.e., usually there's a standard script naming that will
|> automatically cause it to get included in the startup processing ... what
|> is it on this *NIX?
|>
|> * if a /etc/rc script isn't the right way, what is (I'm not familiar
|> with Perl or PHP but am very comfortable with shell scripting)?
|>
|> - are there any problems with the overall approach we're using, here?
|>
|> TIA
|>
|> Background Info
|> ===============
|> Graphically, we have (all addresses are "made up", LAN switches omitted)
|> ... view in mono-spaced font:
|>
|    Aliased IPs:       Ultimately Mapped As:
|+------+ 172.16.1.50   WAN : domain1.com : 4.4.8.4
||      | 172.16.2.50   WAN2: domain2.com : 4.4.16.4
||      | 172.16.3.50   WAN3: domain3.com : 4.4.32.4
||Server|---+                        WAN                    4.4.8.4
||      |   |           +------+ +-------+                domain1.com
||      |   | 172.16.1.1|      | |4.4.8.4| +-----+       +-----------
|+------+   | 172.16.2.1|      |-+       +-|     |       |
|           | 172.16.3.1|      |    WAN2   |     | +---+ |domain2.com
|    +======+===+=======|pfSnse|-----------|Swtch|-|DSL|-+------------
|    |          |       |1.2RC4| 4.4.16.4  |     | +---| |  4.4.16.4
|+-----+      +-----+   |      |-+       +-|     |       |
|| Mac | .... | PC  |   |      | |  WAN3 | +-----|       +-----------
|+-----+      +-----+   +------+ +-------+                domain3.com
|172.16.1.10  172.16.1.20        4.4.32.4                   4.4.32.4
|>
|>
|> Being 2 small offices, our pfSense setup and requirements are relatively
|> simple:
|>
|> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static
|> public IP addresses
|>
|> - since the DHCP assignment relies on a MAC address, we have the "normal"
|> WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2)
|>
|> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec
|> passthrough)"
|>
|> - all 3 WANs have ports mapped onto a LAN-resident server that supports
|> the web serving for the 3 different domain names via virtual hosts based
|> upon IP:port binding using the 3 different subnets (the server's single
|> port is aliased to reside on the 3 subnets)
|>
|> - the WAN port is the only one that sees any "general" LAN-resident
|> traffic (i.e., other than the traffic that's mapped to/from the server)
|> and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the
|> LAN-resident server
|>
|> - I split our DNS services for private/public address access so NAT
|> reflection is not an issue (being a development shop, we have multiple
|> internal-only servers as well)
|>
|> - we have a second basic LAN/WAN-only pfSense at another office with an
|> IPSec tunnel running and we have PPTP configured
|>
|> What's Been Done
|> ================
|> What I've done is simply added address aliases on the otherwise
|> 172.16.1.1 LAN port via
|> ifconfig sk0 alias 172.16.2.1/24
|> ifconfig sk0 alias 172.16.3.1/24
|> (the Web interface then reports it as the last-added alias)
|>
|> The only rules are:
|>
|> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ...
|> e.g.:
|> allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80
|>
|> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ...
|> e.g.:
|> allow TCP from any IP on any port in via
|> gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80
|>
|> - Firewall Rules: for each of the LAN subnets, allow all out via the
|> mapped WAN/gateway ... e.g.:
|> allow any protocol from 172.16.2.0/24 on any port to any destination out
|> on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more
|> restrictive for WAN2 & WAN3)
|>
|> This all seems to work quite well but I need to automate the aliasing, if
|> that's the end solution.
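An idempotent boot-time version of the two ifconfig commands from the "What's Been Done" section, added here as an illustration and not code from the thread or from pfSense: it checks the interface's current addresses before adding each alias, so running it again at boot or by hand is harmless. The interface name and addresses are the poster's; the function names and the hook that runs the script at startup are assumptions.

```sh
#!/bin/sh
# Added example: apply the LAN address aliases from the thread without
# duplicating them. Interface and subnets are the thread's; the script is
# assumed to be run once at boot from whatever startup hook the install offers.

LAN_IF="${LAN_IF:-sk0}"
# One alias per entry, address/prefix, exactly as in the poster's commands.
LAN_ALIASES="172.16.2.1/24 172.16.3.1/24"

# has_inet ADDR: read `ifconfig` output on stdin, succeed if ADDR is
# already configured as an inet address on that interface.
has_inet() {
    awk -v a="$1" '$1 == "inet" && $2 == a { found = 1 } END { exit !found }'
}

# has_alias IFACE ADDR: same check against the live interface. If ifconfig
# is missing or the interface does not exist, this reports "not present".
has_alias() {
    ifconfig "$1" 2>/dev/null | has_inet "$2"
}

# alias_cmd IFACE CIDR: the single ifconfig command for one alias.
alias_cmd() {
    printf 'ifconfig %s alias %s\n' "$1" "$2"
}

# apply_aliases IFACE "CIDR CIDR ...": add each alias that is not yet
# present; print one line per alias saying what was done.
apply_aliases() {
    iface="$1"
    for cidr in $2; do
        addr="${cidr%/*}"            # strip /prefix for the presence check
        if has_alias "$iface" "$addr"; then
            echo "present: $addr on $iface"
        else
            alias_cmd "$iface" "$cidr" | sh && echo "added: $addr on $iface"
        fi
    done
}

# Only act when executed directly, not when sourced for testing.
case "$0" in
    *apply-lan-aliases*) apply_aliases "$LAN_IF" "$LAN_ALIASES" ;;
esac
```

Keep in mind that aliases on one interface leave all three subnets in a single broadcast domain, so the per-subnet LAN rules steer outbound traffic to a gateway but do not isolate the subnets from one another. Current pfSense releases also expose this directly in the web interface as Firewall > Virtual IPs (type IP Alias), which persists across reboots without a script.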
