set the LAN interface to use VLANs? -Sean
> Date: Thu, 7 Feb 2008 04:36:40 -0800
> To: [email protected]
> From: [EMAIL PROTECTED]
> Subject: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
>
> After searching the archives, the forum and conferring with Mr. Google, I've not found anything about the best/correct strategy to use to support multiple LAN subnets on a single LAN port.
>
> The Questions
> =============
> - is using address aliases the correct/optimal/best way to create the WAN aliases?
>
> - if using address aliases is *not* the best way, what is?
>
> - if using address aliases *is* the best way, I assume that the commands should be entered in a /etc/rc script:
>
>   * if a /etc/rc script is the right way, what's the rc processing flow on FreeBSD ... i.e., usually there's a standard script naming that will automatically cause it to get included in the startup processing ... what is it on this *NIX?
>
>   * if a /etc/rc script isn't the right way, what is (I'm not familiar with Perl or PHP but am very comfortable with shell scripting)?
>
> - are there any problems with the overall approach we're using, here?
>
> TIA
>
> Background Info
> ===============
> Graphically, we have (all addresses are "made up", LAN switches omitted) ... view in mono-spaced font:
>
>                    Aliased IPs:                              Ultimately Mapped To:
>     +------+       172.16.1.50                               WAN : domain1.com
>     |      |       172.16.2.50                               WAN2: domain2.com
>     |      |       172.16.3.50                               WAN3: domain3.com
>     |Server|----+
>     |      |    |             +-------+   +-----------+     WAN
>     |      |    | 172.16.1.1  |       |   |           |     4.4.8.4        +------------
>     +------+    | 172.16.2.1  |       |--+            +--+  domain1.com    |
>                 | 172.16.3.1  |       |  |   WAN2     |  |  +------+       |   +---+
>     +=======+===+=============|pfSense|--------------+--|Switch|--|DSL|--+------------
>     |       |                 | 1.2RC4|   4.4.16.4   |   |      |  +---+  |  4.4.16.4
>     +-----+ +-----+           |       |---+          +--|      |         |  domain2.com
>     | Mac | | PC  |           |       |   |   WAN3    |  +------+        |
>     +-----+ +-----+           +-------+   +----------+                   +------------
>     172.16.1.100 172.16.1.200               4.4.32.4                       4.4.32.4
>                                                                            domain3.com
>
> Being 2 small offices, our pfSense setup and requirements are relatively simple:
>
> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static public IP addresses
>
> - since the DHCP assignment relies on a MAC address, we have the "normal" WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2)
>
> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec passthrough)"
>
> - all 3 WANs have ports mapped onto a LAN-resident server that supports the web serving for the 3 different domain names via virtual hosts based upon IP:port binding using the 3 different subnets (the server's single port is aliased to reside on the 3 subnets)
>
> - the WAN port is the only one that sees any "general" LAN-resident traffic (i.e., other than the traffic that's mapped to/from the server) and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the LAN-resident server
>
> - I split our DNS services for private/public address access so NAT reflection is not an issue (being a development shop, we have multiple internal-only servers as well)
>
> - we have a second basic LAN/WAN-only pfSense at another office with an IPSec tunnel running and we have PPTP configured
>
> What's Been Done
> ================
> What I've done is simply added address aliases on the otherwise 172.16.1.1 LAN port via
>
>     ifconfig sk0 alias 172.16.2.1/24
>     ifconfig sk0 alias 172.16.3.1/24
>
> (the Web interface then reports it as the last-added alias)
>
> The only rules are:
>
> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ... e.g.:
>   allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80
>
> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ... e.g.:
>   allow TCP from any IP on any port in via gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80
>
> - Firewall Rules: for each of the LAN subnets, allow all out via the mapped WAN/gateway ... e.g.:
>   allow any protocol from 172.16.2.0/24 on any port to any destination out on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more restrictive for WAN2 & WAN3)
>
> This all seems to work quite well but I need to automate the aliasing, if that's the end solution.
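As an added example (not code from the thread or from pfSense), here is a POSIX sh script in the spirit of the poster's shell scripting: it checks a list of extra LAN subnets and renders either the ifconfig alias commands the poster ran by hand or stock FreeBSD rc.conf `ifconfig_<if>_alias<N>` entries that recreate them at boot. The interface name and subnets are the thread's; the rc.conf naming is plain FreeBSD's convention, not a pfSense mechanism.

```shell
# Added example, not pfSense's or the poster's code: validates a list of extra
# LAN subnets (the thread's sk0 / 172.16.x.1/24) and renders either the
# ifconfig alias commands or stock-FreeBSD rc.conf ifconfig_<if>_alias<N> lines.

# valid_ipv4 A.B.C.D -> success only for four decimal octets in 0..255
valid_ipv4() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# prefix_to_mask 24 -> 255.255.255.0; fails outside 0..32
prefix_to_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# alias_lines cmd|rc IFACE CIDR... -> one line per alias; fails (printing
# nothing) on a missing or bad prefix, a bad address, or a repeated address.
alias_lines() {
    fmt=$1; iface=$2; shift 2
    seen=" "; out=""; n=0
    for cidr in "$@"; do
        addr=${cidr%/*}; prefix=${cidr#*/}
        [ "$prefix" != "$cidr" ] || { echo "no prefix: $cidr" >&2; return 1; }
        valid_ipv4 "$addr" || { echo "bad address: $cidr" >&2; return 1; }
        mask=$(prefix_to_mask "$prefix") || { echo "bad prefix: $cidr" >&2; return 1; }
        case $seen in *" $addr "*) echo "duplicate: $addr" >&2; return 1 ;; esac
        seen="$seen$addr "
        if [ "$fmt" = rc ]; then
            line="ifconfig_${iface}_alias${n}=\"inet $addr netmask $mask\""
        else
            line="ifconfig $iface alias $addr netmask $mask"
        fi
        out="$out$line
"
        n=$((n + 1))
    done
    printf '%s' "$out"
}
```

Address aliases on one port leave all three subnets in a single broadcast domain, so this check adds correctness, not separation; separating the subnets is what the VLAN route in the reply provides.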
