Have I got this right?

[PhilJ]

Hi

As a new pfSense user, I'm trying to understand how I would set up my pfSense box. As I understand it, one network port will be used for a WAN and another for a LAN - can I connect a separate switch to the LAN port and all other remaining network ports?

I currently have six switches throughout my house, all of which come from my 4-port router, ideally, I want each switch to have its own dedicated LAN port on the pfSense box.

Many thanks

Phil

[marcelloc]

How many ports do you have on your pfsense?

if you have one for wan and other for lan, then you need vlan tag on each switch plus trunking between then to work this way.

if you have one lan for each switch, then you can configure each interface with distinct network subnet for each switch.

[PhilJ]

Thanks for the reply.

I have four quad Intel PT cards (a friend had them spare and I gladly took them off his hands). Does each LAN port have to be on a different subnet, would this not prevent network devices communicating across different switches (as the devices are on a different subnet)?

I was hoping that I could connect a switch to each LAN port and that would be it, is it not as simple as this?

Thanks

Phil

[stephenw10]

Good friend you have!
You can connect each switch to a separate port. You will have to setup 3 additional interfaces but it's pretty easy. They would usually be on different subnets.
However, what are you trying to achieve by doing this?

Steve

[PhilJ]

Hi Steve

My main aim is to build a router with multiple LAN connections. I've never used pfSense before and don't want these network cards to go to waste. I was under the impression if network devices are on different subnets then they couldn't communicate with each other?

Thanks

Phil

[marcelloc]

don't want these network cards to go to waste.

Ebay can help you on making good money to prevent this waste 

I was under the impression if network devices are on different subnets then they couldn't communicate with each other?

It's up to you 

With a firewall you can block, permit, reject, nat, forward any balance any communication between networks.

Pfsense is a statefull firewall, so any rule you want to apply must be configured where traffic begins.

If you want to do not allow traffic from lan1 to lan2 , the deny rule stays in lan1.

And of course, welcome to pfSense.

[stephenw10]

pfSense will route between the different subnets.
So for example if you have one interface on subnet 192.168.100.* and another on 192.168.101.* then you could ping a machine on the first subnet, say 192.168.100.10, from another machine on the second subnet, say 192.168.101.10. You would have to put in place firewall rules to allow this though.

pfSense can also include dhcp leases in dns so that you can access local machines by name.

However some software, games for example, often only look on the local subnet for other machines.

You can bridge the interfaces such that they will all be on the same subnet. That can introduce other problems though.

The question is why you want to divide you network into subnets? If it's just for the learning experience then go for it!

Steve

[PhilJ]

Thanks for the replies.

Steve, I don't want to divide the network in to different subnets, but 'marcelloc' said:

if you have one lan for each switch, then you can configure each interface with distinct network subnet for each switch.

So are you saying that all LAN ports can be on the same subnet? As this is just for home use, albeit with quite a lot of network devices, I was hoping it would be a case of getting all the NICs up and running and connect a switch to each LAN port.

Thanks

Phil

[marcelloc]

all LAN ports can be on the same subnet?

Can be done if you configure all lan networks on a single bridge, just to use the hardware

[PhilJ]

OK, so what is normal for home use? Split the switches to different subnets/LAN ports or not? Steve, you say bridging the interface so all switches are on the same subnet can create problems, so what is the alternative?

I basically want a pfSense box (to simply use as a router) with a load of NIC cards that I can connect switches to, rather than daisychain switches throughout my house.

Cheers

[focalguy]

OK, so what is normal for home use?

What is normal for home use would be to have one WAN and one LAN on your pfSense router. Then connect the LAN port to a switch. From that switch, connect all your other switches throughout the house.

It sounds like you want to use your pfSense router as a router and a switch to connect to the rest of your switches. If that is the case, then you need to bridge the interfaces in pfSense so that they all use the same broadcast domain and act like a layer 2 device (a switch). It's just not as common but since you have all those network cards in one box it should work.

[PhilJ]

It sounds like you want to use your pfSense router as a router and a switch to connect to the rest of your switches.

Yes! That's exactly it.

...then you need to bridge the interfaces in pfSense so that they all use the same broadcast domain and act like a layer 2 device (a switch).

Is this done within the webGUI?


Apologies for all the questions, but I'm a bit clueless in the pfSense arena.

Cheers

[focalguy]

Yes, you can do it in the web GUI. I haven't done it myself but under "Interfaces -> Assign Interfaces -> Bridges" it looks promising... Poke around in there. You'll want all your LAN interfaces in the same bridge.

[stephenw10]

There's a load of good info on bridging: http://doc.pfsense.org/index.php/Category:Bridging

The problems I mentioned earlier are that when you bridge the interfaces together traffic between them has to be processed by pfSense. Usually this is a good thing as you can put firewall rules in place to restrict access. However if you just want all traffic to pass it is a serious bandwidth restriction. Just be aware of this. You don't want to be moving large amounts of data across the bridge if you can help it.

What sort of hardware are you planning to use?

Steve

[PhilJ]

The hardware I have is an Intel Core i3-2120 3.30GHz CPU and Intel DQ67 mobo. I have a max of 8GB of RAM available and a Crucial 128GB SSD.

Network cards are Intel Pro 1000 PT cards.

Also, the motherboard has integrated graphics - do you think this will cause any probs or should I consider a dedicated graphics card?


You mention not moving large amounts of data across the bridge - how much would cause a problem? HD video streaming?

Thanks