Qain or Wendell: Configuring Multiple LANs, and Disabling DHCP and DNS in PfSense 2.1

Hey guys,

Back when you guys made the "build your own router" video I became very interested in building a PfSense box. Now that I am in college and the switches that they have us use are utter garbage, I wanted to put my newly built router to work. Then came the problems. I quickly learned that while I could get a single port up and running I had no clue how to set up multiple LANs. Also since the University uses its own DHCP servers I was told by the network team that I would need to disable both DHCP and DNS. I have spent the better part of what may very well total several days in man hours trying to solve this quandary.

I am in dire need of some serious help, else I will be forced to use my anemic 5-port 10/100 switch that seems to have a ghost connection on the 5th port. Any and all help would be very, VERY appreciated. Thanks again in advance.

Much obliged,

Well, I have no experience with Pfsense.

To get more LANs, you need to set up vLAN.

What exactly are you wanting to do?

To disable the DHCP server: Services -> DHCP Server -> uncheck "Enable DHCP server on LAN interface"

But I'm not really sure why you would be trying to connect the LAN side of your pfSense box to the university's network...

Ok taking a guess, you want to set up a pfSense box in your dorm because you have more than one computer and the switches you have available are total crap? So by multiple lans you mean you want to have several network interface cards or a multiport NIC so that you can use the pfSense box instead of the switch? Then you would create a bridge, assign it to the LAN interface, use one port to connect to the Uni's network and assign it to WAN, then add the rest of the ports to the bridge and connect them to your other computers. If your Uni policy does not allow NAT in dorms (because they want to be able to track the usage on a per device basis) then you would turn off the DHCP server, NAT, DNS forwarding, and all that fun stuff. If there is a captive portal that you have to log into to get access to the network, that could cause problems as well.

Thanks Freq,

your second guess is right on. I had no idea what the vLANs were used for. I am very new to networking. I won't be able to try that out until early next week because I am going out of town for the weekend. As soon as I get back I will try that out and get back to you. Thanks for the help man!

Ok in that case VLANs won't help you any. I spent a while trying to test my idea with some virtual interfaces, but strangely I've been hitting a bunch of unexpected behavior. I'll try to get a solid process tested if I have time, because there are a few peculiarities about pfSense that are different from how I would normally do things. I use bare FreeBSD without a web UI for my personal needs, and just configuring things with the command line doesn't work with pfSense.

Setting up a bridge as the LAN interface it turns out is a bit cumbersome. I'm going to try just bridging the LAN to the OPT interfaces instead of bridging a bunch of OPTs and having the bridge itself assigned as the LAN port. Anyway I'll post an update when I decide which way works better.

So all of my problems were just with the way I did my test setup. I was testing in a VM trying to use GIF tunnels for the LAN ports and that was a bust, so I just threw a NIC in and passed it to the VM, and everything seems to work now. I'm using a bridge as the LAN interface and a pair of NICs are attached to the bridge. I've got internet through one port, but haven't tested to verify that local traffic traverses the bridge to get from one port to the other. Once I have tested that, I'll post up my notes so that setup goes smooth for you :)

Sorry I couldn't get back to you until now, but thanks for all that you are doing to help me out. I really appreciate it. And if it helps I do not need to login to a portal to access the internet. It is plug and play. Hope that helps in some way.

Thanks again,

Heh I'm kinda messing around with the networking stuff for fun at this point. I've discovered so many ways to break things... Last night I accidentally made a loop of bridges and ended up doing a DoS on my whole network... hahah took me quite a while to figure out what I had done.

So anyway I guess I can give you a brief rundown of the steps now:

  1. Install pfSense (obviously)
  2. Skip configuring VLANs
  3. Assign the port that connects to your university's network to WAN, and assign another port to LAN. Connect this port to a computer so you can continue setup using the web interface. Don't assign any more interfaces at this point.
  4. You should have access to the webConfigurator at http://192.168.1.1, so go in and run through the initial setup, pretty much leaving the defaults for everything except admin password, hostname, and domain :) The initial default login is "admin" "pfsense".
  5. Once you're in, go to Interfaces->(assign) and add the rest of your NICs as OPT interfaces. Go through and click on the OPTn link in the Interface column for each one and check enable and then save at the bottom of the page as well. If you have only two ports on the LAN side, you'll be unable to do the shuffle necessary to set up the bridge. If this is the case, make a temporary VLAN interface on the VLANs tab and assign it to OPT2. Enable that as well. Don't worry about applying the configuration just yet.
  6. In the Bridges tab, add a bridge using all the OPTn interfaces. Click OPT1, hold shift, and click the last OPTn to select them all. Give it a description like "LAN bridge" and hit save.
  7. Back at the Interface assignments tab, select the bridge as the LAN interface. If you created a temporary VLAN interface, change the NIC assigned to that OPT to the one displaced by the bridge. Then you can delete that VLAN from the VLANs page. Otherwise, you should be able to add one more OPT and assign it the displaced NIC. In this case you'll also have to go back and edit the bridge to include the new OPT.
  8. Success!
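
An added example, not part of the original thread: a sanity check to run over a saved pfSense configuration backup after the steps above, flagging a bridge that includes WAN (the case where the LAN-side DHCP server would reach the upstream network), a member that was never enabled, and a member that is itself a bridge. The element names (`interfaces`, `dhcpd`, `bridges/bridged`, `members`, `bridgeif`) are assumptions about the config.xml layout, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real box. Element names are assumed to
# match pfSense's config.xml layout (interfaces, dhcpd, bridges/bridged).
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <wan><if>em0</if><enable/><ipaddr>dhcp</ipaddr></wan>
    <lan><if>bridge0</if><enable/><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>em1</if><enable/></opt1>
    <opt2><if>em2</if><enable/></opt2>
    <opt3><if>em3</if></opt3>
  </interfaces>
  <dhcpd><lan><enable/></lan></dhcpd>
  <bridges>
    <bridged><members>opt1,opt2,opt3</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
</pfsense>
"""

def audit_bridge_config(xml_text):
    """Return a list of findings for a bridged-LAN configuration."""
    root = ET.fromstring(xml_text)
    ifaces = {node.tag: node for node in root.find("interfaces")}
    # Zones (lan, opt1, ...) where the DHCP server is switched on.
    dhcp_on = sorted(z.tag for z in root.findall("./dhcpd/*")
                     if z.find("enable") is not None)
    findings = []
    for br in root.findall("./bridges/bridged"):
        name = br.findtext("bridgeif", "bridge?")
        members = [m.strip() for m in br.findtext("members", "").split(",") if m.strip()]
        for m in members:
            node = ifaces.get(m)
            if node is None:
                findings.append(f"{name}: member {m} is not an assigned interface")
                continue
            if m == "wan":
                note = f"; DHCP server on {','.join(dhcp_on)} could answer upstream clients" if dhcp_on else ""
                findings.append(f"{name}: WAN is a bridge member{note}")
            if node.find("enable") is None:
                findings.append(f"{name}: member {m} is not enabled")
            if node.findtext("if", "").startswith("bridge"):
                findings.append(f"{name}: member {m} is itself a bridge (loop risk)")
    return findings

if __name__ == "__main__":
    for finding in audit_bridge_config(SAMPLE_CONFIG):
        print(finding)
```

An empty list means none of the three conditions was found; it does not verify cabling, so a box physically connected backwards still has to be checked by hand.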

I will be trying this out tonight, I hope that all goes well though I'm sure that if I am unable to follow these steps then it is a sign that I should not be messing with pfsense haha. Anyway thanks again and I will get back to you soon.

I've done this about 20 times over the past couple of days so if you can't figure it out I can just do it again real quick and take screenshots of everything.

I am sad to report that I was unsuccessful in my attempt. At one point I lost my connection to the switch itself. That happened after I added the old LAN port to the bridge after I assigned the bridge as the LAN.

Also I still am unsure how to disable DHCP and DNS.

You don't have to disable DHCP and DNS most likely. They would interfere with your university's network only if you hooked the pfSense box up backwards. DNS actually wouldn't ever interfere so I'm not sure why they would want you to turn it off in any case.

I'll be right back with step by step screenshots...

By the way, how many network ports do you actually have in this box?

Also if you lost the connection when you reassigned the lan port, it's possible that you would have to switch to a different port with your computer because it would have kicked the one you were using off and when you reassigned it that command never makes it back. I didn't run into this glitch because I had both LAN ports hooked up to the same computer. 

I have a total of four ports on my pfsense machine

Ok I only have three ports and so I'm using the VLAN as a dummy port method and it for some reason crashes pfSense when I add it to a bridge, but you can just ignore that part of the screenshot dump when I post the link since it doesn't seem to have affected you.

I wonder if we actually are hitting the same bug... I added a second virtual NIC to my VM so that I could verify the procedure with 1x WAN and 3x LAN... and it's consistently crashing when I create the bridge! WTF! I wonder if this is just a bug with my configuration. Would you mind seeing if a page fault occurs on the console of the pfSense box when you create the bridge?

I don't think I get an error. When I check the console it says that bridge0 is being used as the LAN. No error

Right now the bridge is set up along with the WAN but I don't even have access to the switch at 192.168.1.1 even though when I looked at the console that is the IP it gives me for the LAN. Not sure what to make of that.