Why do you need multiple LAN NICs on a firewall?

Hi all – I read people talking about needing multiple LAN NICs for firewalls like pfSense and maybe Untangle. And I see emphasis on good NICs, on their quality or performance.

This seems to apply most to commodity servers or PCs where you’d install the firewall software. What are these NICs for? Why would you need more than one on the LAN side?

I thought routers and firewalls just needed one LAN port and one WAN port, and anything downstream on the LAN side can be handled by a switch. What are people doing with extra LAN NICs?

Also, I don’t think routers and switches typically have “NICs”, at least not discrete NICs for each 1GbE port. They seem to centrally handle their processing. So why would multiple NICs on a generic box be important? Is it about hardware offload?


They usually bond the links together for more bandwidth or redundancy across an HA pair of switches.

Also for separate network / subnets instead of using VLANs.

Or in conjuction with VLANS. I have a couple of networks set up where I’m using dedicated NICs for VLAN parents so that I’m not loading one NIC with all the traffic.

1 Like

Here’s another example:

First, understand that we have some extremely sensitive (paranoid) clients! So, we designed a network with significant physical separation, which keeps auditors happy. In addition, all desktops and laptops only execute application code in a virtual machine, all of which are killed at least once each day.

We use a pfSense firewall with four NICs, each of which serves a separate physical network:

– The primary network, connected only to internal desktop computers, where users are required to use a 2-factor authentication device that must remain in a USB port to continue connectivity and is connected to the user by a cord. We very heavily control both inbound and outbound traffic on that network, which causes some problems, particularly with Microsoft updates and telemetry. On this network a database server and a large NAS which has dual ports. Only one of those ports connects to the primary network. (The db server journals to the NAS.)

– The data backup network has a second large NAS. The second port on the primary network NAS is connected to this network, but that connection is controlled by rules in the firewall. The connection is only opened when backups to the primary NAS have completed, when we then backup the primary NAS to the secondary one. The only external access allowed on this network is to the NAS vendor’s update site. There is no inbound access.

– The remote worker network is accessed through a specific open port in the firewall and requires the same 2-factor authentication used on the primary network. Read-only access is provided to the primary network and, consequently, to the db server and primary NAS. None of the machines used for remote access are ever allowed in the office!

– The “guest” network has a single wifi AP in the main conference room. There are a few firewall rules controlling this network, although not many, and we are careful not to inspect any packets. (It’s better protected than wifi at Starbucks, but not by a lot.)

This works reasonably well, at least so far, other than the problems with accessing some vendor sites where the IP addresses cannot be resolved to a domain using reverse lookup. (This happens a lot with content delivery networks.)

All four networks use only HTTPS DNS queries to Cloudflare. Except on the guest network, all domains other than .com are banned, which also causes some vendor update problems.

Yes, this could have been done with VLANs, but explaining VLANs to an auditor is beyond my skill level!