Netgate Discussion Forum

How to keep networks separated

L2/Switching/VLANs
networking switch at&t modem lan
  • B
    blake
    last edited by Apr 27, 2022, 9:59 PM

    New to using pfSense. I have tried in the past to get it up and running in a VMware ESXi environment but had been unsuccessful until now. Everything works, but my pfSense is using an AT&T modem; the AT&T modem is configured for IP passthrough to allow pfSense to get a public IP address. pfSense is configured for DHCP and is handing out 10.x.x.x IP addresses correctly, and I can get out to the internet without any issues. I'm still using the AT&T modem for other devices and it is handing out IP addresses in the 192.x.x.x range and everything works as expected. I can't ping anything from the 192 to the 10 network, which seems correct to me. But I can ping from the 10 to the 192 network, which does not seem correct to me. I do not want the 10 to be able to reach the 192. Is there anything I can do to prevent the 10 from reaching the 192?

    • J
      johnpoz LAYER 8 Global Moderator @blake
      last edited by Apr 27, 2022, 10:01 PM

      @blake said in How to keep networks separated:

      I do not want the 10 to be able to reach the 192. Is there anything I can do to prevent the 10 from reaching the 192.

      Yeah, put in a rule on your LAN that blocks access to 192.168/16, or whatever the /24 network is that you're using on the pfSense WAN.

      Seems odd to me that you're saying pfSense is getting a public IP but other devices are getting 192; this isn't normally how a gateway in bridge mode works.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • A
        AndyRH @johnpoz
        last edited by Apr 28, 2022, 1:15 AM

        @johnpoz With my ATT modem in DMZ mode pfSense gets a public address, but hosts on the inside can still talk to 192.168.1.0/24, which is the ATT DHCP range. I cannot say how it works, but it does.

        o||||o
        7100-1u

        • J
          johnpoz LAYER 8 Global Moderator @AndyRH
          last edited by Apr 28, 2022, 3:57 AM

          @andyrh There is a difference between DMZ mode, where all traffic is sent to the DMZ host, and actually having a public IP.

          Ah, you're doing this:

          https://www.att.com/support/smallbusiness/article/smb-internet/KM1188700/

          You are on a business connection then I take it.

          • A
            AndyRH @johnpoz
            last edited by Apr 28, 2022, 7:03 PM

            @johnpoz That is what I did because my modem does not have bridge mode. I do not have a business connection.

            • J
              johnpoz LAYER 8 Global Moderator @AndyRH
              last edited by Apr 28, 2022, 7:29 PM

              @andyrh Either way, yeah, it makes sense that you would be able to access that network on your WAN with such a setup.

              Just block that access on the pfSense LAN if you do not want your clients to access whatever 192.168.x.x network.

              • B
                blake @johnpoz
                last edited by Apr 30, 2022, 1:01 PM

                @johnpoz Thanks for your help, that worked. After restarting pfSense it started working.

                • J
                  johnpoz LAYER 8 Global Moderator @blake
                  last edited by johnpoz Apr 30, 2022, 1:10 PM

                  @blake said in How to keep networks separated:

                  After restarting Pfsense it starting working.

                  You should not have had to restart pfSense, but if there was an existing state, sure, it would have still been allowed.

                  If you had waited for that state to time out, or if you had killed the state, then the rule would have kicked in. States are looked at before firewall rules.

                  So if pfSense had allowed traffic to X, and the state was still there, then yes, traffic via that state would have still been allowed until the state went away. Rebooting pfSense is one way of killing off states, but it's a pretty heavy-handed way of doing that ;)

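The ordering johnpoz describes (state table first, then rules) is easy to see in a small model. The following is an added example, not code from the thread or from pf/pfSense: a toy stateful filter with constructed addresses that replays the scenario, where a block rule added on the 10.0.0.0/8 LAN toward 192.168.0.0/16 only takes effect for a flow once its state is killed or has timed out.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("10.0.0.0/8")        # pfSense LAN side (constructed)
ATT_NET = ipaddress.ip_network("192.168.0.0/16")    # AT&T gateway side (constructed)
ANY = ipaddress.ip_network("0.0.0.0/0")

class StatefulFilter:
    def __init__(self, rules, state_timeout=60):
        self.rules = list(rules)      # (action, src_net, dst_net); first match wins
        self.states = {}              # (src, dst) -> expiry time in seconds
        self.state_timeout = state_timeout

    def evaluate(self, src, dst, now):
        """Return the verdict for one packet seen at time `now`."""
        key = (src, dst)
        # 1. State lookup happens before the ruleset: a live state passes the packet
        #    even when the current rules would block a brand-new connection.
        expiry = self.states.get(key)
        if expiry is not None:
            if expiry > now:
                self.states[key] = now + self.state_timeout   # traffic refreshes the state
                return "pass (state)"
            del self.states[key]                              # expired: fall through
        # 2. No usable state: the first matching rule decides; a pass creates a state.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, src_net, dst_net in self.rules:
            if s in src_net and d in dst_net:
                if action == "pass":
                    self.states[key] = now + self.state_timeout
                return f"{action} (rule)"
        return "block (default)"

    def kill_states(self, dst_net):
        """Drop states toward dst_net, the light-weight alternative to a reboot."""
        self.states = {k: v for k, v in self.states.items()
                       if ipaddress.ip_address(k[1]) not in dst_net}

def demo():
    """Replay the thread's scenario; returns the verdict at each step."""
    fw = StatefulFilter([("pass", LAN_NET, ANY)], state_timeout=60)  # default LAN allow
    out = {"before_rule": fw.evaluate("10.0.0.5", "192.168.1.10", now=0)}
    fw.evaluate("10.0.0.7", "192.168.1.20", now=0)              # a second live flow
    fw.rules.insert(0, ("block", LAN_NET, ATT_NET))             # the advised LAN block rule
    out["same_flow_after_rule"] = fw.evaluate("10.0.0.5", "192.168.1.10", now=10)
    out["new_flow_after_rule"] = fw.evaluate("10.0.0.6", "192.168.1.10", now=10)
    fw.kill_states(ipaddress.ip_network("192.168.1.10/32"))     # kill only that state
    out["after_kill"] = fw.evaluate("10.0.0.5", "192.168.1.10", now=11)
    out["other_flow_after_timeout"] = fw.evaluate("10.0.0.7", "192.168.1.20", now=100)
    return out
```

Running `demo()` shows the first flow still passing on its state after the rule is inserted, a new flow being blocked immediately, and both old flows blocked once their state is killed or times out.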
                  • G
                    GPz1100 @johnpoz
                    last edited by May 1, 2022, 11:29 PM

                    @johnpoz said in How to keep networks separated:

                    Seems odd to me that your saying pfsense is getting a public IP - but other devices are getting 192 - this isn't normally how a gateway in bridge mode works.

                    That's how the ATT garbage works. Their gateways have what's called passthrough mode. Via DHCP it assigns the public IP to a single device on the LAN side.

                    However, the public IP still remains assigned to the gateway's WAN as well. It's a pseudo-passthrough mode of sorts, a fake bridge.

                    The end result: the customer's device (router, pfSense, etc.) has what appears to be a public IP, as does the gateway. As such, the gateway can assign various private IPs to other devices (wired and wireless) connected to its ethernet ports and/or wifi SSID. A traceroute from behind the customer's router (pfSense or other) will show the gateway IP as the first hop (192.168.1.254) rather than the real WAN gateway.

                    For those of us on fiber in areas not yet upgraded to XG-PON, several bypass methods exist which eliminate the ISP gateway box entirely. The best is extracting (or buying) the 802.1X certs, then implementing them in software using wpa_supplicant. This gives the customer full access and control of the network, no double NAT, etc. Also a /60 PD for IPv6 vs the /64 from the gateway box.

                    The other methods still rely on the gateway box in one manner or another.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.