Multiple subnets on pfSense?
-
I more or less followed this; it would help to see a Visio or Dia diagram of the proposed network layout (with maybe only 2 or 3 VLANs shown). What it sounds like you want to do is just put the pfSense box in between the L3 switch and the PIX; putting it in each VLAN is just making your network more complex than it needs to be and isn't how the shaper works (LAN and WAN interface only - actually, any TWO interfaces now).
–Bill
-
Hi Bill,
I have made a quick JPG of the network.
You can see it here:
http://www.sundbynet.dk/forum/sundbynet.jpg
Hope that it explains it better; otherwise feel free to ask any questions.
Sincerely, Carsten Larsen
-
Check the firewall log and see if you're missing any allow rules by chance.
Possibly assign virtual IPs within each of the given IP ranges to the pfSense box (2.1, 3.1, 4.1, etc.) and change the gateway IP for the separate VLANs accordingly.
-
Hello,
I looked in the firewall log and could see that there were many "blocks" from all of my subnets, even though PCs from those subnets could still ping the firewall.
I tried making a rule to allow the 192.168.3.0/24 net to any, and that stopped PCs from this subnet showing up in the firewall log, but still no internet. It looks like we got a little further, though.
I don't understand exactly what you mean about the virtual IP; could you perhaps clarify this a little bit more?
Sincerely, Carsten Larsen
-
Virtual IPs...
On the internal interface on the firewall, have the real IP address be what it currently is (192.168.1.1), and then go to Firewall --> Virtual IPs and add a virtual IP for each of the subnets.
So you can assign virtuals for
192.168.2.1/24
192.168.3.1/24
192.168.4.1/24
and so forth....
-
Hey all,
I got it to work. It was the outbound NAT that I needed to enable; then everything worked out fine.
Thanks a lot for the help anyway. Now I'm fooling around a little bit with the traffic shaper, but I don't think it works all that well for me, or perhaps I'm doing something wrong.
We have a 10/10 Mbit FWA connection from our ISP, and in the traffic shaper wizard I have typed that my LAN is 10000 kbits/second and WAN is 10000 kbits/second. Is this correct? I then tried to traffic shape P2P, especially Direct Connect, as only 1 % of the total bandwidth, but I could still download with almost 10 Mbit from DC++?
Any ideas, guys?
Sincerely, Carsten
-
Now I'm fooling around a little bit with the traffic shaper, but I don't think it works all that well for me, or perhaps I'm doing something wrong.
We have a 10/10 Mbit FWA connection from our ISP, and in the traffic shaper wizard I have typed that my LAN is 10000 kbits/second and WAN is 10000 kbits/second. Is this correct? I then tried to traffic shape P2P, especially Direct Connect, as only 1 % of the total bandwidth, but I could still download with almost 10 Mbit from DC++?
Check out this post:
http://forum.pfsense.org/index.php?topic=63.0
–Bill
-
I've seen this type of setup at a friend's job location, and I don't mean to be an ass... but such a complex configuration for a site that functions as a single LAN? If all computers can ping each other as if they were all on the same subnet, all that routing inside the site makes no sense to me. Wouldn't it be easier to just change the subnet mask to 255.255.252.0, have 192.168.0.1 through 192.168.3.254 as one giant subnet, and just do away with all the internal routing? The gateway would surely then be a much simpler config.
I'm definitely interested in knowing the method of your madness :)
-
Well, judging by his picture, a few reasons that I can see:
- 500 hosts won't fit into a /24 address
- why have 500 hosts' worth of broadcast packets flying around when you can contain everything within each subnet
- management reasons
We have a similar setup here at work, although on a much larger scale (150 VLANs, 4600 hosts). Every building has its own VLAN and subnet. While we could theoretically have the whole site under a /19 address, it's just much more practical from a management standpoint to use subnets. Plus it makes it way easier to track down problems, etc., etc.
-
Well, I was suggesting a /22 (or /23, for just 500).
In a Windows environment, the bulk of the broadcast traffic is quelled using a group policy to disable the Computer Browser service (which isn't needed on 2000 or greater, and I think even NT4 doesn't need it).
What management reasons? thinair, does your site have 1 main internet connection? I just don't see what the benefit is to have such a complex configuration for a single LAN that is connected as if it's one contiguous LAN.
-
One internet connection, two routers; one routes odd-numbered VLANs and the other routes even-numbered VLANs, and if one fails the other will route all VLANs (for load balancing and failover).
We have a lot of buildings on site; right now we only have fibre run to 148 buildings, so we have 148 VLANs. Each building has its own VLAN. If someone does something that they shouldn't do (like plug a personal laptop into our network), we can quickly narrow it down to which building it is just by looking at its IP address, then shut down the port on that switch. We have roughly 250 switches, by the way. Also, it keeps the broadcast domain within the building itself. Plus it's a fairly secure network, so we don't need someone on the opposite end of our site to sniff broadcasts.
Our smaller networks don't have VLANs yet, although our second largest network will soon be NAT'd and VLAN'd; we're getting near our 510 IP address limit.
-
The config of our network is, just as thinair says, configured this way to get a better management and diagnostic situation.
Having a different VLAN and subnet per building (we currently have 15 buildings) makes it easier to identify a computer's location by its IP.
Also, since none of the users are on the 192.168.1.0 subnet, we are also protected from someone who plugs an access point or a router that has 192.168.1.1 as its default IP into our network and brings the whole thing down; or if someone accidentally adds a DHCP server to the network, it's only that building that goes down, and not the whole network.
Sure, they can ping across the VLANs, but they can't see each other in Network Neighbourhood, so that adds a little extra protection.
But anyway, thanks for all the nice inputs.
Sincerely, Carsten
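An added example (not code from the thread or from pfSense) that models the per-building addressing plan described above: one /24 per building, the .1 of each as its gateway, and a management net with no user hosts. It checks the plan for overlapping prefixes, gives the usable host count behind the "500 hosts won't fit a /24" point, and maps a host address back to its building, which is the property the posters rely on to find a rogue device. The building count, third-octet numbering and sample addresses are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed plan (not the thread's real addressing): a management/firewall net
# with no user hosts, then one /24 VLAN per building with the gateway at .1.
MGMT_NET = ip_network("192.168.1.0/24")


def build_plan(buildings: int, first_third_octet: int = 2) -> dict[str, IPv4Network]:
    """One /24 per building: building 1 -> 192.168.2.0/24, building 2 -> .3.0/24, ..."""
    return {f"building-{n}": ip_network(f"192.168.{first_third_octet + n - 1}.0/24")
            for n in range(1, buildings + 1)}


def gateway(net: IPv4Network) -> IPv4Address:
    """The .1 address each VLAN uses as its gateway (a pfSense virtual IP in the thread)."""
    return net.network_address + 1


def usable_hosts(net: IPv4Network) -> int:
    """Addresses left for hosts after network and broadcast (254 for a /24, 510 for a /23)."""
    return net.num_addresses - 2


def check_plan(plan: dict[str, IPv4Network]) -> list[str]:
    """Report overlapping prefixes; an overlap means two VLANs would claim the same hosts."""
    nets = list(plan.items()) + [("management", MGMT_NET)]
    problems = []
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


def locate(ip: str, plan: dict[str, IPv4Network]) -> str:
    """Name the VLAN a host sits in from its address alone, which is what lets the
    admins in the thread narrow a rogue device down to a building and switch port."""
    addr = ip_address(ip)
    if addr in MGMT_NET:
        return "management"
    for name, net in plan.items():
        if addr in net:
            return name
    return "unknown"


if __name__ == "__main__":
    plan = build_plan(15)
    assert check_plan(plan) == []
    print(locate("192.168.7.42", plan))   # building-6
    # A consumer router defaulting to 192.168.1.1 lands in the management net,
    # where no user hosts live, so it cannot shadow any building's gateway.
    print(locate("192.168.1.1", plan))    # management
```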
-
Well, as it's been stated before, subnetting is dumb in your house or in a small business (assuming it's not IT-related), but if you are in a larger business or an IT-related small business (aka ISP/co-location firm) then it makes lots of sense.
i.e. (here's an example):
At one of my jobs I work for the IT department at a college (small school); there are about 1200 students on the campus network besides about 1,000 desktops/servers, 100 printers, and 100 or so switches. Last year this was a flat network (i.e. just one VLAN) and it bit us in the ass; the network went down for a couple of days (oh, by the way, I'm not in charge of the network, just the intern), so they subnetted the students off into a class B non-routable network because of the broadcast traffic (Klez/MyDoom/insert virus of choice). After subnetting the students off from the rest of the network everything was fine till there was a fence-jumper, which killed the network in the spring. Did it get fixed? Not yet; running 3 VLANs now but still having issues every other week. Why? Because people didn't plan for growth years ago and now it's a huge project to change everything over.
Moral of the story: in business, if you wonder whether you should subnet the network or not, seriously consider it, as it can come back to bite you in the ass a couple of years down the road.
-
I've seen this type of setup at a friend's job location, and I don't mean to be an ass... but such a complex configuration for a site that functions as a single LAN? If all computers can ping each other as if they were all on the same subnet, all that routing inside the site makes no sense to me. Wouldn't it be easier to just change the subnet mask to 255.255.252.0, have 192.168.0.1 through 192.168.3.254 as one giant subnet, and just do away with all the internal routing? The gateway would surely then be a much simpler config.
I'm definitely interested in knowing the method of your madness :)
Large broadcast domains suck ass, keep your subnets small (especially if you have Windows boxes as they are EXTREMELY chatty).
–Bill
-
Well, as it's been stated before, subnetting is dumb in your house or in a small business (assuming it's not IT-related), but if you are in a larger business or an IT-related small business (aka ISP/co-location firm) then it makes lots of sense.
Ohhh, subnetting at home has a LOT of uses, none of which the AVERAGE user needs (especially when you consider that the average user has a whopping one peeeceee).
–Bill
-
By the way, I forgot to mention that this is not an office network, but 500 apartments (and growing) that are sharing the same internet connection, together with cheap telephone and cheap TV, here in Denmark.
When we began to make this network, we did a lot of thinking about the structure before we implemented it, and I think today we are happy with our subnetting, because we get bigger and bigger with more apartments all the time, so it's nice to have done things the right way from scratch.
Anyway, thanks for the replies.
sincerely
Carsten
www.sundbynet.dk