Netgate Discussion Forum

Using subnets with pfsense

Routing and Multi WAN
16 Posts 8 Posters 6.9k Views
sandeep.sp

I am subnetting my network to reduce the broadcasts.
I've got more than 100 PCs on my LAN and some use the internet and some do not, so I will keep those PCs which use the internet in one subnet and those which don't use the internet will be kept in the other subnet.

In this way I can control the traffic on my LAN.
This is what I want to do..

Supermule

HP managed switches can block multicast traffic, just FYI.

:)

If you plan to do it the easy way…..BUT. I would use VLANs to reduce traffic like that, if I didn't have a switch that could....

blak111

          The subnetting alone won't reduce the amount of broadcasts on that network. It will just change the destination addresses. It will still be delivered to all of the nodes unless you actually divide the network using VLANs or separate hardware.

sandeep.sp

I don't have a managed switch.
I have only one 3Com managed switch and the other switches are not managed. Can I create the VLAN in this scenario? I mean, how can I use one managed switch to control the traffic?

Thanks,
Sandeep

Supermule

              If the switch has VLAN option, it is no problem.

sandeep.sp

Thanks very much,
I'll give it a try.

Smokeshow

[rant]
This seems to be one of the major features missing in pfSense: the ability to assign more than one IP address to an interface. Yes, I know you can do so by modifying the config file manually, but I seem to have issues with this, especially when doing so on one of my WAN interfaces. Most of the Linux firewall distros have the ability to do this easily and effectively; why can't pfSense?
[/rant]

ITCoresys

Even if you never use more than one pfSense, you can still add CARP virtual IPs to it to get "secondary" addresses on your WAN.

That way you can map inbound and outbound NAT to the CARP address as well as port forward statements, etc.

This is how I utilize more than a single IP in a block assigned by my ISP.

Not sure if this is the right way, but it allows me to have users port translate to address .2 and my mail server NAT translate to .3, which is a CARP virtual IP.

Supermule

                      Pls. explain more of that…..

ITCoresys

                        Say for example, my ISP assigns me an external address of 207.46.193.24/29 (255.255.255.248).

They describe it to you as 5 usable. It's really 6, but your ISP takes one for their router to be your default gateway, leaving you 5 for your router(s).

So, your ISP uses .25 and you get .26-.30 usable.

Put 207.46.193.26/29 on your WAN.

Add 207.46.193.27/29 through 207.46.193.30/29 as Virtual IPs of the "CARP" type.

                        Optionally label each address with something that tells you what you intended it for like…

                        .26 = WAN Interface = Default outbound NAT translation for LAN network (Disable auto
                        .27 = EMAIL Server = Outbound translation of 192.168.x.x (Mail Server IP) to .27 (Carp virtual) and inbound port translations for TCP 25 (SMTP), TCP 110 (POP3), TCP 80,443 (Webmail)
                        .28 = Web server= Inbound port translations for TCP 80,443

                        etc...

Disable automatic outbound rule generation and use manual outbound rule generation for NAT, so that outbound NAT uses the CARP virtual IPs for particular inside hosts.

This way, reverse DNS for .26 could be users.mydomain.com and the reverse DNS for .27 could be mymailserver.mydomain.com, and the forward DNS for .27 could match mymailserver.mydomain.com. This way forward and reverse match, so you don't get penalized by some spam solutions for your outbound mail.

All this magical goodness because you can set more IPs on virtual IP CARP interfaces.

                        If you decide later to add a second pfSense for redundancy, you could set .30 on your second pfSense, set up replication from your current one and they will share those secondary addresses.

                        This makes it WAY better than Linux being able to have secondary addresses on its firewalls with ifconfig eth0:0 eth0:1, etc...

                        Cheers  ;D

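The /29 bookkeeping and the NAT plan ITCoresys lays out above, as an added example that is not part of the thread or of pfSense itself. It uses Python's standard `ipaddress` module to derive the usable addresses once the ISP gateway is removed, puts the first on the WAN interface, treats the rest as CARP VIPs, and emits the manual outbound NAT rules and port forwards as plain data, plus a forward-confirmed reverse DNS check for the spam-filter point. The inside addresses, the service list and the DNS records are constructed placeholders; the WAN block and the hostnames are the ones from the post.

```python
import ipaddress


def usable_addresses(block: str, isp_gateway: str) -> list[str]:
    """All host addresses in `block` except the ISP's gateway, in order."""
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    return [str(h) for h in net.hosts() if h != gw]


def plan_vips(block: str, isp_gateway: str, services: list) -> dict:
    """Build a WAN / CARP VIP plan.

    `services` is a list of (label, inside_ip, [(proto, port), ...]); each
    service gets its own CARP VIP, a manual outbound NAT rule mapping the
    inside host to that VIP, and one port forward per listed port.
    """
    addrs = usable_addresses(block, isp_gateway)
    wan, vips = addrs[0], addrs[1:]
    if len(services) > len(vips):
        raise ValueError("not enough addresses in the block for every service")

    outbound = []   # evaluated top-down, first match wins: specific hosts first
    forwards = []
    labels = {}
    for (label, inside_ip, ports), vip in zip(services, vips):
        labels[vip] = label
        outbound.append({"source": inside_ip, "nat_address": vip, "label": label})
        for proto, port in ports:
            forwards.append({"dest": vip, "proto": proto, "port": port,
                             "redirect_to": inside_ip, "label": label})
    # catch-all for everything else on the LAN: translate to the WAN address
    outbound.append({"source": "LAN net", "nat_address": wan, "label": "default"})

    return {
        "isp_gateway": isp_gateway,
        "wan_interface": wan,
        "carp_vips": vips,
        "vip_labels": labels,
        "outbound_nat": outbound,   # only honoured in manual outbound NAT mode
        "port_forwards": forwards,
    }


def fcrdns_ok(ip: str, forward: dict, reverse: dict) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`."""
    name = reverse.get(ip)
    return name is not None and forward.get(name) == ip


# --- constructed sample input (block from the post, inside hosts invented) ---
BLOCK, GATEWAY = "207.46.193.24/29", "207.46.193.25"
SERVICES = [
    ("EMAIL server", "192.168.1.10",
     [("tcp", 25), ("tcp", 110), ("tcp", 80), ("tcp", 443)]),
    ("Web server", "192.168.1.20", [("tcp", 80), ("tcp", 443)]),
]
# hypothetical DNS records for the spam-filter check the post describes
FORWARD = {"users.mydomain.com": "207.46.193.26",
           "mymailserver.mydomain.com": "207.46.193.27"}
REVERSE = {"207.46.193.26": "users.mydomain.com",
           "207.46.193.27": "mymailserver.mydomain.com"}

if __name__ == "__main__":
    plan = plan_vips(BLOCK, GATEWAY, SERVICES)
    print("WAN:", plan["wan_interface"], " CARP VIPs:", plan["carp_vips"])
    for rule in plan["outbound_nat"]:
        print("outbound", rule["source"], "->", rule["nat_address"], f"({rule['label']})")
    for fw in plan["port_forwards"]:
        print("forward", f"{fw['dest']}:{fw['proto']}/{fw['port']}", "->", fw["redirect_to"])
    for ip in (plan["wan_interface"], plan["carp_vips"][0]):
        print("FCrDNS", ip, "ok" if fcrdns_ok(ip, FORWARD, REVERSE) else "MISMATCH")
```

The outbound rule order matters: pf takes the first matching outbound NAT rule, so the per-host rules are emitted before the LAN-wide catch-all, which is the same ordering you need in the pfSense manual outbound NAT table.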
ktims

                          Yeah, I think a virtual IP on your LAN interface for each subnet would do the job here. You might need to tweak the rules a bit, but I think it should work fine.

                          Like everyone else though I question why you're doing it this way. Without VLANs or separate physical segments it doesn't buy you anything. Either upgrade your switches (or rearrange them so you have a VLAN-capable 'core' and unmanaged edge) or flatten it out since all it does is complicate your setup needlessly.

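A small model of the point blak111 and ktims make, added here as an example and not part of the thread: on an unmanaged switch every port is one broadcast domain, so splitting hosts into two IP subnets changes nothing about who receives an ARP or DHCP broadcast, while an 802.1Q VLAN boundary (or separate hardware) does shrink the set of receivers. The host names, addresses and VLAN ids are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str        # address with prefix, e.g. "10.0.1.5/24"
    vlan: int = 1  # untagged VLAN of the switch port the host is plugged into


def same_subnet(a: Host, b: Host) -> bool:
    """Layer-3 view: do the two hosts share an IP subnet?"""
    return (ipaddress.ip_interface(a.ip).network
            == ipaddress.ip_interface(b.ip).network)


def broadcast_receivers(sender: Host, hosts: list, vlan_aware: bool) -> list:
    """Layer-2 view: which hosts get a broadcast frame (ARP, DHCP, NetBIOS...)
    sent by `sender`?  An unmanaged switch floods it out every port; a
    VLAN-aware switch floods only ports in the sender's VLAN.  The IP subnet
    never enters into it."""
    return [h.name for h in hosts
            if h is not sender and (not vlan_aware or h.vlan == sender.vlan)]


def broadcast_load(hosts: list, vlan_aware: bool) -> dict:
    """Broadcast frames each host receives when every host sends one."""
    load = {h.name: 0 for h in hosts}
    for sender in hosts:
        for name in broadcast_receivers(sender, hosts, vlan_aware):
            load[name] += 1
    return load


# --- constructed sample network: the two planned subnets, four PCs ---
HOSTS = [
    Host("pc-inet-1", "10.0.1.11/24", vlan=10),   # internet-using subnet
    Host("pc-inet-2", "10.0.1.12/24", vlan=10),
    Host("pc-local-1", "10.0.2.21/24", vlan=20),  # no-internet subnet
    Host("pc-local-2", "10.0.2.22/24", vlan=20),
]

if __name__ == "__main__":
    a, c = HOSTS[0], HOSTS[2]
    print("same subnet?", same_subnet(a, c))
    print("unmanaged switch:", broadcast_receivers(a, HOSTS, vlan_aware=False))
    print("VLAN switch:     ", broadcast_receivers(a, HOSTS, vlan_aware=True))
    print("load, unmanaged:", broadcast_load(HOSTS, False))
    print("load, VLANs:    ", broadcast_load(HOSTS, True))
```

With `vlan_aware=False` a host in 10.0.2.0/24 still receives every broadcast from 10.0.1.0/24, which is why the original subnetting plan, and a second VIP on the LAN interface, do not by themselves reduce broadcast traffic; only the VLAN (or a separate physical segment) does.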
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.