Multi lan subnet on same physical interface
-
just 2 clients at max
-
For just 2, I would just set them up with static IPs pointing to 2.1/24. Are they Laptops or something that requires the IP to be more dynamic?
-
but dhcp wont allow giving those ip out of the 0.1/24 subnet nor can i assign static maps in dhcp for 2.1/24 subnet. yes one is a laptop and the other a PC
-
That is because pfSense goes by the DHCP standard very strictly. You are only allowed to use one subnet per interface and it will only let you use the one assigned to the interface.
-
so i guess its more suited for SOHO type of networks without the extra flexibility
-
No it can do enterprise and complex installs but you will find in those environments they have switches that do Vlans and use Vlans to seperate the network
-
so i guess its more suited for SOHO type of networks without the extra flexibility
Usually SOHO is where you have those crazy requirements like this. In the enterprise, like anthonysomerset said, they would use VLANs. They could also just use another NIC.
pfSense is quite flexible. You can use it at home all the way to a datacenter to an enterprise office. -
considering datacenter, pfsense still cant give out subnet mask as 255.255.255.255 which usually isps do
-
I have been in 5 different datacenter setups and none handed out /32 addresses. Now I do know a couple of ISPs on DSL that did that, but they were home setups.
Update:
Actually none used DHCP even. They expected you to hard set an IP. -
No worthwhile colocation datacenter uses DHCP, they assign a dedicated VLAN to each customer. No ISPs assign /32 masks with the exception of point to point types of connectivity (PPP, PPPoE, etc.) where that's just how things work.
Real, serious networks don't put multiple subnets on the same broadcast domain. It's nuts the OP starts out with "i dont have a VLAN tagging switch", then goes on to claim this is some kind of "datacenter config". No, a datacenter would be using VLANs and doing things right, what you're describing is an amateur hack attempt that no one should ever do.
-
1and1 gives out /32, multacom used to earlier i guess and there r many data centers that give out /32 ips using dhcp
-
the part about VLAN, the reason i said that is coz i wanted to know if pfsense is capable of doing such a thing without a VLAN switch coz i dont have that as of now but would have to get one if it wasnt able to do the thing i wanted
-
Some large super low rent hosting providers will hand out /32s but very few. In that case it's a matter of doing things to scale a network extremely cheaply, it's still questionable, but it's one method you may see if you have a $5/month web hosting account. Most of us aren't thinking a $5/month web hosting account when you say "datacenter", no reputable colocation facility hands out IPs via DHCP. That's a technique to provide cheap crappy web hosting at large scale.
There are OSes including BSDs and others that will not function with a /32 IP because they will not ARP their gateway because ARPing something off a locally connected subnet is technically wrong.
What you're trying to do is a bad idea and to some degree impossible (serving multiple scopes off the same interface without statically defining everything in all but one scope isn't doable with anything). Handing out /32 DHCP IPs also doesn't do anything to prevent hosts from talking to each other where the person controls the host.
-
ok got it.
now can some1 tell me which is the cheapest VLAN switch i can find for home networks.
i wonder y switch firmware cant be hacked to enable VLAN tagging, most small switches use a realtek or broadcom chip -
Netgear GS108T is my personal favorite for a cheap managed fanless gigabit switch.
What features a switch supports depends on what its hardware supports, it's not like a typical firewall or router box where you can run basically everything on a CPU, the hardware itself has to support such things. In an unmanaged switch, that hardware support isn't there and you can't hack the hardware short of completely replacing it.
-
well true and not true, most SOHO switches use a realtek chip which by default doesnt support managing it but its fairly easy to supply a signal to one of its pin and make it manageable using an external ic and i have seen many guys do it after which it starts supporting VLAN. most modern chips r a stripped down cpu and to make better use of it, most is done at the software level but in this case the chip firmware, if the chip were a dumb hardware without software it would do very limited number of tasks but would perform it much quicker thats y the need for a software is there. hardwrae might not support new technology but it definitely can if its just a software feature
-
there is 2 different versions of the Netgear GS108 switch. the Unmanaged one and the Managed version..
i have Never liked the Managed version myself as there GUI is Horrible but for the price its a Good switch.
(im spoiled by Enterprise grade gear for switches)we have Servers in DataCenters all over the globe and I have never encountered one that does DHCP
for us NOR would I want one. and Yes all of ours are on there OWN Vlan provided to the TOR (Top
Of Rack) switch of ours that Feeds the PFsense box and then 60U worth of Gear..also there would be no way to seperate the subnets on the same Nic without Vlans let alone getting
it to work.2 minutes with wireshark and you could be around any block unless you Vlan off stuff…
i have personally seen the damn 255.255.255.255 netmask done in the enterprise and spent damn
near a month undoing all the static configs. it was causing more nightmares for the IT staff than anything
else. -
could u explain what specific issues can 255.255.255.255 netmask cause so i know if those issues r a great deal on a SOHO network?
-
when i got to my current job , thats how over 4000 machines were. DHCP was handing out that damn netmask
some of our machines needed access to other server / etc and the 255.255.255.255 netmask was a nightmare
until i figured it out and then started adding Vlans to the core switches and then working down from there. took well
over a month of me working on it to get things correct. now all machines can see whatever servers its suppose
to and not others it NOT suppose to see.we also had well over 40 IPSEC tunnels to our servers in colo's and some of them had issues which came down
to the Netmask.at home im using Vlans. when my kid comes home. tries to raid my pictures. NOW he cant cause his
machine in a different vlan that goes directly to the interenet and cant see my 2 FreeNAS boxes.:-)
-
well in my case i dont want my clients to get access to other servers or devices that y i was looking for such a netmask