How to create logical subnets with a single Lan interface without VLAN?
-
Hi,
Is it possible to create logical LAN subnets (172.16.4.0/16, 10.1.9.0/16) without VLAN in pfSense? I was able to do something like this in Sonicwall. Just wanted to know if this is possible with pfSense.
All I need is that both subnets should be able to communicate, and I should also be able to give restricted internet access to these subnets.
I tried these, but for some reason my ping between these two LAN subnets works intermittently. But there is no issue with the internet. The rules that I have created for these two subnets for internet work well.
1. Set the Bypass firewall rules for traffic on same interface
2. Set the LAN gateway as 172.16.4.254 and created a virtual IP 10.1.9.254
3. Created a static route 10.1.0.0/16 to use LANGW 172.16.4.254
4. Set firewall rule to allow * for these two subnets.
Regards,
Raja
-
This is a broken configuration. You're trying to run two layer 3 networks over the same physical network.
If you need two segments, get a second NIC for pfSense and use a different dumb switch for the other segment. Or get a switch that does VLANs and run VLANs on the pfSense physical interface.
-
Hi,
Thanks for the info. But it looks like pfSense version 2.1.5 supports this type of network.
Actually it is working fine for me with a single WAN. I am able to create logical subnets with restricted internet access to these logical subnets. No issues.
The problem occurs only in dual WAN (WAN and OPT). When I configured the WAN failover, the WAN part is working fine without any issues. I am able to view the websites when the line switches to OPT. But for some reason the LAN subnets get disconnected when the line switches to OPT.
When I did a tracert on a LAN IP while on OPT, the first hop always goes to WAN IP instead of pfsense LAN Interface IP.
Is there a way to forcibly route through the pfSense LAN IP?
Any help would be greatly appreciated.
Regards,
Raja
-
Just because you can doesn't mean you should.
-
Hello Derelict,
I agree that it may not be a standard way. But still, when a feature is there, why not exploit it?
Look at the advantage it has… You don't need additional switches and additional nic for subnets.
Regards,
Raja
-
And you will end up breaking your network, but go ahead.
And if you're using it for security, anyone with a sniffer can see what you're doing and just jump on the other "segment" at will.
And both "segments" are in the same broadcast domain.
And "routing" between the two requires ICMP redirects.
And, well, go ahead.
A managed, gigabit switch is like $60. I just don't get it.
-
Well Derelict beat me to some of the problems with doing something like this!!
My car works if I piss in the radiator vs a antifreeze/water mix as well - does that mean you should run it that way and save on coolant?
-
My car works if I piss in the radiator vs a antifreeze/water mix as well - does that mean you should run it that way and save on coolant?
What a great idea. Pity I don't have a car, or I would try it. :D
-
Guys,
Instead of "Why", if we can switch to "How", there may be a possibility to get a great budget network solution.
Regards,
Raja
-
No. It's ugly, lousy design.
There is absolutely no reason to run multiple IP subnets in the same broadcast domain, other than, maybe, some temporary renumbering situations. Emphasis on temporary, as in ephemeral, as in get it finished and turned off as quickly as one can. (Migrating to a new VLAN is much, much better.)
Exactly what do you expect to gain? You get zero security enhancements. Your firewall can't firewall between them. All you can, maybe, do is tell your firewall to behave differently for traffic from subnet A and subnet B, but you can do exactly the same thing with a firewall rule that behaves one way for a specific /29 out of a /24 and a different way for the rest (not that it's not trivial to bypass for security - talking more about something like putting all your VOIP phones in the /29 for ease of shaping) - using sound design and without resorting to ugly hacks that really have no place at the table to even be discussed as viable.
But don't listen to us. Go for what you know.
-
There is no reason to avoid VLANs when you consider you can have it for about $30 or less.
-
Hi,
I believe it doesn't end up with one managed switch. I need to change all the end point switches so that they can do VLANs.
I have a client who has a network set up as attached. Currently a Sonicwall is there instead of pfSense and it just works without VLANs. And that's the reason why I am trying to replicate a similar setup with pfSense.
I am OK with having vSphere + vSwitch + pfSense (all in one box). Not sure if this works?
What would be the best way to achieve this?
Regards,
Raja
-
That will work just fine with one subnet. Why do you want multiple layer 3 subnets on a single layer2 segment again? What do you expect to gain from such a thing?
And you would not have to change all the edge switches IF all the hosts on each switch are on the same VLAN. You would tag three VLANs from pfSense to the "core" switch, then put each edge switch on an untagged port on each of the three VLANs. They can be dumb, unmanaged switches.
-
Yep. That's the way my network in Maryland works.
The reason I used multiple VLAN subnets is so I could firewall the LAN segments from "seeing" each other. If you are not trying to segregate things, I see no reason to have multiple subnets or VLANs.
-
Hi,
Yes, the subnets have been created for firewalling (restricted LAN/WAN access).
If you look at the diagram above, there are 3 groups of users connected to different switches.
Group A - Have access to all internet sites (WAN) + Full access to LAN
Group B - Full access to LAN + restricted internet access
Group C - Isolated users who can communicate between the same group but cannot communicate with other users/PCS and will have restricted WAN access.
Actually with the default route, I am able to do all these with pfSense (with deny rules). I have a problem only when I configure gateway groups for load balancing/failover. The moment I configure gateway groups, the local subnets get disconnected.
Regards,
Raja
-
Any security you think you're getting from your proposed solution is an illusion.
Any host can just change its IP address to one of the other subnet schemes and they're now on that "LAN."
Traffic among the "different LANs" is not dependent on pfSense's firewall to forward. Any host can also add VIPs on all three subnets and access any host on any subnet at any time and there's not a damn thing your firewall can do about it, because it's not being routed through.
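An added example, not from any post in this thread, that models the two points made above: Derelict's earlier layout of one VLAN per edge switch, and the claim here that on a shared segment a host can add an alias and reach the other "LAN" without the packet ever passing through pfSense. Host names, VLAN ids and addresses are constructed for the demonstration; the subnets are the ones from the original question.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    segment: str            # broadcast domain: one flat LAN, or a VLAN id
    addrs: list = field(default_factory=list)   # ip_interface objects, aliases included

def add_addr(host, cidr):
    """Configure an address (or an extra alias) on the host's single NIC."""
    host.addrs.append(ipaddress.ip_interface(cidr))

def path(src, dst):
    """How src delivers a packet to dst's primary address.
    on-link:     dst falls in a subnet configured on src, so src ARPs and sends
                 to dst's MAC directly; pfSense never sees the packet.
    firewall:    src hands the packet to its default gateway (pfSense), where
                 rules can apply (still subject to ICMP redirects and the
                 same-interface bypass setting mentioned in the thread).
    unreachable: src thinks dst is on-link, but they are in different broadcast
                 domains, so the ARP request is never answered.
    """
    dst_ip = dst.addrs[0].ip
    for a in src.addrs:
        if dst_ip in a.network:
            return "on-link" if src.segment == dst.segment else "unreachable"
    return "firewall"

def flat_lan_scenario():
    """All groups on one L2 segment, separated only by IP subnet (the design in the question)."""
    a = Host("groupA-pc", "flat"); add_addr(a, "172.16.4.10/16")
    c = Host("groupC-pc", "flat"); add_addr(c, "10.1.9.20/16")
    before = path(c, a)                    # goes to pfSense, rules can apply
    add_addr(c, "172.16.4.99/16")          # group C host adds an alias in group A's subnet
    return before, path(c, a)              # ("firewall", "on-link")

def vlan_scenario():
    """Same hosts, but each group on its own VLAN behind a pfSense VLAN interface."""
    a = Host("groupA-pc", "vlan10"); add_addr(a, "172.16.4.10/16")
    c = Host("groupC-pc", "vlan30"); add_addr(c, "10.1.9.20/16")
    before = path(c, a)
    add_addr(c, "172.16.4.99/16")          # same alias, now pointless
    return before, path(c, a)              # ("firewall", "unreachable")

if __name__ == "__main__":
    print("flat LAN :", flat_lan_scenario())
    print("VLANs    :", vlan_scenario())
```

With VLANs the only way from group C to group A is through the pfSense VLAN interface, which is where the deny rules from the diagram can actually be enforced.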
-
Hi,
The client is OK with that. Users are not given admin rights to the PCs/registry and hence can't change the IPs.
MAC IDs for each PC are also in place.
Believe me or not, they have been running this setup for the past 3 years without any issues.
Regards,
Raja
-
OK. Good luck.
-
;D
-
Derelict - Are you saying that putting the 3 switches in 3 separate VLANs will not work for isolating them from each other?