Netgate Discussion Forum
    How to create logical subnets with a single LAN interface without VLANs?

      Derelict LAYER 8 Netgate

      Just because you can doesn't mean you should.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        cceraja

        Hello Derelict,

        I agree that it may not be the standard way. But still, when a feature is there, why not exploit it?

        Look at the advantage it has… You don't need additional switches and additional NICs for subnets.

        Regards,
        Raja

          Derelict LAYER 8 Netgate

          And you will end up breaking your network, but go ahead.

          And if you're using it for security, anyone with a sniffer can see what you're doing and just jump on the other "segment" at will.

          And both "segments" are in the same broadcast domain.

          And "routing" between the two requires ICMP redirects.

          And, well, go ahead.

          A managed, gigabit switch is like $60.  I just don't get it.

            johnpoz LAYER 8 Global Moderator

            Well Derelict beat me to some of the problems with doing something like this!!

            My car works if I piss in the radiator vs. an antifreeze/water mix as well - does that mean you should run it that way and save on coolant?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              phil.davis

              My car works if I piss in the radiator vs. an antifreeze/water mix as well - does that mean you should run it that way and save on coolant?

              What a great idea. Pity I don't have a car, or I would try it.  :D

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                cceraja

                Guys,

                Instead of "Why", if we can switch to "How", there may be a possibility to get a great budget network solution.

                Regards,
                Raja

                  Derelict LAYER 8 Netgate

                  No.  It's ugly, lousy design.

                  There is absolutely no reason to run multiple IP subnets in the same broadcast domain, other than, maybe, some temporary renumbering situations.  Emphasis on temporary, as in ephemeral, as in get it finished and turned off as quickly as one can.  (Migrating to a new VLAN is much, much better.)

                  Exactly what do you expect to gain?  You get zero security enhancements.  Your firewall can't firewall between them.  All you can, maybe, do is tell your firewall to behave differently for traffic from subnet A and subnet B, but you can do exactly the same thing with a firewall rule that behaves one way for a specific /29 out of a /24 and a different way for the rest (not that it's not trivial to bypass for security - talking more about something like putting all your VOIP phones in the /29 for ease of shaping) - using sound design and without resorting to ugly hacks that really have no place at the table to even be discussed as viable.

                  But don't listen to us.  Go for what you know.

                    kejianshi

                    There is no reason to avoid VLANs when you consider you can have it for about $30 or less.

                      cceraja

                      Hi,

                      I believe it doesn't end up with one managed switch. I need to change all the endpoint switches so that they can do VLANs.

                      I have a client who has a network set up as attached. Currently a SonicWall is there instead of pfSense and it just works without VLANs. And that's the reason why I am trying to replicate a similar setup with pfSense.

                      I am OK with having vSphere + vSwitch + pfSense (all in one box). Not sure if this works?

                      What would be the best way to achieve this?

                      Regards,
                      Raja

                      Config2.png
                        Derelict LAYER 8 Netgate

                        That will work just fine with one subnet.  Why do you want multiple layer 3 subnets on a single layer 2 segment again?  What do you expect to gain from such a thing?

                        And you would not have to change all the edge switches IF all the hosts on each switch are on the same VLAN.  You would tag three VLANs from pfSense to the "core" switch, then put each edge switch on an untagged port on each of the three VLANs.  They can be dumb, unmanaged switches.

                          kejianshi

                          Yep.  That's the way my network in Maryland works.
                          The reason I used multiple VLAN subnets is so I could firewall the LAN segments from "seeing" each other.

                          If you are not trying to segregate things, I see no reason to have multiple subnets or VLANs.

                            cceraja

                            Hi,

                            Yes, the subnets have been created for firewalling (restricted LAN/WAN access).

                            If you look at the diagram above, there are 3 groups of users connected to different switches.

                            Group A - Has access to all internet sites (WAN) + full access to LAN

                            Group B - Full access to LAN + restricted internet access

                            Group C - Isolated users who can communicate within the same group but cannot communicate with other users/PCs and will have restricted WAN access.

                            Actually with the default route, I am able to do all these with pfSense (with deny rules). I have a problem only when I configure gateway groups for load balancing/failover. The moment I configure gateway groups, the local subnets get disconnected.

                            Regards,
                            Raja

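The symptom in the post above (gateway groups configured, local subnets no longer reachable) is the usual policy-routing trap in pfSense: a LAN rule with a gateway or gateway group set sends every packet it matches to that gateway, including packets bound for the other local subnets, unless an earlier rule without a gateway has already matched them. The fix is ordering, not the gateway group itself, and it is the same whether the three groups end up on VLAN interfaces or on the flat LAN. What follows is an added example, not code from the thread or from pfSense: a first-match model of a LAN ruleset, with a hypothetical /24 per group (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) and a gateway group named `WANGroup`, showing the rule that strands local traffic beside the ordering that fixes it, plus an `audit` check that flags the pattern in any ruleset given to it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One LAN-interface rule reduced to the fields that matter here. gateway=None is the
    rule's 'default' gateway setting (system routing table); a name means policy routing."""
    action: str               # "pass" or "block"
    src: str                  # source CIDR
    dst: str                  # destination CIDR ("0.0.0.0/0" = any)
    gateway: Optional[str] = None
    description: str = ""


ANY = "0.0.0.0/0"
# Hypothetical addressing for the three groups in the diagram (not taken from the thread).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """pfSense evaluates interface rules top-down; the first match decides action and gateway."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule
    return None


def next_hop(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Where a packet entering on LAN ends up: dropped (block or the implicit default deny),
    policy-routed to a gateway or gateway group, or handed to the routing table, where the
    local subnets are directly connected routes."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None or rule.action == "block":
        return "dropped"
    if rule.gateway is not None:
        return rule.gateway
    d = ipaddress.ip_address(dst_ip)
    return "connected-LAN" if any(d in n for n in LOCAL_NETS) else "default-route"


def audit(rules: List[Rule]) -> List[str]:
    """Flag policy-routed pass rules that would also capture traffic to another local
    subnet, i.e. no earlier gateway-less rule matches that source/destination pair."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.gateway is None or rule.action != "pass":
            continue
        src_net, dst_net = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        for net in LOCAL_NETS:
            if not net.overlaps(dst_net):
                continue
            # Probe from a different local subnet that the rule's source covers:
            # traffic within one subnet never transits the firewall.
            sources = [o for o in LOCAL_NETS if o != net and o.subnet_of(src_net)]
            if not sources:
                continue
            if first_match(rules[:i], str(sources[0][1]), str(net[1])) is None:
                findings.append(f"rule {i} ({rule.description}): traffic to {net} goes to {rule.gateway}")
    return findings


# Group B as described: full LAN access, internet load-balanced over a gateway group.
BROKEN = [
    Rule("pass", "10.0.2.0/24", ANY, gateway="WANGroup", description="Group B via gateway group"),
]
# Fix: an earlier rule for local destinations with no gateway set (in pfSense, an alias of the
# local subnets as the destination), so only traffic actually leaving the site is policy-routed.
FIXED = [
    Rule("pass", "10.0.2.0/24", "10.0.0.0/22", description="Group B to local subnets"),
    Rule("pass", "10.0.2.0/24", ANY, gateway="WANGroup", description="Group B via gateway group"),
]


if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "10.0.2.15 -> 10.0.1.20:", next_hop(rules, "10.0.2.15", "10.0.1.20"))
        print(name, "10.0.2.15 -> 203.0.113.7:", next_hop(rules, "10.0.2.15", "203.0.113.7"))
        print(name, "audit:", audit(rules) or "clean")
```

With `BROKEN`, a packet from Group B to Group A matches the only rule and is handed to `WANGroup`, which is exactly "the local subnets get disconnected". With `FIXED`, the same packet hits the gateway-less rule first and follows the connected route, while internet-bound traffic still falls through to the policy-routed rule. A block rule for Group C's restrictions belongs above the policy-routing rule for the same reason.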
                              Derelict LAYER 8 Netgate

                              Any security you think you're getting from your proposed solution is an illusion.

                              Any host can just change its IP address to one of the other subnet schemes and they're now on that "LAN."

                              Traffic among the "different LANs" is not dependent on pfSense's firewall to forward.  Any host can also add VIPs on all three subnets and access any host on any subnet at any time and there's not a damn thing your firewall can do about it, because it's not being routed through.

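To make the point of the post above concrete, here is an added example that is not from the thread: a small model of where a host's first packet to another host goes, using hypothetical addresses (10.0.1.0/24 for Group A, 10.0.3.0/24 for Group C) and hypothetical VLAN IDs. On one flat segment the firewall is consulted only while the sending host chooses to use it as its gateway; a single `ip addr add` (the "VIP" in the post) or a directly connected route on that host takes pfSense out of the path. With each group on its own VLAN the same change achieves nothing, because the frame cannot leave the host's VLAN without passing through the router.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Host:
    """A host with one NIC. `vlan` is the 802.1Q VLAN its switch port sits in; on one
    flat LAN every host shares the same value. Addresses and routes are whatever the
    host itself has configured (all values here are hypothetical)."""
    name: str
    vlan: int
    addrs: List[ipaddress.IPv4Interface] = field(default_factory=list)
    routes: List[ipaddress.IPv4Network] = field(default_factory=list)

    def add_address(self, cidr: str) -> None:
        """Same effect as `ip addr add 10.0.1.200/24 dev eth0` (a second address, or
        'VIP', on the NIC). Needs local admin on this host and nothing else."""
        self.addrs.append(ipaddress.ip_interface(cidr))

    def add_onlink_route(self, cidr: str) -> None:
        """Same effect as `ip route add 10.0.1.0/24 dev eth0`: tell the host the subnet
        is reachable on the wire, so it ARPs for it instead of using the gateway."""
        self.routes.append(ipaddress.ip_network(cidr))


def on_link(host: Host, dst_ip: str) -> bool:
    """True if the host will ARP for dst_ip directly rather than send it to its gateway."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in a.network for a in host.addrs) or any(ip in n for n in host.routes)


def first_hop(src: Host, dst: Host) -> str:
    """Where src's first packet to dst goes:
    'router'  - different VLANs: the only path is through pfSense, rules always apply
    'direct'  - same segment and dst is on-link for src: the firewall never sees it
    'gateway' - same segment, dst not on-link: src hands it to pfSense, which applies
                its rules (and may answer with an ICMP redirect, dst being on the same wire)"""
    if src.vlan != dst.vlan:
        return "router"
    if any(on_link(src, str(a.ip)) for a in dst.addrs):
        return "direct"
    return "gateway"


def firewall_enforced(src: Host, dst: Host) -> bool:
    """Can a deny rule on pfSense be enforced against a src that controls its own
    addressing? Only when src and dst are not on the same layer-2 segment."""
    return src.vlan != dst.vlan


def demo() -> dict:
    """Constructed topology: a Group A PC and a Group C PC, first on one flat LAN
    (VLAN 1), then on separate VLANs (10 and 30). Addresses and VLAN IDs are assumptions."""
    results = {}

    a = Host("groupA-pc", 1, [ipaddress.ip_interface("10.0.1.10/24")])
    c = Host("groupC-pc", 1, [ipaddress.ip_interface("10.0.3.10/24")])
    results["flat_before"] = first_hop(c, a)        # 'gateway': the deny rule seems to work
    c.add_address("10.0.1.200/24")                  # one command on the Group C PC
    results["flat_after_addr"] = first_hop(c, a)    # 'direct': pfSense is out of the path

    c2 = Host("groupC-pc", 1, [ipaddress.ip_interface("10.0.3.10/24")])
    c2.add_onlink_route("10.0.1.0/24")              # no second address needed either
    results["flat_after_route"] = first_hop(c2, a)  # 'direct'

    a_v = Host("groupA-pc", 10, [ipaddress.ip_interface("10.0.1.10/24")])
    c_v = Host("groupC-pc", 30, [ipaddress.ip_interface("10.0.3.10/24")])
    c_v.add_address("10.0.1.200/24")                # same trick...
    c_v.add_onlink_route("10.0.1.0/24")
    results["vlan_after"] = first_hop(c_v, a_v)     # ...still 'router': frames cannot leave VLAN 30

    results["flat_enforced"] = firewall_enforced(c, a)       # False
    results["vlan_enforced"] = firewall_enforced(c_v, a_v)   # True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "gateway" outcome is the only one in which pfSense's ruleset runs, and it depends entirely on the sending host's own configuration; that is what makes the flat-LAN design unenforceable against anyone with local admin on a PC, regardless of how long it has run without incident. Locked-down user accounts and MAC lists reduce who can make the change, not whether the network can stop it.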
                                cceraja

                                Hi,

                                The client is OK with that. Users are not given admin rights to the PCs/registry and hence can't change the IPs.

                                MAC IDs for each PC are also in place.

                                Believe me or not, they have been running this setup for the past 3 years without any issues.

                                Regards,
                                Raja

                                  Derelict LAYER 8 Netgate

                                  OK.  Good luck.

                                    kejianshi

                                    ;D

                                      kejianshi

                                      Derelict - Are you saying that putting the 3 switches in 3 separate VLANs will not work for isolating them from each other?

                                        Derelict LAYER 8 Netgate

                                        No.  That absolutely will, providing one doesn't want different VLANs on the same unmanaged edge switch.

                                        Nothing wrong with the attached config if you can tolerate unmanaged switches in your network.

                                        VLANs.png
                                          kejianshi

                                          Cool - you scared me for a minute.  Occasionally my thinking gets a correction here…
                                          Last time I thought I knew something absolutely for sure, I ended up getting punked by CMB.  haha.
                                          I'm not sure why OP is so opposed to VLANs, but what he said about the client computers being locked down gave me this idea:

                                          Assuming he is correct and the network is PHYSICALLY secure, no one can plug/unplug things, the machines are truly secured and no config changes can be made, he could just control what can and cannot be accessed on each client machine's firewall.  Seems to me the only other way to do it, other than running 3 separate LAN NICs or VLANs.

                                          I wouldn't recommend that though.

                                            Derelict LAYER 8 Netgate

                                            VLANs are far easier than maintaining the necessary MAC address lists.  And since MACs can be easily spoofed, far more effective.

                                            US$500 gets managed switches all around (cheap ones, but light years better than the proposed hack).

                                            Dude doesn't want to listen and that's fine with me.  I'm not the one on call when it blows up.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.