Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Subnetting theory for added security

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 3 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      jgraham5481
      last edited by

      I'm trying to build as much security as possible in to a public wireless segment. I've got some ports/service blocked, layer 7 filtering etc. What I'm trying to prevent is a device, scanning it's subnet and trying to attack them all. Is there no way to define this network as 192.168.88.1/23 and then have DHCP hand out many /31 leases within that subnet? ie: Many gateways within that subnet that could just be aliases for 192.168.88.1? So i might get a lease of 192.168.88.3/31 with .2 is my gateway and .4 is the broadcast, the next device gets .6, with .5 as the gateway and .7 broadcast? that way any device that could be infected would think there's no other devices in it's subnet?

      I know there are so many attack vectors, the thought is keep your area subject to attack small. What do you think?

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        DHCPv4, to my knowledge, cannot issue a subnet.

        What you want is private VLAN/private VLAN edge coupled with isolation among wireless clients done in the APs.

        Your switching layer prevents traffic from one AP to another and the APs prevent traffic among wireless clients associated with that AP.

        Everyone connecting to public wireless should be wearing their own condom anyway.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • M Offline
          marvosa
          last edited by

          Just enable the AP isolation feature on your AP… done.

          1 Reply Last reply Reply Quote 0
          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            Yeah, that works for one AP.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.