Netgate Discussion Forum

    LAN subnetting not allowed?

    General pfSense Questions
    24 Posts 6 Posters 3.0k Views
    • Derelict LAYER 8 Netgate

      If you have an interface on 10.10.10.0/24 and another interface on 10.10.10.192/26 they CANNOT talk to each other.

      When any device on the 10.10.10.0/24 network has any traffic for any device on the 10.10.10.192/26 network, it will (properly) think that network is on the same subnet as itself so it WILL NOT send the traffic to its default gateway for routing. It will, instead, ARP for that host on its local network and it will not be there.

      RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Julf

        @Derelict:

        RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?

        Because it requires coordinating with other users. But I guess that is the best solution. Thanks everybody!

        • Derelict LAYER 8 Netgate

          It's the only solution. It's how ethernet and IP work at layers 2 and 3.


          • johnpoz LAYER 8 Global Moderator

            "Because it requires coordinating with other users"

            Huh??  Why would "users" have a clue or care what rfc1918 address space they are on?  You hand them an IP and mask and DNS to use via DHCP; this is normally the extent of their involvement.  Make sure your client is set for DHCP.

            If you're telling your users to set static, again, what network and mask they're given is completely irrelevant.  The only time using other networks outside of a block assigned to you would be an issue is if you were on, say, a corp network and corp said hey you can use 10.10.10/24 and you wanted to use other /24's. If that is the case then no, I would not start using other /24 networks.

            Or if you're in, say, a tenant sort of building and the building network guy said hey use this /24..

            But you can for sure subnet your /24 out into smaller chunks.. You just can not overlap them..  If you need more address space than a /24 provides and it's been assigned to you by someone that manages the IP space in your network, then you're going to need to get with them and get more space.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • Harvy66

              Some firewall devices allow you to do this, but it breaks all kinds of rules and only works because of undefined implementation details of some network stacks. All kinds of crazy intermediate problems can occur by the way you're trying to do it.

              • johnpoz LAYER 8 Global Moderator

                What firewall device allows you to do this?  Please name it… Such a setup is BORKED.. What company would support such a setup.. Just because some device does not have checks in place to stop you from shooting yourself in the foot does not mean it's a supported method.

                I can buy a gun and put it to my head and pull the trigger... Is that the maker of the guns problem??


                • kpa

                  I doubt you can see such setups on commercial products or that they even allow such. There are a few threads here and on the FreeBSD user forums posted by Linux hipsters claiming that such a setup is standard because it works on Linux and it should by that argument be a supported feature on FreeBSD/pfSense.

                  • Julf

                    @johnpoz:

                    Or if your in say a tenant sort of building and the building network guy said hey use this /24..

                    That is pretty much exactly my situation. This network is a subnetwork of a larger network I don't have control over.

                    • Derelict LAYER 8 Netgate

                      Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.


                      • Julf

                        @Derelict:

                        Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.

                        Thanks - I was thinking about that, but would rather avoid the complexity. I will try to get another /24 allocated.

                        • Derelict LAYER 8 Netgate

                          Unless it's routed to you it will do you no good. You'll just be 1:1 NAT which is, again, double NAT. Better off probably running your own numbering scheme.

                          I think there's probably some lack of communication as to what you're actually facing. Not through any fault of yours.

                          Note that if you have a /24 routed to you you can do two (or more) inside interfaces such as 10.10.10.0/25 and 10.10.10.128/25.


                          • GruensFroeschli

                            What Julf is trying to do sounds to me a lot like a filtering bridge.

                            Basically:
                            Create a vlan100 for your device-group1.
                            Create a vlan200 for your device-group2.
                            Create a bridge containing vlan100 and vlan200.
                            Assign the bridge as interface.
                            Do all your IP configuration on the assigned bridge interface. (DHCP server?) -> No IP configuration on the vlan interfaces.
                            Create firewall rules on the vlan100/vlan200/bridge interfaces accordingly.

                            Now you have 2 VLANs with the same subnet and the ability to create firewall rules which allow you to define how devices on these two VLANs talk to each other.

                            However as the rest of this thread pointed out:
                            A less complicated solution would be to simply have 2 subnets.
                            If you have a single /24 assigned for your own use, simply use it as two /25.
                            To the outside you still appear as a /24, but internally you are two /25.

                            We do what we must, because we can.

                            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

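The following is an added example, not code from the thread or from pfSense. It models the two points made above: Derelict's explanation of why a host on 10.10.10.0/24 ARPs for 10.10.10.200 instead of sending it to the gateway (the RFC 1122 on-link rule), and the recommended fix of splitting the /24 into 10.10.10.0/25 and 10.10.10.128/25. The segments, the host addresses (.50 and .200) and the `Segment`/`deliver` helpers are constructed for illustration; only the standard library is used.

```python
"""Model of why overlapping interface subnets break host-to-host traffic, and
why two non-overlapping /25s work.  Added example (not from the thread);
addresses are the ones used in the discussion, hosts are made up."""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations

IPv4 = ipaddress.IPv4Address


@dataclass
class Segment:
    """One L2 broadcast domain behind one router interface (constructed)."""
    network: ipaddress.IPv4Network
    hosts: set = field(default_factory=set)   # addresses actually present here


def host_next_hop(host_ip: str, prefixlen: int, dst: str) -> str:
    """Host-side decision (RFC 1122 3.3.1.1): if dst falls inside the host's
    own prefix it is treated as on-link and ARPed for; otherwise it goes to
    the default gateway."""
    own_net = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    return "on-link" if IPv4(dst) in own_net else "gateway"


def deliver(src: Segment, host_ip: str, prefixlen: int, dst: str,
            router_ifaces: list) -> str:
    """Trace one packet from a host attached to `src` towards `dst`."""
    dst_addr = IPv4(dst)
    if host_next_hop(host_ip, prefixlen, dst) == "on-link":
        # The ARP request only goes out on the host's own segment; a host
        # that lives on another segment never hears it.
        return "delivered" if dst_addr in src.hosts else "arp-timeout"
    # Router: pick the most specific interface network containing dst.
    matches = [s for s in router_ifaces if dst_addr in s.network]
    if not matches:
        return "no-route"
    out = max(matches, key=lambda s: s.network.prefixlen)
    return "delivered" if dst_addr in out.hosts else "arp-timeout"


def overlaps(networks) -> list:
    """Pairs of interface networks that overlap (what pfSense refuses)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def overlapping_demo() -> dict:
    """LAN 10.10.10.0/24 next to IoT 10.10.10.192/26, as asked in the thread."""
    lan = Segment(ipaddress.ip_network("10.10.10.0/24"), {IPv4("10.10.10.50")})
    iot = Segment(ipaddress.ip_network("10.10.10.192/26"), {IPv4("10.10.10.200")})
    ifaces = [lan, iot]
    return {
        "overlap": overlaps([lan.network, iot.network]),
        # LAN host thinks .200 is on-link, ARPs, gets no answer.
        "lan->iot": deliver(lan, "10.10.10.50", 24, "10.10.10.200", ifaces),
        # IoT host sees .50 as off-link and routes; only one direction works.
        "iot->lan": deliver(iot, "10.10.10.200", 26, "10.10.10.50", ifaces),
    }


def split_demo() -> dict:
    """The recommended fix: carve the /24 into two non-overlapping /25s."""
    halves = list(ipaddress.ip_network("10.10.10.0/24").subnets(new_prefix=25))
    lan = Segment(halves[0], {IPv4("10.10.10.50")})
    iot = Segment(halves[1], {IPv4("10.10.10.200")})
    ifaces = [lan, iot]
    return {
        "subnets": [str(n) for n in halves],
        "overlap": overlaps(halves),
        "lan->iot": deliver(lan, "10.10.10.50", 25, "10.10.10.200", ifaces),
        "iot->lan": deliver(iot, "10.10.10.200", 25, "10.10.10.50", ifaces),
    }


if __name__ == "__main__":
    print("overlapping /24 + /26:", overlapping_demo())
    print("two /25s            :", split_demo())
```

The overlapping layout fails asymmetrically: the /26 side can reach the /24 side because the router does longest-prefix matching correctly, but the /24 side never hands the packet to the router at all. Nothing on the firewall can fix that, which is why the advice in the thread is to renumber rather than to look for a rule or a bridge.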
                            • Julf

                              @GruensFroeschli:

                              What Julf is trying to do sounds to me a lot like a filtering bridge.

                              Hadn't thought about a bridge - that could be a solution.

                              However as the rest of this thread pointed out:
                              A less complicated solution would be to simply have 2 subnets.
                              If you have a single /24 assigned for your own use, simply use it as two /25.
                              To the outside you still appear as a /24, but internally you are two /25.

                              Indeed, as long as I can fit all the "normal" hosts in a /25 - should be possible.

                              • johnpoz LAYER 8 Global Moderator

                                "Hadn't thought about a bridge - that could be a solution."

                                No it wouldn't, it would be pretty much an abomination!!  So you can do exactly the same freaking thing.. Use part of your /24 network on 1 side, i.e. your /25, and then a subset of that /24 on your other side, i.e. a /26..

                                Why do you not just do as we have been saying from the get go: subnet your /24 down..  You can do exactly what you want, you just can not overlap..

                                The big question is how many hosts do you have??  As I mentioned before, if you have more than a /25 that need to be on the same network and this /24 is assigned to you, then you're going to need more networks or a bigger network.

                                I am very curious what sort of scenario you're in where they are limiting you to 1 /24??  The 10 space is freaking HUGE.. How many sites/locations are you talking about that you can only have 1 /24?? 65k of them?


                                  • Julf

                                  @johnpoz:

                                  I am very curious in what sort scenario your in were they are limiting you to 1 /24??  the 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them?

                                  Some times the problems are not technical but political. I will request a larger address space.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.