LAN subnetting not allowed?
-
If you have an interface on 10.10.10.0/24 and and another interface on 10.10.10.192/26 they CANNOT talk to each other.
When any device on the 10.10.10.0/24 network has any traffic for any device on the 10.10.10.192.0/26 network, it will (properly) think that network is on the same subnet as itself so it WILL NOT send the traffic to its default gateway for routing. It will, instead, ARP for that host on its local network and it will not be there.
RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?
-
RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?
Because it requires coordinating with other users. But Guess that is the best solution. Thanks everybody!
-
It's the only solution. It's how ethernet and IP work at layers 2 and 3.
-
"Because it requires coordinating with other users"
Huh?? Why would "users" have a clue or a care what rfc1918 address space they are on? You hand them an IP and mask and dns to use via dhcp, this normally the extent of their involvement. Make sure your client is set for dhcp.
if your telling your users to set static. Again what network and mask they given are completely irrelevant. The only time using other networks outside of a block assigned to you would be an issues is if you were on say a corp network and corp said hey you can use 10.10.10/24 and you wanted to using other /24's. If that is the case then no I would not start using other /24 networks.
Or if your in say a tenant sort of building and the building network guy said hey use this /24..
But you can for sure subnet out your /24 into smaller chunks.. You just can not overlap them.. If you need more address space than /24 provides you and its been assigned to you by someone that manages your IP space in your network then your going to need to get with them and get more space.
-
Some firewall devices allow you to do this, but it breaks all kinds of rules and only works because of undefined implementation details of some network stacks. All kinds of crazy intermediate problems can occur by the way you're trying to do it.
-
What firewall devices allows you to do this? Please name it… Such a setup is BORKED.. What company would support such a setup.. Just because some device does not have checks in place from stopping you from shooting yourself in the foot does not mean its a support method.
I can buy a gun and put it to my head and pull the trigger... Is that the maker of the guns problem??
-
I doubt you can see such set ups on commercial products or they even allow such. There are few threads here and on the FreeBSD user forums posted by Linux hipsters claiming that such setup is standard because it works on Linux and it should be by that argument a supported feature on FreeBSD/pfSense.
-
Or if your in say a tenant sort of building and the building network guy said hey use this /24..
That is pretty much exactly my situation. This network is a subnetwork of a larger network I don't have control over.
-
Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.
-
Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.
Thanks - I was thinking about that, but would rather avoid the complexity. I will try to get another /24 allocated.
-
Unless it's routed to you it will do you no good. You'll just be 1:1 NAT which is, again, double NAT. Better off probably running your own numbering scheme.
I think there's probably some lack of communication as to what you're actually facing. Not through any fault of yours.
Note that if you have a /24 routed to you you can do two (or more) inside interfaces such as 10.10.10.0/25 and 10.10.10.128/25.
-
What Julf is trying to do sounds to me a lot like a filtering bridge.
Basically:
Create a vlan100 for your device-group1.
Create a vlan200 for your device-group2.
Create a bridge containing vlan100 and vlan200.
Assign the bridge as interface.
Do all your IP configuration on the assigned bridge interface. (DHCP server?) –> No IP configuration on the vlan interfaces.
Create firewall rules on the vlan100/vlan200/bridge interfaces accordingly.Now you have 2 vlans with the same subnet and the ability to create firewall rules which allowed you to defines how devices between these two vlan talk to each other.
However as the rest of this thread pointed out:
A less complicated solution would be to simply have 2 subnets.
If you have a single /24 assigned for your own use, simply use it as two /25.
To the outside you still appear as a /24, but internally you are two /25. -
What Julf is trying to do sounds to me a lot like a filtering bridge.
Hadn't thought about a bridge - that could be a solution.
However as the rest of this thread pointed out:
A less complicated solution would be to simply have 2 subnets.
If you have a single /24 assigned for your own use, simply use it as two /25.
To the outside you still appear as a /24, but internally you are two /25.Indeed, as long as I can fit all the "normal" hosts in a /25 - should be possible.
-
"Hadn't thought about a bridge - that could be a solution."
No it wouldn't it would be pretty much an abomination!! So you can do exactly the same freaking thing.. Use part of your /24 network on 1 side ie your /25 and then subset of that /24 on your other side Ie /26..
Why do you not just do as we have be saying from the get go subnet your /24 down.. You can do exactly what you want, you just can not overlap..
The big question is how many hosts do you have?? As I mentioned before if you have more than /25 that need to be on same network and this /24 is assigned to you then your going to need more networks or bigger network.
I am very curious in what sort scenario your in were they are limiting you to 1 /24?? the 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them?
-
I am very curious in what sort scenario your in were they are limiting you to 1 /24?? the 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them?
Some times the problems are not technical but political. I will request a larger address space.
