Netgate Discussion Forum

    Adding second network, 10.0.0.0

    20 Posts 5 Posters 1.4k Views
JKnott @lewis

      @lewis

Did you actually ping something on one network from the other, except for from pfSense? The way IP works, that shouldn't be possible. When you try to connect with IP, the destination address is compared with the local address & subnet mask. If the destination is on the same network, then you can connect directly. If not, you have to go through a router. However, with both networks on the same interface, the router (pfSense) will send an ICMP redirect, advising to connect directly. But you can't, as described above. The way around that is more aliases, so that a computer has addresses on both networks. You'll need an address on every device you want to be able to use either network.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

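The on-link decision and the redirect case described in the post above, modelled as an added example (not code from the thread or from pfSense). A host compares the destination against each of its own address/mask pairs (including aliases); a router that finds the destination on-link via the same interface the packet arrived on is in the ICMP-redirect situation. All addresses below are constructed; the interface names "lan" and "wan" are assumptions for the model.

```python
"""Model of host next-hop selection and router forwarding on a segment
that carries two IPv4 subnets. Added example; addresses are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def next_hop(host_ifaces: Iterable[str], gateway: str, dst: str) -> Tuple[str, str]:
    """Decide how a host reaches dst.

    host_ifaces: 'addr/prefix' strings configured on the host's interface
    (a second entry is an alias on the second subnet).
    Returns ('direct', dst) when dst is on-link for any configured prefix,
    else ('via', gateway): the packet goes to the router.
    """
    target = ipaddress.ip_address(dst)
    for cidr in host_ifaces:
        if target in ipaddress.ip_interface(cidr).network:
            return ("direct", dst)
    return ("via", gateway)


def router_forwarding(router_ifaces: Dict[str, List[str]], ingress: str, dst: str) -> str:
    """Decide what a router does with a packet that arrived on `ingress`.

    router_ifaces maps interface name -> list of 'addr/prefix' aliases.
    'local'    : dst is one of the router's own addresses (pinging the
                 firewall itself works, which is the case in the thread)
    'route'    : dst is on-link via a different interface, normal forwarding
    'redirect' : dst is on-link via the interface the packet came in on;
                 the router answers with an ICMP redirect instead
    'no-route' : no interface covers dst
    """
    target = ipaddress.ip_address(dst)
    for name, cidrs in router_ifaces.items():
        for cidr in cidrs:
            iface = ipaddress.ip_interface(cidr)
            if target == iface.ip:
                return "local"
    for name, cidrs in router_ifaces.items():
        for cidr in cidrs:
            if target in ipaddress.ip_interface(cidr).network:
                return "redirect" if name == ingress else "route"
    return "no-route"


# Constructed topology: pfSense LAN with an alias on 10.0.0.0/8, plus a WAN.
ROUTER = {"lan": ["192.168.1.1/24", "10.0.0.1/8"], "wan": ["203.0.113.2/24"]}

if __name__ == "__main__":
    print(next_hop(["192.168.1.10/24"], "192.168.1.1", "10.0.0.5"))
    print(next_hop(["192.168.1.10/24", "10.0.0.10/8"], "192.168.1.1", "10.0.0.5"))
    print(router_forwarding(ROUTER, "lan", "10.0.0.5"))
```

A host with only 192.168.1.10/24 sends traffic for 10.0.0.5 to its gateway; the router sees that 10.0.0.5 is on-link through the very interface the packet came in on and redirects. Once the host also carries a 10.0.0.10/8 alias, it resolves 10.0.0.5 on-link itself and never involves the router, which is the "more aliases" workaround the post describes.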
lewis

        Yes, you are right. I pinged the firewall only, not a device on the LAN.
        I thought being able to ping the firewall meant I could now reach anything on the 10.x.x.x network.

        I recall it was very simple when I did this a long time ago. I simply added an alias or something, I believe I only needed to add one rule to allow the 192.168.x.x network to communicate with devices on the 10.x.x.x network.

        And, if I wanted more security, I could also set up separate rules instead of one single rule as above.

lewis

          So, can someone direct me to a url/document that can help me with this? I had found one once but can't seem to find one now.
          I basically just want to have 192.168.x.x. as the default network with 10.0.0.0/8 as a secondary network.

heper @Rico

            @Rico said in Adding second network, 10.0.0.0:

            There is no clean/proper way to run two networks at the same layer2.
            Create VLANs or use more physical NICs.

            -Rico

lewis

              I'm not trying to argue but I had this working up until last year and it worked perfectly. I could either have one rule that allowed traffic to flow between the two networks or I could create separate rules to keep them separated. It was a one minute setup.

              I was not using a vlan either. Maybe I'm not asking the question correctly which is why I'm not finding anything on Google either.

heper

                you can't find anything on google, because it's not supported & in fact very bad practice to run multiple subnets on the same interface.

                you either use a separate network card or you use vlans.

                whatever it was you had working up until last year, it probably wasn't what you think it was.

johnpoz LAYER 8 Global Moderator

As others have said this is just borked.. Running multiple layer 3 networks on the same layer 2 network is just WRONG!! Can it be done - yeah, but it provides no security, no isolation.. it's just utterly freaking pointless from every point of view..

                  If you want to isolate devices onto different networks for security... Then do it physically with different nics in pfsense, and different switches and APs... Or go the vlan route... Get a switch and APs that actually support vlans.

A $40 8 port gig switch can do vlans... If you don't want to spend money on a wireless AP that does them or your current wifi router can not run 3rd party firmware like ddwrt that will allow vlans - then you could use some $20 wifi router as an AP and connect it to a specific vlan on your switch..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

lewis

                    I understand why it's not a good idea but as I said, it's not to route traffic, it's just to scan devices I work on that come in with fixed IPs and the only way to find them is to nmap a range.

                    All my switches can do VLANs and other tricks but I'm not looking for anything like that. Not looking to set up separate networks. I'm not looking to isolate anything, I do want all three on the same interface, there is no security issue in this case.

JKnott @lewis

                      @lewis

                      As has been mentioned, you can't get from one network to the other, without going through pfSense or other router. But a router won't do that when both networks are on the same interface. You could install nmap on pfSense and then use it to check those devices, provided you put an alias on the pfSense LAN port.


johnpoz LAYER 8 Global Moderator @lewis

                        @lewis said in Adding second network, 10.0.0.0:

                        it's just to scan devices I work on that come in with fixed IPs

What devices - so you can not log into these devices.. No console or screen.. And you don't know what their IP is to say telnet/ssh to them.. But you have the login creds?

Why would you think you should do this from your firewall?

Set the IP on the PC you're working from.. Scan whatever you want... I would do such things on an isolated vlan anyway.. I wouldn't be plugging random shit into my normal lan..


lewis @johnpoz

                          @johnpoz said in Adding second network, 10.0.0.0:

                          @lewis said in Adding second network, 10.0.0.0:

                          it's just to scan devices I work on that come in with fixed IPs

                          What devices - so you can not log into these devices.. No console or screen.. And you don't know what their IP is to say telnet/ssh to them.. But you have the login creds?

Why would you think you should do this from your firewall?

Set the IP on the PC you're working from.. Scan whatever you want... I would do such things on an isolated vlan anyway.. I wouldn't be plugging random shit into my normal lan..

                          The random 'shit' are IoT devices that I need to recover. I know where they come from, I know there are no security risks, just that someone lost access to it by setting up a static IP and it cannot be reset. When arp -s IP MAC doesn't work, the only thing left is to scan the IP ranges. Nothing will be routing on those networks, it's only to find IPs that might be using one of these.

                          I keep telling you, this is not a security issue, I'm not trying to isolate anything, I had a simple config on the pfsense some time back that gave me exactly this. It allowed me to set up two additional networks on the default 192.168.x.x. The two additional networks were 10.0.0.0/8 and 172.16.0.0/16.

Anyhow, if no one here knows what it was I might have had, no need to continue this thread. I just thought it was something simple and well known.

lewis
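The recovery problem in the post above (a device with a known MAC and a forgotten static IP) has a more targeted answer than sweeping 10.0.0.0/8 with nmap: the device still speaks ARP on the segment (gratuitous ARP on link-up, requests for its own gateway), and every ARP frame carries the sender's MAC and IP. The following is an added example, not code from the thread; it parses Ethernet/ARP frames and returns the IP a given MAC is using. The frames are constructed test data, and ARP probes with a 0.0.0.0 sender address are skipped because they carry no usable IP. On a real segment you would feed it frames from a raw socket or a capture such as `tcpdump -i eth0 -w arp.pcap arp`; the MAC and IP values below are assumptions.

```python
"""Passive ARP discovery: find the IPv4 address a known MAC announces.
Added example with constructed frames; not from the thread."""
import struct
from typing import Dict, Iterable, Optional

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28  # fixed size for Ethernet/IPv4 ARP


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(src_mac: str, sender_ip: str, target_ip: str, oper: int = 1,
              dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Build an Ethernet+ARP frame; used here only to create sample captures."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac(src_mac) + _ip(sender_ip)
           + _mac("00:00:00:00:00:00") + _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, str]]:
    """Return sender MAC/IP, target IP and opcode for an Ethernet/IPv4 ARP
    frame; None for non-ARP or truncated frames."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet hardware / IPv4 protocol addresses handled
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {
        "oper": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": ":".join(f"{b:02x}" for b in sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def find_ip_by_mac(frames: Iterable[bytes], mac: str) -> Optional[str]:
    """First IPv4 address announced by `mac` as ARP sender.
    ARP probes (sender 0.0.0.0) are ignored: the host has no address yet."""
    mac = mac.lower()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["sender_mac"] == mac and arp["sender_ip"] != "0.0.0.0":
            return arp["sender_ip"]
    return None


# Constructed capture: a LAN host, then an IoT device (assumed MAC) that first
# probes with 0.0.0.0 and then asks for its old gateway from 10.20.30.40.
SAMPLE_CAPTURE = [
    build_arp("aa:bb:cc:dd:ee:01", "192.168.1.20", "192.168.1.1"),
    build_arp("00:11:22:33:44:55", "0.0.0.0", "10.20.30.40"),
    build_arp("00:11:22:33:44:55", "10.20.30.40", "10.0.0.1"),
    b"\x00" * 60,  # non-ARP noise
]

if __name__ == "__main__":
    print(find_ip_by_mac(SAMPLE_CAPTURE, "00:11:22:33:44:55"))
```

Once the address is known, putting a matching alias on the workstation (not on the firewall) is enough to reach the device directly, which is what the thread ends up recommending.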

                            I think I'll just add a couple more interfaces and do it that way. I got to thinking about how I might be able to use the separate lans anyhow.

                            Thanks to all for the input.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.