Netgate Discussion Forum

    Multiple non tagged subnets

    General pfSense Questions
    53 Posts 6 Posters 9.0k Views
    • JKnottJ
      JKnott @pf_checker
      last edited by

      @pf_checker

      @johnpoz and I often have fun debating some points. I also like to push points that many people misunderstand or don't understand at all. However, as has been pointed out, while doable, 2nd subnets on a LAN are generally not a good idea unless you know what you're doing and why. Your question is not so much a pfsense issue as network configuration. As I mentioned, I would have put cameras on their own separate network. One reason for that is their security is poor, so you want to protect them. As for your rules, you don't have a specific interface to assign them to. The best you can do is assign them to the interface those addresses share, which can get tricky.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • P
        pf_checker
        last edited by

        Like stated before, I am willing to go against the grain and do things not according to the 'rules' / 'convention'.

        Is one willing and/or able to tell me how to do it? Or perhaps can I conclude that this software and/or community and my goals are not a match?

        No disrespect intended and I am still very fond of what you guys have set up. I am just confused at the moment.

        • JKnottJ
          JKnott @pf_checker
          last edited by

          @pf_checker

          I have already told you what you need to configure a 2nd subnet on an interface and why you don't have a specific interface for your rules. Am I missing something else you need?

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @JKnott
            last edited by johnpoz

            @jknott said in Multiple non tagged subnets:

            I don't, but it is supported with IPv6.

            NO IT ISN'T!! You do not use multiple different subnets/prefixes that are supposed to be isolated on the same L2..

            If you want to use multiple L3 address ranges on a device that are all in the same L2.. But thinking you can have L3 address range A, and L3 address B on the same L2 and that somehow isolates these networks - you're doing it WRONG!!! They are NOT isolated if they are in the same L2.

            If you want to use gua range A, along with ula range A on some device in L2 A - have at it.. But you don't then put device B in gua range B, ula range B on this same L2 and think you have actually isolated anything..

            @pf_checker if you run multiple L3 on the same L2 you're not isolating anything - if you want devices on the same L2 then put them in the same L3 range.. While you can - use a vip if you want to run multiple L3 ranges on the same L2.. But you're not going to be able to use dhcp to hand out multiple IP ranges. How would dhcp know that this device is supposed to get range A, while the other device gets B?

            What you're trying to do makes no sense and is not the correct way to run a network. If you want to use multiple networks - then isolate them at layer 2, either physically or with vlans. If you're going to put all the devices in the same L2 then use the same L3 network on them - since you have not actually isolated anything anyway if they are on the same L2.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • P
              pf_checker @johnpoz
              last edited by

              @johnpoz May I politely ask you to change your tone? I am getting the sense that you are passionate about something outside of my original question.

              @JKnott please help me wade through what are, for me, muddy waters. Is there a step by step available?

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @pf_checker
                last edited by johnpoz

                Sorry if you're taking my tone the wrong way - yes I am passionate about networking and security. You're not isolating anything if the devices are on the same L2. So running different L3 ranges is pointless - even if you "can" do it.

                If your desire is to isolate iot devices from other devices.. Then isolate them.. Either on different physical networks to isolate the L2s, or via vlans to isolate them on different L2s.

                It makes no sense to try and run multiple L3s on the same network if your goal is isolation.

                jknott is providing BAD information.. IPv6 is no different than IPv4 with some magic sauce to isolate devices on the same L2 just because they're using different subnets/prefixes.

                If you have your heart set on running different L3 networks on the same L2 - yes it can be done. But dhcp is not going to function with this.. You could hand out IPs for devices in range A, and set up mac blocking to not hand out IPs to the device you want in range B.. But it makes no sense to do such a thing other than busy work with the false sense of security that you think these devices are somehow isolated because they are using a different IP but are actually on the same network.

                If you want to keep your iot devices away from the rest of your network - then put them on their own "network". Some other L3 range is not another network.

                • JKnottJ
                  JKnott @johnpoz
                  last edited by

                  @johnpoz said in Multiple non tagged subnets:

                  If you want to use multiple L3 address ranges on a device that are all in the same L2.. But thinking you can have L3 address range A, and L3 address B on the same L2 and that somehow isolates these networks - you're doing it WRONG!!! They are NOT isolated if they are in the same L2.
                  If you want to use gua range A, along with ula range A on some device in L2 A - have at it.. But you don't then put device B in gua range B, ula range B on this same L2 and think you have actually isolated anything..

                  Last week you mentioned your IPv6 prefix from an earlier ISP would change and I pointed out that this was one situation where you might want to use ULA, so that you'd have stable addresses for use with DNS. That right there is one valid reason for having both ULA and GUA on the same LAN. Also, since ULA is not allowed on the Internet, it does provide some isolation, not from your network, but from the rest of the world. I also mentioned cameras that were used with a DVR, where the cameras were on an entirely separate network that connects only to the DVR. This increases the security of those cameras, as there is no way they can be reached, other than through the DVR. While not physically separate, having a 2nd subnet on the same LAN will provide similar logical isolation, with the limitations discussed earlier. I think this is what the OP is trying to achieve.

                  So, yes there are reasons for 2 (or more) subnets on a LAN, both with IPv4 and IPv6. IPv4 has aliases, but IPv6 was designed from the ground up to support it.

                  • P
                    pf_checker @JKnott
                    last edited by

                    Gentlemen, are you seriously still hijacking my thread while not resolving it?

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @pf_checker
                      last edited by

                      Your question has been answered multiple multiple times already.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @johnpoz
                        last edited by johnpoz

                        @JKnott you're not getting it - at a loss as to how anyone could be this dense..

                        What part do you not understand that running different L3s on the same L2 provides no isolation? I don't care if it's ipv4, ipv6 or some new IPvX -- you are not isolating anything if you're just changing the IP address used.

                        You can run multiple IP schemes on the same L2, but these are all meant to be the same network - you're not attempting to isolate this from another network.. They are all the "same" network - just using different L3 schemes..

                        Device A having IPv4, IPv6 (gua and ula), link-local etc.. makes no difference when they are all on the same L2 and meant to talk to each other, and not trying to isolate them from device B.

                        But if you put device B on this same L2, and just give it some different IPv4, or IPv6 either ula or gua - you're not actually isolating anything! This is the basic concept you just don't seem to grasp..

                        You stating that you can run multiple address schemes and provide anything is FUD!! There is ZERO point to running multiple address schemes on the same L2 if your goal is isolation.. If you want to run gua or ula or link-local be it ipv4 or ipv6 have at it - but don't think just using some different IP scheme on the same L2 provides anything in the way of security.. And if you're not trying to secure anything - it's pointless to run multiple different addresses in the same family be it IPv4 or IPv6, gua or ula..

                        If you're not trying to isolate then just use 1 address scheme since you're not actually isolating anything.. This is the point the OP seems to be missing.

                        It can be done - not with any sort of easy way to dhcp.. Nor can you make firewall rules between a native address and some vip you put on the interface - why, because it's POINTLESS because you can not secure devices from each other on the same L2 no matter what address you put on the devices.

                        • JKnottJ
                          JKnott @johnpoz
                          last edited by

                          @johnpoz said in Multiple non tagged subnets:

                          jknott is providing BAD information.. IPv6 is no different than IPv4 with some magic sauce to isolate devices on the same L2 just because they're using different subnets/prefixes

                          Please see the link I provided in the other message about multi homing with IPv6. It is designed to support it. Why is it there, in RFC7157, if it's bad info?

                          John, I know you have a lot of experience in networks, but I get the impression you don't do a lot of research on the details. I knew about multi homing being built into IPv6 years ago, because I have made a point of learning as much about IPv6 as I can. For example, if you were to read IPv6 Essentials 3rd ed. (O'Reilly), on page 23 you would find:

                          "The global routing prefix identifies the address range allocated to a site. This part of the address is assigned by the international registry services and the Internet Service Providers (ISPs) and has a hierarchical structure. The subnet ID identifies a link within a site. A link can be assigned multiple subnet IDs."

                          Or Cisco's IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 2nd e. pg. 127:

                          A global unicast address is configured on an interface, which can be configured with one or multiple GUA addresses. The GUA addresses can be on the same or different subnets, and they can be configured manually or obtained dynamically.

                          So, yes multiple subnets, on the same interface, are part of how IPv6 was built.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @JKnott
                            last edited by

                            YOU DO NOT GET IT --- where in that RFC does it state that using address scheme X vs Y on the same L2 provides any sort of security..

                            Sorry but device A on same L2 as device B you can not secure them from each other by just changing the Address scheme used.. YOU CAN NOT!!!

                            • JKnottJ
                              JKnott @johnpoz
                              last edited by

                              @johnpoz said in Multiple non tagged subnets:

                              @JKnott you're not getting it - at a loss as to how anyone could be this dense..

                              Please read the info I provided in the other messages and tell me again I'm dense. Or are you also claiming Cisco and Silvia Hagen, the author of IPv6 Essentials, and the authors of that RFC7157 are dense?

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @JKnott
                                last edited by

                                Dude I have read - I suggest you read it again.. And point out where you're actually securing anything by using different address schemes on the same L2... I don't give 2 shits what the different address schemes are used for..

                                Just completely flabbergasted how anyone in the field could be this dense..

                                • JKnottJ
                                  JKnott @johnpoz
                                  last edited by

                                  @johnpoz

                                  You're going way off point. The OP asked about having a 2nd subnet on a LAN. We are all aware that the best way is to use a separate LAN or VLAN, but there is absolutely no reason to not use a 2nd subnet if that does the job. No, there is no protection from other devices on the LAN, but there is some from elsewhere. For example, on IPv4, NAT is often used. If he doesn't set up NAT to the 2nd subnet, then it's unlikely it can be reached from anywhere beyond the local network. Even if someone on the main subnet tries to reach something on the 2nd subnet, they'll get ICMP redirects, which will prevent them from reaching it. They would have to create an alias on their computer too to get around that. That is something that is likely to be beyond the skills of typical users, particularly if they don't have admin or root permissions.

                                  Are the OP's goals high security? Or just enough to keep out casual attacks?

                                  • poechiiP
                                    poechii @pf_checker
                                    last edited by

                                    @pf_checker There is no point in using two different subnets on the same broadcast domain. You will not get the security that traditional VLANs provide if that's what you want. They will not be isolated. If you want to do a router on a stick configuration, you will need a managed switch. Otherwise you will need another physical interface on your pfsense box. Sorry, there's just no way around this.

                                    • poechiiP
                                      poechii @JKnott
                                      last edited by

                                      @jknott I would think if OP is compromised that anyone that did it is savvy enough to do a simple ARP scan using nmap. Sometimes pinging the broadcast address is all you need to see every device on the network. I'm not sure there's any reason to have multiple ranges on the same broadcast domain, at least with IPv4.

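The following is an added example, not pfSense code and not code from any poster in this thread. It models the point johnpoz makes about running several L3 subnets on one L2 segment, together with the alias and broadcast-domain points JKnott and poechii raise above: on a shared segment a host's broadcasts reach every other host regardless of subnet, a host can add an address in the other subnet locally, and only a separate L2 (VLAN) lets a router-side rule actually be enforced. The hosts, VLAN ids and addresses are constructed, and the names `Host`, `broadcast_domain`, `direct_l2_path`, `policy_enforceable`, `with_alias` and `packet_path` are chosen here.

```python
# Added example (not pfSense code, not from any poster): a small model of why
# several L3 subnets on one L2 segment give no isolation, while separate
# VLANs do.  All hosts, VLAN ids and addresses below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import List


@dataclass
class Host:
    name: str
    vlan: int                      # the broadcast domain the port belongs to
    addrs: List[IPv4Interface]     # every address the host has on that port


def broadcast_domain(hosts, h):
    """Names of every host that hears h's broadcasts (ARP requests, a ping
    to the broadcast address): everything on the same VLAN, whatever L3
    subnet each host happens to be configured with."""
    return {x.name for x in hosts if x.vlan == h.vlan and x.name != h.name}


def direct_l2_path(a, b):
    """True when a can reach b without going through the router: same L2
    and at least one of a's subnets contains one of b's addresses, so a
    simply ARPs for b's MAC and sends the frame."""
    if a.vlan != b.vlan:
        return False
    return any(ib.ip in ia.network for ia in a.addrs for ib in b.addrs)


def policy_enforceable(a, b):
    """Can a firewall rule on the router ever be enforced between a and b?
    Only when a and b are on different L2 segments: on a shared segment a
    can always add an address in b's subnet (see with_alias), after which
    the router never sees that traffic again."""
    return a.vlan != b.vlan


def with_alias(h, alias):
    """The same host after a second address (an alias) has been added to
    its port.  Returns a new Host; h itself is not modified."""
    return Host(h.name, h.vlan, h.addrs + [IPv4Interface(alias)])


def packet_path(a, b):
    """Where a packet from a to b goes: 'direct' (router never sees it),
    'router-hairpin' (same L2, a has no address in b's subnet, so it hands
    the packet to its gateway, which can only send it back out the same
    segment) or 'router' (different L2, router forwards and its rules apply)."""
    if direct_l2_path(a, b):
        return "direct"
    if a.vlan == b.vlan:
        return "router-hairpin"
    return "router"


# Constructed topology: a PC and a camera on the same untagged LAN but in
# different /24s (the "second subnet" design), and the same camera placed
# on its own VLAN instead.
PC = Host("pc", vlan=1, addrs=[IPv4Interface("192.168.10.5/24")])
CAM_SHARED = Host("cam", vlan=1, addrs=[IPv4Interface("192.168.20.5/24")])
CAM_VLAN = Host("cam", vlan=20, addrs=[IPv4Interface("192.168.20.5/24")])


def demo():
    pc_alias = with_alias(PC, "192.168.20.77/24")   # constructed alias
    print("camera hears PC broadcasts (shared L2):", "cam" in broadcast_domain([PC, CAM_SHARED], PC))
    print("camera hears PC broadcasts (own VLAN): ", "cam" in broadcast_domain([PC, CAM_VLAN], PC))
    print("path pc->cam, shared L2, no alias:     ", packet_path(PC, CAM_SHARED))
    print("path pc->cam, shared L2, with alias:   ", packet_path(pc_alias, CAM_SHARED))
    print("path pc->cam, own VLAN, with alias:    ", packet_path(pc_alias, CAM_VLAN))
    print("router rule enforceable (shared L2):   ", policy_enforceable(PC, CAM_SHARED))
    print("router rule enforceable (own VLAN):    ", policy_enforceable(PC, CAM_VLAN))


if __name__ == "__main__":
    demo()
```

The model deliberately keeps the router out of the decision: whether a rule can be enforced depends only on whether the two hosts share a broadcast domain, which is exactly why the advice in the thread is a VLAN or a separate physical interface rather than a VIP.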
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @JKnott
                                        last edited by johnpoz

                                        @jknott said in Multiple non tagged subnets:

                                        The OP asked about having a 2nd subnet on a LAN

                                        And he was given the correct answer.. You are the one going on about running multiple different addressing schemes.. That have nothing to do with a firewall and securing anything.. Because it's not secure if they are on the same L2..

                                        If it's "not" secure there is ZERO point to running another same type address scheme.. As I already stated running 192.168.10/24 and 192.168.20/24 on the same L2 provides ZERO anything other than headache.. If you want to have some devices on 192.168.10.X and some on 192.168.20 for example then just run /16 or 192.168.0/19 and now you can use those different IP ranges - but they are all on the same L2 network; it's pointless to try and run different address schemes in the same family of addresses.

                                        So the correct answer to the OP question is don't! He can if he wants via a vip, but there is no way to firewall between a vip network and native address on the interface. Since it's pointless - even if you could create rules.. They are actually false!! Since you're not actually isolating anything.. Since the devices are on the same L2.

                                        @JKnott you tend to lead users down the WRONG path.. On semantics, your tagging advice about dumb switches not stripping them.. So what? It's not secure be it you can run tags over the device or not.. It doesn't understand them.. so it doesn't isolate traffic between the ports..

                                        Same sort of thing in this multiple address schemes on the same L2 - it provides no security..

                                        • JKnottJ
                                          JKnott @pf_checker
                                          last edited by JKnott

                                          @pf_checker said in Multiple non tagged subnets:

                                          @JKnott please help me wade through, that for me are, muddy waters. Is there a step by step available?

                                          As I and John have both mentioned, the best thing for you is a managed switch to separate the VLAN from pfsense into a native LAN that supports the subnet you want to use. BTW, no need for a /16, unless you have several thousand cameras. Address classes have been obsolete for well over 20 years. Just pick the appropriate subnet size and set the mask accordingly. What you are trying to do, while possible, is not advisable. As I mentioned, you really need to know what you're doing when you try to get fancy with things. Both John and I have years of experience (my LAN experience goes back to early 1978, Ethernet to the late '80s and IP, spring 1995) and would have no problem being able to do what you want and I have provided the info you need to do that. The next question is whether it's advisable, given your limited experience.

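The following is an added example, not pfSense code and not code from any poster. It works through the sizing arithmetic behind two statements above: johnpoz's point that devices on one L2 belong in one L3 range (a /16 or 192.168.0/19 rather than 192.168.10/24 plus 192.168.20/24), and JKnott's advice to pick the subnet size that fits rather than defaulting to a /16. The two /24 prefixes and the /16 and /19 are the ones named in the thread; the camera counts are constructed, and the function names `smallest_common_supernet`, `usable_hosts` and `prefix_for_hosts` are chosen here.

```python
# Added example (not pfSense code, not from any poster): subnet-size
# arithmetic for the "one L3 range per L2 segment" advice.  The prefixes
# are the ones named in the thread; the camera counts are constructed.
import ipaddress


def smallest_common_supernet(nets):
    """The smallest single prefix that contains every network in nets,
    e.g. 192.168.10.0/24 and 192.168.20.0/24 -> 192.168.0.0/19.
    Shortens the prefix one bit at a time until every net fits."""
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    prefix = min(n.prefixlen for n in nets)
    candidate = nets[0].supernet(new_prefix=prefix)
    while not all(n.subnet_of(candidate) for n in nets):
        prefix -= 1
        candidate = nets[0].supernet(new_prefix=prefix)
    return candidate


def usable_hosts(net):
    """Host addresses available in an IPv4 prefix (network and broadcast
    addresses excluded for prefixes shorter than /31)."""
    net = ipaddress.ip_network(net, strict=False)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def prefix_for_hosts(count):
    """Longest prefix length (smallest block) whose usable host count
    covers `count` hosts: the 'pick the appropriate subnet size' step."""
    for plen in range(30, 0, -1):
        if usable_hosts(f"0.0.0.0/{plen}") >= count:
            return plen
    raise ValueError("more hosts than a single IPv4 prefix can hold")


def demo():
    merged = smallest_common_supernet(["192.168.10.0/24", "192.168.20.0/24"])
    print("one range covering both /24s:", merged, "usable hosts:", usable_hosts(merged))
    print("/16 usable hosts:", usable_hosts("10.0.0.0/16"))
    for cams in (8, 40, 300):      # constructed camera counts
        plen = prefix_for_hosts(cams)
        print(f"{cams} cameras fit in a /{plen} ({usable_hosts(f'0.0.0.0/{plen}')} usable)")


if __name__ == "__main__":
    demo()
```

Note that the /19 is still a single L3 range on a single L2 segment; the computation only shows how to keep the 192.168.10.x and 192.168.20.x numbering without two separate subnets, which is the alternative johnpoz describes.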
                                          • JKnottJ
                                            JKnott @johnpoz
                                            last edited by

                                            @johnpoz said in Multiple non tagged subnets:

                                            They are actually false!! Since you're not actually isolating anything.. Since the devices are on the same L2.

                                            Yep and I haven't claimed otherwise.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.