Netgate Discussion Forum
Multiple non tagged subnets

General pfSense Questions
53 Posts, 6 Posters, 10.1k Views
poechii @pf_checker

@pf_checker There is no point in using two different subnets on the same broadcast domain. You will not get the security that traditional VLANs provide, if that's what you want. They will not be isolated. If you want to do a router-on-a-stick configuration, you will need a managed switch. Otherwise you will need another physical interface on your pfSense box. Sorry, there's just no way around this.
poechii @JKnott

@jknott I would think that if the OP is compromised, anyone who did it is savvy enough to do a simple ARP scan using nmap. Sometimes pinging the broadcast address is all you need to see every device on the network. I'm not sure there's any reason to have multiple ranges on the same broadcast domain, at least with IPv4.
johnpoz LAYER 8 Global Moderator @JKnott
last edited by johnpoz

@jknott said in Multiple non tagged subnets:

[T]he OP asked about having a 2nd subnet on a LAN

And he was given the correct answer. You are the one going on about running multiple different addressing schemes, which have nothing to do with a firewall and securing anything, because it's not secure if they are on the same L2.

If it's "not" secure there is ZERO point to running another same-type address scheme. As I already stated, running 192.168.10/24 and 192.168.20/24 on the same L2 provides ZERO anything other than headache. If you want to have some devices on 192.168.10.X and some on 192.168.20, for example, then just run a /16 or 192.168.0/19 and now you can use those different IP ranges - but they are all on the same L2 network; it's pointless to try and run different address schemes in the same family of addresses.

So the correct answer to the OP's question is: don't! He can if he wants via a VIP, but there is no way to firewall between a VIP network and the native address on the interface. Since it's pointless - even if you could create rules, they are actually false!! Since you're not actually isolating anything, since the devices are on the same L2.

@JKnott you tend to lead users down the WRONG path. On semantics, your tagging advice about dumb switches not stripping them: so what? It's not secure, whether you can run tags over the device or not. It doesn't understand them, so it doesn't isolate traffic between the ports.

Same sort of thing with these multiple address schemes on the same L2 - it provides no security.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
JKnott @pf_checker
last edited by JKnott

@pf_checker said in Multiple non tagged subnets:

@JKnott please help me wade through what for me are muddy waters. Is there a step by step available?

As I and John have both mentioned, the best thing for you is a managed switch to separate the VLAN from pfSense into a native LAN that supports the subnet you want to use. BTW, no need for a /16, unless you have several thousand cameras. Address classes have been obsolete for well over 20 years. Just pick the appropriate subnet size and set the mask accordingly. What you are trying to do, while possible, is not advisable. As I mentioned, you really need to know what you're doing when you try to get fancy with things. Both John and I have years of experience (my LAN experience goes back to early 1978, Ethernet to the late '80s and IP, spring 1995) and would have no problem being able to do what you want, and I have provided the info you need to do that. The next question is whether it's advisable, given your limited experience.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
JKnott @johnpoz

@johnpoz said in Multiple non tagged subnets:

They are actually false!! Since you're not actually isolating anything, since the devices are on the same L2.

Yep, and I haven't claimed otherwise.
johnpoz LAYER 8 Global Moderator @JKnott

@jknott said in Multiple non tagged subnets:

Yep, and I haven't claimed otherwise.

Then DON'T even bring it UP!!
JKnott @johnpoz

@johnpoz said in Multiple non tagged subnets:

Then DON'T even bring it UP!!

What fun is that? 😉
poechii @johnpoz

@johnpoz Heh heh, I don't post here much, but I have to say that I appreciate your blunt, straight-to-the-point responses. Obviously the OP has a flawed understanding of what VLANs are.

I would start with reading up on broadcast domains if I were the OP, since the point here is to put their cameras on a separate broadcast domain (or VLAN) where one device would have to go through the firewall (or router/L3) to communicate with a device on the other L2/VLAN.
pf_checker @johnpoz

@johnpoz WOW!! As a newcomer to this community (and the software) I am flabbergasted.

Is this the level of communicative skills one can expect going forward?
I am not trying to be a dick, but I am seriously looking to go back to OpenWRT at the moment, because network science and politics should stay separate.

I am not sure you all have heard about the blunder flamewars against OPNsense, but things like this need to not happen!!

It is simple. Either please show me how to get where I need to get, or tell me it is not possible.

@RadicalEntity this is just a small home setup. The only thing I care about is not having IoT talking home to China.

Is this such an uncommon use case? And yes, there are ways around it. Not trying to be a bitch, but other software does this out of the box.
pf_checker @poechii
last edited by pf_checker

@radicalentity obvious? flawed? I never wanted to talk about VLANs from the get-go. I think you need to gather more of my knowledge about a certain subject before you make statements.

Now, what is it you would like me to explain to you so you can start making judgements?

Please settle down, stop drinking the coffee for a moment and breathe.
pf_checker

BTW, this is by far the most hostile forum I have ever been on. I am not sure if you guys are doing this deliberately or just having a bad day at the office.
poechii @pf_checker

@pf_checker Are you trolling or something? If you're not that concerned about security, then why do you want to do two separate subnets? What are you trying to ultimately accomplish? If you want help, then answer that question.

But if you're really set on this idea, then you need to turn off DHCP, since it won't work properly at all, and then use hard-coded static IP addresses on all of your hosts with subnet masks set accordingly. The problem you will run into here is your default gateway, if you want your devices to talk to the internet. If I recall, you can only set one static IPv4 address on an interface in pfSense.
pf_checker @poechii

@radicalentity so when critical questions or observations are being made, one is a troll?

No, I just want to get my shit together.

10.30.x.x camera
10.20.x.x other devices
10.19.x.x servers
10.18.x.x some other shit

I will accept it if Netgate did not plan ahead for this use case.
poechii @pf_checker

@pf_checker Then you need a managed switch using a router-on-a-stick config, or more interfaces on your pfSense box. What you're asking for is impossible, that is if you want them all to talk to the internet. Only one of those subnets will be able to. I doubt very much that Netgate will modify pfSense to do what you want, because it's pretty much a misconfiguration.
Bob.Dig LAYER 8 @pf_checker

@pf_checker said in Multiple non tagged subnets:

I will accept it if Netgate did not plan ahead for this use case.

Ok, you are right, bye.
pf_checker @Bob.Dig

@johnpoz please treat me as a slow learner. Where in this thread are the step-by-steps?

Re: Multiple non tagged subnets

One man down. Going back to try OpenWRT.
Humility seems to still rule there.
poechii @pf_checker

@pf_checker If you're smarter than all of us, then you can figure this one out on your own. Have fun.
johnpoz LAYER 8 Global Moderator @pf_checker
last edited by johnpoz

@pf_checker said in Multiple non tagged subnets:

did not plan ahead for this use case

Huh? That has zero to do with pfSense. You wouldn't put those on the same L2 if you're wanting those to be different networks. You wouldn't; it doesn't matter what you're using for networking.

Those could all be on the same L2 if you're using, say, a /8 mask for your 10 network, or a 10.18/19 if you wanted; that would put all of those IP ranges in the same network.

And you could mess with your DHCP server to hand out IPs in specific pools of those ranges via MAC addresses.

But those would not be different networks. If you want to actually isolate those - which is normal and common for, say, cameras and other stuff - then you would use VLANs, or you would use a physical method of isolating them. And you would size the L3 network appropriately for your use; in your example, /16 for each of those, since you seem to be calling out the 2nd octet as the differentiator.

You do not run multiple networks (same family of address type, to keep jknott happy) untagged on the same L2 - how else do you have to be told that is not the correct way to do it?

pfSense didn't "plan" for it - because it's not done. There are scenarios where you might have to for some specific networking issue, so you can use a VIP on an interface to accomplish such scenarios. Say you're changing your address space from one network to another; that is one example where the VIP can help in the transition.

But no, you do not "plan" for running multiple untagged subnets on the same L2, because yet again it's pointless to do such a thing.

What you think some SOHO router allows you to do, or what it was doing, I have no idea. Maybe it was allowing you to create a sub-interface for a specific port on the switch to be on a different network via port isolation, or maybe they were allowing you to create another IP on the interface via a sub. But again, if that is not tagged it's not going to be isolated, and there is no reason to do such a thing in the big picture.

Your example of cameras on X and servers on Y is done with L2 isolation and then different networks on those different L2s. That is how it's done - period!
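An added example (not from the thread, and not pfSense code) that models johnpoz's point with Python's ipaddress module: the four /16 ranges the OP listed are distinct L3 networks, yet on one untagged LAN they share a broadcast domain, and only separate VLANs put the firewall in the path where its rules mean something. Host names, addresses and VLAN ids are constructed, and the last helper goes one step further than the post by computing the single prefix that would cover all four ranges if they really are going to share one L2.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface  # configured address with prefix, e.g. 10.30.0.5/16
    vlan: int             # 802.1Q VLAN id of the switch port; 0 = untagged native LAN


def same_l3_network(a: Host, b: Host) -> bool:
    """Layer 3 view: both hosts are configured inside the same IP network."""
    return a.iface.network == b.iface.network


def same_broadcast_domain(a: Host, b: Host) -> bool:
    """Layer 2 view: both hosts sit in the same VLAN on the same switch fabric,
    so each can ARP for, and send frames directly to, the other's MAC address."""
    return a.vlan == b.vlan


def firewall_can_enforce(a: Host, b: Host) -> bool:
    """A router/firewall can only police traffic that has to pass through it.
    Two hosts that share a broadcast domain can exchange frames without it,
    whatever subnets they are configured with, so rules between them enforce
    nothing. Only separate L2 segments force the traffic through the firewall."""
    return not same_broadcast_domain(a, b)


def smallest_single_network(hosts) -> IPv4Network:
    """The one prefix covering every host address: the 'just use a bigger
    mask' alternative if the hosts are going to share one L2 anyway."""
    nets = [h.iface.network for h in hosts]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net


# Constructed sample hosts following the OP's plan: one untagged LAN, a /16 per role.
OP_PLAN = [
    Host("camera", IPv4Interface("10.30.0.5/16"), vlan=0),
    Host("laptop", IPv4Interface("10.20.0.7/16"), vlan=0),
    Host("server", IPv4Interface("10.19.0.9/16"), vlan=0),
    Host("misc",   IPv4Interface("10.18.0.2/16"), vlan=0),
]
# The same addressing done the way the thread recommends: one VLAN per network.
VLAN_PLAN = [Host(h.name, h.iface, vlan=10 + i) for i, h in enumerate(OP_PLAN)]

if __name__ == "__main__":
    cam, srv = OP_PLAN[0], OP_PLAN[2]
    print("camera/server in different IP networks:", not same_l3_network(cam, srv))
    print("camera/server in same broadcast domain:", same_broadcast_domain(cam, srv))
    print("camera->server rule enforceable (untagged):", firewall_can_enforce(cam, srv))
    print("camera->server rule enforceable (VLANs):", firewall_can_enforce(VLAN_PLAN[0], VLAN_PLAN[2]))
    print("single network covering all four ranges:", smallest_single_network(OP_PLAN))
```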
poechii @pf_checker
last edited by poechii

@pf_checker If you simply don't want your devices phoning home, then maybe consider pfBlockerNG's GeoIP egress filtering. Static assignments in DHCP for devices will help if you only want certain devices to be filtered.
johnpoz LAYER 8 Global Moderator @pf_checker
last edited by johnpoz

@pf_checker said in Multiple non tagged subnets:

Going back to try OpenWRT.

Yeah, come back when that doesn't do what you want either - because it doesn't, because it is not done.

https://openwrt.org/docs/guide-user/base-system/basic-networking

eth0.2 is VLAN 2 on that parent interface, just like it shows in pfSense for VLANs.

So, 30 years in the biz, before there was TCP and routers. When you create a sub-interface it is another VLAN. Sure, I can put multiple IPs on an interface in the same VLAN. Not going to provide anything anyone would want. It doesn't isolate, it's not secure. So why would you do it, other than transition, or having to support some device that is static IP that you cannot change? It's not a "planned" sort of thing - it is, and always and forever will be, a workaround setup to get around a specific situation. Nobody would plan on running multiple L3 on the same L2 and think it actually does something useful.

Users new to networking might think - oh, just run 10.x on these devices and 10.y on these other devices - and there you go. No, it doesn't work that way.