Firewalls and subnets



  • I have a question regarding firewall rules and subnets.

    If I have a subnet defined using 172.30.16.0/21

    Can I create a rule for using 172.30.17.0/24

    I want to be able to take a range of IPs and reserve them for Administration.

    I would test this but I don't have a test environment yet.  I will have one soon though.


  • LAYER 8 Netgate

    Yes, but anyone outside that range can just manually set an IP address in that range and there's nothing you can do about it.


  • Banned

How about having a much smaller subnet and all IPs in that subnet assigned to static hosts (with static ARP entries) in the pfSense?

    Better to have a different interface with its own network though, I guess?



I am not worried about someone getting on the network. I have the deny unknown clients option checked. So they would have to spoof a MAC address as well. Not impossible but definitely more difficult.


  • LAYER 8 Netgate

    @gordc:

I am not worried about someone getting on the network. I have the deny unknown clients option checked. So they would have to spoof a MAC address as well. Not impossible but definitely more difficult.

    That only prevents them from getting a DHCP address. They can still set a static address inside your management range easily.
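The distinction made in the thread, as an added example that is not part of the original posts: a rule keyed only on source address admits any host that sets a static IP in the reserved range, while a rule keyed on a separate admin interface does not. The hosts, interface names and the simplified rule evaluator are constructed for illustration and are not pfSense's actual rule engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("172.30.16.0/21")          # LAN subnet from the question
ADMIN_RANGE = ip_network("172.30.17.0/24")  # range reserved for Administration


def admin_range_fits_in_lan():
    """A /24 carved out of the /21 is a valid sub-range, so the rule is expressible."""
    return ADMIN_RANGE.subnet_of(LAN)


@dataclass
class Host:
    name: str
    ip: str
    iface: str          # interface the traffic arrives on (hypothetical names)
    mac_registered: bool  # MAC present in the DHCP static mappings
    needs_lease: bool     # False if the user hand-set a static address


# Constructed sample hosts: a real admin box on its own interface, a LAN user
# who typed a static address inside the admin range, and an ordinary LAN host.
HOSTS = [
    Host("admin-pc", "172.30.17.10", "ADMIN", mac_registered=True, needs_lease=True),
    Host("user-pc-static", "172.30.17.200", "LAN", mac_registered=False, needs_lease=False),
    Host("user-pc", "172.30.18.5", "LAN", mac_registered=False, needs_lease=True),
]


def blocked_by_deny_unknown_clients(host):
    """DHCP 'deny unknown clients' only matters when a lease is requested."""
    return host.needs_lease and not host.mac_registered


def allowed_by_source_rule(host):
    """Rule keyed on source address alone, as in the original question."""
    return ip_address(host.ip) in ADMIN_RANGE


def allowed_by_interface_rule(host, admin_iface="ADMIN"):
    """Rule keyed on ingress interface: the separate-network design."""
    return host.iface == admin_iface and ip_address(host.ip) in ADMIN_RANGE


def evaluate(hosts, rule):
    return {h.name: rule(h) for h in hosts}


if __name__ == "__main__":
    print("admin /24 inside LAN /21:", admin_range_fits_in_lan())
    print("DHCP deny-unknown blocks:", evaluate(HOSTS, blocked_by_deny_unknown_clients))
    print("source-only rule admits :", evaluate(HOSTS, allowed_by_source_rule))
    print("interface rule admits   :", evaluate(HOSTS, allowed_by_interface_rule))
```

The static host is never blocked by the DHCP setting and passes the source-only rule, but fails the interface-based rule.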

