Netgate Discussion Forum

    Firewalls and subnets

    Firewalling
    5 Posts 3 Posters 1.0k Views
    gordc

      I have a question regarding firewall rules and subnets.

      If I have a subnet defined using 172.30.16.0/21

      Can I create a rule for using 172.30.17.0/24

      I want to be able to take a range of IPs and reserve them for Administration.

      I would test this but I don't have a test environment yet.  I will have one soon though.

    Derelict LAYER 8 Netgate

        Yes, but anyone outside that range can just manually set an IP address in that range and there's nothing you can do about it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    2chemlud Banned

    How about having a much smaller subnet and all IPs in that subnet assigned to static hosts (with static ARP entries) in the pfSense?

    Better to have a different interface with its own network though, I guess?

    gordc

    I am not worried about someone getting on the network. I have the deny unknown clients option checked, so they would have to spoof a MAC address as well. Not impossible, but definitely more difficult.

    Derelict LAYER 8 Netgate

              @gordc:

    I am not worried about someone getting on the network. I have the deny unknown clients option checked, so they would have to spoof a MAC address as well. Not impossible, but definitely more difficult.

              That only prevents them from getting a DHCP address. They can still set a static address inside your management range easily.


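The whole exchange in one runnable model, added here as an example and not code from the thread or from pfSense: a first-match rule set where the /24 Administration range is carved out of the /21 LAN (gordc's question), a "deny unknown clients" DHCP check that a statically configured host never touches (Derelict's point), and the static-ARP pinning 2chemlud suggests, which only helps for addresses that are actually pinned. The rule set, MAC addresses, lease table and ARP table are constructed for the example; `evaluate_with_static_arp` is a simplified stand-in for what a pinned ARP table achieves, not pfSense's own implementation.

```python
"""Why a source-address rule does not authenticate a host (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("172.30.16.0/21")    # interface subnet from the post
ADMIN_NET = ipaddress.ip_network("172.30.17.0/24")  # range reserved for administration


def admin_range_fits_lan() -> bool:
    """The /24 is inside the /21, so a rule on 172.30.17.0/24 is valid (the 'yes')."""
    return ADMIN_NET.subnet_of(LAN_NET)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # source network the rule matches on
    dst_port: Optional[int]      # None means any port
    descr: str


# Hypothetical rule set: only the admin range may reach the firewall GUI on 443,
# everything else on the LAN is blocked from it.  First match wins.
RULES = [
    Rule("pass", ADMIN_NET, 443, "admin range to webGUI"),
    Rule("block", LAN_NET, 443, "rest of LAN to webGUI"),
]


def evaluate(src_ip: str, dst_port: int) -> str:
    """pf-style first-match evaluation on source address and destination port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if ip in rule.src and rule.dst_port in (None, dst_port):
            return rule.action
    return "block"  # implicit default deny


# DHCP "deny unknown clients": only MACs with a static mapping get a lease (constructed).
DHCP_KNOWN = {"aa:bb:cc:00:00:01": "172.30.17.10"}


def dhcp_offer(mac: str) -> Optional[str]:
    """Returns the leased address, or None for a MAC the server refuses to serve."""
    return DHCP_KNOWN.get(mac)


# Static ARP entries the firewall trusts for the admin range (constructed).
STATIC_ARP = {"172.30.17.10": "aa:bb:cc:00:00:01"}


def evaluate_with_static_arp(src_ip: str, src_mac: str, dst_port: int) -> str:
    """Simplified model of pinning: an admin-range address is only accepted from the
    MAC it is pinned to, and unpinned admin-range addresses are not accepted at all.
    A MAC can still be spoofed, so this raises the bar without authenticating anyone."""
    if ipaddress.ip_address(src_ip) in ADMIN_NET:
        if STATIC_ARP.get(src_ip) != src_mac:
            return "block"
    return evaluate(src_ip, dst_port)


def scenarios() -> dict:
    """Every case discussed in the thread, evaluated against the model."""
    rogue_ip = "172.30.17.200"        # typed in by hand: DHCP is never consulted
    rogue_mac = "de:ad:be:ef:00:01"   # not in the DHCP static mapping list
    return {
        "admin_fits_lan": admin_range_fits_lan(),
        "dhcp_refuses_rogue": dhcp_offer(rogue_mac) is None,
        "ip_rule_alone": evaluate(rogue_ip, 443),                 # the bypass: "pass"
        "rogue_vs_pinned_arp": evaluate_with_static_arp(rogue_ip, rogue_mac, 443),
        "spoofed_pinned_ip": evaluate_with_static_arp("172.30.17.10", rogue_mac, 443),
        "legit_admin": evaluate_with_static_arp("172.30.17.10", "aa:bb:cc:00:00:01", 443),
        "other_lan_host": evaluate("172.30.18.5", 443),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

The `ip_rule_alone` case is the one Derelict is warning about: the rogue host never asks DHCP for anything, so "deny unknown clients" is not in the path, and the rule passes the packet because it only looks at the source address. Pinning closes that only for addresses that are pinned, which is why 2chemlud's version of the idea pins every address in a deliberately small range, and why a separate interface with its own network is the cleaner answer.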
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.