Firewalls and subnets
-
I have a question regarding firewall rules and subnets.
If I have a subnet defined using 172.30.16.0/21
Can I create a rule for using 172.30.17.0/24
I want to be able to take a range of IPs and reserve them for Administration.
I would test this but I don't have a test environment yet. I will have one soon though.
-
Yes, but anyone outside that range can just manually set an IP address in that range and there's nothing you can do about it.
-
How about having a much smaller subnet and all IPs in that subnet assigned to static hosts (with static ARP entries) in the pfsense?
Better to have a different interface with own network though, i guess?
-
I am not worried about someone getting on the network. I have the deny unknown clients option checked. So they would have to spoof a mac-address as well. Not impossible but definitely more difficult.
-
I am not worried about someone getting on the network. I have the deny unknown clients option checked. So they would have to spoof a mac-address as well. Not impossible but definitely more difficult.
That only prevents them from getting a DHCP address. They can still set a static address inside your management range easily.
