LAN subnetting not allowed?



  • Hi all,

    I have a /24 LAN subnet (10.10.10.0/24). I would like to carve out a subnet for IoT devices (that need extra filtering), but when trying to create a VLAN interface for the subnet (10.10.10.192/26) pfSense tells me it overlaps with the LAN and doesn't allow me to assign it. Is this a restriction of pfSense?


  • Rebel Alliance Global Moderator

    It's a restriction of how networking works ;)

    You cannot do that, period, no matter what firewall/router you would be using.. If you want a VLAN then it needs to be something different than any other network/VLAN on your network.  You can for sure subnet your /24 into smaller chunks.  Put say 10.10.10.0/25 on your LAN, then sure you could create /26 VLANs:

    10.10.10.128/26
    10.10.10.192/26



  • @johnpoz:

    You cannot do that, period, no matter what firewall/router you would be using..

    Thanks, but shouldn't a more specific route win over a more general one?

    If not, can I put 2 subnets (10.10.10.0/25 and 10.10.10.128/26) on the same interface (LAN)?


  • Rebel Alliance Global Moderator

    Huh???  You're wanting to run 2 different layer 3 networks on the same layer 2?  Borked!!

    What exactly are you wanting to accomplish??  Are you trying to isolate devices by putting them on 2 different networks and then firewalling between them?



  • @johnpoz:

    What exactly are you wanting to accomplish??  Are you trying to isolate devices by putting them on 2 different networks and then firewalling between them?

    Yes, precisely. I want to carve out a /26 that gets extra firewalling from/to the rest of the LAN.

    Huh???  You're wanting to run 2 different layer 3 networks on the same layer 2?  Borked!!

    No, I want to run one layer 3 network that is "all of the /24 except for the /26 carve-out" on the one layer 2 (and the carve-out /26 part on another layer 2).


  • Rebel Alliance Global Moderator

    You cannot use a /24 and then a subnet of that on another network.. That is overlap..  You would use /25 on network 1 and then either the other half of your /25 or sure a /26 or a /27 or /28 that is in that 2nd half of your /25..

    Or just use 2 different /24's for that matter.

    10.10.10/24
    10.10.11/24

    When you talk about extra firewalling, are you talking about talking to your LAN network, or talking to something outside your LAN /24??  If so then you could just create a firewall rule using the /26 mask for the IPs you want to keep from say talking to other networks or the internet, etc.

    If what you're wanting to do is keep devices on 10.10.10.0/25 from talking to 10.10.10.128/26 then yes, you need to isolate them on their own networks or via a VLAN.  Do you have a VLAN capable switch?

    But you cannot use a 10.10.10.0/24 mask for 1 network and use 10.10.10.128/26 as another network in the same location - those networks overlap..  But you can use subnets of a network in your firewall rules to block or allow specific devices based upon their IPs that all fall inside a specific subnet of a network.



  • Yes, I have a VLAN capable switch.

    What I want to do is:

    1. Keep everything in one /24 address range
    2. Allow WLAN access from whole /24
    3. Isolate (using VLAN switch and the pfSense firewall) a /26 for devices that shouldn't be allowed to talk to rest of /26 except for a couple of ports/addresses (because they are IoT devices that I don't trust).

    So I either need to be able to define a /26 that is a subset of the /24 but on a different VLAN (routing isn't an issue, the narrower route spec wins), or be able to put "the rest of the /24" on the other interface - the problem is that "the rest of the /24" is one /25 and one /26.


  • Rebel Alliance Global Moderator

    Why does it have to be in 1 /24 range??  That makes ZERO sense..

    But if you're going to subnet your /24 so you can have multiple networks then you cannot overlap them..  You have to break the /24 up into smaller chunks, be it 1 /25 and then 2 /26 or could be 1 /25 and then 1 /26 and then 2 /27's etc..  But you cannot have networks that overlap!!

    I have multiple segments, yes I put my IoT devices on their own VLANs both wired and wireless and have multiple wireless segments. My trusted one for my devices that use EAP-TLS to auth, and then one for IoT devices, etc.

    I am all for isolation of different types of devices for security reasons.. This is exactly what pfSense makes really really simple.  But I think you're hung up on this everything under 1 /24??  Why do you think you're limited to only 1 /24???

    I use for example
    192.168.2.0/24
    192.168.3.0/24
    192.168.4, .5, .6 etc..

    While I applaud the proper use of network sizes for specific subnets.. If you don't have more than a /26 address you will need…  But /24 is very easy for human eyes to spot that it's a different network, etc.

    I would just use /24 segments to isolate your networks..

    "for devices that shouldn't be allowed to talk to rest of /26 "  So you want a private VLAN?  So clients that are on the same /26 cannot talk to each other?  Is this /26 wireless or wired?  Keeping devices on the same network from talking to each other has nothing to do with pfSense.  This would have to be done on your AP or your switch.  APs normally call this isolation, on a switch this would be a private VLAN.



  • @johnpoz:

    Why does it have to be in 1 /24 range??  That makes ZERO sense..

    Because it is part of a larger network, and only has one /24 allocated to it. Yes, I could start to NAT, but that is an added complication.

    "for devices that shouldn't be allowed to talk to rest of /26 "  So you want a private VLAN?

    No, that was my mistake, sorry - it should read "shouldn't be allowed to talk to the rest of the /24". So I only need to protect the "normal" from the potentially unsafe ones.


  • Netgate

    If you have an interface on 10.10.10.0/24 and another interface on 10.10.10.192/26 they CANNOT talk to each other.

    When any device on the 10.10.10.0/24 network has any traffic for any device on the 10.10.10.192/26 network, it will (properly) think that network is on the same subnet as itself so it WILL NOT send the traffic to its default gateway for routing. It will, instead, ARP for that host on its local network and it will not be there.

    RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?
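    The two points the moderators keep making (a host whose own prefix covers the destination ARPs locally instead of routing, and a /24 can be carved into non-overlapping /25 and /26 blocks), worked through as an added Python example that is not part of this thread. It uses only the standard ipaddress module; the addresses are the thread's own, and the gateway 10.10.10.1 is an assumed value.

```python
# Added example, not from the thread. Standard library only.
# Addresses are the thread's (10.10.10.0/24, proposed IoT 10.10.10.192/26);
# the gateway 10.10.10.1 is an assumed value.
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, ip_interface, ip_network


def overlapping(a: str, b: str) -> bool:
    """The check pfSense applies: two interface networks may not share addresses."""
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def next_hop(host_if: str, dst: str, gateway: str) -> str:
    """Where a host with interface address host_if (e.g. '10.10.10.5/24') sends
    a packet for dst.  If dst lies inside the host's own prefix it ARPs on the
    local link and the firewall never sees the packet ('on-link'); otherwise it
    hands the packet to its default gateway."""
    iface = ip_interface(host_if)
    if IPv4Address(dst) in iface.network:
        return "on-link"
    return gateway


def carve(parent: str, prefixlens: list[int]) -> list[IPv4Network]:
    """Split parent into non-overlapping, properly aligned blocks of the
    requested prefix lengths.  Blocks are allocated largest first so every
    block starts on a multiple of its own size.  Raises ValueError when the
    requested blocks do not fit inside parent."""
    parent_net = ip_network(parent)
    bits = parent_net.max_prefixlen
    needed = sum(2 ** (bits - p) for p in prefixlens)
    if needed > parent_net.num_addresses:
        raise ValueError(
            f"{prefixlens} need {needed} addresses, "
            f"{parent} has {parent_net.num_addresses}"
        )
    blocks: list[IPv4Network] = []
    cursor = int(parent_net.network_address)
    for p in sorted(prefixlens):  # ascending prefixlen = descending block size
        block = ip_network(f"{IPv4Address(cursor)}/{p}")  # strict: must be aligned
        blocks.append(block)
        cursor += block.num_addresses
    return blocks


def plan_is_valid(parent: str, blocks: list[IPv4Network]) -> bool:
    """True when every block lies inside parent and no two blocks overlap."""
    parent_net = ip_network(parent)
    if not all(b.subnet_of(parent_net) for b in blocks):
        return False
    return not any(
        x.overlaps(y) for i, x in enumerate(blocks) for y in blocks[i + 1:]
    )


if __name__ == "__main__":
    # The original idea: LAN stays /24 and the IoT VLAN takes 10.10.10.192/26.
    print(overlapping("10.10.10.0/24", "10.10.10.192/26"))        # True (rejected)
    # A LAN host talking to an IoT device ARPs locally; pfSense is never consulted.
    print(next_hop("10.10.10.5/24", "10.10.10.200", "10.10.10.1"))  # on-link
    # After renumbering the LAN to /25 the same traffic is routed via the firewall.
    print(next_hop("10.10.10.5/25", "10.10.10.200", "10.10.10.1"))  # 10.10.10.1
    for b in carve("10.10.10.0/24", [25, 26, 26]):
        print(b)  # 10.10.10.0/25, 10.10.10.128/26, 10.10.10.192/26
```

    Because carve() sorts the requested sizes, asking for [26, 25, 27, 27] still yields an aligned plan (/25 at .0, /26 at .128, /27 at .192 and .224); asking for more than 256 addresses out of a /24 raises instead of silently overlapping.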



  • @Derelict:

    RFC1918 private addresses are free. Use another subnet for your IoT network. Why the resistance to using proper subnets on your network?

    Because it requires coordinating with other users. But I guess that is the best solution. Thanks everybody!


  • Netgate

    It's the only solution. It's how ethernet and IP work at layers 2 and 3.


  • Rebel Alliance Global Moderator

    "Because it requires coordinating with other users"

    Huh??  Why would "users" have a clue or a care what RFC1918 address space they are on?  You hand them an IP and mask and DNS to use via DHCP, this is normally the extent of their involvement.  Make sure your client is set for DHCP.

    If you're telling your users to set static, again, what network and mask they're given are completely irrelevant.  The only time using other networks outside of a block assigned to you would be an issue is if you were on say a corp network and corp said hey you can use 10.10.10/24 and you wanted to use other /24's. If that is the case then no, I would not start using other /24 networks.

    Or if you're in say a tenant sort of building and the building network guy said hey use this /24..

    But you can for sure subnet out your /24 into smaller chunks.. You just cannot overlap them..  If you need more address space than /24 provides you and it's been assigned to you by someone that manages your IP space in your network then you're going to need to get with them and get more space.



  • Some firewall devices allow you to do this, but it breaks all kinds of rules and only works because of undefined implementation details of some network stacks. All kinds of crazy intermediate problems can occur by the way you're trying to do it.


  • Rebel Alliance Global Moderator

    What firewall device allows you to do this?  Please name it… Such a setup is BORKED.. What company would support such a setup.. Just because some device does not have checks in place to stop you from shooting yourself in the foot does not mean it's a supported method.

    I can buy a gun and put it to my head and pull the trigger... Is that the gun maker's problem??



    I doubt you can see such setups on commercial products or that they even allow such. There are a few threads here and on the FreeBSD user forums posted by Linux hipsters claiming that such a setup is standard because it works on Linux and it should be by that argument a supported feature on FreeBSD/pfSense.



  • @johnpoz:

    Or if you're in say a tenant sort of building and the building network guy said hey use this /24..

    That is pretty much exactly my situation. This network is a subnetwork of a larger network I don't have control over.


  • Netgate

    Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.



  • @Derelict:

    Put your IoT on its own subnet and NAT it. Yes, you'll be double-NAT but it sounds like you have no choice.

    Thanks - I was thinking about that, but would rather avoid the complexity. I will try to get another /24 allocated.


  • Netgate

    Unless it's routed to you it will do you no good. You'll just be 1:1 NAT which is, again, double NAT. Better off probably running your own numbering scheme.

    I think there's probably some lack of communication as to what you're actually facing. Not through any fault of yours.

    Note that if you have a /24 routed to you, you can do two (or more) inside interfaces such as 10.10.10.0/25 and 10.10.10.128/25.



  • What Julf is trying to do sounds to me a lot like a filtering bridge.

    Basically:
    Create a vlan100 for your device-group1.
    Create a vlan200 for your device-group2.
    Create a bridge containing vlan100 and vlan200.
    Assign the bridge as interface.
    Do all your IP configuration on the assigned bridge interface. (DHCP server?) -> No IP configuration on the VLAN interfaces.
    Create firewall rules on the vlan100/vlan200/bridge interfaces accordingly.

    Now you have 2 VLANs with the same subnet and the ability to create firewall rules which allow you to define how devices on these two VLANs talk to each other.

    However as the rest of this thread pointed out:
    A less complicated solution would be to simply have 2 subnets.
    If you have a single /24 assigned for your own use, simply use it as two /25.
    To the outside you still appear as a /24, but internally you are two /25.



  • @GruensFroeschli:

    What Julf is trying to do sounds to me a lot like a filtering bridge.

    Hadn't thought about a bridge - that could be a solution.

    However as the rest of this thread pointed out:
    A less complicated solution would be to simply have 2 subnets.
    If you have a single /24 assigned for your own use, simply use it as two /25.
    To the outside you still appear as a /24, but internally you are two /25.

    Indeed, as long as I can fit all the "normal" hosts in a /25 - should be possible.


  • Rebel Alliance Global Moderator

    "Hadn't thought about a bridge - that could be a solution."

    No it wouldn't, it would be pretty much an abomination!!  So you can do exactly the same freaking thing.. Use part of your /24 network on 1 side, i.e. your /25, and then a subset of that /24 on your other side, i.e. a /26..

    Why do you not just do as we have been saying from the get go, subnet your /24 down..  You can do exactly what you want, you just cannot overlap..

    The big question is how many hosts do you have??  As I mentioned before, if you have more than a /25 that need to be on the same network and this /24 is assigned to you then you're going to need more networks or a bigger network.

    I am very curious what sort of scenario you're in where they are limiting you to 1 /24??  The 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them?



  • @johnpoz:

    I am very curious what sort of scenario you're in where they are limiting you to 1 /24??  The 10 space is freaking HUGE.. How many sites/locations are you talking that you can only have 1 /24?? 65k of them?

    Sometimes the problems are not technical but political. I will request a larger address space.