Netgate Discussion Forum

    Segmenting a public /25 into 12 rooms

    Off-Topic & Non-Support Discussion
    11 Posts 4 Posters 1.6k Views
    jahonix:

      We are about to install AV gear in 12 classrooms of our local university (network switch, projector, AV switcher, control system, touchpanel, etc). Each room has identical equipment.
      Campus IT handed us one public /25 where we have to fit in all IP-enabled equipment and each host must have a public IP (probably monitoring later on).
      We will have at least 8 hosts per classroom so subnetting is not an option.
      Switches are SG300-10 with the projectors hanging on the HDBaseT link of the AV-switcher so we don't run out of network ports yet.

      This is kind of what we got:
      203.0.113.129/25  GW 203.0.113.254

      I'll probably end up with
      Room 1: .130 - .139
      Room 2: .140 - .149
      etc. and we can use .250 - .253 for our programming laptops.

      But having 12 rooms in one broadcast domain doesn't seem sexy.

      We will have a presentation gateway in each classroom which gets routed traffic from Eduroam WiFi. That's only 3-5Mbit per video stream and considered negligible but we cannot just pull our shields up.

      One idea is to use 12x SG-1000 as filtering bridge (if Netgate can provide those pretty quickly, haven't checked with them yet) to block traffic between classrooms at least. That would have the benefit that we cannot accidentally program the classroom next door…

      Your thoughts?

      MasterX-BKC-:

        This is a BAD idea!

        DO NOT put those devices public facing without active firewalling of all their ports, or extensive whitelisting.

        If the Campus IT suggested that they be public facing they need to be fired or their heads examined, because the devices will be broken into in record time with the level of IoT scanning going on right now, including MIRAI itself.

        This statement isn't from some blowhard either, I'm a Cyber Security Engineer with 28 certs, and a member of Infragard. Google it if you're not familiar.

        jahonix:

          Calm down, just because those are public IPs doesn't mean those hosts can be publicly accessed, which they won't be.
          Of course not. I've been in this industry long enough not to make such mistakes.
          And I'm one of the guys who actually changes default logon credentials to something random.

          edit: typo

          phil.davis:

            A /25 has 128 addresses. Dividing that 16 ways gives only 8 addresses per subnet (6 excluding first and last). So yes, to divide it 12 ways you can just have a group of 10 addresses in each "pool".

            I expect you will want to be putting various rules in place on the public-facing side anyway, and port-forwarding the allowed stuff to the devices on the inside in each classroom. So the inside classroom subnets can be an "ordinary" /24 in each room, using private address space - 10.42.13.0/24 10.42.14.0/24 10.42.15.0/24 etc.

            So your idea for splitting the public-facing IPs seems reasonable.

            Then you would do port forwards into some part of each classroom's internal subnet. I would set up each classroom subnet "the same" - e.g. put the fixed/known devices in some part of the subnet like 10-19. Then you would have forwards like:
            203.0.113.130-139 => 10.42.13.10-19
            203.0.113.140-149 => 10.42.14.10-19
            203.0.113.150-159 => 10.42.15.10-19
            …

            I have picked some internal IP space numbers that "kind of decimal match" the external parts. That can be "fun" to do, but also the week after you set up that scheme, some new twist will come along and the scheme will be broken. So sometimes it is better not to try and make up such schemes in the first place.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            Derelict (Netgate):

              If the classrooms absolutely do not need to talk to each other just put them all on the /25 on one pfSense interface and enable protected mode on the classroom switch ports. Assuming the switch feeding the classroom switches is at least as capable as the SG300s. That is where protected mode would be set. At the switch distributing access to the classrooms.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              jahonix:

                @phil.davis:

                …So the inside classroom subnets can be an "ordinary" /24 in each room, using private address space...

                Sorry if I wasn't clear enough, each host has to have a public IP from the range given. No RFC1918 addresses allowed.
                What's 192.168/16 to us is 203.0/16 to them.

                jahonix:

                  @Derelict:

                  … all on the /25 on one pfSense interface and enable protected mode on the classroom switch ports.

                  Sorry, for now I don't have a pfSense in there. Gateway/router/firewall is whatever university is using on the GW address. Classrooms are spaced out through a 5 story building and I expect to have distribution switches on each floor. Those will be Cisco 2960 or >=3500 series.
                  Protected mode has to be enabled on those and not on the SG300 in each classroom, right?
                  (I only know 'protected mode' from APs, really have to dig deeper into Cisco switches…)

                  It's correct that classrooms do not have to talk to each other.
                  The gateway is only used for routing wireless presentation traffic into each room (from Eduroam WiFi) and for monitoring the systems later on next year.

                  MasterX-BKC-:

                    Your campus has some strange IT people/policy, but I've said my piece. Just a waste of perfectly good IPv4 address space.

                    This sounds like something Towson University would do…..

                    Derelict (Netgate):

                      for now I don't have a pfSense in there. Gateway/router/firewall is whatever university is using on the GW address.

                      OK the router really doesn't matter.

                      Protected mode has to be enabled on those and not on the SG300 in each classroom, right?

                      Yes. And with multiple switches that gets a lot more complicated, generally requiring complete Private VLAN support, not just PVLAN Edge (protected) mode.

                      In general if you have a switch with 10 access ports on a VLAN and 9 of them in protected mode, those 9 cannot communicate with any switch port except the one without protected mode enabled. So broadcasts from the unprotected port go to all ports and broadcasts from protected ports only go to the unprotected ports.

                      pfSense does allow some private vlan-type functions if you bridge. But yuck.

                      You might be able to get creative with VLANs to the classrooms and a central switch using PVLAN edge as well.

                      I would at least try to push back and tell them they didn't give you enough addresses for the required subnets.


                      1 Reply Last reply Reply Quote 0
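An added example (not from the thread, and not Netgate's or anyone's production config) that models the PVLAN Edge behaviour Derelict describes against the OP's .130/.140 address plan, and extends it to the multi-switch case he warns about: protected ports only isolate traffic within one switch, so one distribution switch per floor leaks between floors. The per-floor layout and port names are assumptions.

```python
"""Reachability model of the design discussed in the thread: one public /25
shared by 12 classrooms, with inter-room isolation done by PVLAN Edge
(protected) ports rather than by subnetting.  Constructed example; the
per-floor layout and port names are assumptions, not from the thread."""
import ipaddress

NET = ipaddress.ip_network("203.0.113.128/25")    # range from the thread
GATEWAY = ipaddress.ip_address("203.0.113.254")
ROOMS, PER_ROOM, FIRST = 12, 10, 2                 # .130-.139, .140-.149, ...

def room_pools():
    """Room number -> list of public addresses under the .130/.140/... scheme."""
    return {r: [NET[FIRST + (r - 1) * PER_ROOM + i] for i in range(PER_ROOM)]
            for r in range(1, ROOMS + 1)}

def attach(room, floor_of):
    """Attachment point of a room's SG300: (distribution switch, port, protected).
    Every classroom-facing port is protected; floor_of() decides which
    per-floor distribution switch the room hangs off (assumed layout)."""
    return (f"dist{floor_of(room)}", f"Gi1/0/{room}", True)

GW_PORT = ("dist1", "Gi1/0/48", False)            # unprotected port toward the router

def can_talk(a, b):
    """Can frames pass between two attachment points under PVLAN Edge rules?
    Same port: the room's own switch forwards locally.  Same distribution
    switch: blocked only when both ports are protected.  Different switches:
    the trunk between them is an ordinary port, so protected mode on either
    end no longer applies and the traffic goes through."""
    if a == b:
        return True
    if a[0] == b[0]:
        return not (a[2] and b[2])
    return True

def isolation_report(floor_of):
    """List room pairs that can still reach each other, and check gateway access."""
    ports = {r: attach(r, floor_of) for r in range(1, ROOMS + 1)}
    leaks = [(x, y) for x in ports for y in ports
             if x < y and can_talk(ports[x], ports[y])]
    gw_ok = all(can_talk(p, GW_PORT) for p in ports.values())
    return {"leaking_pairs": leaks, "gateway_reachable": gw_ok}

if __name__ == "__main__":
    print(isolation_report(lambda r: 1))                 # single distribution switch: no leaks
    print(isolation_report(lambda r: (r - 1) // 3 + 1))  # one switch per floor: leaks
```

With a single distribution switch the report shows no leaking pairs; with one switch per floor, every cross-floor pair leaks, which is why full private VLAN support (isolated ports plus a promiscuous uplink) rather than plain protected ports is needed once more than one switch is involved.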
                        jahonix:

                        @Derelict:

                        I would at least try to push back and tell them they didn't give you enough addresses for the required subnets.

                        That would be kind of pointless. I'm dealing with a "Language Center" and not the IT department. All they did was count hosts per room and multiply that by 12…

                        I just learned that the campus IT department has a consultation hour every Monday. I'll probably head there and talk to them. We'll see if they can do more than reset passwords or help with boot problems. ;-)

                          jahonix:

                          Just an update after all parties are back from holiday leave…

                          I finally managed to talk to the NOC, which was kind of interesting.
                          Their first approach was: what do you know, why do you bother?

                          Now we're talking.
                          Installed is one Catalyst 4500 chassis for the building which means that private VLAN mode will work.
                          They got quite excited like: "Your idea is reasonable. We never did that before but we'll try first thing tomorrow. Let's test this together then?"

                          The biggest problem was getting to the right party. We were engaged by facility mgmt which doesn't want the institute's admin to be involved beforehand. ??? NOC provides and manages the backbone where we hang off but we weren't allowed (by FM) to talk to them. After FM couldn't answer our questions we were redirected to NOC again.
                          And the local (institute's) admin still doesn't even know what gear he gets and is supposed to monitor...

                          Thanks Derelict for pointing me to PVLAN mode! That really made the difference and I highly appreciate your input.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.