Segmenting a public /25 into 12 rooms
-
We are about to install AV gear in 12 classrooms of our local university (network switch, projector, AV switcher, control system, touchpanel, etc). Each room has identical equipment.
Campus IT handed us one public /25 where we have to fit in all IP-enabled equipment and each host must have a public IP (probably monitoring later on).
We will have at least 8 hosts per classroom so subnetting is not an option.
Switches are SG300-10 with the projectors hanging on the HDBaseT link of the AV-switcher so we don't run out of network ports yet.
This is kind of what we got:
203.0.113.129/25 GW 203.0.113.254
I'll probably end up with
Room 1: .130 - .139
Room 2: .140 - .149
etc. and we can use .250 - .253 for our programming laptops.
But having 12 rooms in one broadcast domain doesn't seem sexy.
We will have a presentation gateway in each classroom which gets routed traffic from Eduroam WiFi. That's only 3-5Mbit per video stream and considered negligible but we cannot just pull our shields up.
One idea is to use 12x SG-1000 as filtering bridge (if Netgate can provide those pretty quickly, haven't checked with them yet) to block traffic between classrooms at least. That would have the benefit that we cannot accidentally program the classroom next door…
Your thoughts?
-
This is a BAD idea!
DO NOT put those devices public facing without active firewalling of all their ports, or extensive whitelisting.
If the Campus IT suggested that they be public facing they need to be fired or their heads examined, because the devices will be broken into in record time with the level of IoT scanning going on right now including Mirai itself.
This statement isn't from some blowhard either, I'm a Cyber Security Engineer with 28 certs, and a member of Infragard. Google it if you're not familiar.
-
Calm down, just because those are public IPs doesn't mean those hosts can be publicly accessed, which they won't.
Of course not. I'm long enough in this industry to not make such mistakes.
And I'm one of the guys who actually changes default logon credentials to something random.
edit: typo
-
A /25 has 128 addresses. Dividing that 16 ways gives only 8 addresses per subnet (6 excluding first and last). So yes, to divide it 12 ways you can just have a group of 10 addresses in each "pool".
I expect you will want to be putting various rules in place on the public-facing side anyway, and port-forwarding the allowed stuff to the devices on the inside in each classroom. So the inside classroom subnets can be an "ordinary" /24 in each room, using private address space - 10.42.13.0/24 10.42.14.0/24 10.42.15.0/24 etc.
So your idea for splitting the public-facing IPs seems reasonable.
Then you would do port forwards into some part of each classroom's internal subnet. I would set up each classroom subnet "the same" - e.g. put the fixed/known devices in some part of the subnet like 10-19. Then you would have forwards like:
203.0.113.130-139 => 10.42.13.10-19
203.0.113.140-149 => 10.42.14.10-19
203.0.113.150-159 => 10.42.15.10-19
…I have picked some internal IP space numbers that "kind of decimal match" the external parts. That can be "fun" to do, but also the week after you set up that scheme, some new twist will come along and the scheme will be broken. So sometimes it is better not to try and make up such schemes in the first place.
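To check that the two layouts discussed in this answer actually fit in the handed-out /25, here is an added Python planner (my own example, not code from the thread or from pfSense). It carves the block as real subnets (the "16 ways gives 8 addresses" case), lays out the flat 10-address "pools" the original poster sketched, validates them against the network, broadcast and gateway addresses, and prints the port-forward mapping into the 10.42.x.10-19 private ranges proposed above. The network, gateway and room layout are taken from the thread; the function names are assumptions of this example.

```python
from ipaddress import IPv4Address, IPv4Network

# Values from the thread: the /25, its gateway, and the poster's room/laptop layout.
NETWORK = IPv4Network("203.0.113.128/25")
GATEWAY = IPv4Address("203.0.113.254")
FIRST_ROOM_HOST = IPv4Address("203.0.113.130")
ROOMS = 12
HOSTS_PER_ROOM = 10
LAPTOPS = (IPv4Address("203.0.113.250"), IPv4Address("203.0.113.253"))


def split_into_subnets(network: IPv4Network, parts: int) -> list:
    """Real subnetting: carve `network` into `parts` equal subnets and return
    (subnet, usable hosts) pairs. 16 parts of a /25 -> sixteen /29s of 6 hosts."""
    extra_bits = (parts - 1).bit_length()          # 16 -> 4 bits -> /29
    subs = network.subnets(prefixlen_diff=extra_bits)
    return [(str(s), s.num_addresses - 2) for s in subs]


def plan_pools(first: IPv4Address, rooms: int, per_room: int) -> dict:
    """Flat 'pool' plan: consecutive blocks of `per_room` addresses inside one
    broadcast domain, as suggested for the 12 classrooms."""
    return {f"Room {r + 1}": [first + r * per_room + i for i in range(per_room)]
            for r in range(rooms)}


def _laptop_range(laptops):
    lo, hi = laptops
    return [lo + i for i in range(int(hi) - int(lo) + 1)]


def validate_plan(network, gateway, pools, laptops) -> list:
    """Return a list of problems; an empty list means the plan fits."""
    reserved = {network.network_address: "network address",
                network.broadcast_address: "broadcast address",
                gateway: "gateway"}
    owners = dict(pools, laptops=_laptop_range(laptops))
    used, problems = {}, []
    for owner, addrs in owners.items():
        for a in addrs:
            if a not in network:
                problems.append(f"{a} ({owner}) is outside {network}")
            elif a in reserved:
                problems.append(f"{a} ({owner}) collides with the {reserved[a]}")
            elif a in used:
                problems.append(f"{a} allocated to both {used[a]} and {owner}")
            used[a] = owner
    return problems


def free_addresses(network, gateway, pools, laptops) -> list:
    """Usable host addresses nobody has claimed yet (gateway counted as claimed)."""
    taken = {gateway} | {a for addrs in pools.values() for a in addrs} | set(_laptop_range(laptops))
    return [h for h in network.hosts() if h not in taken]


def forward_rule(room_index: int) -> str:
    """The answer's port-forward scheme: public pool -> 10.42.(13+n).10-19."""
    pub = FIRST_ROOM_HOST + room_index * HOSTS_PER_ROOM
    return f"{pub}-{int(pub) % 256 + 9} => 10.42.{13 + room_index}.10-19"


if __name__ == "__main__":
    pools = plan_pools(FIRST_ROOM_HOST, ROOMS, HOSTS_PER_ROOM)
    print("16 subnets:", split_into_subnets(NETWORK, 16)[:2], "...")
    print("problems:", validate_plan(NETWORK, GATEWAY, pools, LAPTOPS))
    print("still free:", free_addresses(NETWORK, GATEWAY, pools, LAPTOPS))
    for r in range(ROOMS):
        print(forward_rule(r))
```

Running it shows that the pool plan uses .130 to .249 for the rooms, .250 to .253 for the laptops and .254 for the gateway, leaving exactly one usable address (.129) spare, which is the reason there is no slack for real subnetting.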
-
If the classrooms absolutely do not need to talk to each other just put them all on the /25 on one pfSense interface and enable protected mode on the classroom switch ports. Assuming the switch feeding the classroom switches is at least as capable as the SG300s. That is where protected mode would be set. At the switch distributing access to the classrooms.
-
…So the inside classroom subnets can be an "ordinary" /24 in each room, using private address space...
Sorry if I wasn't clear enough, each host has to have a public IP from the range given. No RFC1918 addresses allowed.
What's 192.168/16 to us is 203.0/16 to them.
-
… all on the /25 on one pfSense interface and enable protected mode on the classroom switch ports.
Sorry, for now I don't have a pfSense in there. Gateway/router/firewall is whatever university is using on the GW address. Classrooms are spaced out through a 5 story building and I expect to have distribution switches on each floor. Those will be Cisco 2960 or >=3500 series.
Protected mode has to be enabled on those and not on the SG300 in each classroom, right?
(I only know 'protected mode' from APs, really have to dig deeper into Cisco switches…)
It's correct that classrooms do not have to talk to each other.
The gateway is only used for routing wireless presentation traffic into each room (from Eduroam WiFi) and for monitoring the systems later on next year.
-
Your campus has some strange IT people/policy, but I've said my piece. Just a waste of perfectly good IPv4 Address Space.
This sounds like something Towson University would do…
-
for now I don't have a pfSense in there. Gateway/router/firewall is whatever university is using on the GW address.
OK the router really doesn't matter.
Protected mode has to be enabled on those and not on the SG300 in each classroom, right?
Yes. And with multiple switches that gets a lot more complicated, generally requiring complete Private VLAN support, not just PVLAN Edge (protected) mode.
In general if you have a switch with 10 access ports on a VLAN and 9 of them in protected mode, those 9 cannot communicate with any switch port except the one without protected mode enabled. So broadcasts from the unprotected port go to all ports and broadcasts from protected ports only go to the unprotected ports.
pfSense does allow some private vlan-type functions if you bridge. But yuck.
You might be able to get creative with VLANs to the classrooms and a central switch using PVLAN edge as well.
I would at least try to push back and tell them they didn't give you enough addresses for the required subnets.
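The point that protected (PVLAN edge) mode is switch-local while full private VLANs carry isolation across trunks is easy to get wrong, so here is an added Python model of the forwarding rules described above (my own example, not vendor or pfSense code). It builds a small campus of one core switch and two floor switches, each with classroom ports, and lists which classroom pairs can still reach each other in each mode; the switch names, port roles and the `can_reach`/`cross_room_leaks` helpers are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str                    # normal | protected | isolated | promiscuous | trunk
    peer: Optional[str] = None   # trunks only: the switch at the far end


# Which role provides isolation in each mode.
ISOLATING_ROLE = {"edge": "protected", "pvlan": "isolated"}


def _connected(ports, a: str, b: str) -> bool:
    """Is there a trunk path from switch a to switch b?"""
    links = {}
    for p in ports:
        if p.role == "trunk":
            links.setdefault(p.switch, set()).add(p.peer)
    seen, todo = {a}, deque([a])
    while todo:
        s = todo.popleft()
        if s == b:
            return True
        for nxt in links.get(s, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def can_reach(ports, src: Port, dst: Port, mode: str) -> bool:
    """Would a frame from src be delivered to dst under the given mode?"""
    iso = ISOLATING_ROLE[mode]
    both_isolated = src.role == iso and dst.role == iso
    if src.switch == dst.switch:
        # On one switch both modes behave the same: two isolated/protected
        # ports never exchange frames; everything else is forwarded.
        return not both_isolated
    if not _connected(ports, src.switch, dst.switch):
        return False
    if mode == "edge":
        # The frame leaves on a trunk, which is an unprotected port. The remote
        # switch sees it arrive on its own (unprotected) trunk and floods it to
        # every port, protected ones included: the flag never crosses the link.
        return True
    # Full PVLAN: the isolated VLAN tag travels over the trunk, and only
    # promiscuous ports may receive isolated-VLAN frames anywhere in the fabric.
    return not both_isolated


def cross_room_leaks(ports, mode: str) -> list:
    """Classroom pairs that can still talk to each other (should be empty)."""
    rooms = [p for p in ports if p.name.startswith("room")]
    return [(a.name, b.name) for a, b in combinations(rooms, 2)
            if can_reach(ports, a, b, mode)]


def build_campus(mode: str) -> list:
    """Constructed topology: core switch with the gateway port, two floor
    switches trunked to it, two classroom uplinks per floor."""
    room_role = ISOLATING_ROLE[mode]
    gw_role = "normal" if mode == "edge" else "promiscuous"
    ports = [Port("core", "gateway", gw_role)]
    for floor in ("floor1", "floor2"):
        ports += [Port("core", f"to-{floor}", "trunk", peer=floor),
                  Port(floor, "uplink", "trunk", peer="core")]
        for r in (1, 2):
            ports.append(Port(floor, f"room-{floor}-{r}", room_role))
    return ports


def gateway_reaches_all_rooms(ports, mode: str) -> bool:
    gw = next(p for p in ports if p.name == "gateway")
    return all(can_reach(ports, gw, p, mode) and can_reach(ports, p, gw, mode)
               for p in ports if p.name.startswith("room"))


if __name__ == "__main__":
    for mode in ("edge", "pvlan"):
        ports = build_campus(mode)
        print(mode, "leaks:", cross_room_leaks(ports, mode),
              "gateway ok:", gateway_reaches_all_rooms(ports, mode))
```

In "edge" mode the model reports every cross-floor classroom pair as reachable, which is exactly why a building with per-floor distribution switches needs real private VLANs (primary plus isolated VLAN, with the gateway on a promiscuous port) rather than protected ports alone.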
-
I would at least try to push back and tell them they didn't give you enough addresses for the required subnets.
That would be kind of pointless. I'm dealing with a "Language Center" and not the IT department. All they did was count hosts per room and multiply that by 12…
I just learned that the campus IT department has a consultation-hour every Monday. I'll probably head there and talk to them. We'll see if they can do more than reset passwords or help with boot problems. ;-)
-
Just an update after all parties are back from holiday leave…
I finally managed to talk to NOC which was kind of interesting.
Their first approach was: what do you know, why do you bother?
Now we're talking.
Installed is one Catalyst 4500 chassis for the building which means that private VLAN mode will work.
They got quite excited like: "Your idea is reasonable. We never did that before but we'll try first thing tomorrow. Let's test this together then?"
The biggest problem was getting to the right party. We were engaged by facility mgmt which doesn't want the institute's admin to be involved beforehand. ??? NOC provides and manages the backbone where we hang off but we weren't allowed (by FM) to talk to them. After FM couldn't answer our questions we were redirected to NOC again.
And the local (institute's) admin still doesn't even know what gear he gets and is supposed to monitor...
Thanks Derelict for pointing me to PVLAN mode! That really made the difference and I highly appreciate your input.