Multiple IP Networks on 1 Interface



  • Hi there,

    Wondering if anyone is able to help with advising what the best (if possible) solution would be for this?

    I am trying to have multiple networks for my wireless setup; the wireless is configured elsewhere. I'd like the firewall to be able to put MAC addresses from a static DHCP pool into network A and the rest go into network B. Network A should be isolated from network B, so any DHCP/DNS, etc. should all be within network A's network range for network A, and the same for network B.

    I tried adding a VLAN interface to my existing wireless interface. This allowed me to set an IP, but when I go into DHCP it seems to still want to use the original wireless (B) DHCP network...

    Is there no way I can have a totally new DHCP pool?

    Is there a better way?

    Note: the wireless AP itself is fairly dumb.

    Thoughts?

    Cheers!


  • Rebel Alliance Global Moderator

    If you want VLANs via your wifi, then your AP needs to support VLANs so it can tag different clients via different SSIDs or dynamically assigned VLANs.  And the switching between pfSense and the AP would also need to support the VLANs you set on the interface that goes to the AP.  If you plug your AP right into an interface of pfSense then you don't need a VLAN-capable switch.  But your AP needs to support VLANs.  The Unifi APs are very reasonable in price and have VLAN support.



  • @johnpoz:


    Thanks for the reply. I don't necessarily need VLANs, I just need to be able to apply multiple networks to a single hardware interface. So if that were possible in pfSense without VLANs that would also work; however, what I tried did not seem to allow me to apply any policy to it. I was hoping to use DHCP/static MAC to apply policy and assign to the correct network from there. I realize security-wise this would not be terribly strong. :)

    The AP is plugged directly into pfSense for reference.

    Thoughts?


  • Rebel Alliance Global Moderator

    "I just need to be able to apply multiple networks to a single hardware interface."

    That is VLANs - just running multiple layer 3 networks on the same layer 2 is just BORKED!

    You can always create a VIP on an interface and put it on a different layer 3.. But you're not going to be able to have 2 DHCP servers running that way.

    If your AP supported VLANs this is stupid easy..

    If you just want to be able to apply specific firewall rules based upon an IP a client has that is in the same network, just assign the specific devices an IP from a DHCP reservation based upon their MAC, or set up the client with a static IP on the client.

    Then you can create the rules you want based upon their IPs.  But if you want to actually isolate clients then you either need different physical networks so you have multiple layer 2 networks, or you create your multiple layer 2 networks with VLANs.



  • @johnpoz:


    I don't think the AP supports VLANs as I don't see it in the online manual; however, I will confirm once I am able to log in.


  • Rebel Alliance Global Moderator

    What is the make and model?  If it's some consumer sort of AP then it's highly doubtful it does.  Now you can do some VLANs with old wifi routers with 3rd-party firmware on them, like DD-WRT or OpenWrt, etc.  If that is what you're using for an AP, the VLAN support is still dependent on the hardware - some devices that support DD-WRT, for example, cannot do VLANs even if DD-WRT supports it.



  • @johnpoz:


    No, it's a newer AP from Amped Wireless. Will check into it.


  • Rebel Alliance Global Moderator

    So looked at their

    While it lists this as a feature..
    "Add up to eight additional wireless networks for other rooms or offices. Each network can be customized with unique passwords and bandwidth restrictions for guests."

    It says nothing about VLAN support.. So while you might be able to limit their bandwidth depending on which SSID they are on, it seems to me they are still all on the same layer 2 as it goes to your router.

    APA2600M, at $200..  WTF.. no VLAN support??

    Under their data sheet for requirements it only lists
    "A router or network switch with an available network (LAN) port"

    Says nothing that these devices need VLAN support.. So that tells me it does NOT support VLANs!!  It's consumer hyped-up marketing crap if you ask me..  Sell it and get a real AP that does VLANs!!  If you want to isolate your devices!  And then be able to create firewall rules between these networks.

    Unifi Pro supports 8 SSIDs on each band, DFS channels, ATF, dynamic VLANs even, and is only $130.. The HD that is Wave 2 AC lists for $349..
    https://unifi-hd.ubnt.com/

    To get VLANs it looks like you need to go with their Pro series - APR175P, which shows it supports VLANs.



  • @johnpoz:


    Appreciate your help. Checked the config and yes, cannot find anything to do with VLAN support, so it does not look possible. Is there no other solution possible with pfSense?

    Cheers!


  • Rebel Alliance Global Moderator

    Other solution for what?  When you want to isolate networks you either need to isolate them at the physical layer to create your different layer 2 networks, or you need to do it with VLANs.  This is networking 101..  This is not something special to pfSense in any way, shape or form..

    So you either need a bunch of dumb switches and interfaces and APs to put all the devices on different networks, or you need devices that can create the different layer 2 networks via VLANs..

    Running different IP addresses on the same wire does not isolate anything..



  • @johnpoz:


    Like I said before, I'm not looking for rock-solid security. I get VLANs are great if you happen to have enterprise hardware. I don't, as we have established, and don't really want to buy new hardware. Multiple networks on the same interface would however create different broadcast domains and isolate the two networks for the common user. Or in my case if I wanted to put some non-user devices in their own network.  I.e., the user would still need to know of the other network and be able to change policy to reach it, and the firewall would still be able to control routed traffic. I don't see why this is such a terrible solution in my situation, once again given that VLANs are not an option right now.


  • Rebel Alliance Global Moderator

    "I get VLANs are great if you happen to have enterprise hardware"

    You can get a VLAN switch for like $40.. Wouldn't call this enterprise hardware.  You can pick up an AC VLAN AP for $89 retail - not going to bust the bank.

    You can run multiple layer 3 networks on the same layer 2 if you want.  But it's not going to work for DHCP..  You cannot run 2 different DHCP servers on the same interface handing out different pools in different networks.

    You could run DHCP in 1 network, and then assign different ranges of IPs based upon MAC so some clients get, say, 192.168.0.x/23 and others get 192.168.1.x/23 - this is 1 network.

    pfSense is NOT going to let you run a DHCP server on a VIP address.

    So to do what you want for DHCP you would have to set up reservations for every MAC..

    Dude, save yourself a bunch of pain and suffering and get yourself a VLAN switch and an AP..  Could be done for $120..

    https://www.amazon.com/dp/B00K4DS5KU/ref=twister_B06XDLVVF6?_encoding=UTF8&psc=1
    $30

    https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY
    $78

    $108 and all your problems are gone!  Depending on how many different devices you need wired on different VLANs you could prob get away with a 5-porter for $25 vs. $30..  But for $5 I would get the 8-porter.

    It's not the greatest switch in the world - but it does VLANs!

    Running multiple layer 3 on the same layer 2 does not create multiple broadcast domains - it would be just 1 wire..  So a broadcast from a device on 192.168.1/24 would be seen by 192.168.2/24 etc..  Since broadcast goes to FF:FF:FF:FF:FF:FF.  This is why you would have issues with trying to run DHCP on the sort of setup you're talking about!

    You can create VIPs on the interfaces for whatever networks you want - you could run 100s of L3 networks on your wire - but you're not going to be able to run DHCP on these VIP addresses.



  • Hi, thanks for your input.

    Yes, my original idea was to set up 2 DHCP servers; one would deny any DHCP requests except for those in the list. The list isn't very large so not really a big deal to populate. It would still leave the other DHCP as a possible issue for getting the correct IP, however, based on the initial networkless broadcast (255…255). So really I guess the only sure way would be to just use statically assigned addressing.

    Don't live in the States so those prices don't work for me. Nonetheless, not really interested in buying anything right now.

    Not sure I follow your example on broadcast domains. Every network has a broadcast domain. A broadcast domain should only be replied to by the same network it belongs to. I'm aware one could sniff it out...etc.

    broadcast of 192.168.0.63 would be for 192.168.0.1 - 192.168.0.62

    Anyway, it does not really matter much. Posted here to see if there were other options out there but it does not seem so.

    Thanks for your input/advice.


  • Rebel Alliance Global Moderator

    Yes, every network has a broadcast IP; 192.168.0/24 would be 192.168.0.255, but what MAC address do you think that goes to??

    See attached, a broadcast to the network broadcast address .255 - look at the MAC.. That is a directed broadcast, but DHCP would be a full broadcast to 0.0.0.0, same all-F's MAC..

    How exactly are you going to run 2 DHCPs on the same wire on pfSense??  So even if you deny all on one, and reversed the deny on the other so your devices could only get their reservations, pfSense will not let you run them in such a borked configuration..

    If you want to do the borked config vs. doing it correctly, then you would have to set up static IPs for everything.. Or run the second DHCP on something else other than pfSense and then limit what the DHCP servers will hand out IPs for.. If you're going to go to all of that trouble, prob just be easier to set up static IPs on the devices themselves, etc.

    Good luck!
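The two points johnpoz makes in the posts above (a DHCPDISCOVER is addressed to ff:ff:ff:ff:ff:ff and 255.255.255.255, so every DHCP server on the wire processes it regardless of which subnet it serves, and even a subnet-directed broadcast such as 192.168.0.255 is received by every NIC on the segment), together with the "deny all on one, reverse the deny on the other" arrangement discussed just above, as an added example that is not part of this thread and is not pfSense code. It builds real DHCPDISCOVER frames with the Python standard library and models the NIC and IP-stack filtering of hosts sharing one Ethernet segment; the MACs, addresses, the two server objects and their reservation/deny lists are all constructed for the simulation, nothing is transmitted, and whether pfSense would let you configure two servers on one interface is not modelled.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

BCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")
ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
KNOWN, GUEST = "de:ad:be:ef:00:01", "de:ad:be:ef:00:99"  # constructed client MACs (assumptions)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP around payload (checksums left zero; nothing is transmitted)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + udp


def build_dhcp_discover(client_mac):
    """DHCPDISCOVER as a lease-less client sends it: 0.0.0.0 -> 255.255.255.255, dst MAC all F's."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,       # ciaddr yiaddr siaddr giaddr
                        mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])            # magic cookie, type DISCOVER, end
    return build_udp_frame(client_mac, BCAST_MAC, "0.0.0.0", "255.255.255.255", 68, 67, bootp + options)


def dhcp_client_mac(frame):
    chaddr = ETH_LEN + IP_LEN + UDP_LEN + 28                           # BOOTP chaddr field
    return frame[chaddr:chaddr + 6].hex(":")


@dataclass
class Host:
    mac: str
    addr: str                                  # e.g. "192.168.0.60/24"

    def l2_receives(self, frame):
        # The NIC knows nothing about subnets: unicast to me or the broadcast MAC is passed up.
        return frame[0:6].hex(":") in (self.mac, BCAST_MAC)

    def l3_accepts(self, frame):
        iface = ipaddress.ip_interface(self.addr)
        dst_ip = ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20])
        return dst_ip in (LIMITED_BCAST, iface.ip, iface.network.broadcast_address)


@dataclass
class DhcpServer(Host):
    pool_start: str
    reservations: dict = field(default_factory=dict)   # client MAC -> fixed IP
    deny_unknown: bool = False                          # answer only reserved MACs
    mac_deny: set = field(default_factory=set)          # never answer these MACs
    next_free: int = 0

    def offer(self, frame):
        """Address this server would OFFER for a DISCOVER, or None if it stays silent."""
        if not (self.l2_receives(frame) and self.l3_accepts(frame)):
            return None
        mac = dhcp_client_mac(frame)
        if mac in self.mac_deny or (mac not in self.reservations and self.deny_unknown):
            return None
        if mac in self.reservations:
            return self.reservations[mac]
        ip = str(ipaddress.IPv4Address(self.pool_start) + self.next_free)
        self.next_free += 1
        return ip


def make_segment(reverse_deny=False):
    """Two clients and two DHCP servers on one wire: A owns 192.168.0.0/24, B owns 192.168.1.0/24."""
    server_a = DhcpServer("00:11:22:aa:aa:01", "192.168.0.1/24", "192.168.0.100",
                          reservations={KNOWN: "192.168.0.50"}, deny_unknown=True)
    server_b = DhcpServer("00:11:22:bb:bb:01", "192.168.1.1/24", "192.168.1.100",
                          mac_deny={KNOWN} if reverse_deny else set())
    return [Host("de:ad:be:ef:00:02", "192.168.0.60/24"), Host("de:ad:be:ef:00:03", "192.168.1.60/24"),
            server_a, server_b]


def discover_offers(segment, client_mac):
    """Which DHCP servers on the wire answer a DISCOVER from client_mac, and with what address."""
    frame = build_dhcp_discover(client_mac)
    return {d.mac: d.offer(frame) for d in segment if isinstance(d, DhcpServer)}


def directed_broadcast_visibility(segment):
    """Broadcast to 192.168.0.255 from a net-A host: who sees it at L2 vs. who accepts it at L3."""
    frame = build_udp_frame(KNOWN, BCAST_MAC, "192.168.0.50", "192.168.0.255", 5000, 5000, b"hello")
    seen = sorted(d.mac for d in segment if d.l2_receives(frame))
    accepted = sorted(d.mac for d in segment if d.l2_receives(frame) and d.l3_accepts(frame))
    return seen, accepted


if __name__ == "__main__":
    print("guest:", discover_offers(make_segment(), GUEST))          # only B answers
    print("known:", discover_offers(make_segment(), KNOWN))          # A and B both answer: a race
    print("known, B denies it:", discover_offers(make_segment(True), KNOWN))
    print("directed bcast (L2 seen, L3 accepted):", directed_broadcast_visibility(make_segment()))
```

Running it shows the guest MAC answered only by server B, while the reserved MAC is answered by both servers unless B also carries an explicit deny for it; with two real servers that is a race for whichever OFFER reaches the client first, which is the problem the posters describe. The directed-broadcast check shows every NIC on the segment receiving the 192.168.0.255 frame at L2 even though only the 192.168.0.0/24 hosts accept it at L3, so the second subnet is visible to, not isolated from, the first.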




  • @johnpoz:


    Yes, exactly, that's what I wrote more or less as well. :)

    So not really worth doing right now but will have to do some thinking on what I should do.

    Thanks for your help.