Adding a second subnet to the lan interface [noob]



  • I'm sorry this is such a noob question, but I've been fumbling for a while and I can't find an answer. I'm running the latest pfsense and I have a lan interface that is 192.168.21.10-255.  I'd like to also add another subnet to that interface and allow it to talk to anything else on lan 1 as well as access the internet. How would I accomplish this?



  • Having two IP subnets on the same "collision domain" is not a good idea but can be done.  A collision domain (in very simple terms) is a single network with no VLANs.  Rather than me wittering on for ages about this stuff I really recommend you read up on how networking works.  There are loads of really good docs on the internet but finding the right one for you is tough because there are also loads of awful ones (I've just done a quick Google and a quick read of some of those dreadful ones).  I've been doing this stuff for 25 years and have lost touch with decent educational resources.  I'll try to find a good one and post back if I remember 8)

    Anyway, the fix in this case is to use IP aliases (not to be confused with aliases which are lists of things in pfSense).  You can add arbitrary IPs to an interface at Firewall -> Virtual IPs.  Add one of type "IP Alias".

    Your "192.168.21.10-255" isn't right.  Hopefully you are using 192.168.21.10 with a subnet mask of 255.255.255.0 which is also known as /24 - that is 255.255.255.0 means the same as a 24 bit network mask which is written as /24.  You may also see 192.168.21/24 which refers to the entire network that includes a .10 system.  That network may also be written as 192.168.21.0/24.

    Example:

    LAN1 IP is 192.168.21.10/24
    LAN2 IP is 10.23.2.1/24

    You already have LAN1 IP set.  Add a Virtual IP of type IP Alias, Interface LAN, Address 10.23.2.1, put in the network mask as /24 in the dropdown list.  Add a Description as you see fit.

    Now a PC on your LAN can use either network range with the corresponding router address (the ones that are on pfSense.)  DHCP will only work for one or the other range, so don't try both.  Make sure that a suitable outbound NAT rule is in place to enable the second address range to get to the internet.

    You may need to add firewall rules to get this to work on the LAN interface but if you set a rule that allows any/any/any traffic then it will work.  Please refine the rules later once it is working otherwise there is no reason to use a firewall!

    Note that pfSense will log loads of ARP errors which can be switched off in System > Advanced > Networking > Suppress ARP messages.

    I think I've covered the lot but I really recommend you use VLANs or whatever.



  • @mudmin:

    … add another subnet to that interface and allow it to talk to anything else on lan 1 as well as access the internet.

    Why do you think you need an additional subnet then?
    If you run out of addresses then simply expand the network mask and make the address space bigger. Everything else wouldn't make too much sense since "everything should talk to everything" anyways.

    So expand your 192.168.21.0/24 to a
    192.168.20.0/23 (= 192.168.20.0 - 192.168.21.254 mask 255.255.254.0)
    and you're done.


  • LAYER 8 Global Moderator

    With jahonix here.. If you need some more IPs on your LAN it is WAY better to just increase the size vs doing something as BORKED as running multiple layer 3 on the same layer 2 network.. Sure you can do it..

    You can also hit your thumb with a hammer.. Or stick a pencil in your eye… Both of which would be a better idea than running another L3 network on the same layer 2 because you need some more IPs..

    If you want to bring up another network so you can control what can talk to what between these networks, or set different controls for how these 2 networks access the internet.. Then get a smart switch and setup vlans.  But please do not setup some alias network that you're going to run on the same wire..



  • A collision domain (in very simple terms) is a single network with no VLANs.

    Collision domains haven't been an issue since we moved from hubs to switches.  Perhaps you meant broadcast domain?



  • @Jon:

    There are loads of really good docs on the internet but finding the right one for you is tough because there are also loads of awful ones (I've just done a quick Google and a quick read of some of those dreadful ones).  I've been doing this stuff for 25 years and have lost touch with decent educational resources.  I'll try to find a good one and post back if I remember 8)

    I just hit you with the thank you button and the karma stick. You, sir, are a needle in a haystack  :-*

    (There is one other person on this board who is there with you, he knows who he is (yes, it is you  ;D )).


  • LAYER 8 Global Moderator

    So you thank someone for giving some of the worst possible advice ever??  Hitting you with the karma stick myself…  WTF dude really!

    And that he says he has been doing this for 25 years - makes it that much worse even!!



  • @johnpoz:

    So you thank someone for giving some of the Worse possible advice ever??

    Sigh…

    Really. The gift to read something has not been given to you, I've noticed that about a zillion times.

    Let alone understand things. That comes after reading.

    Yes, I'm being rude. You started it. As you always do. Yet one of your many, many other virtues.



  • LAYER 8 Netgate

    You have one pfsense interface on a broadcast domain: 192.168.10.1/24

    A sample configuration of a host on that interface would be this:

    Address: 192.168.10.10
    Netmask: 255.255.255.0
    Gateway: 192.168.10.1

    You create an IP alias VIP on the same interface: 192.168.11.1/24

    You put hosts on the SAME broadcast domain as the other hosts. An example host configuration:

    Address 192.168.11.10
    Netmask: 255.255.255.0
    Gateway: 192.168.11.1

    Now the exercise: 192.168.10.10 wants to communicate with 192.168.11.10 on the SAME, shared, broadcast domain. What happens?

    Now you take the same problem - adding more host addresses to a broadcast domain..

    You bite the bullet in a maintenance window and change the router interface to this: 192.168.10.1/23

    You change the DHCP server to set the host netmask to /23, expand the DHCP address pool to include the newly available addresses in 192.168.11 since the number of available host addresses has about doubled to 510 (192.168.10.1 - 192.168.11.254, with the firewall interface using .1).

    You also make sure all dynamic hosts release/renew and all statically-configured devices get the new 255.255.254.0 (/23) netmask.

    Now you have two hosts that want to communicate:

    Address: 192.168.10.10
    Netmask: 255.255.254.0
    Gateway: 192.168.10.1

    Address: 192.168.11.10
    Netmask: 255.255.254.0
    Gateway: 192.168.10.1

    What happens now?

    You are likely trying to do one of these things:

    • Increase the number of available host addresses on a network - I doubt this is really what you are needing to do, but if that was the case, the SECOND method outlined above is the way to go.

    • Add a new network, while maintaining both separation between the two and the ability to route/firewall between them - I feel this is likely what you are after and, in that case, the FIRST method above will only lead to pain and suffering and an asymmetric, hairpinning mess, as was evidenced by answering the FIRST exercise question above. What you want to do in that case is add another interface to pfSense (this can be physical or VLAN to a managed switch)

    That leaves you with this on pfSense:

    LAN:

    192.168.10.1/24

    Example host:

    Address: 192.168.10.10
    Netmask: 255.255.255.0
    Gateway: 192.168.10.1

    OPT1:

    192.168.11.1/24

    Example host:

    Address: 192.168.11.10
    Netmask: 255.255.255.0
    Gateway: 192.168.11.1

    Each has its own independent DHCP server, firewall rules, etc.

    Now 192.168.10.10 wants to talk to 192.168.11.10 - What happens?

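The three exercises in the post above (IP alias on one broadcast domain, widening the mask to /23 as jahonix suggests, and a separate LAN/OPT1 interface), worked through in Python as an added example. This is not code from the thread or from pfSense; it only models the host's on-link/off-link decision from its address, netmask and gateway, and the router's choice of egress interface from its connected subnets. The addresses and the LAN/OPT1 names are the thread's; the "wire-A"/"wire-B" broadcast-domain labels are an assumption used to detect when a routed packet leaves on the same wire it came in on.

```python
"""Forwarding outcomes for the three designs discussed in the thread.

Added example, not code from pfSense or from any poster. Only two rules are
modelled: a host ARPs for an on-link destination and otherwise sends to its
gateway; a router forwards out the interface whose connected subnet contains
the destination. Addresses are the ones used in the thread; the broadcast-domain
labels ("wire-A", "wire-B") are an assumption of this example.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def host_next_hop(host: IPv4Interface, gateway: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Address the host resolves with ARP when sending to dst."""
    if dst in host.network:
        return dst          # on-link: deliver directly at layer 2
    return gateway          # off-link: hand the packet to the default gateway


def router_egress(router: dict[str, list[IPv4Interface]], dst: IPv4Address) -> str | None:
    """Name of the router interface whose connected subnet contains dst."""
    for name, addrs in router.items():
        if any(dst in a.network for a in addrs):
            return name
    return None


def trace(src: IPv4Interface, src_gw: IPv4Address, dst: IPv4Interface, dst_gw: IPv4Address,
          router: dict[str, list[IPv4Interface]], l2_of: dict[str, str]) -> dict:
    """Describe a request from src to dst and the reply, marking hairpins.

    l2_of maps router interface name -> broadcast-domain label, so a packet that
    is routed back out onto the wire it arrived from is flagged as a hairpin.
    """
    def one_way(s: IPv4Interface, s_gw: IPv4Address, d: IPv4Interface) -> dict:
        hop = host_next_hop(s, s_gw, d.ip)
        if hop == d.ip:
            return {"path": "direct", "hairpin": False}
        ingress = router_egress(router, s.ip)   # interface the packet arrives on
        egress = router_egress(router, d.ip)    # interface it is forwarded out of
        return {"path": f"via {hop} -> {egress}", "hairpin": l2_of[ingress] == l2_of[egress]}

    return {"request": one_way(src, src_gw, dst), "reply": one_way(dst, dst_gw, src)}


def expanded_range(cidr: str) -> tuple[str, str, str, str, int]:
    """Widen a subnet by one bit: (network, first host, last host, netmask, usable hosts)."""
    net = IPv4Network(cidr)
    wide = net.supernet(new_prefix=net.prefixlen - 1)
    return (str(wide), str(wide.network_address + 1), str(wide.broadcast_address - 1),
            str(wide.netmask), wide.num_addresses - 2)


# Exercise 1: IP alias VIP 192.168.11.1/24 on the same LAN wire as 192.168.10.1/24.
def scenario_ip_alias() -> dict:
    router = {"LAN": [IPv4Interface("192.168.10.1/24"), IPv4Interface("192.168.11.1/24")]}
    l2 = {"LAN": "wire-A"}                      # assumed label for the single broadcast domain
    return trace(IPv4Interface("192.168.10.10/24"), IPv4Address("192.168.10.1"),
                 IPv4Interface("192.168.11.10/24"), IPv4Address("192.168.11.1"), router, l2)


# Exercise 2: same wire, but everything reconfigured to /23.
def scenario_supernet() -> dict:
    router = {"LAN": [IPv4Interface("192.168.10.1/23")]}
    l2 = {"LAN": "wire-A"}
    return trace(IPv4Interface("192.168.10.10/23"), IPv4Address("192.168.10.1"),
                 IPv4Interface("192.168.11.10/23"), IPv4Address("192.168.10.1"), router, l2)


# Exercise 3: second network on its own interface (physical or VLAN), so its own wire.
def scenario_two_interfaces() -> dict:
    router = {"LAN": [IPv4Interface("192.168.10.1/24")], "OPT1": [IPv4Interface("192.168.11.1/24")]}
    l2 = {"LAN": "wire-A", "OPT1": "wire-B"}    # assumed labels for two broadcast domains
    return trace(IPv4Interface("192.168.10.10/24"), IPv4Address("192.168.10.1"),
                 IPv4Interface("192.168.11.10/24"), IPv4Address("192.168.11.1"), router, l2)


if __name__ == "__main__":
    for name, fn in [("ip alias", scenario_ip_alias), ("/23", scenario_supernet),
                     ("two interfaces", scenario_two_interfaces)]:
        print(f"{name:15} {fn()}")
    print("expand 192.168.21.0/24 ->", expanded_range("192.168.21.0/24"))
```

In the IP-alias case both directions go to pfSense and are forwarded straight back out the LAN interface, so every packet between the two ranges crosses the firewall twice on one wire and is subject to the LAN rules in both directions (and pfSense will also have to answer ARP for both gateway addresses on that wire). With /23 the two hosts are on-link and never touch the router; with two interfaces the traffic is routed once between distinct broadcast domains, which is where per-network firewall rules and DHCP scopes actually apply. `expanded_range` reproduces the arithmetic in jahonix's post: 192.168.21.0/24 widens to 192.168.20.0/23, netmask 255.255.254.0, hosts 192.168.20.1 through 192.168.21.254.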
