Netgate Discussion Forum

Wan and Lan on same IP range for test lab

NAT
  • M
    mattie01
    last edited by Dec 7, 2017, 3:05 PM

    Hi All,
    So I have just taken over a bit of network infrastructure (a couple of servers and such) that needs a bit of TLC, and I want to set up a test lab that is an exact replica of a production environment on vSphere, using pfSense as a virtual router to block all network traffic between the two but allowing access to HTTP and HTTPS so I can pull in Windows and Linux server updates for testing before deploying to production.

    I've had a quick look around the internet and on the forum; there are lots of references advising it is easy to do with pfSense, but I haven't had much luck setting it up. I guess I am missing something stupid.

    So my normal network is 172.16.x.x 255.255.0.0 with the default gateway address as 172.16.0.1. If I have the WAN pick up an IP address of, say, 172.16.252.252 and have the pfSense interface run on 192.168.1.1, I can see the pfSense from an internal machine and can browse the internet (I haven't placed any firewall rules in place to block anything as I wanted to wait until I can get the internal network working on the 172.16.0.x range), but every time I try and set this up I lose all network access to the pfSense from the machines on the inside LAN. I can still access it via vSphere.

    Ideally I want the internal LAN address of the pfSense to be 172.16.0.1 so that it mimics my live environment and I don't then need to change the gateway on any of the VMware VMs I deploy to this test lab.

    I believe I have the VMware side set up correctly, with 3 switches: 1 for vSphere management connected to a real NIC, 1 switch for the WAN side of the pfSense VM connected to a different real NIC, and another virtual switch with no real NICs assigned to it, which I put all the internal test lab devices on, so the only connection they have to a working NIC is via the vSwitch on the WAN side of pfSense.

    Also I should mention there are no VLANs on the network; that is my next project to get sorted, but I wanted a test lab up and running first.

    As I said, I am guessing I am missing something, as everything I have read seems to point to say this is all possible, so if anyone can help on what I am doing wrong that would be great.

    Thanks for taking a look.

    • J
      JKnott
      last edited by Dec 7, 2017, 3:42 PM

      You cannot have the same network address on both sides of a router.  It won't know which way to forward a packet.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • M
        mattie01
        last edited by Dec 15, 2017, 3:27 PM

        Would it be something I could do, if I could set up an additional range of IP addresses on my normal network to be something like 172.16.240.x as well as 172.16.0.x, and then have the 172.16.240.x address assigned as the outside gateway of the virtual pfSense, then use 172.16.0.1 as the inside interface of the pfSense?

        • J
          JKnott
          last edited by Dec 15, 2017, 3:38 PM

          @mattie01:

          Would it be something I could do, if I could set up an additional range of IP addresses on my normal network to be something like 172.16.240.x as well as 172.16.0.x, and then have the 172.16.240.x address assigned as the outside gateway of the virtual pfSense, then use 172.16.0.1 as the inside interface of the pfSense?

          You cannot have 172.16.240.x on both interfaces. They must be different. You could have 172.16.240.x on the WAN and 172.16.0.x on the LAN.

          Once again, you cannot have the same address range on both sides of a router.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Dec 16, 2017, 9:20 AM

            /16? Why?? That would be the first thing I would freaking fix on some network I took over..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • ?
              Guest
              last edited by Dec 16, 2017, 10:47 AM

              So I have just taken over a bit of network infrastructure (a couple of servers and such) that needs a bit of TLC

              I would start off by studying how networks operate first. Trying to put both LAN and WAN on the same address range shows a basic lack of understanding.

              Frightening…

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Dec 16, 2017, 1:41 PM

                heheh marjohn56… I wanted to say the same thing, but was trying to be nicer and less blunt. But that did get you an applaud from me, and made me smile. Thanks!

                • ?
                  Guest
                  last edited by Dec 16, 2017, 1:56 PM

                  Yes, I miss the Doc…. Occasionally it needs to be said the way it is.

                  • J
                    jahonix
                    last edited by Dec 16, 2017, 2:47 PM

                    Only very few don't and I'm not one of them.

                    • J
                      jahonix
                      last edited by Dec 16, 2017, 2:52 PM

                      @JKnott:

                      You could have 172.16.240.x on the WAN and 172.16.0.x on the LAN.

                      No, he cannot!
                      His network is defined as 172.16.0.0 /16. They would still be on the same broadcast domain unless he'd change the network size to something smaller and not overlapping.

                      • J
                        JKnott
                        last edited by Dec 16, 2017, 7:49 PM

                        @jahonix:

                        @JKnott:

                        You could have 172.16.240.x on the WAN and 172.16.0.x on the LAN.

                        No, he cannot!
                        His network is defined as 172.16.0.0 /16. They would still be on the same broadcast domain unless he'd change the network size to something smaller and not overlapping.

                        I believe that /16 came from the part where he was talking about 172.16.x.x, implying a /16.  I referred to 172.16.0.x and 172.16.240.x, both of which imply /24 and would work fine.

                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Dec 18, 2017, 5:19 PM

                          Yeah, they are on the same /16; he stated he was running 172.16. RFC 1918 is not a /16, it's a /12..

                          This one-post wonder prob won't be back, or if he is it will be months later… etc.. So we may never know what he has as a mess..

                          • JKnottJ
                            JKnott
                            last edited by Dec 18, 2017, 5:26 PM

                            ^^^^
                            Maybe he discovered he has a thing or two to learn about networking.  ;)

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by Dec 18, 2017, 5:37 PM

                              3 or 4 or more like 10k things ;) hehehe

                              • ?
                                Guest
                                last edited by Dec 18, 2017, 5:38 PM

                                What concerned me was the initial comment about 'taking over a bit of network infrastructure'. Surely to be in that position it is assumed that you know the basic principles at least.

                                In saying that, I think there are a few working for IT departments I come into contact with who could well do with a refresher course.

                                • KOMK
                                  KOM
                                  last edited by Dec 18, 2017, 6:23 PM

                                  Perhaps you guys could help him out without the non-stop mockery and asshatism?  It's crap like this that gets a forum and product a bad name.  It really isn't that hard to help people without the goal of making them look stupid and making sure they realize it.  I normally wouldn't have said anything but you appear to be wallowing in this guy's lack of knowledge.

                                  As for dok, he was a perfect example of weaponized autism.  He was very good at networking, and a total failure at relating to and interacting with people.  I won't miss him for a nanosecond, no matter how smart he was.

                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by Dec 18, 2017, 6:47 PM

                                    @marjohn56:

                                    What concerned me was the initial comment about 'taking over a bit of network infrastructure'. Surely to be in that position it is assumed that you know the basic principles at least.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    • KOMK
                                      KOM
                                      last edited by Dec 18, 2017, 8:15 PM

                                      Instead of silently smiting me like a coward, perhaps you could use your big-boy voice and explain why I'm wrong?

                                      • ivorI
                                        ivor
                                        last edited by Dec 18, 2017, 8:26 PM

                                        @KOM:

                                        As for dok, he was a perfect example of weaponized autism.  He was very good at networking, and a total failure at relating to and interacting with people.  I won't miss him for a nanosecond, no matter how smart he was.

                                        Funny and true.

                                        @KOM:

                                        Instead of silently smiting me like a coward, perhaps you could use your big-boy voice and explain why I'm wrong?

                                        Everyone should chill. Let's all be nice to each other.

                                        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                        • JKnottJ
                                          JKnott
                                          last edited by Dec 18, 2017, 8:35 PM

                                          @KOM:

                                          Instead of silently smiting me like a coward, perhaps you could use your big-boy voice and explain why I'm wrong?

                                          Well let's start with:

                                          So I have just taken over a bit of network infrastructure (a couple of servers and such) that needs a bit of TLC, and I want to set up a test lab that is an exact replica of a production environment on vSphere, using pfSense as a virtual router to block all network traffic between the two but allowing access to HTTP and HTTPS so I can pull in Windows and Linux server updates for testing before deploying to production.

                                          When I see something like that, I would expect the person to have at least some understanding of networks. I then mentioned a couple of times that you can't have the same addresses on the LAN and WAN sides of a router. Others said similar. However, the reason for that is the way routers work. They maintain a list of which way to connect to a given address range. For home or small office networks, it normally only has to deal with the local network and the default gateway. Regardless, it still has to know which direction, based on the network address. So, if he has 172.16.0.0/16 on the WAN side and again on the LAN side, how does the router know which is the proper direction? The only exception would be where the masks are a different length, because routers rely on longest match. So, in this case, it might be possible to have 172.16.0.0/16 on one side and 172.16.x.0/24 on the other. In this situation, it says everything in 172.16.0.0/16 is on one port, except 172.16.x.0/24, which is on the other. This works only because the netmask allows the router to make the distinction. This also means that any address in the /24 network cannot be on the /16 side.

                                          Bottom line, he can't have the same address ranges on both sides of the router.

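The longest-match behaviour JKnott describes above, and the /16 versus /24 overlap jahonix raises earlier in the thread, worked through as an added Python example that is not from the original thread or from pfSense itself: a small longest-prefix-match lookup over constructed routing tables for the three address plans discussed (same /16 on both sides, a /24 on each side, and a /16 against a /24).

```python
import ipaddress

# Constructed routing tables (not pfSense output): each entry is (prefix, interface).
# Plan 1: what the original post asks for, 172.16.0.0/16 on both sides of the router.
SAME_RANGE = [("172.16.0.0/16", "WAN"), ("172.16.0.0/16", "LAN")]
# Plan 2: JKnott's suggestion read as two /24s, 172.16.240.x WAN and 172.16.0.x LAN.
TWO_24S = [("172.16.240.0/24", "WAN"), ("172.16.0.0/24", "LAN")]
# Plan 3: the only overlapping case that works, a /16 on one side and a /24 on the other.
LONGEST_MATCH = [("172.16.0.0/16", "WAN"), ("172.16.0.0/24", "LAN")]


def lookup(table, dst):
    """Pick the interface for dst by longest-prefix match, as a router would.

    Returns None when no entry covers dst (the router would drop the packet).
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def ambiguous(table):
    """True if the same prefix appears on two different interfaces.

    That is the configuration the thread rejects: the router has no way to
    choose a direction, whichever entry happens to come first wins.
    """
    seen = {}
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net in seen and seen[net] != iface:
            return True
        seen[net] = iface
    return False


def overlapping(a, b):
    """True if two prefixes share any address (jahonix's /16 objection)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    for name, table in [("same /16", SAME_RANGE), ("two /24s", TWO_24S), ("/16 vs /24", LONGEST_MATCH)]:
        print(name, "ambiguous" if ambiguous(table) else "ok",
              {d: lookup(table, d) for d in ("172.16.0.50", "172.16.240.10", "172.16.100.1")})
```

In plan 3 every 172.16.0.x destination is sent to the LAN, so a host with such an address on the WAN side is unreachable, which is the caveat JKnott ends with.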
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.