Adding second network, 10.0.0.0



  • I've done this before but cannot seem to find a simple explanation on how to do it. The firewall handles the 192.168.0.0 network but I'd like to add the 10.0.0.0/8 network as well. Both would be on the same LAN interface.

    I guess I must be using the wrong search words because I cannot find how to do this.

    Can someone please just share a URL/Link to a doc that shows how this is done. I recall it was very simple but don't want to mess up the firewall since it's in production.

    Thanks in advance.



  • @lewis

    You could create an alias address, but I don't think that's what you want to do. What do you expect to accomplish with this? Even if you did it, everything on the 2nd address block would have to use static config, instead of DHCP.


  • LAYER 8 Rebel Alliance

    There is no clean/proper way to run two networks at the same layer2.
    Create VLANs or use more physical NICs.

    -Rico



  • I found this.

    https://serverfault.com/questions/837058/add-an-alias-to-a-pfsense-interface

    Go to the Firewall > Virtual IPs menu
    Click Add
    Click IP Alias
    Select the Interface to add the IP alias to
    Add the IP alias to the Address field and set its prefix length
    Click Save
    

    I basically just need to have access to other IP ranges so I can nmap scan devices I'm testing when I cannot tell what IP they are set to.

    Once added, I could also use it to separate traffic. For example, maybe all IP cameras go on a 10.0.1.1 network.

    Nothing too complicated.



  • @lewis

    Maybe you should think this through. For example, where would you run nmap from? Also, what would those cameras be connecting to? As mentioned, you want another NIC or VLAN.



  • Since adding the alias for example (as shown above), I'm now able to ping 10.0.0.1. This seems to be just what I'm looking for.

    Not sure what there is to think through and of course, is why I asked the question.

    I'm not looking for anything all that complicated, I don't need to route anything, I just need to ping devices that are on 10.x.x.x networks while the default network is 192.168.1.1.

    Isn't what I have now just what I am looking for?



  • @lewis said in Adding second network, 10.0.0.0:

    I'm not looking for anything all that complicated, I don't need to route anything, I just need to ping devices that are on 10.x.x.x networks while the default network is 192.168.1.1.

    Again from where? If only from pfSense, yeah that will work. If the other network, no it won't.



  • Not following.
    The firewall default LAN network is 192.168.0.0/16.
    Adding the alias has so far allowed me to ping the 10.0.0.1 IP from devices in the 192.168.x.x network. Does this not mean I can ping any device on 10.x.x.x from the 192.168.x.x network now?



  • @lewis

    Did you actually ping something on one network from the other, except for from pfSense? The way IP works, that shouldn't be possible. When you try to connect with IP, the destination address is compared with the local address & subnet mask. If the destination is on the same network, then you can connect directly. If not, you have to go through a router. However, with both networks on the same interface, the router (pfSense) will send an ICMP redirect, advising to connect directly. But you can't, as described above. The way around that is more aliases, so that a computer has addresses on both networks. You'll need an address on every device you want to be able to use either network.
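
The on-link versus routed decision described in this reply, worked through as an added example (not code from the thread or from pfSense). It uses only the standard-library ipaddress module; the topology, host addresses and port labels ("lan", "opt1") are constructed for illustration.

```python
"""Model of the next-hop decision when two IP subnets share one layer-2 segment.

Added example, not from the forum thread or pfSense.  Addresses and port
labels below are constructed: pfSense LAN = 192.168.0.1/16 plus an IP alias
10.0.0.1/8, a PC at 192.168.1.50/16, a stray device at 10.0.0.5/8.
"""
from ipaddress import ip_address, ip_interface

DEFAULT_GW = ip_address("192.168.0.1")  # constructed: pfSense LAN address


def next_hop(local_ifaces, dst, default_gw=DEFAULT_GW):
    """Host-side decision for a packet to dst.

    Returns ("direct", dst) if dst falls inside the network of any local
    address (on-link), ("via", gateway) if it does not but the gateway is
    on-link, or None if the host has no way to reach dst at all.
    """
    dst = ip_address(dst)
    ifaces = [ip_interface(i) for i in local_ifaces]
    for iface in ifaces:
        if dst in iface.network:
            return ("direct", dst)
    for iface in ifaces:
        if default_gw in iface.network:
            return ("via", default_gw)
    return None


def router_decision(ifaces_by_port, ingress_port, dst):
    """Router-side decision for a packet that arrived on ingress_port.

    Only directly connected networks are modelled.  Returns "forward" when
    the egress port differs from the ingress port, "redirect" when they are
    the same (the router would emit an ICMP redirect instead of relaying
    traffic between two subnets on one wire), or "no-route".
    """
    dst = ip_address(dst)
    for port, ifaces in ifaces_by_port.items():
        if any(dst in ip_interface(i).network for i in ifaces):
            return "redirect" if port == ingress_port else "forward"
    return "no-route"


def reachable_after_redirect(local_ifaces, dst):
    """After an ICMP redirect the host must deliver dst directly; that only
    works if dst is on-link for one of its own addresses."""
    hop = next_hop(local_ifaces, dst)
    return hop is not None and hop[0] == "direct"


if __name__ == "__main__":
    pc = ["192.168.1.50/16"]
    alias_on_one_port = {"lan": ["192.168.0.1/16", "10.0.0.1/8"]}
    separate_ports = {"lan": ["192.168.0.1/16"], "opt1": ["10.0.0.1/8"]}

    # Pinging the alias itself works: pfSense owns 10.0.0.1 and answers.
    print("PC -> 10.0.0.1:", next_hop(pc, "10.0.0.1"))
    # A real 10.x device on the same wire: pfSense only redirects.
    print("pfSense, alias on LAN:", router_decision(alias_on_one_port, "lan", "10.0.0.5"))
    print("PC can deliver after redirect:", reachable_after_redirect(pc, "10.0.0.5"))
    # Fix 1: give the PC an address on both networks.
    print("PC with alias:", next_hop(pc + ["10.0.0.50/8"], "10.0.0.5"))
    # Fix 2: put 10.0.0.0/8 on its own interface (or VLAN) so pfSense routes.
    print("pfSense, separate port:", router_decision(separate_ports, "lan", "10.0.0.5"))
```

The third print is the crux of the thread: the redirect tells the PC to talk to 10.0.0.5 directly, but with only a 192.168.x.x address the PC has no on-link path, so the ping fails even though pinging pfSense's own alias succeeded.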



  • Yes, you are right. I pinged the firewall only, not a device on the LAN.
    I thought being able to ping the firewall meant I could now reach anything on the 10.x.x.x network.

    I recall it was very simple when I did this a long time ago. I simply added an alias or something, I believe I only needed to add one rule to allow the 192.168.x.x network to communicate with devices on the 10.x.x.x network.

    And, if I wanted more security, I could also set up separate rules instead of one single rule as above.



  • So, can someone direct me to a url/document that can help me with this? I had found one once but can't seem to find one now.
    I basically just want to have 192.168.x.x as the default network with 10.0.0.0/8 as a secondary network.



  • @Rico said in Adding second network, 10.0.0.0:

    There is no clean/proper way to run two networks at the same layer2.
    Create VLANs or use more physical NICs.

    -Rico



  • I'm not trying to argue but I had this working up until last year and it worked perfectly. I could either have one rule that allowed traffic to flow between the two networks or I could create separate rules to keep them separated. It was a one minute setup.

    I was not using a vlan either. Maybe I'm not asking the question correctly which is why I'm not finding anything on Google either.



    You can't find anything on Google, because it's not supported & in fact very bad practice to run multiple subnets on the same interface.

    You either use a separate network card or you use VLANs.

    Whatever it was you had working up until last year, it probably wasn't what you think it was.


  • LAYER 8 Global Moderator

    As others have said this is just borked.. Running multiple layer 3 networks on the same layer 2 network is just WRONG!! Can it be done - yeah, but it provides no security, no isolation.. It's just utterly freaking pointless from every point of view..

    If you want to isolate devices onto different networks for security... Then do it physically with different nics in pfsense, and different switches and APs... Or go the vlan route... Get a switch and APs that actually support vlans.

    A $40 8 port gig switch can do VLANs... If you don't want to spend money on wireless APs that do them or your current wifi router can not run 3rd party like ddwrt that will allow VLANs - then you could use some $20 wifi router as AP and connect it to a specific VLAN on your switch..



  • I understand why it's not a good idea but as I said, it's not to route traffic, it's just to scan devices I work on that come in with fixed IPs and the only way to find them is to nmap a range.

    All my switches can do VLANs and other tricks but I'm not looking for anything like that. Not looking to set up separate networks. I'm not looking to isolate anything, I do want all three on the same interface, there is no security issue in this case.



  • @lewis

    As has been mentioned, you can't get from one network to the other, without going through pfSense or other router. But a router won't do that when both networks are on the same interface. You could install nmap on pfSense and then use it to check those devices, provided you put an alias on the pfSense LAN port.


  • LAYER 8 Global Moderator

    @lewis said in Adding second network, 10.0.0.0:

    it's just to scan devices I work on that come in with fixed IPs

    What devices - so you can not log into these devices.. No console or screen.. And you don't know what their IP is to say telnet/ssh to them.. But you have the login creds?

    Why would you think you should do this from your firewall?

    Set the IP on your PC you're working from.. Scan whatever you want... I would do such things on an isolated VLAN anyway.. I wouldn't be plugging random shit into my normal LAN..



  • @johnpoz said in Adding second network, 10.0.0.0:

    @lewis said in Adding second network, 10.0.0.0:

    it's just to scan devices I work on that come in with fixed IPs

    What devices - so you can not log into these devices.. No console or screen.. And you don't know what their IP is to say telnet/ssh to them.. But you have the login creds?

    Why would you think you should do this from your firewall?

    Set the IP on your PC you're working from.. Scan whatever you want... I would do such things on an isolated VLAN anyway.. I wouldn't be plugging random shit into my normal LAN..

    The random 'shit' are IoT devices that I need to recover. I know where they come from, I know there are no security risks, just that someone lost access to it by setting up a static IP and it cannot be reset. When arp -s IP MAC doesn't work, the only thing left is to scan the IP ranges. Nothing will be routing on those networks, it's only to find IPs that might be using one of these.

    I keep telling you, this is not a security issue, I'm not trying to isolate anything, I had a simple config on the pfSense some time back that gave me exactly this. It allowed me to set up two additional networks on the default 192.168.x.x. The two additional networks were 10.0.0.0/8 and 172.16.0.0/16.

    Anyhow, if no one here knows what it was I might have had, no need to continue this thread. I just thought it was something simple and well known.



  • I think I'll just add a couple more interfaces and do it that way. I got to thinking about how I might be able to use the separate LANs anyhow.

    Thanks to all for the input.

