Multiple Subnets on Same LAN Interface

a.simon

I need to route between three networks 10.15.0.0/23, 172.16.1.0/24 and 172.16.3.0/24 that are on the same physical network (please don't ask why...). The firewall pfsense alread was using IP 10.15.1.2 on the LAN IF. I added 172.16.1.1 and 172.16.3.1 as virtual IPs to LAN IF, set up related firewall rules and expected the firewall to route between the three LANs. When traceroute from a client in the 10.15.0.0/23 network to a host in the 172.16.3.0 network, the packages are directly NATed and sent out via the default gateway of the firewall. What's going on here? The routing table looks fine and presents entries for all IPs on LAN interface.

johnpoz

@a-simon said in Multiple Subnets on Same LAN Interface:

hat are on the same physical network (please don't ask why...).

On the same L2? That is just borked.. Fix it and then you won't have any issues routing traffic.

If your going to just run them on the same L2, then just put them all on the same L3 network.

stephenw10

@a-simon said in Multiple Subnets on Same LAN Interface:

(please don't ask why...)

Well if you insist!

I would guess you have some policy based routing rules forcing that traffic out of the WAN. pfSense will otherwise use the same interface to route between subnets as you expect. You can get some odd asymmetry happening at time. Firewall rules often don't apply as you expect because things like 'LANnet' don't contain the additional subnets. Some services will not listen on those subnets without additional config.

Do the VIPs you added have the correct subnets on them?

Steve

johnpoz

Its like helping someone pound in a screw with a hammer ;)

Sure if the hammer is big enough, and you hit the screw hard enough you can drive it in.. But its not the correct tool for the job.

Just like trying to run multiple L3 on the same L2 is not how you do it. The OP would be much better off correcting such a borked network, then forcing the square peg into the round hole.

Or you get other users thinking this

Is fine or a correct way to do things..

stephenw10

I'm not disagreeing but sometimes you gotta do what you can with what you've got.

I've added subnets to interfaces to access some device that was stuck on the wrong subnet more times than I can remember.

Steve

johnpoz

@stephenw10 said in Multiple Subnets on Same LAN Interface:

I've added subnets to interfaces to access some device that was stuck on the wrong subnet more times than I can remember.

That is completely different.. That was a quick fix solution to a specific problem, that I am assume you corrected. Or did you just leave that device on the wrong subnet? Once you were able to get to it?

Is the OP goal to be able to talk to these devices from his machine to change their IPs, set them to dhcp so they get the correct subnet? Sure didn't sound like temp method to fix his broken setup to me.

stephenw10

@johnpoz said in Multiple Subnets on Same LAN Interface:

Or did you just leave that device on the wrong subnet? Once you were able to get to it?

I'm admitting nothing!

a.simon

@stephenw10 "Policy Based Routing" was the key to the solution. I had already solved my problem by adding explicit rules right after writing my post but was not sure why this was necessary. You're absolutely right: There is a rule forcing the outgoing LAN traffic to use one of the WAN interfaces, overriding the routing table. Thanks for your response.

johnpoz

Lets list off a couple of reasons why this is bad..

1. There is no security here, be it you think you created firewall rules to block X from Y or not.. If the devices are on the same L2, they can talk to each other.. All that has to happen is for the user to change their IP or even just create a static arp and there you go they are talking directly to other IP not routing through anything.

2. All broadcast/Multicast will be seen by all clients on this L2, doesn't matter what their IPs are..

3. Can't run dhcp server in such a setup..

4. Did I mention no actual isolation of your devices ;)

5. Complicates your setup on your firewall/router - complicated setups lead to mistakes and extra work ;)

6. Relates to 1, since all networks are really just the same L2 - any user can just change their IP and off they go hitting firewall rules that they shouldn't be able to, and talking to stuff that is actually on a different network/internet that maybe you don't want them too.

JKnott

@a-simon

When you have multiple subnets on the same interface, you will get ICMP redirects when you try to send traffic to a different network. But you can't do that, because the other network doesn't fit within the first network, as specified by the subnet mask. You can't get there from here.

AKEGEC

@a-simon , are you starting a campaign? Because with this method all your data s are leaking and sharing radios with others .

JKnott

@AKEGEC

Did he mention WiFi? If he's running multiple APs, then he needs VLANs.

AKEGEC

@JKnott said in Multiple Subnets on Same LAN Interface:

@AKEGEC

Did he mention WiFi? If he's running multiple APs, then he needs VLANs.

It doesn't matter. The problem is he thinks he can get away with that method. Anyway it used to be inequality of available information, but in this case network X knows who network Y is and vice versa.

coffeecup25

Been there. Done that. It does not work.

Everything on the same switch eliminates the isolation I presume you want. Impossible.

My home internet is wired / wireless. I have a smart switch that isolates everything attached to a 2nd switch. Not difficult. Google it.

stephenw10

Sometimes you don't need isolation you just need to access both subnets. But doing so in this way should really be a last resort or something temporary.

Steve

johnpoz

@stephenw10 said in Multiple Subnets on Same LAN Interface:

But doing so in this way should really be a last resort or something temporary.

Concur... As in your example where box had the wrong IP for the L2 it was on.. And you didn't have physical access to the box and need to get to it to correct is wrong IP..

A valid use of such methods would be say for example you changed your address range via dhcp change.. And you forgot about some box that was static.. And now your no longer at the office and you need to get to that box to change its IP, or change it to dhcp and reboot it..

stephenw10

Yes, and knowing how to do that and what it looks like if you're in that situation is a useful skill that may well save your ass!
They other situation I see it in commonly is when a network is switching subnets, because the previous one was too small and couldn't enlarged or it conflicts with a remote subnet over a VPN say. Both subnets may be run for some time during the switch over because there are always some systems that have some issue. Still better to avoid it if you can.

Steve