Multiple Subnets on Same LAN Interface

stephenw10 · Oct 12, 2020, 7:57 PM

I'm not disagreeing but sometimes you gotta do what you can with what you've got.

I've added subnets to interfaces to access some device that was stuck on the wrong subnet more times than I can remember.

Steve

johnpoz · Oct 12, 2020, 8:05 PM

@stephenw10 said in Multiple Subnets on Same LAN Interface:

I've added subnets to interfaces to access some device that was stuck on the wrong subnet more times than I can remember.

That is completely different.. That was a quick fix solution to a specific problem, that I am assume you corrected. Or did you just leave that device on the wrong subnet? Once you were able to get to it?

Is the OP goal to be able to talk to these devices from his machine to change their IPs, set them to dhcp so they get the correct subnet? Sure didn't sound like temp method to fix his broken setup to me.

stephenw10 · Oct 12, 2020, 8:21 PM

@johnpoz said in Multiple Subnets on Same LAN Interface:

Or did you just leave that device on the wrong subnet? Once you were able to get to it?

I'm admitting nothing!

a.simon · Oct 12, 2020, 8:30 PM

@stephenw10 "Policy Based Routing" was the key to the solution. I had already solved my problem by adding explicit rules right after writing my post but was not sure why this was necessary. You're absolutely right: There is a rule forcing the outgoing LAN traffic to use one of the WAN interfaces, overriding the routing table. Thanks for your response.

johnpoz · Oct 12, 2020, 8:35 PM

Lets list off a couple of reasons why this is bad..

There is no security here, be it you think you created firewall rules to block X from Y or not.. If the devices are on the same L2, they can talk to each other.. All that has to happen is for the user to change their IP or even just create a static arp and there you go they are talking directly to other IP not routing through anything.
All broadcast/Multicast will be seen by all clients on this L2, doesn't matter what their IPs are..
Can't run dhcp server in such a setup..
Did I mention no actual isolation of your devices ;)
Complicates your setup on your firewall/router - complicated setups lead to mistakes and extra work ;)
Relates to 1, since all networks are really just the same L2 - any user can just change their IP and off they go hitting firewall rules that they shouldn't be able to, and talking to stuff that is actually on a different network/internet that maybe you don't want them too.

JKnott · Oct 12, 2020, 8:54 PM

@a-simon

When you have multiple subnets on the same interface, you will get ICMP redirects when you try to send traffic to a different network. But you can't do that, because the other network doesn't fit within the first network, as specified by the subnet mask. You can't get there from here.

AKEGEC · Oct 15, 2020, 9:43 AM

@a-simon , are you starting a campaign? Because with this method all your data s are leaking and sharing radios with others .

JKnott · Oct 15, 2020, 4:30 PM

@AKEGEC

Did he mention WiFi? If he's running multiple APs, then he needs VLANs.

AKEGEC · Oct 15, 2020, 4:30 PM

@JKnott said in Multiple Subnets on Same LAN Interface:

@AKEGEC

Did he mention WiFi? If he's running multiple APs, then he needs VLANs.

It doesn't matter. The problem is he thinks he can get away with that method. Anyway it used to be inequality of available information, but in this case network X knows who network Y is and vice versa.

coffeecup25 · Oct 17, 2020, 7:19 PM

Been there. Done that. It does not work.

Everything on the same switch eliminates the isolation I presume you want. Impossible.

My home internet is wired / wireless. I have a smart switch that isolates everything attached to a 2nd switch. Not difficult. Google it.

stephenw10 · Oct 17, 2020, 7:49 PM

Sometimes you don't need isolation you just need to access both subnets. But doing so in this way should really be a last resort or something temporary.

Steve

johnpoz · Oct 17, 2020, 7:52 PM

@stephenw10 said in Multiple Subnets on Same LAN Interface:

But doing so in this way should really be a last resort or something temporary.

Concur... As in your example where box had the wrong IP for the L2 it was on.. And you didn't have physical access to the box and need to get to it to correct is wrong IP..

A valid use of such methods would be say for example you changed your address range via dhcp change.. And you forgot about some box that was static.. And now your no longer at the office and you need to get to that box to change its IP, or change it to dhcp and reboot it..

stephenw10 · Oct 17, 2020, 7:58 PM

Yes, and knowing how to do that and what it looks like if you're in that situation is a useful skill that may well save your ass!
They other situation I see it in commonly is when a network is switching subnets, because the previous one was too small and couldn't enlarged or it conflicts with a remote subnet over a VPN say. Both subnets may be run for some time during the switch over because there are always some systems that have some issue. Still better to avoid it if you can.

Steve