need multiple subnets on a single interface
-
How do I make this work? I need to run multiple subnets on one interface. I have been following the instructions here but I am missing something. https://forum.netgate.com/topic/113560/multiple-subnets-on-one-physical-lan-interface
-
@radarg simply use VLAN. If your switches don't support VLAN, use another port.
Using Virtual IPs for a secondary network may work but is a setup destined to break.
-
Those instructions you linked to are for vlans.
Really trying to figure out what your drawing there is supposed to be.. 192.168.4 would be a transit to 2 downstream routers.
Where do you think you need to run multiple subnets on the same interface? You mean you need to allow downstream networks into the transit interface (192.168.4) on pfsense?
What are you using for those downstream routers? They most likely are natting anyway.
-
Which interface do you have 2 IPs on? Why do you think you need 2 IPs on it? It is possible to use an alias, but you don't want to do that unless you know what you're doing.
-
@jknott said in need multiple subnets on a single interface:
but you don't want to do that unless you know what you're doing.
If you knew what you were doing - you wouldn't be doing it ;)
And I think you meant vips there and not aliases... You might use a vip on your wan if your ISP has given you more public IPs, sort of thing. And this would almost always be on the same network as your normal public IP.
You might use a vip again on your wan.. To access your modem or something whose IP is not on your wan IP in a bridged setup.. For example the common modem management IP of 192.168.100.1
But generally speaking if you're thinking of running multiple layer 3 on the same L2, you're doing it wrong ;) Might be needed in an emergency sort of thing where hey.. I have this device on my L2 and I was changing IP ranges - and now I cannot get to it to change its IP to the correct network.
But generally speaking - no you don't run multiple L3 on the same L2.. I think what he is trying to do is set up downstream routers - but not sure where he thinks he needs to set multiple subnets on the same interface? Not in that drawing.. I don't see any vlans - unless he is talking for his management PC there. But the way he has it drawn sure looks like a different interface..
The thread he linked to was allowing downstream networks into a transit interface.
-
@johnpoz said in need multiple subnets on a single interface:
@jknott said in need multiple subnets on a single interface:
but you don't want to do that unless you know what you're doing.
If you knew what you were doing - you wouldn't be doing it ;)
There may be valid reasons for it.
And I think you meant vips there and not aliases...
Sorry, force of habit from Linux. I've been working with Linux for a lot longer than pfsense, going back to the late '90s.
But generally speaking if you're thinking of running multiple layer 3 on the same L2, you're doing it wrong ;)
Yet IPv6 is designed to support that, where you can have multiple routable addresses on a network. IIRC, there's a fix coming in pfsense 2.5 to better support it.
-
@jknott said in need multiple subnets on a single interface:
Yet IPv6 is designed to support that,
No, not really... While they might have multiple IPs - they are all in the same prefix. Link local is not a layer 3 network to be honest, since you don't route it - it stays on that layer 2.. So it's your layer 2 address, and then you have a Layer 3 address - you can have multiple in the same prefix - which is pretty much pointless from a networking perspective and is just nonsense "privacy" that has zero point from a networking point of view. And just makes it harder to manage..
Same goes for ULA addresses - another pointless thing.. Like putting an rfc1918 address at the same time as putting public.. really no point from a networking perspective of device A talking to device B..
-
Well, pfsense allows you to put multiple prefixes, including ULA on an interface and router advertisements allow for multiple routers. I would expect those to be within the same prefix, but I don't know that's required.