Multiple non tagged subnets
-
@jknott great, thank you.
Now I have a virtual IP range in the firewall with description 'test virtual interface '
But when I go about setting up firewall rules I do not see the option to create rules for that interface.
I am really glad you all are helping out, but may I please be blunt and wonder: if it is this hard for such a generic and straightforward use case, then perhaps either the documentation or the setup wizard could benefit from an update that also takes newcomers like myself into account?
-
@pf_checker said in Multiple non tagged subnets:
Having N interfaces, untagged or not, on a single NIC is nothing unheard of.
Putting multiple IP ranges on the same L2 is just borked - sorry, yeah it's heard of, but it's WRONG..
Creating a sub interface is normally tagged.. Sorry, but if you're just running multiple layer 3 on the same L2 it's borked - not secure and going to cause nothing but issues trying to do anything with DHCP.
-
@johnpoz said in Multiple non tagged subnets:
Putting multiple IP ranges on the same L2 is just borked - sorry, yeah it's heard of, but it's WRONG..
Yet it's commonplace with IPv6. Even the modem my ISP provides, in gateway mode, has both GUA and ULA addresses.
Even with IPv4, there can be reasons to do it, but you'd better know what you're doing and why.
@pf_checker
When I set up security cameras, they were always on their own separate network, connected only to the DVR. The DVR had another port that connected to the LAN for access to the cameras through it. In your instance, I would go with a VLAN and managed switch just for the cameras.
-
@jknott said in Multiple non tagged subnets:
Yet it's commonplace with IPv6. Even the modem my ISP provide
My gawd, how many times do we have to go over that it is NOT the same thing.. Do you put 2 different boxes on the same L2 with different ULA prefixes? Or do devices on the same L2 use the same prefix for ULA when you do that?
Using a link-local address for a box on the same L2 is not the same as trying to run 192.168.10/24 and 192.168.20/24 on the same L2 and expecting them not to talk to each other, or trying to run DHCP on this L2 for multiple address ranges.
-
After my Linux box has been up for a week, it will have 8 GUA addresses, 8 ULA and 1 link-local, a total of 17 in 2 different subnets. One company I worked for, that provided hosted PBX service, would connect a 2nd ADSL modem, with a different subnet for the phones. Because they were on the same network, the phones had to have static addresses, with DHCP for the computers. This isn't the way I would have done it, if it was my choice, but it did work. I would have gone with VLANs.
-
I have no idea why you don't understand this..
Do you have ULAs in 2 different prefixes - NO!!
I don't care if you run 30 different IPs in the same network... Your point of IPv6 GUA and ULA and link-local has ZERO to do with running multiple networks that are supposed to be isolated on the same L2..
If I want to isolate device A from device B.. I don't run them on the same L2 and just give A an IP address in network A, and B an IP address in network B.. Because they are on the same L2 - running multiple networks does not actually isolate them if they are in the same L2.
Your GUA, ULA and link-local have ZERO to do with that..
-
So how do I proceed setting up multiple subnets on a single NIC without VLAN IDs?
Or how do I make it possible to assign a static IP address without a VLAN ID on a VLAN interface and have it reachable?
Either of these 2 options will get done what needs to get done.
I am open to another option of course, as long as that does not involve tinkering with a managed switch and/or getting another NIC installed.
I can accept it if it is not the official way of doing it, bad practice even; as long as I can prevent devices in the IoT subnet from reaching the WAN interface using firewall rules, I am happy.
-
@johnpoz said in Multiple non tagged subnets:
Do you have ULAs in 2 different prefixes - NO!!
I don't, but it is supported with IPv6. Also, as I mentioned, there were 2 subnets, though both NAT, with those hosted PBX phones. Aliases have been around for a long time, even on IPv4. There must have been a reason for it. In the OP's question, I can understand having a 2nd subnet for cameras, as it makes it harder to access them from outside, if NAT isn't set up for that subnet. However, as I mentioned, that would mean static addresses for the cameras. Funny thing, every security camera I have ever set up had a static address.
-
I like a good debate as much as the next guy :)
However, in this scenario I am left kind of confused :(
Am I on the correct forum to ask for help about pfSense related issues? If not, then can someone please redirect me?
-
@johnpoz and I often have fun debating some points. I also like to push points that many people misunderstand or don't understand at all. However, as has been pointed out, while doable, 2nd subnets on a LAN are generally not a good idea unless you know what you're doing and why. Your question is not so much a pfSense issue as network configuration. As I mentioned, I would have put cameras on their own separate network. One reason for that is their security is poor, so you want to protect them. As for your rules, you don't have a specific interface to assign them to. The best you can do is assign them to the interface those addresses share, which can get tricky.
-
As stated before, I am willing to go against the grain and do things not according to the 'rules' / 'convention'.
Is anyone willing and/or able to tell me how to do it? Or perhaps can I conclude that this software and/or community and my goals are not a match?
No disrespect intended, and I am still very fond of what you guys have set up. I am just confused at the moment.
-
I have already told you what you need to configure a 2nd subnet on an interface and why you don't have a specific interface for your rules. Am I missing something else you need?
-
@jknott said in Multiple non tagged subnets:
I don't, but it is supported with IPv6.
NO IT ISN'T!! You do not use multiple different subnets/prefixes that are supposed to be isolated on the same L2..
If you want to use multiple L3 address ranges on a device that are all in the same L2, fine.. But thinking you can have L3 address range A, and L3 address range B on the same L2 and that somehow isolates these networks - you're doing it WRONG!!! They are NOT isolated if they are in the same L2.
If you want to use GUA range A, along with ULA range A on some device in L2 A - have at it.. But you don't then put device B in GUA range B, ULA range B on this same L2 and think you have actually isolated anything..
@pf_checker if you run multiple L3 on the same L2 you're not isolating anything - if you want devices on the same L2 then put them in the same L3 range.. While you can - use a VIP if you want to run multiple L3 ranges on the same L2 - you're not going to be able to use DHCP to hand out multiple IP ranges. How would DHCP know that this device is supposed to get range A, while the other device gets B?
What you're trying to do makes no sense and is not the correct way to run a network. If you want to use multiple networks - then isolate them at layer 2, either physically or with VLANs. If you're going to put all the devices in the same L2 then use the same L3 network on them - since you have not actually isolated anything anyway if they are on the same L2.
-
Sorry if you're taking my tone the wrong way - yes, I am passionate about networking and security. You're not isolating anything if the devices are on the same L2. So running different L3 ranges is pointless - even if you "can" do it.
If your desire is to isolate IoT devices from other devices.. Then isolate them.. Either on different physical networks to isolate the L2s, or via VLANs to isolate them on different L2s.
It makes no sense to try and run multiple L3s on the same network if your goal is isolation.
jknott is providing BAD information.. IPv6 is no different from IPv4, with some magic sauce to isolate devices on the same L2 just because they're using different subnets/prefixes.
If you have your heart set on running different L3 networks on the same L2 - yes, it can be done. But DHCP is not going to function with this.. You could hand out IPs for devices in range A, and set up MAC blocking to not hand out IPs to the device you want in range B.. But it makes no sense to do such a thing other than busy work with the false sense of security that you think these devices are somehow isolated because they are using different IPs but are actually on the same network.
If you want to keep your IoT devices away from the rest of your network - then put them on their own "network". Some other L3 range is not another network.
-
@johnpoz said in Multiple non tagged subnets:
If you want to use multiple L3 address ranges on a device that are all in the same L2, fine.. But thinking you can have L3 address range A, and L3 address range B on the same L2 and that somehow isolates these networks - you're doing it WRONG!!! They are NOT isolated if they are in the same L2.
If you want to use GUA range A, along with ULA range A on some device in L2 A - have at it.. But you don't then put device B in GUA range B, ULA range B on this same L2 and think you have actually isolated anything..
Last week you mentioned your IPv6 prefix from an earlier ISP would change and I pointed out that this was one situation where you might want to use ULA, so that you'd have stable addresses for use with DNS. That right there is one valid reason for having both ULA and GUA on the same LAN. Also, since ULA is not allowed on the Internet, it does provide some isolation, not from your network, but from the rest of the world. I also mentioned cameras that were used with a DVR, where the cameras were on an entirely separate network that connects only to the DVR. This increases the security of those cameras, as there is no way they can be reached, other than through the DVR. While not physically separate, having a 2nd subnet on the same LAN will provide similar logical isolation, with the limitations discussed earlier. I think this is what the OP is trying to achieve.
So, yes, there are reasons for 2 (or more) subnets on a LAN, both with IPv4 and IPv6. IPv4 has aliases, but IPv6 was designed from the ground up to support it.
-
Gentlemen, are you seriously still hijacking my thread while not resolving it?
-
Your question has been answered multiple multiple times already.
-
@JKnott you're not getting it - at a loss as to how anyone could be this dense..
What part do you not understand that running different L3s on the same L2 provides no isolation? I don't care if it's IPv4, IPv6 or some new IPvX -- you are not isolating anything if you're just changing the IP address used.
You can run multiple IP schemes on the same L2, but these are all meant to be the same network - you're not attempting to isolate this from another network.. They are all the "same" network - just using different L3 schemes..
Device A having IPv4, IPv6 (GUA and ULA), link-local etc.. makes no difference when they are all on the same L2 and meant to talk to each other, and not trying to isolate them from device B.
But if you put device B on this same L2, and just give it some different IPv4, or IPv6 either ULA or GUA - you're not actually isolating anything! This is the basic concept you just don't seem to grasp..
You stating that you can run multiple address schemes and provide anything is FUD!! There is ZERO point to running multiple address schemes on the same L2 if your goal is isolation.. If you want to run GUA or ULA or link-local, be it IPv4 or IPv6, have at it - but don't think just using some different IP scheme on the same L2 provides anything in the way of security.. And if you're not trying to secure anything - it's pointless to run multiple different addresses in the same family, be it IPv4 or IPv6, GUA or ULA..
If you're not trying to isolate then just use 1 address scheme, since you're not actually isolating anything.. This is the point the OP seems to be missing.
It can be done - not with any sort of easy way to DHCP.. Nor can you make firewall rules between a native address and some VIP you put on the interface - why? Because it's POINTLESS, because you cannot secure devices from each other on the same L2 no matter what address you put on the devices.
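The two points argued above (jknott: rules for the second subnet can only be attached to the shared interface and matched by source network; johnpoz: address ranges on one L2 give no isolation, because whether a packet reaches the firewall at all depends on the sending host's own configuration) can be made concrete with a small model. The following is an added illustration, not code from the thread, pfSense or pf: it evaluates a first-match rule list on one LAN interface that carries a native subnet plus a VIP alias subnet, and separately decides whether a host on that L2 hands a given packet to the gateway or delivers it on-link itself. All addresses, the rule set and the `evaluate`/`delivery_path`/`reachability` helpers are constructed for this example.

```python
"""Toy model of pfSense-style first-match rules on one LAN interface carrying
two IPv4 subnets (native subnet + a virtual-IP alias subnet), and of which
destinations a host on that shared L2 reaches without handing a packet to the
firewall at all. Constructed sample topology; not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed topology (hypothetical addresses mirroring the thread's scenario).
LAN_NET = ip_network("192.168.10.0/24")            # interface's native subnet
IOT_NET = ip_network("192.168.20.0/24")            # second subnet added as a VIP alias
FIREWALL_IOT_ADDR = ip_network("192.168.20.1/32")  # the VIP itself, the IoT gateway
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network     # matched against the packet's source address
    dst: IPv4Network     # matched against the packet's destination address
    note: str


# Rules on the shared LAN interface. The VIP subnet is not an interface of its
# own, so the only handle for treating it differently is the source network.
LAN_RULES = [
    Rule("pass", IOT_NET, FIREWALL_IOT_ADDR, "IoT may talk to its gateway (DNS, DHCP)"),
    Rule("block", IOT_NET, ANY, "IoT may not reach anything else, WAN included"),
    Rule("pass", LAN_NET, ANY, "native subnet: allow all, like the default LAN rule"),
]


def evaluate(rules, src, dst):
    """First matching rule wins, as pfSense evaluates interface rules; a packet
    that matches nothing is dropped by the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.note
    return "block", "implicit default deny"


def delivery_path(host_networks, dst):
    """How a host on the shared L2 reaches dst: 'direct' when dst lies inside one
    of the host's own connected networks (the host resolves the MAC and sends the
    frame itself, so the firewall never sees the packet), 'via-gateway' otherwise."""
    dst = ip_address(dst)
    return "direct" if any(dst in net for net in host_networks) else "via-gateway"


def reachability(host_networks, src, dst, rules=LAN_RULES):
    """Only gateway-bound traffic is ever subject to the interface rules."""
    path = delivery_path(host_networks, dst)
    if path == "direct":
        return path, "pass", "on-link delivery, no firewall rule consulted"
    action, note = evaluate(rules, src, dst)
    return path, action, note


if __name__ == "__main__":
    iot_only = [IOT_NET]   # a device holding an address only in the VIP subnet
    print(reachability(iot_only, "192.168.20.50", "203.0.113.9"))     # WAN: via-gateway, block
    print(reachability(iot_only, "192.168.20.50", "192.168.10.20"))   # native subnet: via-gateway, block
    print(reachability([LAN_NET], "192.168.10.20", "203.0.113.9"))    # native host: via-gateway, pass
    # Any host on this same L2 that also holds an address in 192.168.10.0/24
    # (nothing on the wire prevents that) reaches the native subnet directly:
    print(reachability([IOT_NET, LAN_NET], "192.168.10.99", "192.168.10.20"))  # direct, pass
```

The model shows both halves of the discussion: the source-network rule on the shared interface does stop the IoT subnet from reaching the WAN through the firewall, which is the OP's stated goal, while the `delivery_path` check shows that the "isolation" between the two subnets holds only for hosts that keep to the address they were given, which is why a separate L2 (VLAN or physical segment) is the answer whenever isolation itself is the requirement.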
-
@johnpoz said in Multiple non tagged subnets:
jknott is providing BAD information.. IPv6 is no different from IPv4, with some magic sauce to isolate devices on the same L2 just because they're using different subnets/prefixes.
Please see the link I provided in the other message about multihoming with IPv6. It is designed to support it. Why is it there, in RFC7157, if it's bad info?
John, I know you have a lot of experience in networks, but I get the impression you don't do a lot of research on the details. I knew about multihoming being built into IPv6 years ago, because I have made a point of learning as much about IPv6 as I can. For example, if you were to read IPv6 Essentials 3rd ed. (O'Reilly), on page 23 you would find:
"The global routing prefix identifies the address range allocated to a site. This part of the address is assigned by the international registry services and the Internet Service Providers (ISPs) and has a hierarchical structure. The subnet ID identifies a link within a site. A link can be assigned multiple subnet IDs."
Or Cisco's IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 2nd ed., pg. 127:
"A global unicast address is configured on an interface, which can be configured with one or multiple GUA addresses. The GUA addresses can be on the same or different subnets, and they can be configured manually or obtained dynamically."
So, yes, multiple subnets on the same interface are part of how IPv6 was built.