Multiple non tagged subnets
-
YOU DO NOT GET IT --- where in that RFC does it state that using address scheme X vs Y on the same L2 provides any sort of security?
Sorry, but with device A on the same L2 as device B, you cannot secure them from each other by just changing the address scheme used.. YOU CANNOT!!!
-
@johnpoz said in Multiple non tagged subnets:
@JKnott you're not getting it - at a loss as to how anyone could be this dense..
Please read the info I provided in the other messages and tell me again I'm dense. Or are you also claiming Cisco and Silvia Hagen, the author of IPv6 Essentials, and the authors of that RFC7157 are dense?
-
Dude, I have read it - I suggest you read it again.. And point out where you're actually securing anything by using different address schemes on the same L2... I don't give 2 shits what the different address schemes are used for..
Just completely flabbergasted how anyone in the field could be this dense..
-
You're going way off point. The OP asked about having a 2nd subnet on a LAN. We are all aware that the best way is to use a separate LAN or VLAN, but there is absolutely no reason not to use a 2nd subnet if that does the job. No, there is no protection from other devices on the LAN, but there is some from elsewhere. For example, on IPv4, NAT is often used. If he doesn't set up NAT to the 2nd subnet, then it's unlikely it can be reached from anywhere beyond the local network. Even if someone on the main subnet tries to reach something on the 2nd subnet, they'll get ICMP redirects, which will prevent them from reaching it. They would have to create an alias on their computer too to get around that. That is something that is likely to be beyond the skills of typical users, particularly if they don't have admin or root permissions.
Are the OP's goals high security? Or just enough to keep out casual attacks?
-
@pf_checker There is no point in using two different subnets on the same broadcast domain. You will not get the security that traditional VLANs provide if that's what you want. They will not be isolated. If you want to do a router on a stick configuration, you will need a managed switch. Otherwise you will need another physical interface on your pfsense box. Sorry, there's just no way around this.
-
@jknott I would think if OP is compromised that anyone that did it is savvy enough to do a simple ARP scan using nmap. Sometimes pinging the broadcast address is all you need to see every device on the network. I'm not sure there's any reason to have multiple ranges on the same broadcast domain, at least with IPv4.
-
@jknott said in Multiple non tagged subnets:
The OP asked about having a 2nd subnet on a LAN
And he was given the correct answer.. You are the one going on about running multiple different addressing schemes.. That have nothing to do with a firewall and securing anything.. Because it's not secure if they are on the same L2..
If it's "not" secure there is ZERO point to running another same-type address scheme.. As I already stated, running 192.168.10/24 and 192.168.20/24 on the same L2 provides ZERO anything other than a headache.. If you want to have some devices on 192.168.10.X and some on 192.168.20 for example, then just run a /16 or 192.168.0/19 and now you can use those different IP ranges - but they are all on the same L2 network; it's pointless to try and run different address schemes.. In the same family of addresses.
So the correct answer to the OP question is don't! He can if he wants via a vip, but there is no way to firewall between a vip network and the native address on the interface. Since it's pointless - even if you could create rules.. They are actually false!! Since you're not actually isolating anything.. Since the devices are on the same L2.
@JKnott you tend to lead users down the WRONG path.. On semantics, your tagging advice that dumb switches don't strip them.. So what? It's not secure, be it you can run tags over the device or not.. It doesn't understand them.. so it doesn't isolate traffic between the ports..
Same sort of thing in this multiple address schemes on the same L2 - it provides no security..
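As an added example (mine, not from any poster in this thread and not pfSense code), the Python below models the host routing decision and the firewall hop for the two designs argued about above: a second subnet as a VIP on the same LAN interface (JKnott's ICMP-redirect post and johnpoz's "same L2, no isolation" reply) versus the camera subnet on its own VLAN. All addresses, host names and segment names are constructed, and the model is deliberately reduced to longest-prefix routing, on-link ARP and a single router.

```python
"""Model of the host routing decision and the firewall hop for two IPv4
subnets on one Ethernet segment versus two segments (VLANs).

Added example for this thread; hosts, addresses and segment names are
constructed. No ARP timing, no firewall rules, one router."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Iface = ipaddress.IPv4Interface
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    via: Optional[IPv4] = None  # None = on-link: ARP for the destination itself


@dataclass
class Host:
    name: str
    segment: str          # the L2 segment (switch or VLAN) the NIC is plugged into
    addrs: List[Iface]    # native address plus any aliases
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over connected prefixes and static routes."""
        candidates = [Route(a.network) for a in self.addrs] + self.routes
        matches = [r for r in candidates if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass
class Router:
    ifaces: Dict[str, List[Iface]]  # segment -> addresses on that interface (VIPs included)

    def egress(self, dst: IPv4) -> Optional[str]:
        """Interface (segment) whose connected prefix contains dst."""
        for seg, addrs in self.ifaces.items():
            if any(dst in a.network for a in addrs):
                return seg
        return None


def on_link(segment: str, addr: IPv4, hosts: List[Host]) -> bool:
    """Would an ARP request for addr on this segment get an answer?"""
    return any(h.segment == segment and any(a.ip == addr for a in h.addrs) for h in hosts)


def send(src: Host, dst: str, router: Router, hosts: List[Host]) -> dict:
    """Trace one packet from src to dst and report how it got there."""
    dst_ip = IPv4(dst)
    out = {"via_firewall": False, "hairpin": False, "delivered": False}
    route = src.lookup(dst_ip)
    if route is None:
        return out
    if route.via is None:
        # Directly connected: the host ARPs on its own segment; the firewall never sees it.
        out["delivered"] = on_link(src.segment, dst_ip, hosts)
        return out
    # Sent to the gateway; the router forwards by its own connected prefixes.
    out["via_firewall"] = True
    seg = router.egress(dst_ip)
    if seg is None:
        return out
    # Forwarded back out the interface it arrived on: both subnets share one L2.
    # Depending on the stack and its settings the router may also send an ICMP
    # redirect here; either way the packet is forwarded, not dropped.
    out["hairpin"] = seg == src.segment
    out["delivered"] = on_link(seg, dst_ip, hosts)
    return out


def scenarios() -> Dict[str, dict]:
    default_lan = [Route(Net("0.0.0.0/0"), IPv4("192.168.10.1"))]
    default_cam = [Route(Net("0.0.0.0/0"), IPv4("192.168.20.1"))]
    laptop = Host("laptop", "lan", [Iface("192.168.10.50/24")], default_lan)
    camera = Host("camera", "lan", [Iface("192.168.20.50/24")], default_cam)
    # The same user after `ip route add 192.168.20.0/24 dev eth0` (or adding an alias).
    laptop_direct = Host("laptop", "lan", laptop.addrs,
                         default_lan + [Route(Net("192.168.20.0/24"))])

    # Design 1: native 192.168.10.1/24 plus a VIP 192.168.20.1/24 on the one LAN interface.
    pf_vip = Router({"lan": [Iface("192.168.10.1/24"), Iface("192.168.20.1/24")]})
    # Design 2: the camera subnet on its own VLAN / interface.
    pf_vlan = Router({"lan": [Iface("192.168.10.1/24")],
                      "cameras": [Iface("192.168.20.1/24")]})
    camera_vlan = Host("camera", "cameras", camera.addrs, default_cam)

    return {
        "vip_default_route": send(laptop, "192.168.20.50", pf_vip, [laptop, camera]),
        "vip_direct_route": send(laptop_direct, "192.168.20.50", pf_vip, [laptop_direct, camera]),
        "vlan_default_route": send(laptop, "192.168.20.50", pf_vlan, [laptop, camera_vlan]),
        "vlan_direct_route": send(laptop_direct, "192.168.20.50", pf_vlan, [laptop_direct, camera_vlan]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

Running it shows the point the two sides actually agree on: in the VIP design the camera is reached with the first packet hairpinned through the pfSense interface, and a host that adds one on-link route (or an alias) reaches it without the packet ever touching pfSense, so rules between the two subnets cannot be enforced. In the VLAN design the same trick gets no ARP answer on the laptop's segment, and the only path to the camera crosses the firewall.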
-
@pf_checker said in Multiple non tagged subnets:
@JKnott please help me wade through what are, for me, muddy waters. Is there a step by step available?
As I and John have both mentioned, the best thing for you is a managed switch to separate the VLAN from pfsense into a native LAN that supports the subnet you want to use. BTW, no need for a /16, unless you have several thousand cameras. Address classes have been obsolete for well over 20 years. Just pick the appropriate subnet size and set the mask accordingly. What you are trying to do, while possible, is not advisable. As I mentioned, you really need to know what you're doing when you try to get fancy with things. Both John and I have years of experience (my LAN experience goes back to early 1978, Ethernet to the late '80s and IP, spring 1995) and would have no problem being able to do what you want, and I have provided the info you need to do that. The next question is whether it's advisable, given your limited experience.
-
@johnpoz said in Multiple non tagged subnets:
They are actually false!! Since your not actually isolating anything.. Since the devices are on the same L2.
Yep and I haven't claimed otherwise.
-
@jknott said in Multiple non tagged subnets:
Yep and I haven't claimed otherwise.
Then DON'T even bring it UP!!
-
@johnpoz Heh heh, I don't post here much but I have to say that I appreciate your blunt, straight to the point responses. Obviously OP has a flawed understanding of what VLANs are.
I would start with reading up on broadcast domains if I were OP since the point here is to put their cameras on a separate broadcast domain (or VLAN) where one device would have to go through the firewall (or router/L3) to communicate with a device on the other L2/VLAN.
-
@johnpoz WOW!! As a newcomer to this community (and the software) I am flabbergasted.
Is this the level of communicative skills one can expect going forward?
I am not trying to be a dick but I am seriously looking to go back to OpenWRT at the moment because network science and politics should stay separate. I am not sure you all have heard about the blunder flamewars against OPNsense but things like this need to not happen!!
It is simple. Either please show me how to get where I need to get or tell me it is not possible.
@RadicalEntity this is just a small home setup. Only thing I care about is not having IoT talking home to china.
Is this such an uncommon use case? And yes there are ways around it. Not trying to be a bitch but other software does this out of the box.
-
@radicalentity obvious? flawed? I never wanted to talk about vlans from the get go. I think you need to gather more of my knowledge about a certain subject before making statements.
now what is it you would like me to explain to you so you can start making judgements?
please settle down, stop drinking the coffee for a moment and breathe
-
BTW, this is by far the most hostile forum I have ever been on. I am not sure if you guys are doing this deliberately or just having a bad day at the office.
-
@pf_checker Are you trolling or something? If you're not that concerned about security then why do you want to do two separate subnets? What are you trying to ultimately accomplish? If you want help, then answer that question.
But if you're really set on this idea, then you need to turn off DHCP since it won't work properly at all and then use hard coded static IP addresses on all of your hosts with subnet masks set accordingly. The problem you will run into here is your default gateway if you want your devices to talk to the internet. If I recall, you can only set one static IPv4 address on an interface in pfsense.
-
@radicalentity so when critical questions or observations are being made one is a troll?
No, I just want to get my shit together.
10.30.x.x camera
10.20.x.x other devices
10.19.x.x servers
10.18.x.x some other shit
I will accept if Netgate did not plan ahead for this use case
-
@pf_checker Then you need a managed switch using router on a stick config or more interfaces on your pfsense box. What you're asking for is impossible, that is if you want them all to talk to the internet. Only one of those subnets will be able to. I doubt very much that Netgate will modify pfsense to do what you want because it's pretty much a misconfiguration.
-
@pf_checker said in Multiple non tagged subnets:
I will accept if netgate did not plan ahead for this usecase
Ok, you are right, bye.
-
@johnpoz please treat me as a slow learner. Where in this thread are the step by steps?
Re: Multiple non tagged subnets
One man down. Going back and try OpenWRT.
humility seems to still rule there