How to keep networks separated
-
New to using pfSense. I have tried in the past to get it up and running in a VMware ESXi environment but had been unsuccessful until now. Everything works, but my pfSense is using an AT&T modem; the AT&T modem is configured for IP passthrough to allow pfSense to get a public IP address. pfSense is configured for DHCP and is handing out 10.x.x.x IP addresses correctly, and I can get out to the internet without any issues. I'm still using the AT&T modem for other devices and it is handing out IP addresses in the 192.x.x.x range and everything works as expected. I can't ping anything from the 192 to the 10 network, which seems correct to me. But I can ping from the 10 to the 192 network, which does not seem correct to me. I do not want the 10 to be able to reach the 192. Is there anything I can do to prevent the 10 from reaching the 192?
-
@blake said in How to keep networks separated:
I do not want the 10 to be able to reach the 192. Is there anything I can do to prevent the 10 from reaching the 192?
Yeah, put in a rule on your LAN that blocks access to 192.168/16 or whatever the /24 network is you're using on the pfSense WAN.
Seems odd to me that you're saying pfSense is getting a public IP but other devices are getting 192. This isn't normally how a gateway in bridge mode works.
-
@johnpoz With my ATT modem in DMZ mode pfSense gets a public address, but hosts on the inside can still talk to 192.168.1.0/24 which is the ATT DHCP range. I cannot say how it works but it does.
-
@andyrh There is a difference between DMZ mode, where all traffic is sent to the DMZ host, and actually having a public IP.
Ah, you're doing this:
https://www.att.com/support/smallbusiness/article/smb-internet/KM1188700/
You are on a business connection then I take it.
-
@johnpoz That is what I did because my modem does not have bridge mode. I do not have a business connection.
-
@andyrh Either way, yeah, it makes sense that you would be able to access that network on your WAN with such a setup.
Just block that access on the pfSense LAN if you do not want your clients to access whatever 192.168.x.x network.
-
@johnpoz Thanks for your help, that worked. After restarting pfSense it started working.
-
@blake said in How to keep networks separated:
After restarting pfSense it started working.
You should not have had to restart pfSense, but if there was an existing state, sure, it would have still been allowed.
If you had waited for that state to time out, or if you had killed the state, then the rule would have kicked in. States are looked at before firewall rules.
So if pfSense had allowed traffic to X, and the state was still there, then yes, traffic via that state would have still been allowed until the state went away. Rebooting pfSense is one way of killing off states, but it's a pretty heavy-handed way of doing that ;)
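A small model of the evaluation order described above (state table first, rule set only for new flows), added here as an illustration and not code from the thread or from pfSense; the 10.0.0.0/24 LAN and the 192.168.1.10 host are constructed values:

```python
"""Toy model of pf/pfSense rule evaluation: the state table is consulted before
the rule set, so a newly added block rule does not affect a flow that already
has a state entry until that state times out or is killed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


@dataclass
class Firewall:
    rules: list = field(default_factory=list)   # first match wins, as in pfSense
    states: set = field(default_factory=set)    # established flows as (src, dst)

    def filter(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if (src, dst) in self.states:            # state hit: rules are not consulted
            return "pass"
        for rule in self.rules:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))  # a pass creates a state entry
                return rule.action
        return "block"                           # pf default deny

    def kill_states(self, dst_net):
        """Drop states by destination, like killing states instead of rebooting."""
        net = ipaddress.ip_network(dst_net)
        self.states = {s for s in self.states if s[1] not in net}


def demo():
    any4 = ipaddress.ip_network("0.0.0.0/0")
    lan = ipaddress.ip_network("10.0.0.0/24")        # constructed LAN subnet
    fw = Firewall(rules=[Rule("pass", lan, any4)])   # default "LAN to any" allow
    first = fw.filter("10.0.0.5", "192.168.1.10")    # flow established, state created
    fw.rules.insert(0, Rule("block", lan, ipaddress.ip_network("192.168.0.0/16")))
    during = fw.filter("10.0.0.5", "192.168.1.10")   # state still present: still passes
    fresh = fw.filter("10.0.0.6", "192.168.1.10")    # new flow hits the block rule
    fw.kill_states("192.168.0.0/16")
    after = fw.filter("10.0.0.5", "192.168.1.10")    # state gone: block rule applies
    return first, during, fresh, after


if __name__ == "__main__":
    print(demo())   # ('pass', 'pass', 'block', 'block')
```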
-
@johnpoz said in How to keep networks separated:
Seems odd to me that you're saying pfSense is getting a public IP but other devices are getting 192. This isn't normally how a gateway in bridge mode works.
That's how the AT&T garbage works. Their gateways have what's called passthrough mode. Via DHCP it assigns the public IP to a single device on the LAN side.
However, the public IP still remains assigned to the gateway's WAN as well. It's a pseudo passthrough mode of sorts, a fake bridge.
The end result: the customer's device (router, pfSense, etc.) has what appears to be a public IP, as does the gateway. As such, the gateway can assign various private IPs to other devices (wired and wireless) connected to its ethernet ports and/or wifi SSID. A traceroute from behind the customer's router (pfSense or other) will show the gateway IP as the first hop (192.168.1.254) rather than the real WAN gateway.
For those of us on fiber in areas not yet upgraded to XG-PON, several bypass methods exist which eliminate the ISP gateway box entirely. The best is extracting (or buying) the 802.1X certs and then implementing them in software using wpa_supplicant. This gives the customer full access and control of the network, no double NAT, etc. Also a /60 PD for IPv6 vs the /64 from the gateway box.
The other methods still rely on the gateway box in one manner or another.