Netgate Discussion Forum

Using subnets with pfsense

Category: Routing and Multi WAN
16 Posts, 8 Posters, 6.9k Views
sandeep.sp, last edited by Sep 18, 2009, 11:39 AM

Hi

I am running pfSense 1.2.2 and here is what I would like to configure on my LAN.

The LAN IP address is 192.168.0.0, subnet mask 255.255.255.192, which means I have 4 subnets:

1.  192.168.0.0 /26
2.  192.168.0.64 /26
3.  192.168.0.128 /26
4.  192.168.0.192 /26

My pfSense box has the IP address 192.168.0.177 /26.

Now, how can I use pfSense to make sure that PCs in the first subnet are able to access the PCs on the other subnets and vice versa?

I've two interfaces, one is WAN and the other is for LAN. All the PCs under pfSense have pfSense's LAN address as their gateway. What should I do?

sandeep

sandeep.sp, last edited by Sep 19, 2009, 5:02 AM

Hi,
Can anyone help???

thanks
Sandeep

danswartz, last edited by Sep 19, 2009, 7:31 PM

Not understanding what you are trying to accomplish here? If you have one physical LAN, what is gained by having 4 subnets?

Supermule (Banned), last edited by Sep 19, 2009, 8:23 PM

Nothing..

Ben.K, last edited by Sep 20, 2009, 3:10 AM

You'll need an interface in each subnet in pfSense. Once you have this, just configure the firewall rules to allow the traffic to pass from one subnet to another. If you don't have the actual physical interfaces, you could set up VLANs.

There really isn't much (anything?) to be gained by making this four small subnets.

sandeep.sp, last edited by Sep 20, 2009, 9:16 AM

I am subnetting my network to reduce the broadcasts.
I've got more than 100 PCs on my LAN and some use the internet and some do not, so I will keep those PCs which use the internet in one subnet, and those which don't use the internet will be kept in another subnet.

In this way I can control the traffic on my LAN.
This is what I want to do..

Supermule (Banned), last edited by Sep 20, 2009, 9:20 AM

HP managed switches can block multicast traffic, just FYI.

:)

If you plan to do it the easy way…..BUT. I would use VLANs to reduce traffic like that, if I didn't have a switch that could....

blak111, last edited by Sep 20, 2009, 9:46 AM

The subnetting alone won't reduce the amount of broadcasts on that network. It will just change the destination addresses. It will still be delivered to all of the nodes unless you actually divide the network using VLANs or separate hardware.

sandeep.sp, last edited by Sep 21, 2009, 6:01 AM

I don't have a managed switch.
I have only one 3Com managed switch and the other switches are not managed. Can I create the VLAN in this scenario? I mean, how can I use one managed switch to control the traffic?

thanks
sandeep

Supermule (Banned), last edited by Sep 21, 2009, 6:11 AM

If the switch has a VLAN option, it is no problem.

sandeep.sp, last edited by Sep 21, 2009, 6:56 AM

Thanks very much,
I'll give it a try.

Smokeshow, last edited by Sep 22, 2009, 2:21 PM

[rant]
This seems to be one of the major features missing in pfSense: the ability to assign more than one IP address to an interface. Yes, I know you can do so by modifying the config file manually, but I seem to have issues with this, especially when doing so on one of my WAN interfaces. Most of the Linux firewall distros have the ability to do this easily and effectively, why can't pfSense?
[/rant]

ITCoresys, last edited by Sep 23, 2009, 6:20 AM

Even if you never use more than one pfSense, you can still add CARP virtual IPs to it to get "secondary" addresses on your WAN.

That way you can map inbound and outbound NAT to the CARP address, as well as port forward statements, etc.

This is how I utilize more than a single IP in a block assigned by my ISP.

Not sure if this is the right way, but it allows me to have users port translate to address .2 and my mail server NAT translate to .3, which is a CARP virtual IP.

Supermule (Banned), last edited by Sep 23, 2009, 6:24 AM

Please explain more of that…

ITCoresys, last edited by Sep 25, 2009, 2:34 PM

Say for example, my ISP assigns me an external address of 207.46.193.24/29 (255.255.255.248).

They describe it to you as 5 usable. It's really 6, but your ISP takes one for their router to be your default gateway, leaving you 5 for your router(s).

So, your ISP uses 25 and you get 26-30 usable.

Put 207.46.193.26/29 on your WAN.

Add 207.46.193.27/29 through 207.46.193.30/29 as Virtual IPs of the "CARP" type.

Optionally label each address with something that tells you what you intended it for, like…

.26 = WAN Interface = Default outbound NAT translation for LAN network (Disable auto
.27 = EMAIL Server = Outbound translation of 192.168.x.x (Mail Server IP) to .27 (CARP virtual) and inbound port translations for TCP 25 (SMTP), TCP 110 (POP3), TCP 80,443 (Webmail)
.28 = Web server = Inbound port translations for TCP 80,443

etc...

Disable automatic outbound rule generation and use manual outbound rule generation for NAT to use the CARP virtual IPs outbound for particular inside hosts.

This way, reverse DNS for .26 could be users.mydomain.com and the reverse DNS for .27 could be mymailserver.mydomain.com, and the forward DNS for .27 could match mymailserver.mydomain.com. This way forward and reverse match, so you don't get penalized by some spam solutions for your outbound mail.

All this magical goodness because you can set more IPs on virtual IP CARP interfaces.

If you decide later to add a second pfSense for redundancy, you could set .30 on your second pfSense, set up replication from your current one, and they will share those secondary addresses.

This makes it WAY better than Linux being able to have secondary addresses on its firewalls with ifconfig eth0:0, eth0:1, etc...

Cheers  ;D

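An added example (not code from this thread or from pfSense) that does the address arithmetic behind both the original /26 LAN question and the /29 WAN layout in the post above: it splits the LAN into the four /26 subnets and checks, per subnet, whether the pfSense address 192.168.0.177 is on-link (a host whose default gateway sits in a different subnet has no on-link route to it), and it allocates the 207.46.193.24/29 block into ISP gateway, WAN address and CARP VIPs with role labels. The function names `lan_plan` and `wan_plan`, the "spare" label and the assumption that the LAN parent block is 192.168.0.0/24 are mine.

```python
"""Subnet arithmetic for the two address plans discussed in this thread.

Added example, not code from the thread or from pfSense. Uses only the
standard-library ``ipaddress`` module. The /26 LAN split and the
207.46.193.24/29 block are the values quoted in the posts; treating the
LAN parent as 192.168.0.0/24 is an assumption.
"""
import ipaddress


def lan_plan(network: str, new_prefix: int, gateway: str) -> list:
    """Split `network` into /new_prefix subnets and report, for each one,
    whether `gateway` is on-link. Hosts in a subnet where this is False
    cannot ARP for the firewall and so cannot use it as their gateway."""
    net = ipaddress.ip_network(network, strict=False)
    gw = ipaddress.ip_address(gateway)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        rows.append({
            "subnet": str(sub),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "gateway_on_link": gw in sub,
        })
    return rows


def wan_plan(block: str, roles: list) -> dict:
    """Allocate a provider block the way the post describes: the first usable
    address is the ISP router (default gateway), the second is the pfSense
    WAN address, and the remainder become CARP virtual IPs labelled with
    the given roles; any left over are marked "spare" (my label)."""
    net = ipaddress.ip_network(block, strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    isp_gw, wan, vips = hosts[0], hosts[1], hosts[2:]
    plan = {"isp_gateway": str(isp_gw), "wan_interface": str(wan), "carp_vips": {}}
    for addr, role in zip(vips, roles):
        plan["carp_vips"][str(addr)] = role
    for addr in vips[len(roles):]:
        plan["carp_vips"][str(addr)] = "spare"
    return plan


if __name__ == "__main__":
    # Values from the thread: four /26 subnets, pfSense LAN address .177
    for row in lan_plan("192.168.0.0/24", 26, "192.168.0.177"):
        print(row)
    print(wan_plan("207.46.193.24/29", ["EMAIL server", "Web server"]))
```

Run as-is, the LAN table shows that only 192.168.0.128/26 has the firewall on-link, which is why the other three subnets need their own interface (physical, VLAN or virtual IP) on pfSense before any firewall rules matter.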
ktims, last edited by Sep 29, 2009, 5:51 PM

Yeah, I think a virtual IP on your LAN interface for each subnet would do the job here. You might need to tweak the rules a bit, but I think it should work fine.

Like everyone else though I question why you're doing it this way. Without VLANs or separate physical segments it doesn't buy you anything. Either upgrade your switches (or rearrange them so you have a VLAN-capable 'core' and unmanaged edge) or flatten it out, since all it does is complicate your setup needlessly.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.