Need a little help with subnets



  • I am trying to get multiple subnets to be recognized by the LAN interface. I have made the desired IP-Alias using ifconfig:

    ifconfig xl0 inet 192.168.5.1 netmask 255.255.255.252

    Then I setup the route.

    Now from the 192.168.1.x network I can ping that address. Seems good… Next I changed my computer over to that network/subnet but I could not ping it. Could it be the firewall or what? Any help would be greatly appreciated.



  • Please provide more info what you are trying to do or better said, what you want to achieve by doing this. I'm not understanding it atm  ::)



  • @hoba:

    Please provide more info what you are trying to do or better said, what you want to achieve by doing this. I'm not understanding it atm  ::)

    I am sorry… what I am trying to do is grant people access to the internet but not to each other, a segmented LAN. Possibly further down the road to monitor each segment’s bandwidth, but that’s another story. So basically my goal is to have one computer on its own segment so it can have internet access but no access to anything else on the LAN. Right now it has access to nothing  :)



  • Hello!

    I was in the same situation, dividing 4 subnets from each other under all circumstances, but connecting them to the WAN.

    I think the best possibility is to use separate LAN cards for every subnet (I took a D-Link DFE-580 4x card, ~70 €). So you can control access via firewall rules for each subnet, connected to a port, e.g. lan, opt1, opt2… As a first step, you can copy your default rule from lan to opt1, opt2... and modify it. So every subnet can get out unrestricted (but to the other subnets). Then I pushed blocking rules above the default to restrict every unallowed access from one to another (and you can use the DHCP in a certain range for every subnet).

    The second possibility would be using a VLAN switch, but this would have been far more expensive in my case... Might be interesting if you need more than 8 subnets.



  • You can't split different subnets securely if they are on the same NIC unless you use VLANs. I agree with what wolfman suggests.



  • :-\ I am sorry that I was not all that specific. I didn’t have much time but now I will elaborate.

    This is what I am ultimately trying to accomplish. I am going to have a wireless AP with 20+ people on it. Now I want a way that they only have access to the internet and not each other. The only way that I have figured out for this to work is to have the clients statically assigned to independent subnets. I agree this isn’t very secure, but it accomplishes that the clients can't see each other in a Windows file sharing environment.

    What I wanted to do was have a central server answer to all the separate subnets and just act as a simple gateway. This would have to be done on a single interface. There is no way that I would put up multiple APs so that they can have their own dedicated port.
    In trying to set this up I have made an IP alias on the PF box such as,

    ifconfig xl0 inet 192.168.5.1 netmask 255.255.255.252

    Now if I make a route to that address I can ping it. But when I go to the subnet I cannot ping that address. Did I not set it up right, or is the firewall blocking this?
    Now the next question is: will this work? If not, I need some suggestions. I would prefer not to keep them on just a class C, but if I must I must. Please help :)



  • There's a rather easy solution to this: get a wireless card for your pfSense with an Atheros chipset. We have an option to prevent the hosts talking to each other if configured as an access point. Check the wireless settings page once the card is in place. All clients will get an IP in the same subnet but are not able to talk to each other  ;D



  • @hoba:

    There's a rather easy solution to this: get a wireless card for your pfSense with an Atheros chipset. We have an option to prevent the hosts talking to each other if configured as an access point. Check the wireless settings page once the card is in place. All clients will get an IP in the same subnet but are not able to talk to each other  ;D

    OK, that's a good idea, but the wireless part is transparent and is more like a WLAN, and the computer hardware can't support the 10 or so hardware connections needed either :P.  I have really simplified the network just to the part I'm having problems with. I have two LANs, one a WLAN and another just a LAN. On the WLAN I have it subnetted to a /30 network, in hopes of keeping their networks separate. I just want Internet traffic to travel through the WLAN, and I don't want the computers able to communicate with the other networks on that interface…

    The problem I have is it's not routing any traffic at all… I created an IP alias and was able to have the computers ping their gateways, but not route. I totally opened the firewall to allow all traffic through, but it still didn't work. I tried adding static routes and messing with the NAT, but it still will not work.

    I'm not sure where it might not be working

    @hoba:

    You can't split different subnets securely if they are on the same NIC unless you use VLANs. I agree with what wolfman suggests.

    I know and I have a 24 port managed switch for that but the main problem is routing… I'll worry about the security once it works and routes.



  • @hoba:

    There's a rather easy solution to this: get a wireless card for your pfSense with an Atheros chipset. We have an option to prevent the hosts talking to each other if configured as an access point. Check the wireless settings page once the card is in place. All clients will get an IP in the same subnet but are not able to talk to each other  ;D

    That is pretty interesting.  How can you do this without a wireless setup, through a normal NIC LAN?  I mean any easy ways, not necessarily involving pfSense.



  • Use the client isolation switch on the admin menu of your AP.



  • I understand what you're trying to do, but with what you're trying it won't go…

    This is to make subnetting a bit more understandable (if this is wrong, somebody correct me please): At first, you chose a /30 (255.255.255.252) subnet, which allows a maximum of 3+1=4 hosts (252 in binary is 11111100, so you have only 2 bits for hosts). I suggest you use /28 (240) or something like that, because I think you have more than 4 wifi clients, eh? ;)

    So the easiest way would be to: 1.) Buy an Atheros-based wifi card; 2.) Buy a Linksys WRT54GS, flash it with DD-WRT, set it in AP mode, disable WAN, connect it to the LAN, set it up, and select AP isolation...
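As an added illustration (not from any poster in this thread), here is a small Python planner for the per-client /30 scheme the thread is arguing about: it shows what a given mask actually yields in addresses, carves one /30 per client out of a parent block with the first host as the gateway alias and the last as the client, and checks whether two client addresses fall in the same IP subnet. The interface name xl0 and the 255.255.255.252 mask come from the posts; the 192.168.5.0/24 parent block is a constructed sample.

```python
import ipaddress


def subnet_capacity(netmask):
    """Return (prefix_len, total_addresses, usable_hosts) for a dotted netmask."""
    net = ipaddress.ip_network(f"0.0.0.0/{netmask}")
    total = net.num_addresses
    usable = max(total - 2, 0)  # network and broadcast addresses are not assignable
    return net.prefixlen, total, usable


def plan_per_client_subnets(parent_cidr, iface="xl0", prefix=30):
    """Carve one small subnet per client out of parent_cidr.

    First usable address = gateway alias on the pfSense box, last usable = the client.
    The generated ifconfig line carries the FreeBSD 'alias' keyword: without it a
    second 'ifconfig xl0 inet ...' replaces the primary address instead of adding one.
    """
    if prefix > 30:
        raise ValueError("a /31 or /32 leaves no separate gateway and client address")
    parent = ipaddress.ip_network(parent_cidr)
    plan = []
    for sub in parent.subnets(new_prefix=prefix):
        hosts = list(sub.hosts())
        gateway, client = hosts[0], hosts[-1]
        plan.append({
            "subnet": str(sub),
            "gateway": str(gateway),
            "client": str(client),
            "alias_cmd": f"ifconfig {iface} inet {gateway} netmask {sub.netmask} alias",
        })
    return plan


def same_subnet(ip_a, ip_b, netmask):
    """True when ip_b lies in the subnet that ip_a/netmask describes."""
    net_a = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


if __name__ == "__main__":
    print(subnet_capacity("255.255.255.252"))          # /30: 4 addresses, 2 usable
    print(subnet_capacity("255.255.255.240"))          # /28: 16 addresses, 14 usable
    for entry in plan_per_client_subnets("192.168.5.0/24")[:3]:
        print(entry["alias_cmd"], "->", entry["client"])
    print(same_subnet("192.168.5.2", "192.168.5.6", "255.255.255.252"))
```

Two clients in different /30s are separated only at the IP layer; on one NIC or one AP they still share the broadcast domain, which is why the thread keeps coming back to VLANs or the AP's client isolation.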

