How to assign subnet mask 255.255.255.255



  • Is there any possible way to assign a subnet mask of 255.255.255.255 using the DHCP server to LAN and OPT clients so all their communication is routed through the firewall?


  • Rebel Alliance Developer Netgate

    If they have that for a subnet mask, they can't reach the gateway since they would no longer be in its subnet.

    You'd need to control that at the switch level with a function like "private vlans" (or manually make a vlan for each switch port).
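The reply above turns on how a host decides where to send a packet: anything inside its own subnet (as defined by IP address and mask) is delivered directly over the switch, and only off-link destinations are handed to the default gateway, which itself must be on-link to be usable. The following is an added illustration of that decision, not code from the thread or from pfSense; the addresses are constructed for the example, and the model assumes a client that has only its connected route plus a default route, as a plain DHCP-configured host does.

```python
import ipaddress

# Constructed addresses for the example (not from the thread): a LAN client,
# a peer on the same switch, the pfSense LAN address used as gateway, and an
# Internet host taken from the TEST-NET-3 documentation range.
CLIENT_IP = "192.168.1.10"
PEER_IP = "192.168.1.20"
GATEWAY_IP = "192.168.1.1"
INTERNET_IP = "203.0.113.5"


def on_link(src_ip: str, netmask: str, dst_ip: str) -> bool:
    """Return True when dst_ip lies inside the subnet defined by src_ip/netmask.

    On-link destinations are resolved with ARP and delivered by the switch;
    the firewall never sees that unicast traffic.
    """
    net = ipaddress.ip_interface(f"{src_ip}/{netmask}").network
    return ipaddress.ip_address(dst_ip) in net


def next_hop(src_ip: str, netmask: str, gateway_ip: str, dst_ip: str) -> str:
    """Simulate a host's forwarding decision for one destination.

    Returns:
      "direct"       dst is on-link; delivered switch-to-switch, bypassing the firewall
      "via-gateway"  dst is off-link and the gateway is on-link, so the packet
                     goes to the firewall
      "unreachable"  dst is off-link and the gateway is off-link too, so the
                     host cannot even ARP for its own default gateway
    """
    if on_link(src_ip, netmask, dst_ip):
        return "direct"
    if on_link(src_ip, netmask, gateway_ip):
        return "via-gateway"
    return "unreachable"


def forwarding_summary(netmask: str) -> dict:
    """Map each constructed destination to the client's decision under a given mask."""
    return {
        name: next_hop(CLIENT_IP, netmask, GATEWAY_IP, dst)
        for name, dst in (("peer", PEER_IP),
                          ("gateway", GATEWAY_IP),
                          ("internet", INTERNET_IP))
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(f"client {CLIENT_IP} with mask {mask}:")
        for name, decision in forwarding_summary(mask).items():
            print(f"  {name:9s} -> {decision}")
```

With the normal /24 mask the peer is "direct" (the switch delivers it and pfSense never sees it) and the Internet host is "via-gateway"; with a /32 mask every destination, the gateway included, comes out "unreachable", which is the problem the reply describes. A host that additionally installs an explicit on-link host route for its gateway is outside this simple model.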



  • Is there any other way to make all LAN clients route everything through pfSense rather than local traffic being routed directly between LAN clients? I don't want LAN clients to see each other directly nor be able to discover other LAN clients; all of them communicate with pfSense and pfSense bridges them all.



  • @xbipin:

    Is there any other way to make all LAN clients route everything through pfSense rather than local traffic being routed directly between LAN clients? I don't want LAN clients to see each other directly nor be able to discover other LAN clients; all of them communicate with pfSense and pfSense bridges them all.

    I can't think of any way other than VLANs. Switches normally filter out non-broadcast traffic not destined to systems downstream of the appropriate port, but there are probably enough broadcast protocols in use (ARP and DHCP, for example) to make it possible for a system to harvest MAC addresses and IP addresses associated with other switch ports. But it depends on how seriously you mean "nor be able to discover other LAN clients". There are probably solutions that would stop the "average Joe or Josephine" discovering other LAN clients that wouldn't stand in the way of a serious hacker discovering other LAN clients.



  • The problem is I have a normal D-Link 8-port switch which doesn't mention anything about VLAN support.



  • @xbipin:

    The problem is I have a normal D-Link 8-port switch which doesn't mention anything about VLAN support.

    Then I guess if you want the higher level of security you'll have to upgrade the switch. HP/ProCurve 1700-8, 1800-8 (end of sale announced) and 1810G-8 seem to have a good reputation and are among the cheapest 8-port switches I have found with VLAN support.



  • Correct, the best you can get as far as keeping computers from talking on the LAN with an unmanaged switch is unplugging them :-) VLANs (or the pfSense book mentions some switches may have a Private VLAN function where every client is isolated automatically; I've not seen this in the HP switches I've worked with though) are the way to do what you want, or some other switch-specific feature. The firewall can only control traffic that it sees, which is no unicast LAN traffic within a broadcast domain unless destined for its own IP address.



  • The PPPoE server gives a 255.255.255.255 subnet to clients.


  • Rebel Alliance Developer Netgate

    PPTP, and PPP in general, is a special case where the connection is a point-to-point link.

    Even if you set up the PPPoE server on LAN and blocked everything outbound from there that didn't use PPPoE, the LAN clients can still see and talk to each other; the 255.255.255.255 subnet mask is only on the (virtual) PPP interface.



  • They can still talk to each other, but they're now on separate broadcast domains, no? If so, then this would provide privacy roughly equal to two neighbors on separate providers, I would think.


  • Rebel Alliance Developer Netgate

    No, you're missing the point, that just adds another layer on top. If they use PPPoE or PPTP on LAN, they still get an IP by DHCP (or could set one static) and can talk to the local subnet. The PPPoE/PPTP would only be for traffic that went out to the Internet. Even if it redirects the default gateway, the actual IP address on the hardware ethernet adapter would be local and reachable by other machines in the same switch/vlan.

    You can get cheap managed switches on eBay for under $50. It's not worth the hassle to try to make a convoluted mess that won't work when you could really segregate them properly. :-)



  • The reason why I said subnet as 255.255.255.255 is because I have seen my ISP give that to the static WAN IP of my dedicated server, which is assigned by their DHCP server. Basically it means all communication would happen using the ISP router, in which case it's the default gateway. Now I have no clue if they are using VLANs or not; basically I wanted to do the same on my LAN. Most of the users are the normal Tom, Dick and Harry, so no worries about hackers etc. So is it possible to achieve such basic results without using a VLAN-supporting switch and just by making changes to pfSense?


  • Rebel Alliance Developer Netgate

    As we've been saying this entire thread: no, that isn't possible just with settings in pfSense on a wired network.

    The ISP network is probably vastly more complex (and expensive) than just a normal DHCP server, a switch, and some cable.
