LAN VIPs - multiple subnets



  • I would like to split our LAN into two separate subnets. I was hoping we could accomplish this with a virtual IP range. However, I can't seem to figure out how to do this (a computer with an IP on the Virtual subnet cannot connect). Is there any way to do this? We only have one switch, and it is unmanaged - so I am assuming a VLAN is out of the question?

    Basically, the idea here is that I have some corporate machines on my home network that I would like to keep separated from our personal machines. I would like to connect a site-to-site VPN from our main office to the corporate subnet at home, but I do not want the home PCs to have access to the VPN.

    Any assistance would be appreciated.

    Thanks



  • @spetnik:

    I would like to split our LAN into two separate subnets. I was hoping we could accomplish this with a virtual IP range. However, I can't seem to figure out how to do this (a computer with an IP on the Virtual subnet cannot connect). Is there any way to do this? We only have one switch, and it is unmanaged - so I am assuming a VLAN is out of the question?

    Some options:

• Use static IPs on the home machines, change the LAN DHCP range so that it does not overlap the home machines' addresses, and configure rules on the LAN / VPN interface that do not permit traffic to the home machines.

• Try to buy another unmanaged switch and a network card for pfSense for a better solution:
  The first switch keeps the personal machines and LAN
  The second switch receives the corporate machines and OPT1

• You may do it by configuring VLANs at the pfSense interfaces (LAN, OPT1) and in the machines' network configuration. This is not a best practice but could work.

    @spetnik:

    Basically, the idea here is that I have some corporate machines on my home network that I would like to keep separated from our personal machines. I would like to connect a site-to-site VPN from our main office to the corporate subnet at home, but I do not want the home PCs to have access to the VPN.

After separating the machines by interfaces or by IP range, you will be able to set rules to enable or disable traffic between the interfaces and the VPN.



  • Thanks for the reply. I had actually tried option 3, but I could not get it to work. The LAN interface is set up with DHCP on 192.168.2/24 and I set up a VLAN on the LAN with 192.168.3/24. I assigned a static IP in the VLAN subnet to one of my machines, but I do not get any connectivity. Is there anything I'm missing?

    Thanks


  • Rebel Alliance Developer Netgate

    Having two subnets on the same switch offers you -zero- security gain. There is nothing stopping anyone from simply coding in an IP on the other subnet and using it to talk to those machines. Security by obscurity is not effective against anyone who really wants to get in.

    You also cannot run DHCP on multiple subnets on the same interface/broadcast domain.

    You really need to separate them physically or by VLANs if you want to achieve any of this effectively.

    That said - in 2.0 you can add an IP Alias VIP on the LAN to act as the "gateway" of the second subnet, and then hardcode people into that subnet using that as their gateway/dns. Adjust your firewall rules to let the traffic through, and make sure they're covered by your outbound NAT rules, and it should work.

    It's possible, yes, but not recommended, especially not for security.
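The point made above (and the "rules between interfaces and the VPN" suggestion in the earlier reply) comes down to where the enforcement point sits: pfSense rules only apply to packets that have to be forwarded through it, and a host whose NIC has an address in the destination subnet on the same broadcast domain never forwards anything. The model below, added here as an illustration rather than code from the thread or from pfSense, walks the three situations through a small path calculation: the IP Alias VIP layout on one switch, the same layout once a home machine has simply been given a second address, and the same check with the corporate machines on a VLAN. Host names, addresses, segment labels and the `Firewall` / `Host` classes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    """A machine with one NIC in one L2 broadcast domain, possibly with several addresses."""
    name: str
    segment: str      # the broadcast domain the NIC is plugged into ("lan" switch, "vlan30", ...)
    addrs: tuple      # configured addresses with prefix length, e.g. ("192.168.2.10/24",)


@dataclass
class Firewall:
    """The router hop (pfSense in the thread). It only ever sees packets that need forwarding."""
    blocked: tuple    # (src_net, dst_net) pairs denied when a packet is forwarded

    def forward(self, src_ip, dst_ip):
        for s, d in self.blocked:
            if src_ip in ipaddress.ip_network(s) and dst_ip in ipaddress.ip_network(d):
                return "via-firewall:blocked"
        return "via-firewall:allowed"


def primary(host):
    return ipaddress.ip_interface(host.addrs[0]).ip


def local_target(src, dst):
    """Address of dst that falls inside one of src's own subnets, or None.

    If such an address exists the sender treats the destination as on-link and ARPs
    for it on its own segment instead of handing the packet to its gateway."""
    for a in src.addrs:
        net = ipaddress.ip_interface(a).network
        for b in dst.addrs:
            ip = ipaddress.ip_interface(b).ip
            if ip in net:
                return ip
    return None


def reach(src, dst, fw):
    """How a packet from src to dst travels, and whether the firewall is in the path."""
    if local_target(src, dst) is not None:
        # Sender believes dst is on-link: the switch delivers it if both NICs share the
        # broadcast domain, and ARP simply goes unanswered if they do not. Either way
        # the firewall's rules are never consulted.
        return "direct" if src.segment == dst.segment else "unreachable"
    return fw.forward(primary(src), primary(dst))


# Constructed policy matching the thread's goal: home subnet must not reach the corporate one.
FW = Firewall(blocked=(("192.168.2.0/24", "192.168.3.0/24"),))


def scenario(home_addrs, home_segment="lan", corp_segment="lan"):
    """Home PC with the given addresses trying to reach the corporate PC at 192.168.3.10."""
    home = Host("home-pc", home_segment, home_addrs)
    corp = Host("corp-pc", corp_segment, ("192.168.3.10/24",))
    return reach(home, corp, FW)


if __name__ == "__main__":
    cases = [
        ("IP Alias VIP, one switch, home PC as configured",
         scenario(("192.168.2.10/24",))),
        ("IP Alias VIP, one switch, home PC given a 192.168.3.x address",
         scenario(("192.168.2.10/24", "192.168.3.77/24"))),
        ("Corporate PCs on a VLAN, home PC given a 192.168.3.x address",
         scenario(("192.168.2.10/24", "192.168.3.77/24"), corp_segment="vlan30")),
    ]
    for label, result in cases:
        print(f"{label}: {result}")
```

The first case is the "it should work" outcome: the home PC hands the packet to its gateway and the LAN rule blocks it. The second case is the "zero security gain" outcome: once the home NIC carries any address in 192.168.3.0/24, the switch delivers frames directly and no pfSense rule is in the path. Only the third case, where the corporate machines live in a separate broadcast domain, keeps the firewall as the single path between the two groups, which is why the thread ends up recommending physical separation or VLANs rather than VIPs.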

