Multiple subnets on pfSense?



  • Hi all

    First let me tell you how my network is set up.

    I have multiple networks like

    192.168.1.0 / 24 gw 192.168.1.1 vlan 101

    192.168.2.0 / 24 gw 192.168.2.1 vlan 102

    192.168.3.0 / 24 gw 192.168.3.1 vlan 103

    Etc etc etc

    Up to about

    192.168.15.0 / 24 gw 192.168.15.1 vlan 115

    These are running on their own VLANs connected to a bunch of HP 2650 layer 2 managed switches, which are all connected to a Netgear GSM7312 layer 3 switch that is our default gateway for all these subnets.

    From the layer 3 switch, the traffic runs into a Cisco PIX 506 and then on to our Cisco 4000 router, which runs our internet, and everything is fine.

    Now I'm trying to replace the PIX with a pfSense, to get the traffic shaper option on our entire network.

    The pfSense has two Ethernet cards in it, one for LAN, which is 192.168.1.2 / 24 with gateway 192.168.1.1.

    The other, for WAN, is 80.164.175.xxx / 28 with gateway 80.164.175.xxx.

    In the pfSense I have created a lot of static routes, one for every subnet, like

    192.168.1.0 /24 gateway 192.168.1.1

    192.168.2.0 /24 gateway 192.168.1.1

    192.168.3.0 / 24 gateway 192.168.1.1

    And so on

    But I can't get this to work.

    When I'm sitting on VLAN 101 with a PC at 192.168.1.50, using 192.168.1.2 as my default gateway, I can get through to the internet via the pfSense, and everything is fine. I can ping other machines on other VLANs, for example 192.168.2.50, so that is also working.

    But if I'm using 192.168.1.1 (my layer 3 switch) as default gateway, and define the next hop address in the layer 3 switch to be 192.168.1.2, I can't get out.

    I tried switching to VLAN 103 and this doesn't work either; I then have a 192.168.3.50 IP with 192.168.3.1 as gateway (same layer 3 switch), with next hop address 192.168.1.2. NO GO.

    I hope you can understand what it is I want to do?

    Just to clarify: in my layer 3 switch I define the next hop address, which is normally my PIX, 192.168.1.7, and this is working flawlessly, but when I change it to 192.168.1.2 it doesn't work.

    From the pfSense I can ping the internet, and also machines on different VLANs, so it does have some kind of contact with them.

    I hope that anyone can help me figure out what is wrong, or maybe just clarify whether the pfSense can handle all these subnets?

    Sincerely

    Carsten Larsen

    Denmark



  • I more or less followed this; it would help to see a Visio or Dia diagram of the proposed network layout (with maybe only 2 or 3 VLANs shown).  What it sounds like you want to do is just put the pfSense box in between the L3 switch and the PIX; putting it in each VLAN is just making your network more complex than it needs to be and isn't how the shaper works (LAN and WAN interface only - actually, any TWO interfaces now).

    –Bill



  • Hi Bill

    I have made a quick JPG of the network.

    You can see it here:

    http://www.sundbynet.dk/forum/sundbynet.jpg

    I hope that explains it better; otherwise feel free to ask any questions.

    sincerely Carsten Larsen



  • Check the firewall log and see if you're missing any allow rules by chance.

    Possibly assign virtual IPs within each of the given IP ranges to the pfSense box (2.1, 3.1, 4.1, etc.) and change the gateway IP for the separate VLANs accordingly.



  • hello

    I looked in the firewall log, and could see that there were many "blocks" from all of my subnets, even though PCs from those subnets could still ping the firewall.

    I tried making a rule to allow the 192.168.3.0/24 net to any, and that stopped PCs from this subnet from showing up in the firewall log, but still no internet. It looks like we got a little further, though.

    I don't understand exactly what you mean about the virtual IP; could you perhaps clarify this a little bit more?

    sincerely Carsten Larsen



  • Virtual IPs…..

    On the internal interface on the firewall, have the real IP address be what it currently is, 192.168.1.1, and then go to Firewall --> Virtual IPs and add a virtual IP for each of the subnets.

    So you can assign virtuals for
    192.168.2.1/24
    192.168.3.1/24
    192.168.4.1/24
    and so forth....



  • hey all

    I got it to work; it was the outbound NAT that I needed to enable, then everything worked out fine.
    Thanks a lot for the help anyway.

    Now I'm fooling around a little bit with the traffic shaper, but I don't think it works all that well for me, or perhaps I'm doing something wrong.

    We have a 10/10 Mbit FWA connection from our ISP, and in the traffic shaper wizard I have typed that my LAN is 10000 kbits/second and WAN is 10000 kbits/second. Is this correct? I then tried to traffic shape P2P, especially Direct Connect, to only 1 % of the total bandwidth, but I could still download at almost 10 Mbit with DC++?

    any ideas, guys?

    sincerely Carsten
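
Added example, not code from the thread or from pfSense: a small Python model of the decision a pfSense in this position makes for one packet, covering the two posts above where the firewall log showed blocks from the other subnets and where enabling outbound NAT fixed it. The constants follow the original post (LAN 192.168.1.2/24, layer 3 switch 192.168.1.1, building subnets 192.168.1.0/24 to 192.168.15.0/24); the WAN /28 addresses, the internet test destination and the two sample hosts 192.168.1.50 and 192.168.3.50 are placeholders and constructed inputs. The model assumes pfSense's default LAN rule (source "LAN net" only) and automatic outbound NAT (directly connected LAN subnet only), which is why subnets reached through static routes are first blocked and logged, then, once allowed, leave the WAN with an untranslated private source until a manual outbound NAT rule covers them. The static route the post lists for 192.168.1.0/24 itself is left out because that network is directly connected. `summary_prefix()` is a hypothetical helper that also shows the 15 building /24s aggregate to 192.168.0.0/20 (a /22 would only reach 192.168.3.255).

```python
"""Constructed model of the forwarding decision a pfSense makes in this setup.

Added example; not pfSense code or the poster's configuration. Walks the
three states in the thread: default LAN rule + automatic outbound NAT
(other subnets blocked and logged), an added allow rule (filter passes,
WAN sees untranslated 192.168.x.x sources), manual outbound NAT (works).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

LAN_NET = ip_network("192.168.1.0/24")           # pfSense LAN subnet (from the post)
L3_SWITCH = ip_address("192.168.1.1")            # GSM7312, gateway for all VLANs (from the post)
WAN_NET = ip_network("80.164.175.0/28")          # constructed placeholder for the masked /28
WAN_ADDR = ip_address("80.164.175.2")            # constructed
WAN_GW = ip_address("80.164.175.1")              # constructed
INTERNET_HOST = ip_address("198.51.100.10")      # constructed destination (TEST-NET-2)

# Building subnets from the post: 192.168.1.0/24 .. 192.168.15.0/24
BUILDING_NETS = [ip_network(f"192.168.{i}.0/24") for i in range(1, 16)]


def summary_prefix(nets: List[IPv4Network]) -> IPv4Network:
    """Smallest single prefix containing every network in nets (hypothetical helper)."""
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):
        candidate = IPv4Network((first, prefix), strict=False)
        if last in candidate:
            return candidate
    raise ValueError("unreachable: /0 contains everything")


@dataclass
class Config:
    # LAN pass rules by allowed source. The default LAN rule matches "LAN net"
    # only, so traffic from 192.168.3.0/24 is dropped and logged.
    lan_pass_sources: List[IPv4Network] = field(default_factory=lambda: [LAN_NET])
    # Outbound NAT sources. Automatic outbound NAT covers the directly connected
    # LAN subnet only, not the subnets reached through static routes.
    outbound_nat_sources: List[IPv4Network] = field(default_factory=lambda: [LAN_NET])
    # The poster's static routes: every other building /24 via the layer 3 switch.
    static_routes: Dict[IPv4Network, IPv4Address] = field(
        default_factory=lambda: {n: L3_SWITCH for n in BUILDING_NETS if n != LAN_NET})


@dataclass
class Verdict:
    action: str                                  # "block" or "pass"
    out_if: str = ""
    next_hop: Optional[IPv4Address] = None
    src_on_wire: Optional[IPv4Address] = None    # source address after NAT, if any
    note: str = ""


def route(dst: IPv4Address, cfg: Config):
    """Connected routes first, then static routes (longest prefix), then default."""
    if dst in LAN_NET:
        return "lan", dst
    if dst in WAN_NET:
        return "wan", dst
    for net, nh in sorted(cfg.static_routes.items(), key=lambda kv: -kv[0].prefixlen):
        if dst in net:
            return "lan", nh
    return "wan", WAN_GW


def forward(src: IPv4Address, dst: IPv4Address, cfg: Config) -> Verdict:
    """Decide what happens to a packet arriving on the LAN interface."""
    if not any(src in n for n in cfg.lan_pass_sources):
        return Verdict("block", note=f"no LAN rule matches source {src}; logged as block")
    out_if, next_hop = route(dst, cfg)
    wire_src, note = src, "forwarded"
    if out_if == "wan":                          # outbound NAT applies on WAN only
        if any(src in n for n in cfg.outbound_nat_sources):
            wire_src = WAN_ADDR
        else:
            note = f"leaves WAN with private source {src}; the ISP cannot route the reply"
    return Verdict("pass", out_if, next_hop, wire_src, note)


def internet_works(src: IPv4Address, cfg: Config) -> bool:
    """True only if the packet passes the filter and leaves WAN translated."""
    v = forward(src, INTERNET_HOST, cfg)
    return v.action == "pass" and v.src_on_wire == WAN_ADDR


# Step 1: default config, as in the post before any extra rule.
DEFAULT = Config()
# Step 2: the allow rule the poster added for 192.168.3.0/24 (blocks stop, still no internet).
WITH_RULE = Config(lan_pass_sources=[LAN_NET, ip_network("192.168.3.0/24")])
# Step 3: manual outbound NAT (and a matching pass rule) for every building subnet.
FIXED = Config(lan_pass_sources=[summary_prefix(BUILDING_NETS)],
               outbound_nat_sources=[summary_prefix(BUILDING_NETS)])

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("allow rule", WITH_RULE), ("manual NAT", FIXED)):
        for host in (ip_address("192.168.1.50"), ip_address("192.168.3.50")):
            v = forward(host, INTERNET_HOST, cfg)
            print(f"{name:11} {host} -> internet: {v.action:5} {v.note}")
```

Running the block prints the verdict for both sample hosts under each of the three configurations. Using the /20 summary as the source of the manual outbound NAT rule means a new building subnet inside 192.168.0.0/20 needs no additional NAT rule; inter-VLAN traffic that reaches the pfSense (192.168.1.50 to 192.168.2.50) is routed back out the LAN side to the layer 3 switch without translation, matching the ping behaviour described in the first post.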



  • @blackbox:

    Now I'm fooling around a little bit with the traffic shaper, but I don't think it works all that well for me, or perhaps I'm doing something wrong.

    We have a 10/10 Mbit FWA connection from our ISP, and in the traffic shaper wizard I have typed that my LAN is 10000 kbits/second and WAN is 10000 kbits/second. Is this correct? I then tried to traffic shape P2P, especially Direct Connect, to only 1 % of the total bandwidth, but I could still download at almost 10 Mbit with DC++?

    Check out this post:
    http://forum.pfsense.org/index.php?topic=63.0

    –Bill



  • I've seen this type of setup at a friend's job location, and I don't mean to be an ass, but such a complex configuration for a site that functions as a single LAN?  If all computers can ping each other as if they were all on the same subnet, all that routing inside the site makes no sense to me.  Wouldn't it be easier to just change the subnet mask to 255.255.252.0, have 192.168.0.1 through 192.168.3.254 as one giant subnet, and do away with all the internal routing?  The gateway would surely then be a much simpler config.

    I'm definitely interested in knowing the method of your madness :)



  • Well, judging by his picture a few reasons that I can see…..:

    • 500 hosts won't fit into a /24 address
    • why have 500 hosts worth of broadcast packets flying around when you can contain everything within each subnet
    • management reasons

    We have a similar setup here at work, although on a much larger scale (150 VLANs, 4600 hosts).  Every building has its own VLAN and subnet.  While we could theoretically have the whole site under a /19 address, it's just much more practical from a management standpoint to use subnets.  Plus it makes it way easier to track down problems, etc, etc.



  • Well, I was suggesting a /22 (or /23, for just 500).

    In a Windows environment, the bulk of the broadcast traffic is quelled using a group policy to disable the Computer Browser service (which isn't needed on 2000 or greater, and I think even NT4 doesn't need it).

    What management reasons?  thinair, does your site have 1 main internet connection?  I just don't see what the benefit is to having such a complex configuration for a single LAN that is connected as if it's one contiguous LAN.



  • One internet connection, two routers; one routes odd-numbered VLANs and the other routes even-numbered VLANs, and if one fails the other will route all VLANs (for load balancing and failover).

    We have a lot of buildings on site; right now we only have fibre run to 148 buildings, so we have 148 VLANs.  Each building has its own VLAN.  If someone does something that they shouldn't do (like plug a personal laptop into our network), we can quickly narrow it down to which building it is just by looking at its IP address, then shut down the port on that switch.  We have roughly 250 switches, by the way.  Also it keeps the broadcast domain within the building itself.  Plus it's a fairly secure network, so we don't need someone on the opposite end of our site to sniff broadcasts.

    Our smaller networks don't have VLANs yet, although our second largest network will soon be NAT'd and VLAN'd; we're getting near our 510 IP address limit.



  • The config of our network is, just as thinair says, done this way to get a better management and diagnostic situation.

    Having a different VLAN and subnet per building (we currently have 15 buildings) makes it easier to identify a computer's location by its IP.

    Also, since none of the users are on the 192.168.1.0 subnet, we are protected from someone plugging an access point or a router that has 192.168.1.1 as its default IP into our network and bringing the whole thing down; and if someone accidentally adds a DHCP server to the network, it's only that building that goes down, and not the whole network.

    Sure, they can ping across the VLANs, but they can't see each other in Network Neighbourhood, so that adds a little extra protection.

    but anyway, thanks for all the nice inputs.

    sincerely Carsten



  • Well, as it's been stated before: subnetting is dumb in your house or in a small business (assuming it's not IT-related), but if you are in a larger business or an IT-related small business (aka an ISP/co-location firm) then it makes lots of sense.

    Here's an example:

    At one of my jobs I work for the IT department at a college (small school); there are about 1200 students on the campus network besides about 1,000 desktops/servers, 100 printers, and 100 or so switches. Last year this was a flat network (i.e. just one VLAN) and it bit us in the ass: the network went down for a couple of days (oh, by the way, I'm not in charge of the network, just the intern), so they subnetted the students off into a class B non-routable network because of the broadcast traffic (Klez/MyDoom/insert virus of choice). After subnetting the students off from the rest of the network everything was fine until there was a fence-jumper that killed the network in the spring. Did it get fixed? Not yet; running 3 VLANs now but still having issues every other week. Why? Because people didn't plan for growth years ago and now it's a huge project to change everything over.

    Moral of the story: in business, if you're wondering whether you should subnet the network or not, seriously consider it, as it can come back to bite you in the ass a couple of years down the road.



  • @Sharaz:

    I've seen this type of setup at a friend's job location, and I don't mean to be an ass, but such a complex configuration for a site that functions as a single LAN?  If all computers can ping each other as if they were all on the same subnet, all that routing inside the site makes no sense to me.  Wouldn't it be easier to just change the subnet mask to 255.255.252.0, have 192.168.0.1 through 192.168.3.254 as one giant subnet, and do away with all the internal routing?  The gateway would surely then be a much simpler config.

    I'm definitely interested in knowing the method of your madness :)

    Large broadcast domains suck ass, keep your subnets small (especially if you have Windows boxes as they are EXTREMELY chatty).

    –Bill



  • @ZGamer:

    Well, as it's been stated before: subnetting is dumb in your house or in a small business (assuming it's not IT-related), but if you are in a larger business or an IT-related small business (aka an ISP/co-location firm) then it makes lots of sense.

    Ohhh, subnetting at home has a LOT of uses, none of which the AVERAGE user needs (especially when you consider that the average user has a whopping one peeeceee).

    –Bill



  • By the way, I forgot to mention that this is not an office network, but 500 apartments, and growing, that are sharing the same internet connection, together with cheap telephone and cheap TV, here in Denmark.

    When we began to build this network, we did a lot of thinking about the structure before we implemented it, and I think today we are happy with our subnetting, because we get bigger and bigger with more apartments all the time, so it's nice to have done things the right way from scratch.

    Anyway, thanks for the replies.

    sincerely
    Carsten
    www.sundbynet.dk

