Netgate Discussion Forum

Two subnets on one lan interface

  • graigchq
    last edited by Jan 31, 2012, 9:44 AM

    Is it possible to have two separate subnets (e.g. 192.168.0.0/24 and 192.168.1.0/24) on the same lan interface, with a subnet mask of 255.255.255.0?
    2nd question, if I do have that setup, and the gateway is say 192.168.1.1 (pfsense box) will the 192.168.0.0/24 subnet be able to reach the gateway?

    3rd question, in either case above, how can I separate computers hitting the captive portal from statically defined DHCP entries so as to create a firewalled office subnet separate from the public internet access??

    Am I being too much of a noob? Sorry for simple questions but I want to ensure I understand how this works before I implement this.

    Currently I have two subnets, as above, but the subnet mask for the LAN interface on the pfSense box is 255.255.0.0 so both can access the box freely. I believe that means that all computers on both subnets will be able to talk to each other? (Windows sharing, Samba etc.) which is what I want to avoid.

    • stephenw10 Netgate Administrator
      last edited by Jan 31, 2012, 12:00 PM Jan 31, 2012, 11:48 AM

      I will preface this with an 'I've never tried this' but…

      1. You can add a virtual IP alias to the interface in question to give you effectively two interfaces each on a different subnet.

      2. No, the gateway will be outside the subnet of the second interface. However, in a normal situation where you have two real interfaces you simply hand out the interface IP as the gateway using DHCP or set it manually if you're using static IPs (I assume you must be).

      3. If you have set up a virtual interface you can apply firewall rules to separate the traffic based on static IP addresses. However, it will not be at all secure. Since both subnets will be on the same physical network, any user on subnet 1 could just change their address to one in subnet 2 and have full access.

      Whether or not the machines can currently talk to each other depends on what you have set each machine's subnet to rather than the subnet on the LAN interface. However, if both sets of machines are using the same gateway IP then they are able to talk to each other in one direction at least.
      However, if you have, say, your public machines on 192.168.1.0/24 with subnet mask 255.255.255.0 they would not be able to see machines on 192.168.0.0/24 with subnet mask 255.255.0.0 but both could see 192.168.1.1.
      But, as above, this is no real security.

      Steve
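Added example, not part of the original posts: a small model of the on-link decision each host makes from its own address and mask, applied to the masks discussed above, plus what a rule keyed only on source address concludes when a machine re-addresses itself. The host addresses 192.168.1.50, 192.168.0.10, 192.168.0.77 and the alias address 192.168.0.1 are constructed for illustration.

```python
import ipaddress

def on_link(host_if, dst):
    """True if a host configured as host_if ('addr/mask') treats dst as
    on-link, i.e. ARPs for it directly instead of using its gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_if).network

def first_hop(host_if, gateway, dst):
    """Return 'direct', 'gateway' or 'unreachable' for host -> dst."""
    if on_link(host_if, dst):
        return "direct"
    # A default gateway is only usable if the host sees it as on-link.
    if gateway is not None and on_link(host_if, gateway):
        return "gateway"
    return "unreachable"

def zone_by_source(src_ip, office_net="192.168.0.0/24"):
    """What a firewall rule keyed only on source address concludes."""
    inside = ipaddress.ip_address(src_ip) in ipaddress.ip_network(office_net)
    return "office" if inside else "public"

# Constructed sample hosts (not from the thread).
PFSENSE = "192.168.1.1"
ALIAS = "192.168.0.1"                      # assumed virtual IP alias
PUBLIC = "192.168.1.50/255.255.255.0"
OFFICE_16 = "192.168.0.10/255.255.0.0"
OFFICE_24 = "192.168.0.10/255.255.255.0"

def scenarios():
    return {
        "public/24 -> pfSense": first_hop(PUBLIC, PFSENSE, PFSENSE),
        "public/24 -> office": first_hop(PUBLIC, PFSENSE, "192.168.0.10"),
        "office/16 -> public": first_hop(OFFICE_16, PFSENSE, "192.168.1.50"),
        "office/24 -> public, gw 192.168.1.1": first_hop(OFFICE_24, PFSENSE, "192.168.1.50"),
        "office/24 -> public, gw alias": first_hop(OFFICE_24, ALIAS, "192.168.1.50"),
        # Same physical machine, self-assigned office address:
        "re-addressed public host": zone_by_source("192.168.0.77"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:38} {result}")
```

The last row is the reason address-based rules on a shared segment give no real separation: the firewall only ever sees the address the client chose for itself.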

      • graigchq
        last edited by Feb 1, 2012, 10:58 AM

        I looked into VLANs, but the card I'm using has problems with the tagging, so I'm gonna just do it properly and add another interface for the customer network. For the two computers on either side that do need to talk to each other, I'll just sort out some firewall rules for that. Better safe than sorry.

        Cheers for your input Steve

        • stephenw10 Netgate Administrator
          last edited by Feb 1, 2012, 12:31 PM

          An extra physical interface is definitely the right way to do it.  :)
          I wasn't referring to VLANs though.

          Steve
