Two subnets on one lan interface

  • Is it possible to have two separate subnets (e.g. and on the same LAN interface, with a subnet mask of
    2nd question, if I do have that setup, and the gateway is say (pfsense box) will the subnet be able to reach the gateway?

    3rd question, in either case above, how can I separate computers hitting the captive portal from statically defined DHCP entries so as to create a firewalled office subnet separate from the public internet access?

    Am I being too much of a noob? Sorry for the simple questions, but I want to ensure I understand how this works before I implement this.

    Currently I have two subnets, as above, but the subnet mask for the LAN interface on the pfsense box is so both can access the box freely. I believe that means that all computers on both subnets will be able to talk to each other (Windows sharing, Samba, etc.), which is what I want to avoid.

  • Netgate Administrator

    I will preface this with an 'I've never tried this' but…

    1. You can add a virtual IP alias to the interface in question to give you effectively two interfaces each on a different subnet.

    2. No, the gateway will be outside the subnet of the second interface. However, in a normal situation where you have two real interfaces you simply hand out the interface IP as the gateway using DHCP, or set it manually if you're using static IPs (I assume you must be).

    3. If you have set up a virtual interface you can apply firewall rules to separate the traffic based on static IP addresses. However, it will not be at all secure. Since both subnets will be on the same physical network, any user on subnet 1 could just change their address to one in subnet 2 and have full access.

    Whether or not the machines can currently talk to each other depends on what you have set each machine's subnet to, rather than the subnet on the LAN interface. However, if both sets of machines are using the same gateway IP then they are able to talk to each other in one direction at least.
    However, if you have, say, your public machines on with subnet mask they would not be able to see machines on with subnet mask but both could see
    But, as above, this is no real security.
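    The reachability reasoning in the reply above (a host only talks directly to destinations inside its own configured prefix, so two hosts with mismatched masks on one wire can see each other in one direction only, and a gateway with a wider mask sees both) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the addresses and masks are constructed RFC 1918 values, since the thread's own values were not preserved, and the host names are placeholders.

```python
"""Which hosts on a shared LAN segment treat each other as on-link?

Constructed scenario (not the thread's real addressing): several machines
share one physical network but are configured with different masks.  A host
sends directly (ARPs) for any destination inside its own configured prefix
and forwards everything else to its default gateway.  The pfSense box is
given a wide mask so that it is on-link to both groups.
"""
import ipaddress


def on_link(host_ip: str, host_mask: str, dst_ip: str) -> bool:
    """True if a host configured as host_ip/host_mask considers dst_ip
    on-link, i.e. will talk to it directly instead of via its gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(dst_ip) in iface.network


def reachability(hosts: dict) -> dict:
    """For every ordered pair (src, dst) of distinct hosts, record whether
    src sees dst as on-link.  hosts maps name -> (ip, mask)."""
    result = {}
    for a, (ip_a, mask_a) in hosts.items():
        for b, (ip_b, _mask_b) in hosts.items():
            if a != b:
                result[(a, b)] = on_link(ip_a, mask_a, ip_b)
    return result


def one_way_pairs(hosts: dict) -> list:
    """Pairs where src reaches dst directly but dst does not reach src:
    the 'one direction at least' case from the thread."""
    r = reachability(hosts)
    return sorted((a, b) for (a, b), ok in r.items() if ok and not r[(b, a)])


# Constructed hosts (hypothetical names, RFC 1918 addresses).
HOSTS = {
    "public-pc": ("192.168.1.50", "255.255.255.0"),  # narrow /24
    "office-pc": ("192.168.2.50", "255.255.255.0"),  # narrow /24, other subnet
    "wide-pc":   ("192.168.2.60", "255.255.0.0"),    # user who widened their mask
    "pfsense":   ("192.168.1.1",  "255.255.0.0"),    # gateway with a /16 mask
}

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(HOSTS).items()):
        print(f"{src:>10} -> {dst:<10} {'on-link' if ok else 'via gateway'}")
    print("one-way pairs:", one_way_pairs(HOSTS))
```

    Running it shows that office-pc does not consider the gateway on-link at all (the point made in answer 2), and that wide-pc reaches public-pc directly while public-pc cannot reach wide-pc back: a mask change on the client side is all it takes, which is why the reply calls IP-based separation on a shared wire no real security.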


  • I looked into VLANs, but the card I'm using has problems with the tagging, so I'm gonna just do it properly and add another interface for the customer network. For the two computers on either side that do need to talk to each other, I'll just sort out some firewall rules for that. Better safe than sorry.

    Cheers for your input Steve

  • Netgate Administrator

    An extra physical interface is definitely the right way to do it. :)
    I wasn't referring to VLANs though.

