Need help better understanding subnets



  • One of my weaknesses has always been understanding how subnets work. Please read a scenario I am trying to create and see if you can give me info on what I need to do or am doing wrong.

    Here is my network

    Internet
    |
    trendnet managed switch (192.168.0.252)
    ||
    windows 2008 server (192.168.0.2) and Oracle virtual pfSense (WAN: 192.168.0.199, LAN: 192.168.1.1) using 2 physical NICs.
    |
    rest of network
    |
    2nd windows 2008 server

    I want to create a vlan between the 1st server's 2nd NIC (using pfsense) and the 2nd server. I'm using the pfsense as my router for that 2nd lan. I want to make sure that the 2nd server cannot contact the 1st server by any way but I want the 2nd server to still be able to get out to the internet.

    Would I use a specific subnet bit count to control this? Or how would I go about this? Thanks guys.



  • edit I might have figured this out by using separate vlans for each set of devices. duhhh. haha.

    but say there aren't vlans, would it be possible to separate devices on a 192.168.0.x network and have them all go thru the same gateway?



  • @elementalwindx:

    edit I might have figured this out by using separate vlans for each set of devices. duhhh. haha.

    but say there aren't vlans, would it be possible to separate devices on a 192.168.0.x network and have them all go thru the same gateway?

    I have 3 split vlans now and somehow I cannot seem to get the server1 to not be seen while the virtual pfsense is on this server. I have 2 nics I can use on this thing. I feel like there must be some possible way to do this but I just cannot figure it out. Anybody have any idea?

    WAN side of the pfsense is 192.168.0.199 and LAN side is 192.168.1.1. They are both using the bound virtual adapter that physically has the IP of 192.168.0.2

    I can get server2 to get internet access but at the same time it can still ping 192.168.0.2 (server1). I'm betting it has something to do with the upstream/downstream of the routing I have set up. :/ but perhaps some form of subnet bit usage can fix this?
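    The two questions above (can a subnet bit count, or a split of 192.168.0.x behind one gateway, keep server2 away from server1?) come down to two separate facts: the mask only decides whether a host talks directly or via its gateway, and the gateway forwards to any network it is connected to unless a firewall rule says otherwise. The following Python is an added example, not code from the thread or from pfSense; it uses the addresses posted above (192.168.0.2 for server1, 192.168.0.199 for the pfSense WAN, 192.168.1.1 for the pfSense LAN), an assumed address of 192.168.1.50 for server2, and a small first-match rule evaluator that imitates the top-down ordering of a pfSense LAN rule tab.

```python
"""Subnet masks vs. firewall rules for isolating server2 from server1.

Added example (not from the thread or from pfSense). Addresses taken from the
thread; 192.168.1.50 for server2 is a constructed value.
"""
from ipaddress import ip_address, ip_interface, ip_network

SERVER1 = "192.168.0.2"        # Windows 2008 server, 1st NIC
PFSENSE_WAN = "192.168.0.199"  # pfSense WAN side
PFSENSE_LAN = "192.168.1.1"    # pfSense LAN side
SERVER2 = "192.168.1.50"       # constructed address on the 2nd LAN

# Networks the pfSense router is directly attached to.
ROUTER_CONNECTED = ["192.168.0.0/24", "192.168.1.0/24"]


def on_link(src: str, dst: str, prefix: int) -> bool:
    """True when dst lies inside src's own subnet, i.e. no router is needed."""
    return ip_address(dst) in ip_interface(f"{src}/{prefix}").network


def split_subnet(net: str, new_prefix: int) -> list[str]:
    """The subnets obtained by borrowing host bits (the 'subnet bit count' idea)."""
    return [str(s) for s in ip_network(net).subnets(new_prefix=new_prefix)]


def router_forwards(dst: str) -> bool:
    """A router with an interface in dst's network delivers the packet there,
    whatever mask the sender was configured with; only a rule can stop it."""
    return any(ip_address(dst) in ip_network(n) for n in ROUTER_CONNECTED)


# Ordered (action, source network, destination network) rules, first match wins.
# pfSense's implicit default when nothing matches is to deny.
DEFAULT_LAN_RULES = [
    ("pass", "192.168.1.0/24", "0.0.0.0/0"),          # stock "LAN net to any"
]
HARDENED_LAN_RULES = [
    ("block", "192.168.1.0/24", "192.168.0.0/24"),    # LAN net -> WAN net stops here
    ("pass", "192.168.1.0/24", "0.0.0.0/0"),          # everything else may leave
]


def evaluate(rules, src: str, dst: str) -> str:
    """Return the action of the first rule matching (src, dst), else 'block'."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "block"


if __name__ == "__main__":
    # 1. Mask arithmetic: with /24 the WAN side and server1 are on the same link;
    #    with /25 they land in different halves, but that changes nothing below.
    print("/24 on-link:", on_link(PFSENSE_WAN, SERVER1, 24))   # True
    print("/25 on-link:", on_link(PFSENSE_WAN, SERVER1, 25))   # False
    print("/26 split:", split_subnet("192.168.0.0/24", 26))
    # 2. The router still forwards to 192.168.0.2 because it is connected there.
    print("forwarded without a rule:", router_forwards(SERVER1))  # True
    # 3. Only an explicit LAN rule changes the outcome, and the internet still works.
    for rules, label in ((DEFAULT_LAN_RULES, "default"), (HARDENED_LAN_RULES, "hardened")):
        print(label, "server2->server1:", evaluate(rules, SERVER2, SERVER1),
              "| server2->8.8.8.8:", evaluate(rules, SERVER2, "8.8.8.8"))
```

    The point the script makes: changing the prefix length on the 192.168.0.x side moves hosts between broadcast domains, but a gateway attached to both networks will still forward between them, so the isolation has to be a block rule on the pfSense LAN tab placed above the default pass rule (the "Block private networks" option lives on the WAN side and does not cover this direction). It also does not address the separate problem raised later in the thread: a rule on pfSense only helps if the traffic actually passes through pfSense before the Windows host sees it.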



  • I suspect the flaw in your implementation is that the Windows Server has to get first look at all the traffic arriving on both NICs. Hence there is no way pfSense can block it.

    I don't know if Windows and your VM implementation (Oracle VirtualBox?) can provide "PCI passthrough" which would effectively give pfSense full control of one or more of the NICs. If so, that should be considered. As yet I haven't been able to see how VLANs would help, but maybe I don't understand your configuration or what you are attempting to do.

    Running BOTH Windows and pfSense in virtual machines would allow the isolation you seem to be looking for (then the Windows server would not have first access to both NICs.)

    There might be some capability I haven't considered in the VM support in the software you are using, but even if there was I can't see how you could claim a high level of security when the machine to which you are wanting to block access is itself handling the traffic you want blocked.



  • @wallabybob:

    I suspect the flaw in your implementation is that the Windows Server has to get first look at all the traffic arriving on both NICs. Hence there is no way pfSense can block it.

    I don't know if Windows and your VM implementation (Oracle VirtualBox?) can provide "PCI passthrough" which would effectively give pfSense full control of one or more of the NICs. If so, that should be considered. As yet I haven't been able to see how VLANs would help, but maybe I don't understand your configuration or what you are attempting to do.

    Running BOTH Windows and pfSense in virtual machines would allow the isolation you seem to be looking for (then the Windows server would not have first access to both NICs.)

    There might be some capability I haven't considered in the VM support in the software you are using, but even if there was I can't see how you could claim a high level of security when the machine to which you are wanting to block access is itself handling the traffic you want blocked.

    What you said was what I was thinking. I was hoping I could add a 3rd NIC and find a way to get the VM to physically control two NICs but I don't think the Oracle VirtualBox can do that. :/ anybody know?



  • I remembered VirtualBox on Linux has "USB passthrough": a VM can take control of a USB device. Hence you could (if supported in VirtualBox on Windows) add a USB NIC, assign it to your pfSense VM and connect that NIC to your "rest of network" so that traffic from that part of the network has to go through the pfSense VM BEFORE it can get to "server1".

    pfSense is not real good with dynamically appearing interfaces so you will probably need to reboot the pfSense VM a couple of times to ensure the USB NIC is correctly seen on pfSense startup.

    There are a number of USB NICs that are supported by FreeBSD/pfSense which say they are USB 2 compatible but don't say they are not capable of 480Mbps operation (that is, they talk to the host at only 12Mbps or lower). Depending on the speed of your WAN link you might need to choose the USB NIC carefully.

    USB NICs don't have a great reputation in the pfSense community. I suspect at least a part of that is from people not considering all the details. I used a USB NIC for a while and eventually ditched it because it wasn't reliably seen on startup which meant I sometimes needed to be around to fix up the situation if pfSense restarted. I could probably have tweaked pfSense to get around that but I had a VLAN capable switch which I was able to use to effectively get extra ports removing the need for the USB NIC.

