Multiple public IPs and multiple LAN subnets with only 2 NIC cards



  • So I've done lots of searching, and am not really finding information for the type of setup I am after…

    I need 3 public IP addresses to link individually to 3 private networks, and one public IP to pass through pfSense to an internal server.

    Setup:

    1 WAN card with 4 static IP addresses: 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4 (obviously not the actual IPs, but for privacy I will use these)

    1 LAN card with three subnets: 10.0.0.0/24, 10.0.0.1/24, and 172.16.1.0/24

    1 server that sits inside the LAN that needs an external IP address, 192.168.1.4

    The 10.0.0.0/24 subnet is for our teachers' computers. The 10.0.0.1/24 subnet is for student computers. The 172.16.1.0/24 subnet is for our open access wifi.

    The teacher and student computers need to get DHCP addresses from their proper subnets. I would like to use the MAC addresses to place them in their pools. Then any computer that is not in either the 10.0.0.0/24 or 10.0.0.1/24 pools would pull a 172.16.1.0/24 address. How would I go about setting up the multiple DHCP pools like that? Also, how can I get the DHCP server to give the public IP 192.168.1.4 to the server?

    The next thing I need to be able to do is limit the speeds on each individual pool. I need the teachers pool to have a maximum of 10Mbps x 1Mbps, the students to have a maximum of 10Mbps x 1Mbps, the public pool to have a maximum of 2Mbps x 512Kbps, and the server's IP to have a maximum connection speed of 5Mbps x 5Mbps. The speeds would be applied to the subnet as a whole, e.g. the traffic speed on the public IP for the student pool would never be more than 10Mbps x 1Mbps.

    Then, for the server, would I set up a 1:1 NAT for the public IP 192.168.1.4? Would that pass all traffic on to the server?

    FYI, all of these subnets and the server are on the same switch network (physical network) and our switches do not support VLAN tagging.

    If someone could help me that would be greatly appreciated.
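    The MAC-sorted pool layout asked about above, written out as an added example in ISC dhcpd syntax (the DHCP daemon pfSense uses); this is not the poster's or pfSense's own configuration, and the MAC addresses, the pool ranges and the 10.0.1.0/24 student network are assumptions.

```conf
# ISC dhcpd syntax (constructed example). pfSense's DHCP server is ISC dhcpd,
# but its GUI does not expose every directive used here.
# All three subnets live on one physical segment, so they are declared
# inside a single shared-network block.

# Clients are sorted into classes by hardware (MAC) address; the "1:" prefix
# is the Ethernet hardware type. The MAC values are placeholders.
class "teachers" {
    match hardware;
}
subclass "teachers" 1:00:11:22:33:44:55;
subclass "teachers" 1:00:11:22:33:44:56;

class "students" {
    match hardware;
}
subclass "students" 1:00:aa:bb:cc:dd:01;
subclass "students" 1:00:aa:bb:cc:dd:02;

shared-network school-lan {
    # Teacher subnet: only known teacher MACs may take a lease here.
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        pool {
            allow members of "teachers";
            range 10.0.0.100 10.0.0.200;
        }
    }

    # Student subnet. "10.0.0.1/24" in the post is the same network as
    # 10.0.0.0/24, so 10.0.1.0/24 is assumed here to avoid the overlap.
    subnet 10.0.1.0 netmask 255.255.255.0 {
        option routers 10.0.1.1;
        pool {
            allow members of "students";
            range 10.0.1.100 10.0.1.200;
        }
    }

    # Any client in neither class falls through to the open-access pool.
    subnet 172.16.1.0 netmask 255.255.255.0 {
        option routers 172.16.1.1;
        pool {
            deny members of "teachers";
            deny members of "students";
            range 172.16.1.100 172.16.1.200;
        }
    }
}
```

    On a flat segment this only steers leases: as the replies point out, a client that sets a static address or changes its MAC is not constrained by it, which is why separate VLANs are the real fix.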



  • Since this is the DHCP/DNS forum, let's concentrate on the IP address issues you have raised.

    @bitzenator:

    our switches do not support VLAN tagging.

    That severely limits your options. In particular you have no real security between the subnets and (as best I understand the rate limiting options) the rate limiting is difficult or impossible.

    @bitzenator:

    The teacher and student computers need to get DHCP addresses from their proper subnets.

    Students, being the experimenters they are, will likely quickly discover how to change the MAC address on their computer and get an IP address from the teacher pool, or, even more easily, figure out how to give themselves a static IP in the appropriate pool.

    @bitzenator:

    Also, how can I get the DHCP server to give the public IP 192.168.1.4 to the server?

    It is considered better practice to have publicly accessible servers on a separate physical network (or VLAN) so the firewall can block access from such a server to "important" local systems. This provides a further barrier to anyone who might succeed in hacking into the publicly accessible server.



  • You need to upgrade to at least a smart switch. As noted even if you make this "work" with subnets it'll be horribly insecure.


  • ^ As stated, you're going to need a "smart" or fully managed switch to be able to do VLANs, so that you can isolate your different network segments.

    How many switches do you currently have? Depending, you might be able to get by with just changing out your "core" switch or the upstream switch connected to pfSense for one that supports VLANs, and then connect dumb switches downstream, as long as all devices connected to those switches are to be in the same segment/VLAN.

    If not, then you're going to need switches that support VLANs through the building - this allows you to put a device, no matter where it sits in the building, on whatever VLAN you want.

