How can I achieve this setup?



  • I'm trying to do the following

    IP: 176.16.x.x
    Subnet: 255.255.252.0

    I have two interfaces, LAN and OPT1.
    What I want to do is devices connecting on LAN (port 1 of a 4 port NIC) get 176.16.1.x and on OPT1 (single port NIC) get 176.16.2.x

    What is the best way to achieve this?



  • 176.16.0.0/22 (176.16.0.0/255.255.252.0) yields an address range of:

    176.16.0.0 to 176.16.3.255

    It is not possible to have two NICs in a machine that belong to (or define) the same network as this is an ambiguous configuration. Therefore a LAN with 176.16.1.x and an OPT1 with 176.16.2.x is not possible.

    However, if you change the netmask to /24 you can have a LAN with 176.16.1.x and an OPT1 with 176.16.2.x so long as the reduced number of addresses available on each interface (253 usable) is acceptable to you.


  • LAYER 8 Global Moderator

    I'm confused with your /22 that does not work out to .1.x and .2.x as gderf mentions. Did you mean .0.x to .1.254? and 2.x - 3.254? for your dhcp ranges?

    Or were you planning on leaving .0 and .3 for statics?

    As gderf states you normally do not put 2 interfaces in the same network.  His suggestion works if you're ok with lower hosts.

    Or you could do 172.16.0.0/23 on 1 interface and 172.16.2.0/23 on the other interface.  And then sure you could have your dhcp scopes only use .1.1-254 and 2.1-254 where you could then set up .0.1-254 and .3.1-254 as static address space for those 2 network segments.
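A quick way to verify the two answers above is to let Python's `ipaddress` module compute what network each interface actually defines. This is an added example, not code from the thread: it shows that both of the OP's /22 interfaces collapse onto the same 176.16.0.0/22 (the ambiguity gderf describes), that gderf's /24 split leaves 253 usable client addresses per segment, and that johnpoz's two-/23 layout (shown here with the 176.16 prefix from the question) holds the proposed DHCP scopes and static blocks without overlap.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed from the thread: the OP's two interfaces under a /22 mask, gderf's /24
# alternative, and johnpoz's two-/23 layout written with the OP's 176.16 prefix.
ORIGINAL_PLAN = [("LAN", "176.16.1.1/22"), ("OPT1", "176.16.2.1/22")]
SPLIT_24_PLAN = [("LAN", "176.16.1.1/24"), ("OPT1", "176.16.2.1/24")]
SPLIT_23_PLAN = [("LAN", "176.16.0.1/23"), ("OPT1", "176.16.2.1/23")]

def interface_networks(plan):
    """Map each interface name to the network its address/mask actually defines."""
    return {name: IPv4Interface(cidr).network for name, cidr in plan}

def overlapping_pairs(plan):
    """Interface pairs whose networks overlap: the ambiguous layout gderf warns about."""
    nets = interface_networks(plan)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def usable_hosts(network):
    """Addresses minus network and broadcast, minus the one the firewall itself uses."""
    return network.num_addresses - 2 - 1

def range_fits(network, first, last):
    """True if every address from first to last lies inside network (a DHCP scope or static block)."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    return lo <= hi and lo in network and hi in network

def check_plan(plan, scopes):
    """scopes: {iface: (first, last)} DHCP ranges to validate against each interface's network."""
    nets = interface_networks(plan)
    return {name: {"network": str(nets[name]),
                   "usable": usable_hosts(nets[name]),
                   "scope_ok": range_fits(nets[name], *scopes[name])}
            for name in nets}

if __name__ == "__main__":
    print("overlaps under /22:", overlapping_pairs(ORIGINAL_PLAN))  # both NICs claim 176.16.0.0/22
    print("overlaps under /23:", overlapping_pairs(SPLIT_23_PLAN))  # none
    # johnpoz's carve-out: DHCP hands out .1.x and .2.x, leaving .0.x and .3.x for statics
    dhcp = {"LAN": ("176.16.1.1", "176.16.1.254"), "OPT1": ("176.16.2.1", "176.16.2.254")}
    for name, result in check_plan(SPLIT_23_PLAN, dhcp).items():
        print(name, result)
```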



  • @johnpoz:

    I'm confused with your /22 that does not work out to .1.x and .2.x as gderf mentions. Did you mean .0.x to .1.254? and 2.x - 3.254? for your dhcp ranges?

    Or were you planning on leaving .0 and .3 for statics?

    As gderf states you normally do not put 2 interfaces in the same network.  His suggestion works if you're ok with lower hosts.

    Or you could do 172.16.0.0/23 on 1 interface and 172.16.2.0/23 on the other interface.  And then sure you could have your dhcp scopes only use .1.1-254 and 2.1-254 where you could then set up .0.1-254 and .3.1-254 as static address space for those 2 network segments.

    Yes, I was planning on leaving 0.x and 3.x for static assignments.
    My biggest problem is Windows networking.
    If I separate them into two networks, which I currently have done, Windows doesn't let filesharing occur between the subnets without explicit changes to the Windows firewall, which is something I can't force my users to do.


  • LAYER 8 Global Moderator

    "changes to the windows firewall, which is something I can't force my users to do."

    What??  What do you mean you can't change?  Is this your network, or a bunch of cats you're trying to herd?  Why would a user have control of the firewall in the first place?  Simple enough to make a group policy to allow whatever firewall rules you want.

    You could even debate the need of software firewalls in a secure network, just set up a policy to enable the firewall when they are not on your domain, etc.

    How about you give us some details of your network, and what you're wanting to accomplish exactly, and we can figure out the best course of action.  Why did you want to use 2 interfaces for the same network in the first place?  Just to give specific machines specific addresses via dhcp??



  • @johnpoz:

    "changes to the windows firewall, which is something I can't force my users to do."

    What??  What do you mean you can't change?  Is this your network, or a bunch of cats you're trying to herd?  Why would a user have control of the firewall in the first place?  Simple enough to make a group policy to allow whatever firewall rules you want.

    You could even debate the need of software firewalls in a secure network, just set up a policy to enable the firewall when they are not on your domain, etc.

    How about you give us some details of your network, and what you're wanting to accomplish exactly, and we can figure out the best course of action.  Why did you want to use 2 interfaces for the same network in the first place?  Just to give specific machines specific addresses via dhcp??

    I can't assign group policies if the machines are not on a domain.  This is a network where people use their own machines.
    What I want to do is have wired and wireless access to the same network.  I would also assign specific IPs depending on which method the device is connected through.

    I cannot control the client machines.  The only thing I know for sure is that the machines can (and should be able to) communicate amongst themselves.  The only configuration I can guarantee is that the machines can communicate on their assigned subnet, which means having the wireless ones on a separate subnet is a problem.

    If this is definitely not possible, I will likely have to bridge the interfaces and not be able to separate the assigned IPs.  This is not my ideal circumstance, however.


  • LAYER 8 Global Moderator

    "which means having the wireless ones on a separate subnet is a problem."

    So then put the wireless on the same subnet.  Why can your wired and wireless not all just use your 172.16.x.x/22 network??

    Why do you think you need to use a different interface on pfSense to add wireless?  Just connect however many APs you need to your current wired network to provide the coverage you want.

    So if users bring their own devices, manage them, and control their own firewalls - why is it your problem if they don't understand how to allow file sharing access to another network?  You would not be blocking anything; what they do with their firewalls is not your issue - is it?



  • @johnpoz:

    "which means having the wireless ones on a separate subnet is a problem."

    So then put the wireless on the same subnet.  Why can your wired and wireless not all just use your 172.16.x.x/22 network??

    Why do you think you need to use a different interface on pfSense to add wireless?  Just connect however many APs you need to your current wired network to provide the coverage you want.

    So if users bring their own devices, manage them, and control their own firewalls - why is it your problem if they don't understand how to allow file sharing access to another network?  You would not be blocking anything; what they do with their firewalls is not your issue - is it?

    I'm using a wireless NIC installed in the pfSense box, and an access point is not something that can be purchased currently.
    If I put both interfaces on the same subnet, they do not work.  If I do that and bridge them, I can't separate DHCP.

    What exactly are you suggesting I do?
    (Also, can we please keep the discussion to configuration on the pfSense end and not the client machines?  All that should be relevant is that I would like all machines on the same subnet, assigned different IP ranges based on which interface they're connected through.  The why shouldn't matter in this case.)

    If this simply is not possible, just tell me that.


  • LAYER 8 Global Moderator

    No, if you create a bridge you can not have different dhcp scopes that hand out different addresses based upon what actual physical interface the connection comes in on.  Your dhcp server would have an IP it listens on, not an interface.

    If you want to isolate wired from wireless - then you have to create different segments.

    If you can not have different segments because of some issue you think these cats you're trying to herd are going to have with their firewalls, I don't think there is anywhere else we can go with your problem.

    I am trying to help you..  So all you have is a wireless card in pfSense for a /22 of users?  That is a LOT of users to use 1 wireless card with ;)

    Your other option to hand out different ranges for different users would be to use 2 different pools on one segment, where you limit who can use each pool based upon mac.  But this would be lots of setup for a /22.

    I don't know if the dhcp additional pools are in the 2.0 line, but in 2.1 they are an option.  With this you could create your 2 different pools and then, using mac controls, you could limit which clients can get an address from which pool.  Maybe this is something you could use.  It allows you to put in partial mac addresses, so that specific hardware would all use the same pool - but if user-based hardware, you could have lots of different card makers to have to put into your allow or deny.  And then what about those that don't match either, etc..



  • @johnpoz:

    No, if you create a bridge you can not have different dhcp scopes that hand out different addresses based upon what actual physical interface the connection comes in on.  Your dhcp server would have an IP it listens on, not an interface.

    If you want to isolate wired from wireless - then you have to create different segments.

    If you can not have different segments because of some issue you think these cats you're trying to herd are going to have with their firewalls, I don't think there is anywhere else we can go with your problem.

    I am trying to help you..  So all you have is a wireless card in pfSense for a /22 of users?  That is a LOT of users to use 1 wireless card with ;)

    Your other option to hand out different ranges for different users would be to use 2 different pools on one segment, where you limit who can use each pool based upon mac.  But this would be lots of setup for a /22.

    I don't know if the dhcp additional pools are in the 2.0 line, but in 2.1 they are an option.  With this you could create your 2 different pools and then, using mac controls, you could limit which clients can get an address from which pool.  Maybe this is something you could use.  It allows you to put in partial mac addresses, so that specific hardware would all use the same pool - but if user-based hardware, you could have lots of different card makers to have to put into your allow or deny.  And then what about those that don't match either, etc..

    Yeah, it looks like I'll have to scrap that whole idea.  I'll make a separate topic on the correct way to implement the bridge.  Thanks for the help; it looks like, though, I just have the misfortune of wanting something that's not possible.


  • LAYER 8 Global Moderator

    Well, not so much that it's impossible - just how you would do it is 2 segments, where each segment has its own dhcp server with its own scope.

    Can't you just post some info for your "cats" ;) to find that tells them wireless clients are on a different segment and to allow 172.16.x.x/23 in their firewalls?

    With a bridge you're going to be under 1 broadcast domain, so all the broadcast traffic of all your clients will be going over your wireless..  With a /22 – I assume there are lots of users, that could be a hit on your wireless performance without any users actually even on the wireless..

    The only other issue I could see, other than their firewalls, would be how do they resolve other hosts; if they broadcast for them - then yeah, segments is going to put a nix on that as well and you would have to use dns, wins or IP address or some other way to resolve hosts they want to access that are not on their local segment.

    Good luck and let us know how it turns out.



  • @johnpoz:

    Well, not so much that it's impossible - just how you would do it is 2 segments, where each segment has its own dhcp server with its own scope.

    Can't you just post some info for your "cats" ;) to find that tells them wireless clients are on a different segment and to allow 172.16.x.x/23 in their firewalls?

    With a bridge you're going to be under 1 broadcast domain, so all the broadcast traffic of all your clients will be going over your wireless..  With a /22 – I assume there are lots of users, that could be a hit on your wireless performance without any users actually even on the wireless..

    The only other issue I could see, other than their firewalls, would be how do they resolve other hosts; if they broadcast for them - then yeah, segments is going to put a nix on that as well and you would have to use dns, wins or IP address or some other way to resolve hosts they want to access that are not on their local segment.

    Good luck and let us know how it turns out.

    Yeah, I'm not dealing with savvy users.  (I'm talking about the kind of people who need filesharing, but whose eyes will glaze over if I even say the word firewall.)
    I'll switch over to using a bridge, one DHCP server, and static leases for as many as I can.

