How to create logical subnets with a single LAN interface without VLANs?
-
Hi,
I believe it doesn't end up with one managed switch. I need to change all the end point switches so that it can do vlan.
I have a client who has a network set up as attached. Currently a SonicWall is there instead of pfSense and it just works without VLANs. And that's the reason why I am trying to replicate a similar setup with pfSense.
I am OK with having vSphere + vSwitch + pfSense (all in one box). Not sure if this works?
What would be the best way to achieve this?
Regards,
Raja
-
That will work just fine with one subnet. Why do you want multiple layer 3 subnets on a single layer2 segment again? What do you expect to gain from such a thing?
And you would not have to change all the edge switches IF all the hosts on each switch are on the same VLAN. You would tag three VLANS from pfSense to the "core" switch then put each edge switch on an untagged port on each of the three VLANs. They can be dumb, unmanaged switches.
-
Yep. That's the way my network in Maryland works.
The reason I used multiple VLAN subnets is so I could firewall the LAN segments from "seeing" each other. If you are not trying to segregate things, I see no reason to have multiple subnets or VLANs.
-
Hi,
Yes, the subnets have been created for firewalling (restricted LAN/WAN access).
If you look at the diagram above, there are 3 groups of users connected to different switches.
Group A - Have access to all internet sites (WAN) + Full access to LAN
Group B - Full access to LAN + restricted internet access
Group C - Isolated users who can communicate between the same group but cannot communicate with other users/PCS and will have restricted WAN access.
Actually with the default route, I am able to do all these with pfSense (with deny rules). I have a problem only when I configure gateway groups for load balancing/failover. The moment I configure gateway groups, the local subnets get disconnected.
Regards,
Raja
-
Any security you think you're getting from your proposed solution is an illusion.
Any host can just change its IP address to one of the other subnet schemes and they're now on that "LAN."
Traffic among the "different LANs" is not dependent on pfSense's firewall to forward. Any host can also add VIPs on all three subnets and access any host on any subnet at any time and there's not a damn thing your firewall can do about it, because it's not being routed through.
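The reply above makes the point that with three subnets on one layer-2 segment, a host can simply add an alias in another subnet and talk to it directly, bypassing the firewall. As an added example (not from the thread or from pfSense), here is a small detector that parses the firewall's ARP table in FreeBSD `arp -an` style (pfSense runs on FreeBSD) and flags the symptom: one MAC address seen with IPs in more than one of the planned subnets, or an IP outside any planned subnet. The subnet numbering, the ARP lines and the `parse_arp`/`find_violations` functions are all constructed for this example; the thread gives no addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed numbering for the thread's three user groups (assumption, not from the page).
PLANNED_SUBNETS = {
    "Group A": ipaddress.ip_network("192.168.10.0/24"),
    "Group B": ipaddress.ip_network("192.168.20.0/24"),
    "Group C": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed sample in the shape of FreeBSD `arp -an` output on a single LAN interface.
SAMPLE_ARP = """\
? (192.168.10.5) at 00:11:22:33:44:55 on em1 expires in 1190 seconds [ethernet]
? (192.168.20.7) at 00:11:22:33:44:66 on em1 expires in 1180 seconds [ethernet]
? (192.168.30.9) at 00:11:22:33:44:77 on em1 expires in 1175 seconds [ethernet]
? (192.168.20.50) at 00:11:22:33:44:77 on em1 expires in 1170 seconds [ethernet]
? (192.168.99.1) at 00:11:22:33:44:88 on em1 expires in 1160 seconds [ethernet]
? (192.168.10.1) at 00:11:22:33:44:aa on em1 permanent [ethernet]
"""

# Matches the "(ip) at mac on iface" core of each line; the expiry tail is ignored.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)", re.I
)


def parse_arp(text):
    """Return a list of (mac, ip, iface) tuples from arp -an style text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append(
                (m.group("mac").lower(), ipaddress.ip_address(m.group("ip")), m.group("iface"))
            )
    return entries


def group_of(ip):
    """Name of the planned subnet containing ip, or None if it is outside all of them."""
    for name, net in PLANNED_SUBNETS.items():
        if ip in net:
            return name
    return None


def find_violations(entries):
    """Flag MACs that show up in more than one planned subnet, and IPs in no planned subnet.

    A MAC with addresses in two subnets on the same segment is exactly the aliasing
    case the reply describes: that host reaches both subnets without traversing pfSense.
    """
    groups_by_mac = defaultdict(set)
    unplanned = []
    for mac, ip, _iface in entries:
        g = group_of(ip)
        if g is None:
            unplanned.append((mac, str(ip)))
        else:
            groups_by_mac[mac].add(g)
    multi = {mac: sorted(gs) for mac, gs in groups_by_mac.items() if len(gs) > 1}
    return {"multi_subnet_macs": multi, "unplanned_ips": unplanned}


if __name__ == "__main__":
    for key, value in find_violations(parse_arp(SAMPLE_ARP)).items():
        print(key, value)
```

This only sees what the firewall's ARP cache happens to hold and only after the fact; it cannot stop the hosts talking to each other, which is why the reply's conclusion stands: a separate VLAN per group is the fix, detection on the shared segment is at best a smoke alarm.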
-
Hi,
The client is OK with that. Users are not given admin rights to the PCs/registry and hence can't change the IPs.
MAC IDs for each PC are also in place.
Believe it or not, they have been running this setup for the past 3 years without any issues.
Regards,
Raja
-
OK. Good luck.
-
;D
-
Derelict - Are you saying that putting the 3 switches in 3 separate VLANs will not work for isolating them from each other?
-
No. That absolutely will, providing one doesn't want different VLANs on the same unmanaged edge switch.
Nothing wrong with the attached config if you can tolerate unmanaged switches in your network.
-
Cool - You scared me for a minute. Occasionally my thinking gets a correction here…
Last time I thought I knew something absolutely for sure, I ended up getting punked by CMB. haha.
I'm not sure why OP is so opposed to VLANs, but what he said about the client computers being locked down gave me this idea: assuming he is correct and the network is PHYSICALLY secure, no one can plug/unplug things and the machines are truly secured and no config changes can be made, he could just control what can and cannot be accessed on each client machine's firewall. Seems to me the only other way to do it, other than running 3 separate LAN NICs or VLANs.
I wouldn't recommend that though.
-
VLANs are far easier than maintaining the necessary MAC address lists. And since MACs can be easily spoofed, far more effective.
US$500 gets managed switches all around (cheap ones, but light years better than the proposed hack).
Dude doesn't want to listen and that's fine with me. I'm not the one on call when it blows up.
-
Even at $500 he would be doing himself a favor.
But seriously, for $30 to $50 he could get a VERY nice used managed gigabit switch with a ton of ports from someone on ebay who is upgrading to 10GB…
You think I make a habit of buying all new hardware? I'd be broke... I have stuff everywhere.
(I buy hardware for people with the condition to run my services on their bandwidth)
-
Hi,
MACs can be spoofed. Even VLANs are not secure. A determined person can still plug into a VLAN port and gain access to the VLAN. But I am not going into this now. And it's hard for me to convince my client to buy additional hardware. He has been living with this network for years.
If my configuration will work, why is it that I have problems when configuring gateway groups (load balancing) in pfSense? Is this a known issue with pfSense? Whenever I configure gateway groups, the first hop always goes to the WAN router instead of my pfSense router. I believe it should be a simple routing issue. Not sure how to fix this. I am just new to pfSense.
Regards,
Raja
-
You don't run multiple layer 3 over the same layer 2. You do not do this, this is wrong. I don't care what the client says. Why do they even think it is possible?? Let them set up their own network then. I wouldn't have anything to do with this. If they are so freaking cheap they won't spend pennies to get the correct hardware, they sure as hell cannot be paying you anything worth doing something this wrong!!
-
Is this a known issue with pfSense? Whenever I configure gateway groups, the first hop always goes to the WAN router instead of my pfSense router. I believe it should be a simple routing issue. Not sure how to fix this. I am just new to pfSense.
No. It's a known issue with hokey, broken network design. All sorts of wacky crap will happen. Expect it.
-
Even VLANs are not secure. A determined person can still plug into a VLAN port and gain access to the VLAN.
Umm, yes. Plug into an enabled port on the VLAN and you're on the VLAN. That's sort of the point. Controlling such access is a completely separate problem, which might be solved using 802.1x if that's what you're worried about. You'd need managed switches though. ;)
If you're talking about VLAN hopping I'll need to see an example with modern gear to believe it's still a viable hack.
-
No. It's a known issue with hokey, broken network design. All sorts of wacky crap will happen. Expect it.
Oh that made my morning!! Always good to start the day with a laugh!! ;) heheeheheh
-
Hello Derelict,
I agree that it may not be a standard way. But still, when a feature is there, why not exploit it?
Look at the advantage it has... You don't need additional switches and additional NICs for subnets.
Regards,
Raja
-
That's not a feature, it's an undefined configuration that is highly recommended against. Kind of like people using the highest or lowest IP address of a subnet. It can work in some setups, but expect strange stuff to happen.