Routing between multiple Subnets, one LAN Interface

brigzzy

Hello All,

My apologies if this is a stupid question, I couldn't find the answer searching Google or the forums…

I have pfSense as my core router, with 2 interfaces, LAN and WAN.  From the LAN Interface, the connection goes through an unmanaged switch to the rest of my network.  My goal is to have my DHCP clients on one subnet, Desktops on another, and Servers on a third, with the ability route between them.  I'm not really concerned with security right now, as this is just a home network, I'm just curious about learning how you route between subnets.

I've set a virtual IP for my server subnet, and created a static route from one subnet to another, but I cannot ping hosts on either side from the opposite side.

Can anyone offer any suggestions?  Is what I'm asking even possible, or do I need to be thinking about this differently?

Thanks for the input!

Derelict

You can't do that (basic IP networking, not a pfSense limitation).

You need multiple interfaces into multiple switches, one for each subnet, or a managed/smart switch and VLANs.

brigzzy

Understood, thank you very much for confirming that :)

I guess my next big purchase will be a Layer 3 switch.

Cheers!

Derelict

You don't need a layer 3 switch. In fact if you plan on firewalling between the segments it will be a waste of money.

http://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I

johnpoz

^ yeah you don't need a L3 switch to do vlans.. You just need L2, which as derelict can be had very reasonable priced these days..

KyferEz

@Derelict:

You can't do that (basic IP networking, not a pfSense limitation).

You need multiple interfaces into multiple switches, one for each subnet, or a managed/smart switch and VLANs.

This is just wrong. It's certainly not best practice to have multiple subnets on a single network segment, and isn't secure, but you can accomplish it and there are reasons for doing it. First and foremost is a lab. Next is where you are migrating physical equipment to a different class of IPs - remotely. And finally is when you have multiple VMs and cannot have multiple physical (or Virtual) networks because you don't manage the virtual switches (as in some cloud providers).

Edit: The only potential problem is certain services, like DHCP. You can only have DHCP on one Subnet.

The last one is what I'm dealing with, in a lab environment. So I do have multiple subnets inside a single VLAN all being routed. I couldn't use pfSense because it is not flexible enough to do it with how subnets are attached to interfaces - I used a NetScaler.

johnpoz

Sorry KyferEZ but Derelict was not wrong - he was right on the money!  If you do not have a switch that supports vlans, then you can create your networks with physical isolation, ie different interfaces with different dumb switches for each network.

Nowhere did he ever suggest to run more than 1 layer 3 on the same layer 2.

"So I do have multiple subnets inside a single VLAN all being routed."

This utterly BORKED!!  So you are running multiple layer 3 on the same layer 2 = BORKED!!!

"but you can accomplish it and there are reasons for doing it"

While you can accomplish it - there would never be a good reason for doing it..  While a migration to a new IP scheme might be somewhat valid - it would be very short lived migration, should only be minutes in such an endeavor.

KyferEz

@johnpoz:

Sorry KyferEZ but Derelict was not wrong - he was right on the money!  If you do not have a switch that supports vlans, then you can create your networks with physical isolation, ie different interfaces with different dumb switches for each network.

Nowhere did he ever suggest to run more than 1 layer 3 on the same layer 2.

"So I do have multiple subnets inside a single VLAN all being routed."

This utterly BORKED!!  So you are running multiple layer 3 on the same layer 2 = BORKED!!!

"but you can accomplish it and there are reasons for doing it"

While you can accomplish it - there would never be a good reason for doing it..  While a migration to a new IP scheme might be somewhat valid - it would be very short lived migration, should only be minutes in such an endeavor.

That was the original question… Multiple subnets on the same layer 2. Seems like you have never managed anything bigger than a /24 either, judging from the "minutes in such an endeavor" comment - any actual network engineer knows a big IP migration can take a lot longer dealing with all the physical devices, routes, etc, etc. Clients I work with have international networks and are well-known publicly traded companies.

I don't disagree it's bad design. That is not the question. The question is "is it possible" and I would further that with "Is there any reason it can't be done". Answers are yes it's possible and no, there is no reason it can't be done if your equipment allows it (enterprise grade equipment does). Ask anyone who manages a large scale Enterprise equipment for massive corporate environments. It's possible, and it will work. And people often do it by accident because they configure their equipment wrong. I certainly agree it's bad design for production. I'd counter it's perfectly acceptable for a lab.

Further, reference this Cisco discussion: https://supportforums.cisco.com/discussion/10885136/single-vlan-can-support-multiple-subnets

johnpoz

Oh you caught me never nothing bigger than a /24.. <rolleyes>Been managing global networks for years.. Actually mange a /16 with Arin - but sure just small networks for me ;)  I have personally migrated large plant networks with 1000's of nodes to new networks.. Not once have needed to run multiple layer 3 on the same layer 2.. Now if you had lots of static devices on a network that had to each be touched - ok might take you more than a few minutes.. But would be your own fault or the guy before you not thinking ahead to have large amounts of devices with statics in the first place.

While it is "possible" suggesting it to new user even in a LAB is just Borked plain and simple..  There is ZERO reason to ever do this other then the time needed to migrate, which is planned correctly should be very short amount of time..  Minutes if done correctly!!

Not in the smallest of labs or the smallest of home networks just starting out is this ever a good idea!  Production, not production, lab - whatever this is just plain Borked.. Period!

BTW - are you having fun smiting me every time you login?  Seems odd my count just went up again, minutes if not exactly when you logged into the forum..</rolleyes>

KyferEz

@johnpoz:

Oh you caught me never nothing bigger than a /24.. <rolleyes>Been managing global networks for years.. Actually mange a /16 with Arin - but sure just small networks for me ;)  I have personally migrated large plant networks with 1000's of nodes to new networks.. Not once have needed to run multiple layer 3 on the same layer 2.. Now if you had lots of static devices on a network that had to each be touched - ok might take you more than a few minutes.. But would be your own fault or the guy before you not thinking ahead to have large amounts of devices with statics in the first place.

While it is "possible" suggesting it to new user even in a LAB is just Borked plain and simple..  There is ZERO reason to ever do this other then the time needed to migrate, which is planned correctly should be very short amount of time..  Minutes if done correctly!!

Not in the smallest of labs or the smallest of home networks just starting out is this ever a good idea!  Production, not production, lab - whatever this is just plain Borked.. Period!

BTW - are you having fun smiting me every time you login?  Seems odd my count just went up again, minutes if not exactly when you logged into the forum..</rolleyes>

You are being a bit forceful and nasty in how you reply.

Whatever. Yawn. Agree to disagree.