Subnetting theory for added security



  • I'm trying to build as much security as possible into a public wireless segment. I've got some ports/services blocked, layer 7 filtering etc. What I'm trying to prevent is a device scanning its subnet and trying to attack them all. Is there no way to define this network as 192.168.88.1/23 and then have DHCP hand out many /31 leases within that subnet? i.e. many gateways within that subnet that could just be aliases for 192.168.88.1? So I might get a lease of 192.168.88.3/31 with .2 as my gateway and .4 as the broadcast, the next device gets .6, with .5 as the gateway and .7 broadcast? That way any device that could be infected would think there's no other devices in its subnet?

    I know there are so many attack vectors, the thought is keep your area subject to attack small. What do you think?
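The subnet arithmetic behind the question, as an added worked example (not code from the original post or from Netgate): it carves the 192.168.88.0/23 pool into /31 point-to-point links, gateway alias on the even address and client on the odd one, and then compares how many addresses a client considers on-link (directly ARP-able) under a /23 lease versus a /31 lease. Strict RFC 3021 /31 arithmetic is assumed, so each link holds exactly two addresses and there is no separate broadcast address; the first pair (.0/.1) is reserved for the router's real address, so the first client lease is .3 with .2 as its gateway, as in the post.

```python
import ipaddress

# Constructed example pool matching the post: 192.168.88.0/23
POOL = ipaddress.ip_network("192.168.88.0/23")


def carve_p2p_links(pool, reserve_first=1):
    """Split `pool` into /31 links, one per client (RFC 3021 style).

    Returns a list of (link, gateway, client) tuples. The even address of
    each /31 is the gateway alias, the odd address is the client lease.
    The first `reserve_first` links are held back for the router itself.
    """
    links = []
    for link in pool.subnets(new_prefix=31):
        gateway, client = list(link)  # a /31 iterates to exactly two addresses
        links.append((link, gateway, client))
    return links[reserve_first:]


def on_link_neighbors(client_ip, prefix_len):
    """How many *other* host addresses a client treats as directly reachable
    when its lease carries `prefix_len`. A /31 or /32 has no network or
    broadcast address, so every address in it is usable."""
    net = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    usable = net.num_addresses if prefix_len >= 31 else net.num_addresses - 2
    return usable - 1  # exclude the client's own address


def shares_link(ip_a, ip_b, prefix_len):
    """True when two clients with `prefix_len` leases would consider each
    other on-link (same derived subnet) rather than routing via the gateway."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix_len}").network
    return net_a == net_b


if __name__ == "__main__":
    links = carve_p2p_links(POOL)
    print(f"{len(links)} client links available from {POOL}")
    for link, gw, client in links[:3]:
        print(f"  {link}: gateway {gw}, client {client}")
    print("on-link neighbours with a /23 lease:", on_link_neighbors("192.168.88.3", 23))
    print("on-link neighbours with a /31 lease:", on_link_neighbors("192.168.88.3", 31))
    print(".3 and .5 on-link to each other under /31?",
          shares_link("192.168.88.3", "192.168.88.5", 31))
```

What the numbers show: a /23 lease leaves 509 other addresses on-link, while a /31 lease leaves exactly one, the gateway alias. The caveat is that this only shapes the client's own routing table; frames from every client still land on the same layer 2 segment and the same router, so a client that ignores its lease (static address, raw sockets) sees the whole segment regardless. That is why the replies point at the switch and AP (private VLAN, client isolation) as the place where the separation actually has to be enforced.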


  • LAYER 8 Netgate

    DHCPv4, to my knowledge, cannot issue a subnet.

    What you want is private VLAN/private VLAN edge coupled with isolation among wireless clients done in the APs.

    Your switching layer prevents traffic from one AP to another and the APs prevent traffic among wireless clients associated with that AP.

    Everyone connecting to public wireless should be wearing their own condom anyway.



  • Just enable the AP isolation feature on your AP… done.


  • LAYER 8 Netgate

    Yeah, that works for one AP.

