DHCP for virtual IP/LAN
-
Hi,
I will be using VLANs for the following as soon as possible but due to the missing WLAN Multi-SSID equipment I wanted to at least assign some devices an IP address of a secondary range and deny traffic between this net and other things on the net. Yes I am aware that without VLAN a hacked device would be able to still access the primary IP range and this is security by obscurity only.
I set up a virtual IP alias on the LAN and got everything working. Then I wanted to create a DHCP lease so that the devices in question would get a range of this secondary net, which was denied with the error that the DHCP lease IP has to be within the LAN network (which it is not). Any idea? Is this possible at all? Or would I have to create a virtual interface (and if so, how?)?
Regards,
JP -
Firewalling between VLANs on pfSense is just like firewalling between different interfaces. To the router, a VLAN interface is a separate interface.
You really can't do what you want to do with virtual IP addresses on one interface. Routing between the "subnets" is hokey because you need to ask the router to route traffic back out the interface it arrived into.
Even more difficult is DHCP. Even if you do add a second IP subnet to an interface, it is still the same broadcast domain so your DHCP clients won't be able to tell which DHCP server they should be listening to and the DHCP servers won't be able to tell which DHCP server the client wants to talk to. Can't be done on one broadcast domain.
You only have one local interface on the router? No managed switch? Where were you planning on connecting the wireless gear?
-
Firewalling between VLANs on pfSense is just like firewalling between different interfaces. To the router, a VLAN interface is a separate interface.
I am well aware. However I currently do not have VLANs as stated since my WLAN infrastructure is not multi-ssid capable and it would not give me benefits.
You really can't do what you want to do with virtual IP addresses on one interface. Routing between the "subnets" is hokey because you need to ask the router to route traffic back out the interface it arrived into.
Which would be the same with VLANs just on a different OSI layer. :-) I do not even want to route between them. And even if it would work, that was not the point.
Even more difficult is DHCP. Even if you do add a second IP subnet to an interface, it is still the same broadcast domain so your DHCP clients won't be able to tell which DHCP server they should be listening to and the DHCP servers won't be able to tell which DHCP server the client wants to talk to. Can't be done on one broadcast domain.
I am well aware of that as well. I did not want to use a second DHCP server. I wanted my one DHCP server to respond with addresses of the second subnet for fixed MAC/IP mappings only. That way I could assign a "guest LAN IP" to things like IP cameras that tend to contact servers on the Internet and at least have some sort of protection should the manufacturer (or a hacker) use that connection as a back channel. The camera would then have to do more than just scan its own subnet to gain some knowledge. As I said, I am aware that the extra level of protection without a VLAN is minimal.
You only have one local interface on the router? No managed switch? Where were you planning on connecting the wireless gear?
All beside the point I am afraid. The WLAN infrastructure is currently not multi-SSID/VLAN capable. So all devices will be in the same SSID and VLAN unless I buy new gear.
Thanks though!
-
Which would be the same with VLANs just on a different OSI layer. :-)
Right - which makes it not the same thing at all.
Make another interface and test routing and firewalling between them. Anything you do with IP aliases putting multiple subnets on one interface will not be testing anything resembling what you will end up with and will pretty much be a waste of time.
If you insist, instead of mucking about with different subnets, just make static host entries in your existing DHCP server on the same subnet but put them all in something like 192.168.1.192 through .254. Then you can make firewall rules using that subnet (192.168.1.192/26) as the source and you can make the firewall allow or disallow access to anything outside you want.
Again, although I'm SURE you already know this, it'll provide no protection for same-subnet traffic. (because firewalls do not provide protection for same-subnet traffic)
The pfSense DHCP server is capable but it cannot be configured to hand out addresses in subnets outside the interface subnet. If you want to do that, you'll need to use a different DHCP server.
If I was really that worried about the security of these devices, I would take them off my network and wait for the proper gear to arrive instead of ham-fisting some unsound unsolution.
-
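The "static mappings in a sub-range plus a firewall rule with that range as source" approach from the post above, and the caveat that the firewall never sees same-subnet traffic, can be checked with a small script. This is an added example, not code from the thread or from pfSense; the LAN subnet 192.168.1.0/24, the camera range 192.168.1.192/26, the MAC addresses and the rule text are all constructed for illustration.

```python
import ipaddress

# Constructed example values: the LAN is a flat /24 and the semi-trusted
# devices (cameras) get static DHCP mappings inside the top /26 of it.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CAMERA_RANGE = ipaddress.ip_network("192.168.1.192/26")
# Private ranges that exist behind the router (other interfaces, VPN nets, ...)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_camera_range(ip: str) -> bool:
    """True if the address falls inside the CIDR used as firewall rule source."""
    return ipaddress.ip_address(ip) in CAMERA_RANGE


def check_static_mappings(mappings: dict) -> list:
    """Return the MACs whose static IP is outside the camera range.

    mappings: {"mac": "ip"} as you would enter them in the DHCP server.
    An address outside LAN_NET would be rejected by the DHCP server anyway,
    so it is reported as well.
    """
    bad = []
    for mac, ip in mappings.items():
        addr = ipaddress.ip_address(ip)
        if addr not in LAN_NET or addr not in CAMERA_RANGE:
            bad.append(mac)
    return bad


def classify_flow(src: str, dst: str) -> str:
    """Where a packet from src to dst ends up under this design.

    'same-subnet': both ends are on the LAN /24, so the packet is switched
                   at layer 2 and never reaches the router; no rule applies.
    'blocked':     camera talking to another private network through the
                   router; matched by the block rule.
    'allowed':     everything else routed through the LAN interface,
                   e.g. camera to the Internet.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s in LAN_NET and d in LAN_NET:
        return "same-subnet"
    if s in CAMERA_RANGE and any(d in n for n in RFC1918):
        return "blocked"
    return "allowed"


def pf_rules(lan_if: str = "lan") -> list:
    """Illustrative pf-style rules for the LAN interface (text only, not applied).

    pfSense generates its own pf ruleset from the GUI; these lines only show
    the intent: block camera range -> private nets, then pass camera range -> any.
    """
    nets = " ".join(str(n) for n in RFC1918)
    return [
        f"table <rfc1918> {{ {nets} }}",
        f"block in quick on {lan_if} from {CAMERA_RANGE} to <rfc1918>",
        f"pass in quick on {lan_if} from {CAMERA_RANGE} to any",
    ]


if __name__ == "__main__":
    # Constructed static mappings: one camera correctly placed, one not.
    mappings = {"aa:bb:cc:dd:ee:01": "192.168.1.200", "aa:bb:cc:dd:ee:02": "192.168.1.50"}
    print("mappings outside camera range:", check_static_mappings(mappings))
    for dst in ("192.168.1.10", "10.0.0.5", "203.0.113.7"):
        print(f"192.168.1.200 -> {dst}: {classify_flow('192.168.1.200', dst)}")
    print("\n".join(pf_rules()))
```

Note that the clients keep their /24 mask; 192.168.1.192/26 is only a CIDR match for the rule source and covers .192 through .255. The `same-subnet` result is the point of the reply above: a camera at .200 reaching a PC at .10 never touches pfSense, so no rule on the LAN interface can block it.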
Which would be the same with VLANs just on a different OSI layer. :-)
Right - which makes it not the same thing at all.
Not in every sense. I was referring to "traffic passing in and out the same interface".
If you insist, instead of mucking about with different subnets, just make static host entries in your existing DHCP server on the same subnet but put them all in something like 192.168.1.192 through .254. Then you can make firewall rules using that subnet (192.168.1.192/26) as the source and you can make the firewall allow or disallow access to anything outside you want.
I am fine with the devices' outbound traffic. I wanted to have at least some control over the traffic these devices then try to have with my other LAN devices.
The pfSense DHCP server is capable but it cannot be configured to hand out addresses in subnets outside the interface subnet. If you want to do that, you'll need to use a different DHCP server.
That's what I suspected and was the answer to the original (or at least underlying) question. Thanks.
If I was really that worried about the security of these devices, I would take them off my network and wait for the proper gear to arrive instead of ham-fisting some unsound unsolution.
I was just throwing out UniFi due to their terrible 802.11ac support (unstable, no DFS) and found a nice Asus AP as a temporary device. Still looking for an affordable 802.11ac solution I can run with 2-3 APs (size of the house requires it) and multi VLAN/SSID support.
Thanks.
-
Not in every sense. I was referring to "traffic passing in and out the same interface".
But in the sense that matters, which is the router's view of the network, yes. Two VLANs is two interfaces as far as it is concerned. Multiple DHCP servers, different subnets, routing in one and out the other, no problem.
-
So you want to run different layer 3 networks on the same layer 2? Yeah that is BROKEN, Period… Nobody in their right mind should even think of doing such a thing.. Especially someone that is an admin or network guy.
If you want multiple layer 3 networks, then use different physical interfaces for your layer 2, or get a switch and AP that support vlans. Depending on your existing hardware for your access points, running 3rd party firmware may allow for vlans. Or better yet get a real access point that does. You can get the new unifi ac lite for under $90.. So very budget friendly.
As to vlan switches, they can be had very cheap as well depending on the feature set and port density.. For home use you can get an 8 port gig vlan supported switch for like $40.. Shoot I just got a netgear one for $30.. It's not all that smart, but it's smart enough to do vlans..
There really is no excuse for trying to do what you're doing.. None..
-
Wow. That's what I call friendly. So I am out of my mind and do not know what I am doing. Strong statement considering you do not know me, my experience, my home infrastructure or what exactly I am doing or why. But thanks anyway.
My switches are all VLAN capable. Thanks for pointing that out though.
And I might be thinking about the new ACs once they finally support DFS in Europe/Germany.
And no, there is no third party firmware for this ASUS router but again, why have I not thought about that.
Sorry for sounding annoyed. I just fail to understand why you make these statements. And especially after the underlying question was already answered. But thanks for trying to help.
-
Just pointing out what is clearly nonsense… Thinking to run multiple layer 3 on the same layer 2 is BROKEN.. Why would you even think of doing such a thing if you're so experienced and have switches that support vlans??
If your AP does not support vlans, then connect it to a switch port that has a vlan on it and there you go, your wifi is on a specific network different from your other vlans.
DFS for EU has been supported on unifi for some time.. Pretty sure it was enabled in the controller back in 4.9.1 that was released back in early feb for the Gen 2 devices..
http://community.ubnt.com/t5/UniFi-Beta-Blog/UniFi-4-9-1-alpha-is-released-for-testing/ba-p/1476425
[UAPG2] Enable DFS for approved countries (US/CA Not approved yet)
I know they also enabled it if you're just using the ios/android app to manage your AP as well..
Unlike the US when who knows when it will be enabled.. Freaking FCC ;)
-
Just pointing out what is clearly nonsense… Thinking to run multiple layer 3 on the same layer 2 is BROKEN.. Why would you even think of doing such a thing if you're so experienced and have switches that support vlans??
If your AP does not support vlans, then connect it to a switch port that has a vlan on it and there you go, your wifi is on a specific network different from your other vlans.
Because I need my main AP infrastructure to serve my normal LAN and not this particular "LAN". Otherwise I would have done this. There are reasons for doing this (assuming you cannot use Multi-VLAN/Multi-SSID) even though it is not perfect and you might not be able to see these reasons. I appreciate the security concerns you are raising which is why I pointed this out in the very first post I believe. Still no reason to offend me. I am well aware of the cons of such a solution. And "nonsense" might just not be correct in every circumstance. I accept it appears to be nonsense to you.
To answer your question: I can either have a webcam connected to the ONE AND ONLY WLAN SSID IN THE HOUSE within my normal LAN address space, so if it is hacked or the manufacturer is "not trusted" and uses the outbound connection this webcam might make (in order to operate as announced) it can see all other devices. Or I can at least try to make it a tiny bit harder and put it into a different address space. Can it still do damage? Of course it can. But instead of doing a broadcast ping it would have to do a bit more, which hopefully would be a bit harder through the firmware.
If a burglar comes to your house and is not able to break the window in 1 minute it is very likely he/she will go to your neighbour's house. Would he/she be able to break the window in let's say 5 minutes? Sure!
DFS for EU has been supported on unifi for some time.. Pretty sure it was enabled in the controller back in 4.9.1 that was released back in early feb for the Gen 2 devices..
http://community.ubnt.com/t5/UniFi-Beta-Blog/UniFi-4-9-1-alpha-is-released-for-testing/ba-p/1476425
[UAPG2] Enable DFS for approved countries (US/CA Not approved yet)
I had seen references to this but no one stating that it actually works. After buying the old ACs and waiting for this to work for many months just to understand they will never implement it and I have to buy new equipment made me extra cautious. Will order a sample and see for myself.
Thanks for the information you provided. I suggest we agree to disagree on the "nonsense" part and leave it be.
Regards,
JP -
You can come up with all the excuses you want.. Sorry but running multiple layer 3 on the same layer 2 is just plain Broken no matter how many excuses you come up with to try and justify it plain and simple.
http://community.ubnt.com/t5/UniFi-Wireless/UAP-PRO-and-DFS-Channels/td-p/1502217
Just to confirm that updating the controller to 4.9.1 and the firmware on the radios, DFS channels are working flawlessly on AC-LITE.
I can not actually confirm this since in the US with US hardware, etc. But there are many a post of DFS working in different countries in the EU.. Might be some problems for like Switzerland?? Pretty sure seen confirmation from UK and DE, etc that they have it working.
I would for sure grab yourself one and give it a test run. If not working for your part of the EU, it should be very soon.. US and CA seem to be the unwanted step children in this rollout..
As to the old versions not supporting stuff. Yeah sometimes that happens, I wasn't too happy about a $300 ACv2 I bought not doing ATF and band steering, etc.. not sure it will ever be? So I sold it to someone here on pfsense for $75.. I believe it was a good deal for both of us. It offset the cost of a new AC pro to go along with my LR and Lite. Which the purchase and use and discussion about on the forum got me on the testing list of the new AC line and they sent me a free LR and Lite.. So taking that into account, and then the $75 back, and the use of it while I had it, etc. Still pretty happy with the unifi stuff.. And while they do quite often state features that are not quite prime time ready yet, etc. Overall I think for the pricepoint and actual quality of the products I am very happy with them.. They for sure blow away any sort of soho wifi router used as an AP ;)