Re: [pfSense Support] how to manage 2 subnets for LAN ?
Am 21.11.2010 03:01, schrieb Chris Buechler: A broadcast domain is the layer 2 segregation of the network. If you're not using VLANs, and have one switch, you have one broadcast domain. The broadcast address is different, but those broadcasts all go to every device. In the case of buggy phone firmware maybe they don't listen to the broadcast address on other subnets, but they're still receiving those broadcasts and still on the same broadcast domain. http://en.wikipedia.org/wiki/Broadcast_domain Ah, yes, that's right. Technically spoken, of course all ethernet packages that go through the wire will hit the NICs of the devices connected to the wire (that's L2). But the logic (= firmware, IP stack) of the device will only answer those broadcasts that belong to the L3 subnet the NIC is member of. In my case the problem is really the answering of the phones to the Windows broadcasts which results in a slow responiveness of the phone user interface. Regards Karsten -- Karsten Becker Head of Information Technology Ecologic Institute Berlin - Brussels - Vienna - Washington DC Pfalzburger Strasse 43/44 | 10717 Berlin | Germany Tel. +49 (30) 86880-0 | Fax +49 (30) 86880-100 http://www.ecologic.eu/ | http://www.ecologic-events.eu/ Ecologic Institute publishes a monthly newsletter. To subscribe, please register at: http://www.ecologic.eu/subscribe.htm - - - Ecologic Institut gemeinnuetzige GmbH GF/Director: R. Andreas Kraemer | AG Charlottenburg HRB 57947 | USt/VAT-IdNr. DE811963464 'Ecologic' is a Trade Mark (TM) of Ecologic Institut gemeinnuetzige GmbH, Berlin. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
hi, just my simple idea, not sure if it fits perfectly. setup the interface on the firewall to 192.168.0.0/23 p.e. if-address 192.168.0.1 add a second virtual IP (carp) to the Lan IF 192.168.1.1 ( as gateway address for the second /24 ) add certain rules for it if neccessary. TROUBLESHOOTING: for checking if you have trouble with fw rules log in to the shell per ssh, press 8 and type in tcpdump -ni pflog0 ( not 100% sure if i remember right) fits to 192.168.0.0/24 and 192.168.1.0/24 clients can still use /24 as subnetmask use ipcalc for calculating the right numbers where should be fitting to your purposes if i remember well you cannot use 192.168.1.1 as starting net, thats against the subnetting rules of tcp-ip ( masking with a bitmask leads to 192.168.0.0/23) NO GO: DHCP in that interfaces with splitted solution for both /24 speak: dhcpd cannot easy differ to what /24 range he should give asked addresses ( wlan/wired will result in same addressrange than) everything beside that needs more setup e.g. putting mac-addresses in the DHCP-config. hth greetings michael -- = = = http://michael-schuh.net/ = = = Projektmanagement - IT-Consulting - Professional Services IT Michael Schuh Postfach 10 21 52 66021 Saarbrücken phone: 0681/8319664 mobil: 0175/5616453 @: m i c h a e l . s c h u h @ g m a i l . c o m = = = Ust-ID: DE251072318 = = = - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
Le Fri, 19 Nov 2010 15:58:35 -0800 (PST), Gé Weijers g...@weijers.org a écrit : We'd like to separate IPs of bacbone antennas from client ones, for example 192.168.1.0/24 for antennas and 192.168.2.0/24 for people. How this could be done ? [...] I hope you realize that your customers can manually switch subnets on their end and talk directly to the management ports on your wireless accesspoints in the multiple subnet scenario. Yes, but in our current network, they are in the same net, so it's even easier for them ! The nice thing about using VLANs is that the traffic has to go through the router to get to the management network, which firewall rules can prevent. If you use two subnets on one interface you do not get to filter the traffic if someone wants to mess with your AP. I never used VLAN yet, so I'm a bit confused about that solution, even after the nice PfSense book ;-P And I have to look in our old Cisco antenna's documentation is VLAN is supported… Fred. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 11/20/2010 09:04 PM, Frédéric Boiteux wrote: I'm not sure to understand well : in the case I gave, 192.168.1.0/24 and 192.168.2.0/24, the two nets don't share the same broadcast domain (192.168.1.255 and 192.168.2.255), isn't it ? Fred. I'm also in doubt. Because your example is exactly why I see the need to have two subnets on the same interface. I have one subnet for VoIP phones and one for computers, just to have the f*cking broadcasting from Windows not bailing onto my phones which makes them slow and #+?1-up the speech quality. So I need to have both subnets on the FW interface to reach both the internet. Regards Karsten - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 10-11-20 08:25 PM, Karsten Becker wrote: On 11/20/2010 09:04 PM, Frédéric Boiteux wrote: I'm not sure to understand well : in the case I gave, 192.168.1.0/24 and 192.168.2.0/24, the two nets don't share the same broadcast domain (192.168.1.255 and 192.168.2.255), isn't it ? Fred. I'm also in doubt. Because your example is exactly why I see the need to have two subnets on the same interface. I have one subnet for VoIP phones and one for computers, just to have the f*cking broadcasting from Windows not bailing onto my phones which makes them slow and #+?1-up the speech quality. So I need to have both subnets on the FW interface to reach both the internet. Regards Karsten Regardless of number of subnets and their masks you configure on *one* physical interface they all belong to one L2 broadcast domain. Thus any broadcast packet generated by any host from any subnet will be received by all hosts connected to this segment. Let's put it this way - your L3 broadcast segment differs from your L2 segment in this case which does not prevent broadcast packets to hit all machines. Evgeny. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
2010/11/20 Karsten Becker karsten.bec...@ecologic.eu: On 11/20/2010 09:04 PM, Frédéric Boiteux wrote: I'm not sure to understand well : in the case I gave, 192.168.1.0/24 and 192.168.2.0/24, the two nets don't share the same broadcast domain (192.168.1.255 and 192.168.2.255), isn't it ? I'm also in doubt. Because your example is exactly why I see the need to have two subnets on the same interface. I have one subnet for VoIP phones and one for computers, just to have the f*cking broadcasting from Windows not bailing onto my phones which makes them slow and #+?1-up the speech quality. So I need to have both subnets on the FW interface to reach both the internet. A broadcast domain is the layer 2 segregation of the network. If you're not using VLANs, and have one switch, you have one broadcast domain. The broadcast address is different, but those broadcasts all go to every device. In the case of buggy phone firmware maybe they don't listen to the broadcast address on other subnets, but they're still receiving those broadcasts and still on the same broadcast domain. http://en.wikipedia.org/wiki/Broadcast_domain - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
I use Engenius equipment quite often. They support a management interface and up to 4 SSIDs all controlled with VLAN tagging. --Original Message-- From: Fred Boiteux To: support@pfsense.com ReplyTo: support@pfsense.com Subject: Re: [pfSense Support] how to manage 2 subnets for LAN ? Sent: Nov 18, 2010 2:39 PM Le Thu, 18 Nov 2010 14:10:18 +0100, Seth Mos seth@dds.nl a écrit : Hi, As we use an Alix 2d3 board with 3 ethernet interfaces, there is one free at now : could we use this OPT interface to manage backbone network, with an address in its subnet 192.168.1.0/24, and put an address from 192.168.2.0/24 subnet on the LAN interface to serve clients, provided these two LAN and OPT will be connected through a switch to the first antenna of the backbone where all traffic is passing ? I think you want a managed switch that has vlan support. You can then use the 3rd port on the alix for connecting all the vlans. The different LAN subnets' trafic aren't VLAN tagged, and all traffic comes from one Ethernet port (from the nearest antenna), so I don't understand how VLAN could be used there ? Fred. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org -- Kevin Tollison Sent from my Blackberry
Re: [pfSense Support] how to manage 2 subnets for LAN ?
I do this all the time and using a separate nic is simpler and easier to manage than an alias. Unless I am missing something, a vlan for this case is overkill. -- Richard On Thu, Nov 18, 2010 at 4:13 PM, David Burgess apt@gmail.com wrote: On Thu, Nov 18, 2010 at 3:51 PM, fi...@7technw.com fi...@7technw.com wrote: Another easy solution is to just add another nic. Not an option in this case. The OP described a wireless network where the client subnet and management subnet exist on the same physical network. You can't change that in this case, so your two options are to separate them virtually (vlans) or just run them on the same physical network. Yes, he could use another NIC and plug it into a switch along with the first NIC and the wireless network, but this still doesn't separate the two networks, and is no better than creating an alias on the existing NIC. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 2010-11-19 9:56 AM, Richard Amerman fi...@7technw.com wrote: I do this all the time and using a separate nic is simpler and easier to manage than an alias. Unless I am missing something, a vlan for this case is overkill. I discussed this with the m0n0wall list back in '07 where cmb and others essentially said that it's a bad idea to run 2 subnets on a physical network, mostly for security reasons, I think. Given the option I would do the vlan thing, just for the added layer separating the hostile users from my stuff. db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
When there is a good use-case I completely agree with you, and it is probably my fault for not remembering that his traffic probably needed to be kept more separate. In many cases it is completely a non issue. In most of the cases I use this method it is all within a single internal organization so no risk at all. -- Richard On Fri, Nov 19, 2010 at 10:14 AM, David Burgess apt@gmail.com wrote: On 2010-11-19 9:56 AM, Richard Amerman fi...@7technw.com wrote: I do this all the time and using a separate nic is simpler and easier to manage than an alias. Unless I am missing something, a vlan for this case is overkill. I discussed this with the m0n0wall list back in '07 where cmb and others essentially said that it's a bad idea to run 2 subnets on a physical network, mostly for security reasons, I think. Given the option I would do the vlan thing, just for the added layer separating the hostile users from my stuff. db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
Hi, Le Thu, 18 Nov 2010 15:16:24 -0700, David Burgess apt@gmail.com a écrit : In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to supress arp errors in the logs. I saw the http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf but I was doubtful about how well it's supported in PfSense :-/ vlans are still the preferred method if your radios support it. What brand are you using? We have a mix of old and newer hardware, from Cisco, Linksys (WRT54GL), and trying also Ubiquity. I'm not sure all these wifi routers can manage VLAN, but I'll look at this. I was thinking about the other solution, pluging another nic of the Pfsense (Alix) on the same wire (with a switch) and allocating each nic a different subnet. Many thanks to all people for suggestions and feedback, Fred. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Fri, Nov 19, 2010 at 4:27 PM, Fred Boiteux fblis...@free.fr wrote: I saw the http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf but I was doubtful about how well it's supported in PfSense :-/ Works fine. Generally bad network design to have multiple IP subnets on the same broadcast domain, but works. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, 18 Nov 2010, Fred Boiteux wrote: We'd like to separate IPs of bacbone antennas from client ones, for example 192.168.1.0/24 for antennas and 192.168.2.0/24 for people. How this could be done ? [...] I hope you realize that your customers can manually switch subnets on their end and talk directly to the management ports on your wireless accesspoints in the multiple subnet scenario. The nice thing about using VLANs is that the traffic has to go through the router to get to the management network, which firewall rules can prevent. If you use two subnets on one interface you do not get to filter the traffic if someone wants to mess with your AP. Ge' - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
Hi, As we use an Alix 2d3 board with 3 ethernet interfaces, there is one free at now : could we use this OPT interface to manage backbone network, with an address in its subnet 192.168.1.0/24, and put an address from 192.168.2.0/24 subnet on the LAN interface to serve clients, provided these two LAN and OPT will be connected through a switch to the first antenna of the backbone where all traffic is passing ? I think you want a managed switch that has vlan support. You can then use the 3rd port on the alix for connecting all the vlans. Regards, Seth - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
Le Thu, 18 Nov 2010 14:10:18 +0100, Seth Mos seth@dds.nl a écrit : Hi, As we use an Alix 2d3 board with 3 ethernet interfaces, there is one free at now : could we use this OPT interface to manage backbone network, with an address in its subnet 192.168.1.0/24, and put an address from 192.168.2.0/24 subnet on the LAN interface to serve clients, provided these two LAN and OPT will be connected through a switch to the first antenna of the backbone where all traffic is passing ? I think you want a managed switch that has vlan support. You can then use the 3rd port on the alix for connecting all the vlans. The different LAN subnets' trafic aren't VLAN tagged, and all traffic comes from one Ethernet port (from the nearest antenna), so I don't understand how VLAN could be used there ? Fred. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 12:39 PM, Fred Boiteux fblis...@free.fr wrote: The different LAN subnets' trafic aren't VLAN tagged, and all traffic comes from one Ethernet port (from the nearest antenna), so I don't understand how VLAN could be used there ? Most carrier-grade radios support tagging packets from the management interface, so client traffic comes through untagged and management happens on the management vlan. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] how to manage 2 subnets for LAN ?
I think the OP was referring to running two subnets concurrently on the same wire, something I often have to do for various reasons, sometimes to solve co-existence issues while renumbering a network. I have no idea how to accomplish this in pfSense; apparently I haven't had to do this since I started using pfSense! (An example is when I have a server subnet that's too small - either it was undersized to begin with or it grew beyond expectations - and I can't widen the subnet mask because I've already used the subnets above and below it elsewhere, so I have to at that point run two subnets concurrently on the same VLAN until I can get rid of all the old addresses.) -Adam -Original Message- From: David Burgess [mailto:apt@gmail.com] Sent: Thursday, November 18, 2010 13:56 To: support@pfsense.com Subject: Re: [pfSense Support] how to manage 2 subnets for LAN ? On Thu, Nov 18, 2010 at 12:39 PM, Fred Boiteux fblis...@free.fr wrote: The different LAN subnets' trafic aren't VLAN tagged, and all traffic comes from one Ethernet port (from the nearest antenna), so I don't understand how VLAN could be used there ? Most carrier-grade radios support tagging packets from the management interface, so client traffic comes through untagged and management happens on the management vlan. db --- -- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:11 PM, Adam Thompson athom...@athompso.net wrote: I think the OP was referring to running two subnets concurrently on the same wire, something I often have to do for various reasons, sometimes to solve co-existence issues while renumbering a network. I have no idea how to accomplish this in pfSense; apparently I haven't had to do this since I started using pfSense! In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to supress arp errors in the logs. vlans are still the preferred method if your radios support it. What brand are you using? db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 11/18/2010 11:16 PM, David Burgess wrote: On Thu, Nov 18, 2010 at 3:11 PM, Adam Thompson athom...@athompso.net wrote: I think the OP was referring to running two subnets concurrently on the same wire, something I often have to do for various reasons, sometimes to solve co-existence issues while renumbering a network. I have no idea how to accomplish this in pfSense; apparently I haven't had to do this since I started using pfSense! In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to supress arp errors in the logs. Read this document: http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf Tried that out with the latest stable pfSense yesterday and it worked fine. Regards Karsten -- Karsten Becker Head of Information Technology Ecologic Institute Berlin - Brussels - Vienna - Washington DC Pfalzburger Strasse 43/44 | 10717 Berlin | Germany Tel. +49 (30) 86880-0 | Fax +49 (30) 86880-100 http://www.ecologic.eu/ | http://www.ecologic-events.eu/ Ecologic Institute publishes a monthly newsletter. To subscribe, please register at: http://www.ecologic.eu/subscribe.htm - - - Ecologic Institut gemeinnuetzige GmbH GF/Director: R. Andreas Kraemer | AG Charlottenburg HRB 57947 | USt/VAT-IdNr. DE811963464 'Ecologic' is a Trade Mark (TM) of Ecologic Institut gemeinnuetzige GmbH, Berlin. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
Another easy solution is to just add another nic. Sent from my iPhone On Nov 18, 2010, at 2:46 PM, Karsten Becker karsten.bec...@ecologic.eu wrote: On 11/18/2010 11:16 PM, David Burgess wrote: On Thu, Nov 18, 2010 at 3:11 PM, Adam Thompson athom...@athompso.net wrote: I think the OP was referring to running two subnets concurrently on the same wire, something I often have to do for various reasons, sometimes to solve co-existence issues while renumbering a network. I have no idea how to accomplish this in pfSense; apparently I haven't had to do this since I started using pfSense! In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to supress arp errors in the logs. Read this document: http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf Tried that out with the latest stable pfSense yesterday and it worked fine. Regards Karsten -- Karsten Becker Head of Information Technology Ecologic Institute Berlin - Brussels - Vienna - Washington DC Pfalzburger Strasse 43/44 | 10717 Berlin | Germany Tel. +49 (30) 86880-0 | Fax +49 (30) 86880-100 http://www.ecologic.eu/ | http://www.ecologic-events.eu/ Ecologic Institute publishes a monthly newsletter. To subscribe, please register at: http://www.ecologic.eu/subscribe.htm - - - Ecologic Institut gemeinnuetzige GmbH GF/Director: R. Andreas Kraemer | AG Charlottenburg HRB 57947 | USt/VAT-IdNr. DE811963464 'Ecologic' is a Trade Mark (TM) of Ecologic Institut gemeinnuetzige GmbH, Berlin. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:51 PM, fi...@7technw.com fi...@7technw.com wrote: Another easy solution is to just add another nic. Not an option in this case. The OP described a wireless network where the client subnet and management subnet exist on the same physical network. You can't change that in this case, so your two options are to separate them virtually (vlans) or just run them on the same physical network. Yes, he could use another NIC and plug it into a switch along with the first NIC and the wireless network, but this still doesn't separate the two networks, and is no better than creating an alias on the existing NIC. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
