----- Original Message -----
From: "Chris Buechler" <cbuech...@gmail.com>
To: <support@pfsense.com>
Sent: Saturday, August 07, 2010 2:09 PM
Subject: Re: [pfSense Support] multi-wan, multi-lan security


On Fri, Aug 6, 2010 at 9:37 PM, Tortise <tort...@paradise.net.nz> wrote:

----- Original Message -----
From: "Nathan Eisenberg" <nat...@atlasnetworks.us>
To: <support@pfsense.com>
Sent: Saturday, August 07, 2010 12:50 PM
Subject: RE: [pfSense Support] multi-wan, multi-lan security


Say I'm not being routed a /24. Say I'm on Comcast and I have a
192.168.0.0/24 LAN. The problem is now even bigger: your carrier, their
carrier, and Comcast won't route 192.168.0.0/24.

I think that is the theory; however, in practice I'm not so sure. It doesn't
take much to, for example, accidentally connect a LAN to the net and
suddenly...with someone else doing the same...I think the private LAN becomes
public and pretty sick pretty quickly also... Maybe Comcast can control for
this but I doubt all ISPs do? My ISP advised us not to use common private LAN
addresses for this (common problem) reason. (I now use randomly generated
addresses)

There are good reasons to use uncommon subnets, primarily because it
eases connecting with other networks without hacks like NAT, but
that's not among them. What subnet you use internally has no relevance
to your ISP. The risk isn't in the private subnet leaking out to WAN
unless you're talking about the ARP poisoning possibility, or the fact
that if you do that on a medium like cable any of the thousands on your
segment could easily join your LAN (even inadvertently if that also
brings your internal DHCP server onto the ISP network, but that is
likely to either be blocked by the ISP or get you cut off very quickly
once it happens). An obscure subnet wouldn't matter in that scenario,
everyone on the segment would see what your subnet is.

---------------------------------------------------------------------
Yes, I was referring to ARP poisoning and my cable connection experience... which is the reason for the random (obscure) LAN subnet range selection... It just seemed an example of a situation that was outside the example posed where it was suggested there was no risk, when there may be?
