In message <8c8f0f7add704cf491998cbe298fb...@dp2000xp> Tortise
<tort...@paradise.net.nz> was claimed to have written:

>Yes I was referring to ARP poisoning and my cable connection experience.... 
>which is the reason for the random (obscure) LAN subnet 
>range selection...  

It's worth noting that even if you use an uncommon LAN subnet range
selection internally, anyone in your broadcast domain could easily
observe your ARP packets and find your IP range, so you're not gaining
much security by obscurity here, although you are decreasing the odds
that two random 192.168.0.0/24 networks will cross-talk if you both made
the same configuration error at once.

This assumes the case of a large ancient cable modem network that still
broadcasts ARPs between client side networks on different modems, and
assumes a configuration error directly connects a LAN to the WAN,
bypassing the firewall.  In reality it's been a while since this was
that big a deal on cable modem networks (or at least any that I've
touched); around here it's probably been 5+ years since you could see
floods of ARP requests.

I think that the cable modems only transmit ARP requests from WAN to LAN
for MAC addresses already known to exist on the LAN side, so strictly
speaking your cable modem won't pass valid traffic after the modem is
rebooted until the LAN side machine sends at least one packet up to the
modem.  This is a handy side effect of cable modems already needing to
track valid MAC addresses to limit the number of machines connected for
billing purposes.

10/8 is huge; 172.16/12 is a little less widely used and also large
enough that I've never ever personally seen any remote network
overlapping with the /21 that I picked out for myself, and I VPN into
remote client sides regularly and travel somewhat frequently.


---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
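Added example (not part of the original message or of pfSense): the two
points above, that a neighbour on your broadcast domain learns your LAN
range just by watching ARP, and that picking a prefix out of 172.16/12
is mainly about avoiding overlap, carried through in code. It parses a
few constructed Ethernet/ARP request frames the way a sniffing neighbour
would, summarises the /24s in use, and then checks a candidate prefix
against them. The frames, MAC addresses and prefixes are all made up for
the example; parse_arp, observed_prefixes, overlapping and
pick_unused_prefix are names chosen here, not existing tools.

```python
import ipaddress
import random
import struct
from collections import Counter

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST = 1


def build_arp_request(src_mac, sender_ip, target_ip):
    """Build a broadcast Ethernet II + ARP request (constructed test data)."""
    eth = bytes.fromhex("ffffffffffff") + src_mac + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "op": oper,
        "sha": mac(frame[22:28]),
        "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": mac(frame[32:38]),
        "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def observed_prefixes(frames, prefixlen=24):
    """Count how often each /prefixlen shows up in sender or target addresses.

    This is exactly what a host on the same broadcast domain learns without
    sending a single packet: an 'obscure' LAN range is not hidden from it.
    """
    counts = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        for addr in (arp["spa"], arp["tpa"]):
            if addr == ipaddress.IPv4Address("0.0.0.0"):
                continue  # ARP probe (RFC 5227) carries no sender address
            counts[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += 1
    return counts


def overlapping(mine, prefixes):
    """Networks in `prefixes` that collide with the prefix you want to use."""
    mine = ipaddress.ip_network(mine)
    return sorted(n for n in prefixes if n.overlaps(mine))


def pick_unused_prefix(taken, pool="172.16.0.0/12", prefixlen=21, seed=None):
    """Pick a random /prefixlen out of `pool` that overlaps nothing in `taken`."""
    taken = [ipaddress.ip_network(t) for t in taken]
    candidates = list(ipaddress.ip_network(pool).subnets(new_prefix=prefixlen))
    random.Random(seed).shuffle(candidates)
    for cand in candidates:
        if not any(cand.overlaps(t) for t in taken):
            return cand
    return None


# Constructed capture: two neighbouring LANs chatting, one RFC 5227 probe,
# one plain IPv4 frame and one truncated frame that must be ignored.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
MAC_C = bytes.fromhex("ccddeeff0011")
SAMPLE_FRAMES = [
    build_arp_request(MAC_A, "192.168.0.10", "192.168.0.1"),
    build_arp_request(MAC_B, "192.168.0.1", "192.168.0.10"),
    build_arp_request(MAC_C, "192.168.1.20", "192.168.1.1"),
    build_arp_request(MAC_A, "0.0.0.0", "192.168.0.77"),
    bytes.fromhex("ffffffffffff") + MAC_A + b"\x08\x00" + bytes(28),
    build_arp_request(MAC_C, "192.168.1.20", "192.168.1.1")[:30],
]

if __name__ == "__main__":
    seen = observed_prefixes(SAMPLE_FRAMES)
    for net, hits in seen.most_common():
        print(f"{net}  {hits} ARP hits")
    print("192.168.0.0/24 collides with:", overlapping("192.168.0.0/24", seen))
    print("172.22.64.0/21 collides with:", overlapping("172.22.64.0/21", seen))
    print("free /21 in 172.16/12:", pick_unused_prefix(seen, seed=1))
```

Feed real frames in from a pcap reader instead of SAMPLE_FRAMES and the
output is the list of LAN ranges your neighbours are using; the chosen /21
is then checked against that list and against the remote VPN networks you
already know about, which is the only thing the range choice actually buys.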