#4
Old 8th May 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by Ghost3d
Thank you,

I'm new to this raspi thing, but I'm a Linux Desktop user and primarily FreeBSD for serving little LAN projects.
I don't know anything about Raspberry platforms, and don't use Linux or FreeBSD. So all guidance here just comes from general Ethernet and TCP/IP networking knowledge.
Quote:
...I looked up aliases and understand that an alias requires a different subnet...
An alias address is just an extra IP address that a NIC will answer to. An individual NIC may have multiple aliases. Dozens. Hundreds. Thousands.

All an alias address will do is cause the NIC to respond to any Address Resolution Protocol ("ARP") query broadcast for that IP address on the local Ethernet segment.
Quote:
...giving me a second network interface listing in ifconfig...
While you may have an "alias" assignment variable for your rc.conf(8) configuration file, this isn't a separate NIC. It is merely an additional IP address the NIC will respond to.

In your post, you show a topology where two subnets share the same physical Ethernet segment, from the Modem (your ISP gateway router) to every device. There is no isolation between subnets -- they all share the same Ethernet network.

If you're planning to use this new device as a firewall, with set policies to enforce, your device and its policies can be bypassed merely by someone changing a device's IP address from one subnet to the other -- from an address on the 10.0.0.0/24 "inner" subnet to an address on the 192.168.1/24 "outer" subnet. That's all it takes to bypass your device.

The VLAN technology I mentioned in my post above is quite different -- untagged (standard Ethernet) ports assigned to unique VLANs on the switch are on separate Ethernet segments. Traffic is physically isolated.
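The three points in the post above (an alias is just one more address the same NIC answers ARP for, two subnets on one shared segment give no isolation, and separate untagged VLANs do) can be modelled in a few lines. The following is an added example written for this thread, not code from the post or from any project; the hostnames, MAC addresses (from the 00:00:5E:00:53:xx documentation range) and the 10.0.0.0/24 "inner" and 192.168.1.0/24 "outer" subnets are constructed to match the topology being discussed.

```python
"""Toy model of Ethernet segments, ARP and alias addresses.

Constructed example: hostnames, MACs and addresses are made up to match the
topology discussed in the thread (10.0.0.0/24 "inner", 192.168.1.0/24 "outer").
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass
class Nic:
    """One physical Ethernet port. `segment` is the broadcast domain it is
    plugged into (an untagged VLAN on the switch); addrs[0] is the primary
    address and the rest are aliases, all answered by the same MAC."""
    host: str
    mac: str
    segment: str
    addrs: List[IPv4Interface]

    def answers_arp(self, target: IPv4Address) -> bool:
        return any(a.ip == target for a in self.addrs)


def arp_resolve(nics: List[Nic], requester: Nic, target: IPv4Address) -> Optional[str]:
    """Broadcast 'who-has target' on the requester's segment and return the MAC
    of the NIC that replies, or None. ARP is purely layer 2: only ports on the
    same segment hear the broadcast, and the target's subnet is irrelevant."""
    for nic in nics:
        if nic is requester or nic.segment != requester.segment:
            continue
        if nic.answers_arp(target):
            return nic.mac
    return None


def can_reach_directly(nics: List[Nic], src: Nic, dst: IPv4Address) -> bool:
    """True if `src` can hand packets for `dst` straight to the destination NIC,
    i.e. without forwarding through a router and therefore without passing any
    firewall policy. Needs dst on-link for one of src's addresses plus an ARP
    reply from the same segment."""
    on_link = any(dst in a.network for a in src.addrs)
    return on_link and arp_resolve(nics, src, dst) is not None


def build(vlans: bool) -> Tuple[Nic, Nic, List[Nic]]:
    """Build the topology. vlans=False: everything shares one segment and the
    firewall has a single NIC with an alias on the inner subnet, as in the
    original post. vlans=True: the switch puts modem and client in separate
    untagged VLANs and the firewall has one port in each."""
    modem = Nic("modem", "00:00:5e:00:53:01", "outer", [IPv4Interface("192.168.1.1/24")])
    client = Nic("client", "00:00:5e:00:53:03", "inner", [IPv4Interface("10.0.0.10/24")])
    if vlans:
        fw = [Nic("fw", "00:00:5e:00:53:02", "outer", [IPv4Interface("192.168.1.2/24")]),
              Nic("fw", "00:00:5e:00:53:04", "inner", [IPv4Interface("10.0.0.1/24")])]
    else:
        for n in (modem, client):
            n.segment = "lan"          # one shared Ethernet segment
        fw = [Nic("fw", "00:00:5e:00:53:02", "lan",
                  [IPv4Interface("192.168.1.2/24"), IPv4Interface("10.0.0.1/24")])]
    return modem, client, fw


def bypass_attempt(vlans: bool) -> Tuple[bool, bool]:
    """(before, after): can the client reach the modem directly with its assigned
    inner address, and after renumbering itself onto the outer subnet?"""
    modem, client, fw = build(vlans)
    nics = [modem, client, *fw]
    before = can_reach_directly(nics, client, modem.addrs[0].ip)
    client.addrs = [IPv4Interface("192.168.1.50/24")]   # user edits their own IP
    after = can_reach_directly(nics, client, modem.addrs[0].ip)
    return before, after


def alias_arp_replies() -> Tuple[Optional[str], Optional[str]]:
    """Which MAC answers ARP for the firewall's primary and alias address when
    queried from the modem on the shared segment."""
    modem, client, fw = build(vlans=False)
    nics = [modem, client, *fw]
    return (arp_resolve(nics, modem, IPv4Address("192.168.1.2")),
            arp_resolve(nics, modem, IPv4Address("10.0.0.1")))


if __name__ == "__main__":
    print("alias ARP replies (same MAC for both):", alias_arp_replies())
    print("shared segment, before/after renumbering:", bypass_attempt(vlans=False))
    print("VLAN-separated, before/after renumbering:", bypass_attempt(vlans=True))
```

On the shared segment the renumbered client gets an ARP reply from the modem and talks to it directly, so the firewall never sees the traffic; with the modem and client on different untagged VLANs the same ARP broadcast goes unanswered and the only path is through the firewall's two ports.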