Multiple network help

[Babbino]

Hello everyone!

At my apartment I'm current running a FreeBSD-based router which has two networks on separate interfaces for different devices:

Interface 1 with subnet 192.168.200.x for just about everything on the network
Interface 2 with subnet 192.168.199.x for Iot stuff, printers, and stuff I want to keep next to the router

My current problem is that since these devices are on separate subnets, devices connecting through interface 1 can't discover devices connecting through interface 2 and vice-versa. Currently I have to configure devices through manually inputting the device's ip, while for this isn't a problem for most devices, it makes getting a foreign computer to print or use a NAS on my network an unnecessary and time consuming process.
I haven't been able to find much information on how to set up a config like this so any information is appreciated!

Thanks in advance!

 

[Phishfry]

Currently I have to configure devices through manually inputting the device's ip

Sounds like your DHCP server is not configured correctly. What are you using? I prefer dnsmasq.
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dhcp.html

Have you configured DNS and routes?
https://www.cyberciti.biz/faq/freebsd-setup-default-routing-with-route-command/

If this machine is directly tied to the internet then you need a firewall running at minimum.

More on routing and gateway.
https://www.freebsd.org/doc/handbook/network-routing.html

NAT with IPFW
https://docs.freebsd.org/doc/7.4-RELEASE/usr/share/doc/handbook/network-natd.html

 

[Babbino]

I'm using the isc-dhcp-server as was suggested by the FreeBSD Handbook and it has the following config file:

option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.10 192.168.200.254;
  option routers 192.168.200.1;
  option broadcast-address 192.168.200.255;
}

Subnet 192.168.199.0 netmask 255.255.255.0 {
  range 192.168.199.10 192.168.199.254;
  option routers 192.168.199.1;
  option broadcast-address 192.168.199.255;
}

I haven't configured a local DNS server yet, was hoping to leave that for when I have more time available, not have I really messed with routes.

This machine is running pf, wouldn't connect it to the internet otherwise

 

[SirDice]

I haven't been able to find much information on how to set up a config like this so any information is appreciated!

Most of these devices find each other by using (or abusing depending on your view) broadcasts. Since these networks are split up into two broadcast domains they're not going to find each other. So the easiest solution is to put them all on the same network.

 

[Babbino]

Most of these devices find each other by using (or abusing depending on your view) broadcasts. Since these networks are split up into two broadcast domains they're not going to find each other. So the easiest solution is to put them all on the same network.

Would there be anyway of "correctly" getting around this? I've thought about just adding a pf rule to redirect packets destined for an unused ip to the ip of the device I'd like to be found, but that seems a bit of a messy way of accomplishing this.

 

[Deleted member 9563]

What do you gain by having two subnets? I didn't understand the purpose.

 

[Babbino]

What do you gain by having two subnets? I didn't understand the purpose.

I'm not a fan of having something like a cheap network camera or printer being on the same subnet as all the things that handle my personal data so I use second subnet in conjuction with pf to ensure their on a separate physical network which cannot communicate with anything outside of it.

 

[SirDice]

I'm not a fan of having something like a cheap network camera or printer being on the same subnet as all the things that handle my personal data so I use second subnet in conjuction with pf to ensure their on a separate physical network which cannot communicate with anything outside of it.

This directly contradicts your other wish, namely to find these devices automatically. What would be the point of separating them on different networks when you also want to be able to use them without having to configure something?

 

[Babbino]

What are the reasons for not trusting the own infrastructure?

Are those devices accessible from the Internet?
Are those devices accessible from WiFi?
Are they configured to use UPnP?
Do they make unwanted connections to the manufacturer?


Obviously you are successful with your layout. Why do you want to break it?

Their not accessible from the internet. They are accessible from Wi-Fi but only from allowed internal ips through pf. That shouldn't matter since I don't have UPnP enabled on the router. Not trying to break it, just wondering if anyone knew of a way of making my life a little easier since I wasn't able to find anything on my own, but you do bring up a good point.

This directly contradicts your other wish, namely to find these devices automatically. What would be the point of separating them on different networks when you also want to be able to use them without having to configure something?

I was more interested in making certain devices discoverable while maintaining them isolated, but I guess I hadn't clarified that in the original post. Fair enough, it was probably an ill advised move on my part to even put the devices in question on the isolated network and expect interaction with them to be user friendly lol. Thanks for the input though!

 

[SirDice]

That shouldn't matter since I don't have UPnP enabled on the router.

Note that UPnP is used for a lot more than just opening up a port on your router. That's only a small part of it; http://upnp.org/specs/gw/igd2/

https://en.wikipedia.org/wiki/Universal_Plug_and_Play