On Sat, Feb 28, 2009 at 01:53, Tortise <tort...@paradise.net.nz> wrote:
> I have since tried configuring as:
> LAN1: 10.aaa.bbb.ccc/8
> LAN2: 10.(aaa+1).bbb.ccc/9
>
> I presume I have still got it wrong.
Yes. Any /9 is still a subset of a /8 with the same prefix, and unless you really know what you're doing will always create routing problems. For that matter, you can generalize that to "any /n is a subset of /n-X with the same prefix". It operates the same in the other direction: a /n subnet consists of two /n+1 subnets.

The solution is to use another address space (as you did with the 172.x) or to use parallel spaces: 10.0.0.0/9 and 10.128.0.0/9.

Unless you have a truly monstrous user network, you really should consider using much narrower bands of addresses - /20 (which still contains >4000 addresses) or smaller. That way when you start adding new subnets you don't have to screw around with allocations so much.

Also, to stay within RFC1918 (private) IP space, you need to move that 172.x up into the 172.16.0.0/12 range.

Finally, once you have the two LANs with non-overlapping IP space, you can create the rules. If LAN1's rules are unchanged from the default, it should probably already be allowed LAN2 access; if not, you'll need to add a rule on LAN1 allowing a source of "LAN1 subnet" to a destination of "LAN2 subnet".

---------------------------------------------------------------------
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
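An added example, not part of the thread, that checks a LAN plan the way the reply describes before any firewall rules are written: it flags an interface subnet contained in another (a /9 under a /8 with the same prefix bits), flags a subnet outside RFC1918 space, and splits a /n into the two parallel /n+1 halves suggested as the fix. The concrete addresses are constructed samples standing in for the aaa/bbb/ccc placeholders in the quoted message.

```python
import ipaddress
from itertools import combinations

# RFC1918 private ranges
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(lans):
    """Return a list of problem strings for a {name: cidr} LAN plan.

    strict=False accepts an interface address such as 10.1.2.3/8 and
    maps it to its network (10.0.0.0/8), which is what the router uses.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in lans.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(p) for p in RFC1918):
            problems.append(f"{name} {net} is not RFC1918 private space")
    # Two IPv4 CIDR blocks are either disjoint or nested, so an overlap
    # always means the longer prefix sits inside the shorter one.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            longer, shorter = (a, b) if na.prefixlen >= nb.prefixlen else (b, a)
            problems.append(f"{longer} {nets[longer]} is contained in "
                            f"{shorter} {nets[shorter]}")
    return problems


def split_in_two(cidr):
    """Split a /n into its two /n+1 halves (the parallel-space fix)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(n) for n in net.subnets(prefixlen_diff=1)]


if __name__ == "__main__":
    # Constructed plan mirroring the quoted message: a /8 and a /9 with the
    # same leading bits, plus a 172.x network outside 172.16.0.0/12.
    bad_plan = {"LAN1": "10.1.2.3/8", "LAN2": "10.2.2.3/9", "LAN3": "172.100.0.1/16"}
    for p in check_plan(bad_plan):
        print("problem:", p)
    print("10.0.0.0/8 splits into", split_in_two("10.0.0.0/8"))
    good_plan = {"LAN1": "10.0.0.0/9", "LAN2": "10.128.0.0/9", "LAN3": "172.16.0.0/12"}
    print("good plan problems:", check_plan(good_plan))
```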