
I have a network: 192.168.31.0/24 and computers on the network have static IPs 192.168.31.*

I'd like to segregate 5 of those computers (say 192.168.31.201 - 192.168.31.205) and put them behind a router/firewall (ClearOS) with firewall rules to only allow outgoing traffic to 192.168.31.0/24 and block traffic to the rest of the internet.

Can I set up a 192.168.31.192/28 within the 192.168.31.0 Class C network?

192.168.31.192 = Network
192.168.31.193 = Gateway
192.168.31.201 to 192.168.31.205 = computer IPs
192.168.31.207 = Broadcast

https://i.stack.imgur.com/YSy0q.png

    Wouldn't it be simpler to configure your main firewall/router to block outgoing traffic from those ip addresses? – joeqwerty Sep 04 '12 at 22:04

2 Answers


You don't even need to go so far as to subnet them off. It is possible to use your firewall on layer-2 and firewall across the bridge. The caveat here is that those 5 machines probably need to be on a different switch than the rest of 'em. But this method doesn't require changing subnet settings anywhere.

As for your stated question, what you're looking to do is entirely possible. It'll be easier on everything else if you can subnet off the rest of your network so you don't have overlapping subnets, but that firewall may be smart enough to handle the proxy-arps needed to connect the non-firewalled machines to the firewalled ones.


Thanks, I got it to work!
The mistake I made was assigning the network IP (192.168.31.192) to the router computer.

Here is my working setup:

Router computer has 2 NICs:

  1. 192.168.31.190 = (eth0) on the network 192.168.31.0 /24
  2. 192.168.31.193 = (eth1) on the network 192.168.31.192 /28

The smaller subnet is:

  • subnet = 192.168.31.192/28
  • netmask = 255.255.255.240
  • 192.168.31.192 = network
  • 192.168.31.193 = gateway (eth1)
  • 192.168.31.194 ~ 192.168.31.206 = usable IPs
  • 192.168.31.207 = broadcast
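An added example (not from the question or either answer) that checks a small subnet carved out of a larger one the way the /28 above sits inside the /24: it computes the network, netmask, broadcast and host range, and flags the exact mistake described in the follow-up (giving the router the network address) as well as hosts that fall outside the child block. The function name `plan_subnet` and its return keys are my own; only the standard library `ipaddress` module is used.

```python
# Added example: validate a /28 carved out of a /24 (not code from the original page).
import ipaddress

def plan_subnet(parent_cidr, child_cidr, gateway, hosts):
    """Return the child subnet's key addresses plus a list of problems found.

    Problems flagged:
      - child block not inside the parent block
      - gateway or host set to the network or broadcast address
        (the follow-up's mistake: router given 192.168.31.192, the network address)
      - gateway or host outside the child block
    """
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(child_cidr)
    problems = []
    if not child.subnet_of(parent):
        problems.append(f"{child} is not inside {parent}")

    def check(label, addr):
        ip = ipaddress.ip_address(addr)
        if ip == child.network_address:
            problems.append(f"{label} {ip} is the network address, not usable")
        elif ip == child.broadcast_address:
            problems.append(f"{label} {ip} is the broadcast address, not usable")
        elif ip not in child:
            problems.append(f"{label} {ip} is outside {child}")

    check("gateway", gateway)
    for h in hosts:
        check("host", h)
    host_addrs = list(child.hosts())  # every address between network and broadcast
    # 'carved_from_parent' is the number of addresses the rest of the /24 can no
    # longer reach directly: they now sit behind the router, so the /24 side needs
    # a route to them or proxy ARP on the firewall (as the first answer notes).
    return {
        "network": str(child.network_address),
        "netmask": str(child.netmask),
        "broadcast": str(child.broadcast_address),
        "host_range": (str(host_addrs[0]), str(host_addrs[-1])),
        "host_count": len(host_addrs),
        "carved_from_parent": child.num_addresses,
        "problems": problems,
    }

if __name__ == "__main__":
    # The question's plan: gateway on .193, firewalled hosts .201-.205
    ok = plan_subnet("192.168.31.0/24", "192.168.31.192/28", "192.168.31.193",
                     [f"192.168.31.{n}" for n in range(201, 206)])
    # The follow-up's mistake: router given the network address .192
    bad = plan_subnet("192.168.31.0/24", "192.168.31.192/28", "192.168.31.192",
                      ["192.168.31.201"])
    print(ok)
    print(bad["problems"])
```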