Is there any downside of having large LAN ip pool?
-
Hello guys,
Is it not recommended to set LAN IPv4 subnet prefix to /16?
By default, pfSense set the LAN IP subnet prefix to /24 which only provides 245 IP addresses. For example, in my original setting, my "Static IPv4 Configuration" on "Interface -> LAN" was configured to have IPv4 address at 192.168.10.1 and the subnet prefix is /24. Therefore, in "Services -> DHCP Server", I can only configure my IP range from 192.168.10.10 to 192.168.10.255.
I am not in terrible needs of more than 245 LAN IP addresses, but I just want to manage my devices with more freedom. Having the ability to put devices to IP pools other than 192.168.10.x can make firewall settings easier. For example, I can designate 192.168.251.x to devices that does not need to connect to OpenVPN. Devices in this IP range will connect to the internet directly. And I can designate devices in another pool to only connect to certain VPNs.
Currently, I changed my LAN subnet prefix to /16, which already caused weird issues. I've read some other posts where someone run out of IP addresses and asked for help. But people don't recommend to set the subnet number too low. Generally, they recommend to set subnet to /23 or /24.
Could someone please help me understand why /16 is not recommended? So far the issue I've experienced is that the SPICE remote desktop won't work any more on Proxmox. I don't know exactly whether it was caused by the subnet prefix change, but it started after the change. And it happened on all devices.
-
@ydyw8rdm8i7dfd
What you want to do is have separate vlans for your devices.
Common practice is a LAN, Iot network, camera network etc.
So each of these can be a small subnet as required.
What you are doing is setting different pools for your devices, kinda weird to do.
The larger the subnet, the more unnecessary traffic ie think of the broadcasts alone on a /16! Completely unneeded. -
@jarhead Thank you!!!
I thought VLANs are disconnected from each other. Is that not true? In my mind, devices on 192.168.10.x won't be able to connect to 192.168.11.x if the later is in another VLAN.
If I was wrong, what would be the difference of having subnet prefix /16 and having multiple VLANs? Aren't they both just giving out IP addresses?
Also, would you recommend config VLANs on a switch or pfSense? I have a cisco 37xx something switch that could also support VLAN. Currently all devices are connected to this switch including the pfSense.
Sorry I am so ignorant on VLANs.
-
@ydyw8rdm8i7dfd VLANs separate broadcasts, like a TV looking for a DLNA server, a phone looking for a printer, those kinds of things. In those cases, it is easier to have them on the same VLAN.
For directed connections pfSense will route (if allowed) and the devices can talk, you are unlikely to be able to see a difference. For example, my security system has a VLAN to itself with very limited access to the primary VLAN, but the primary has free access to the Camera VLAN. My Alexa VLAN has no access to any other VLANs to contain the evil.VLANs will up your game, just be prepared to yell of the computer a few times while learning.
-
@andyrh Got it! Thanks!! I guess I will so much new to learn. Thank you so much for your response!
