Netgate Discussion Forum
    Is a large network address pool bad?

shadowwizard

The quick and dirty:
I'm planning my new upgraded home network, and I am going to use pfSense for the router. I am planning on using 192.168.3.1/17 for the IP address of the router so I have a large pool of IP addresses to choose from on my local home network.

Additional information that may help to provide a correct/helpful answer:

So let's start with the fact this is the first time I am really venturing outside a /24 netmask. I should also state that the main reason I am considering such a large pool (is it called a large subnet?) is for organization. I have more devices than your average joe (maybe 100 total) but want to organize them: 192.168.4.x for computers, 192.168.5.x for home automation stuff (perhaps even narrowed down to 192.168.6.x for switches, 192.168.7.x for plugs, 192.168.8.x for lights, etc.). There is nothing I am looking to air gap, and I am okay with every device talking to every other device on the network.
I am planning on getting it to assign any DHCP IP addresses in the range 192.168.3.10-192.168.3.255, and everything else will be set either reserved in pfSense or static on the device. I am skipping over 192.168.1.x and 192.168.2.x because the 2.x is used on the network I am replacing, and the 1.x is used by my work (small retail shop, maybe 30 devices tops) and I sometimes bridge the networks, and will likely look into a way to bridge them permanently (but that will come later), so I am not using those IP addresses to avoid conflicts.
Can you think of any reason I shouldn't do this? Or a better way to do this?

AndyRH

The number of hosts in a broadcast domain is a good reason to segment. Broadcasts can start using a noticeable amount of bandwidth.

IMO I think a better way is to segment. In my case, cameras are on .2, Alexa is on .66, primary is .42 and so on. This allows me to isolate VLAN666 (.66) to make sure Alexa does no evil to everything else. My cameras, a popular hacker target, cannot get to anything else.

On a single subnet all of these things would be able to freely interact.

o||||o
7100-1u

SteveITS Galactic Empire @shadowwizard

But with 100 total hosts is broadcast still a problem?

@shadowwizard
You could also consider a different range like 10.x.x.x because you can't just not use .1.x and .2.x and have it not be a problem...the /17 mask includes those on the local network. With a /17 you'd have to start at 191.168.128.1 to avoid overlap with .1.x.

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

shadowwizard @AndyRH

@AndyRH

Thank you so much for the info, however I only understand about 1/4 of it.
I can guess that segmenting is creating smaller internal "sub networks" that do not communicate with each other. But I would like them to communicate if possible. I don't want to have to connect my main computer to a different "segment" just to modify a setting on a light switch.
The line that started with IMO, I didn't understand a thing past the first sentence (new, remember?). .2 what? 192.168.2.x? 192.168.x.2? 2.2.2.2? VLAN666? HUH? In addition, if everything is set up on one subnet, but well organized, it should be easy to segment later I would guess?

If the number of hosts is the number of devices I have connected, it is not expected to get to large levels. And as I said, I can segment later I would guess if it does become an issue?

Thank you so much for trying to help, but I really understand so little of your post...
In a nutshell, would it be correct to say "No reason not to, but there may be better ways?" I never thought of segmenting, but may want to do that to some stuff in the future.

johnpoz LAYER 8 Global Moderator @shadowwizard

@shadowwizard the only issue you can have with segmentation and talking to each other, is if some device is too stupid and can only find stuff via discovery that works only on the same layer 2 network.

When you segment, you can set firewall rules to allow all, or you can filter if you want.. But creating some network with 32k possible IPs seems a bit over the top if you have 100 devices total.

Segment it out, gives you better control, gives you easy to manage IP ranges for devices, etc. etc..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

shadowwizard @SteveITS

@SteveITS said in Is a large network address pool bad?:

But with 100 total hosts is broadcast still a problem?

@shadowwizard
You could also consider a different range like 10.x.x.x because you can't just not use .1.x and .2.x and have it not be a problem...the /17 mask includes those on the local network. With a /17 you'd have to start at 191.168.128.1 to avoid overlap with .1.x.

I had thought about 10.x.x.x, however I want the networks to overlap. That way if I forget something on my home network with a static IP set on it, it will still work. And if I connect the network with my work, it will be on the same subdomain. Again, this is coming from someone that is new to the more advanced (I guess this isn't really that advanced, but is for me) networking. And #1 I need to be "If I forget something, it still needs to work until I get around to fixing it".

shadowwizard @johnpoz

@johnpoz said in Is a large network address pool bad?:

@shadowwizard the only issue you can have with segmentation and talking to each other, is if some device is too stupid and can only find stuff via discovery that works only on the same layer 2 network.

When you segment, you can set firewall rules to allow all, or you can filter if you want.. But creating some network with 32k possible IPs seems a bit over the top if you have 100 devices total.

Segment it out, gives you better control, gives you easy to manage IP ranges for devices, etc. etc..

"Over the top" yeah, probably. But if it's not bad, I should be able to segment later, should I? Just put all 192.168.4.x on one segment, and 192.168.5.x on another, etc. As this isn't JUST a home lab where if something breaks, it's not the end of the world. One test computer can't talk to another. It's my house. If lights don't turn on, or I can't SSH into one of my other boxes, or can't pull up my Home Assistant dashboard, I can't go to bed until it's fixed.
Oh, and what's a "Layer 2 network"? Please remember, very new. Most advanced networking I have done was to use WireGuard to be able to access my shared folders at work from home...And still don't understand why I can access them... I just know I can.

SteveITS Galactic Empire @shadowwizard

@shadowwizard said in Is a large network address pool bad?:

if I connect the network with my work

If you do that the packets won't leave your local network because the /17 mask says 192.168.1.x is on your network.

Using 10.0.0.x/17 would be a large range but not overlap with your work. However that doesn't overlap with 192.168.2.x as you noted.

Maybe use 192.168.2.x/24 on pfSense, and use .20-.39 for switches, .40-.59 for PCs, etc.

I can't go to bed until it's fixed

Always maintain realistic expectations with clients. ;)

shadowwizard @SteveITS

@SteveITS said in Is a large network address pool bad?:

@shadowwizard said in Is a large network address pool bad?:

if I connect the network with my work

Yet that's what I do now with WireGuard. Connect the VPN, and I can access all the shares. No idea why, but I just can.

If you do that the packets won't leave your local network because the /17 mask says 192.168.1.x is on your network.

Using 10.0.0.x/17 would be a large range but not overlap with your work. However that doesn't overlap with 192.168.2.x as you noted.

Maybe use 192.168.2.x/24 on pfSense, and use .20-.39 for switches, .40-.59 for PCs, etc.

Not enough to separate it. I was doing that. But ran out of .5x IP addresses for the plugs when I added an 11th.. So now it has to be 14x for the next plugs.. Etc. Just not enough room for error and tidiness. If I wasn't expecting the network to grow and change.. But I am, a lot.

I can't go to bed until it's fixed

Always maintain realistic expectations with clients. ;)
The client is me... And if my lights aren't working, or I can't be sure the heat will come on, or not come on when I don't want it to..

shadowwizard @shadowwizard

So, you have all been very helpful, thank you. But I think it's better to get it working with the large IP address range, and work on the rest later, if possible.
#1 So if I just set it up, can I segment later? Or do things need to be planned a bit? Can I just put 192.168.4.x on one segment, and 192.168.45.x and 192.168.55.x on another after I am done? And if it does need to be planned, what would I read to learn how to plan it? (Don't know how to google "Can I just put 192.168.4.x on one segment, and 192.168.45.x and 192.168.55.x on another after I am done.")

and #2
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow?

SteveITS Galactic Empire @shadowwizard

@shadowwizard said in Is a large network address pool bad?:

can I segment later

Yes. Generally though segmenting involves having different physical NICs/interfaces in the router so they are isolated.

@shadowwizard said in Is a large network address pool bad?:

Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow

No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/

AndyRH

Let me try again. My segments allow me to organize my hosts in a way that makes sense to me. Through the use of firewall rules communication is open between segments, but only the traffic I want to allow. Unknown traffic is blocked; this is the safety part.
For instance, I distrust my cameras, but I want them, so only the security server has limited access to the internet and no access to any other network. My PC on the primary network has full access to the cameras and security server. It is a one-way ruleset. Should a camera or the security system get compromised the damage is limited.

Because you are new, the question on the method is very valid. Most of the people here deal with larger networks and a paranoia diagnosis, so the solutions presented back to you will be more secure than the one you started with. Learning networking and IP addressing is a big task. My best advice is try to start in a way that allows you to improve. I started with 1 subnet, now I have 5. As suggested, if you really want such a large address space to start, it might be best to not use 192.168.0.0, but instead start with something inside 10.0.0.0 or the underused 172.16.0.0 space. Later I am confident you will break up the large IP space into smaller pieces. That will be a whole new conversation.

Also there are other ways to calm the OCD:
addresses ending in:
.1 - .10 / network devices
.120 - .128 / DNS
.200 - .225 / Rokus and TVs
.11 - .50 / servers or services
.51 - .199 / DHCP leases
.151 - .160 / cameras

johnpoz LAYER 8 Global Moderator @shadowwizard

@shadowwizard other option would be to use say a /21 vs a /17.. this would give you 8 different 3rd octet networks to work with for your separation of devices by IP, this wouldn't be actual segmentation..

so say 192.168.8.0/21 this gives you 192.168.8.1 to 192.168.15.254 to work with.. And would not overlap with the 192.168.0 or .1 networks.

shadowwizard @SteveITS

@SteveITS said in Is a large network address pool bad?:

@shadowwizard said in Is a large network address pool bad?:

can I segment later

Yes. Generally though segmenting involves having different physical NICs/interfaces in the router so they are isolated.

Okay, so segmenting will not happen. The little computer I am using has 2 NICs, and is one of those mini computer type things, so I can't add additional. I thought I could do it with just the one NIC.

@shadowwizard said in Is a large network address pool bad?:

Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow

No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/

But the part that is confusing me is, don't I want it to think it's on my network? Isn't that what permits me to access the shares (I should have said, they are Windows shares)?
That was kinda the whole idea I was thinking. "Join" the networks, so it's one big network, just using the internet to connect them. Is that not ideal? (Sorry, should have made that clearer.)
But that aside, doing it the other way.. then I was thinking of 192.168.127.1/18. That will give me a big pool to choose from.

But then I guess we need to get into how to "Connect" the two networks? I will have pfSense at home. I have WireGuard set up in a docker container at work, and can of course run any other docker container to do it. The main router for the store runs DD-WRT.
Hopefully that should be the information needed to find the "best" way to do it.

johnpoz LAYER 8 Global Moderator @shadowwizard

@shadowwizard said in Is a large network address pool bad?:

The little computer I am using has 2 NICs

You could still segment with vlans.. Just need a switch that can do them, an 8 port gig that can do vlans is like 40$, and then if you have wifi an AP that can do them.. This could be as cheap as any old AP that you can run say openwrt or dd-wrt on.. Or you could get an AP that does them.. there are some cheap options here as well.. I think the TP-Link EAP225 is like 60$ does AC..

So for like a $100 you could be cooking with gas, have the ability to fully segment your network.

shadowwizard @johnpoz

@johnpoz said in Is a large network address pool bad?:

@shadowwizard said in Is a large network address pool bad?:

The little computer I am using has 2 NICs

You could still segment with vlans.. Just need a switch that can do them, an 8 port gig that can do vlans is like 40$, and then if you have wifi an AP that can do them.. This could be as cheap as any old AP that you can run say openwrt or dd-wrt on.. Or you could get an AP that does them.. there are some cheap options here as well.. I think the TP-Link EAP225 is like 60$ does AC..

So for like a $100 you could be cooking with gas, have the ability to fully segment your network.

The switch I am using I think is managed. I will need to look into if it supports vlans, but can't get access to it now (I am on vacation, planning for when I get home). But, that isn't until much later. I wanna get set up and running first, and as long as I can set up vlans that encompass whatever I want (both 192.168.155.x and 192.168.160.x but NOT 192.168.156.x) then we should be good to do that later.

The one thing I am just working out the details on is how to "Connect" the networks. Details of my equipment, etc. in my previous post.

johnpoz LAYER 8 Global Moderator @shadowwizard

@shadowwizard yeah anything that mentions smart or managed on the switch would/should support vlans for sure.

Jarhead @shadowwizard

@shadowwizard
I agree with AndyRH, just the broadcast bandwidth alone is reason enough not to use a large subnet. And it's a total waste of addresses but that's not a big deal.

As far as connecting the networks, that's what routing is. It allows you to connect different networks to communicate between them.
So no, you don't want it to think it's on your network, but it will still talk.

You really should do yourself a favor now and not do what you're thinking. It'll save you trouble down the road, but if you're set on doing it, go for it. You'll fix it later.

As for the subnet range, I always use the home/business owner's birthday as a 10.x subnet. This allows me to use 192.x networks for VPN tunnels and stops most chances of overlaps.
Meaning if today is your birthday, I would make your LAN network 10.1.10.0 = 10.birth-month.birth-day.0.
You can then use 10.1.11 for IoT, 10.1.12 for cameras etc.
I then break down VPN tunnels into smaller subnets as needed, i.e. 192.168.100.0/30 for a point to point, and 192.168.100.128/29 for multisite etc.

As said, you can then allow 10.1.10 to talk to any of the other networks in pfSense, and better yet, NOT allow them to talk. With a single large subnet you have no control (unless you get equipment that can isolate layer 2) over who talks to what.

Again, it's obviously up to you but you will end up with what has been suggested eventually. Going the way you're thinking will be a learning experience so it wouldn't be completely useless.

johnpoz LAYER 8 Global Moderator @shadowwizard

@shadowwizard as mentioned before the only problem you could run into is discovery protocols don't work across vlans/networks..

Example: AirPrint is one of these discovery protocols.. If your phone is on 192.168.x/24 and your printer is on 192.168.y/24 your phone wouldn't be able to find your AirPrint printer.. If you are actually segmented and not just on some big network like a /17 or /21 etc..

Not an issue if you can put in an fqdn or IP with the software you're printing with. But pure discovery will not work.. Now since AirPrint uses mdns - you could prob use the package avahi to let your phone discover it. You could also maybe do some dns stuff to allow it to find it, etc.

For me to work around that specific sort of issue, I just put my printer on the wifi vlan I would be printing from so devices could discover it via AirPrint.. My pc that prints to it, that is on another vlan, I can just point to the printer's IP, etc. This was the simple solution without having to do any sort of tricks to circumvent the L2 barrier, etc.

People with stuff like Sonos speakers that use discovery also come to mind that could be problematic with segmentation..

But if you just want to assign some specific IPs and keep everything on one network, you sure don't need a /17 to accomplish that.. 100 devices for sure would work on just a /24 and just use the last octet for your organization of different types of things.

The better option for sure is true segmentation.. This gives you way more flexibility, the ability to actually firewall between different sorts of devices. For example I have all my roku, TVs, firesticks, shield TV devices all on their own vlan, I call my roku vlan.. These devices can only talk to my plex server on port 32400.. They can not talk to any other vlan or device on any of my other local networks.

I just put up a camera - I created a new vlan for this.. This is the only thing on it at the moment.. It can not talk to anything else on my network at all.. Cameras are horrible from a security point of view.

SteveITS Galactic Empire @shadowwizard

@shadowwizard said in Is a large network address pool bad?:

I was thinking. "Join" the networks, so it's one big network, just using the internet to connect them. Is that not ideal?

When your PC tries to connect to 192.168.1.5 it will look at that address and say, oh, that's part of 192.168.0.0/17, I don't need to send that anywhere else, I can just ask the local network.

So if your network was 192.168.128.0/17, and your VPN to work used 192.168.1.0/24, that would work since it wouldn't overlap.

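Worked example, added here and not written by any poster in the thread: Python's standard-library ipaddress module applied to the addresses discussed above, showing what on-link network 192.168.3.1/17 produces, why 192.168.1.5 then looks local instead of going over the VPN, how many hosts share that broadcast domain, and which /17 or /21 blocks avoid the work LAN (192.168.1.0/24) and the old home LAN (192.168.2.0/24). The constants are the thread's own addresses; the function names are assumed for this example.

```python
import ipaddress
from typing import Iterable

# Addresses taken from the thread (constructed for the example; none of this
# is real infrastructure): the planned home router, the work LAN reached over
# WireGuard, the old home LAN, and johnpoz's /21 alternative.
HOME_PLANNED = "192.168.3.1/17"
WORK_LAN = "192.168.1.0/24"
OLD_HOME_LAN = "192.168.2.0/24"
JOHNPOZ_ALT = "192.168.8.0/21"
PRIVATE_16 = "192.168.0.0/16"   # space the candidate blocks are carved from


def on_link_network(host_iface: str) -> ipaddress.IPv4Network:
    """The network a host derives from its own address and mask.

    This is what decides "hand it to the gateway" versus "ask the local LAN
    (ARP) directly"; 192.168.3.1/17 yields 192.168.0.0/17.
    """
    return ipaddress.ip_interface(host_iface).network


def is_on_link(host_iface: str, destination: str) -> bool:
    """True if the host treats `destination` as a directly reachable neighbour.

    A True result for a work address means the packet never reaches the VPN
    tunnel: the host ARPs on the home LAN and gets no answer.
    """
    return ipaddress.ip_address(destination) in on_link_network(host_iface)


def overlaps(host_iface: str, remote_net: str) -> bool:
    """Does the host's on-link network collide with a network reached via VPN?"""
    return on_link_network(host_iface).overlaps(ipaddress.ip_network(remote_net))


def host_capacity(net: str) -> int:
    """Usable host addresses (network and broadcast excluded) in one broadcast domain."""
    return ipaddress.ip_network(net).num_addresses - 2


def usable_range(net: str) -> tuple[str, str]:
    """First and last assignable address, e.g. 192.168.8.1 .. 192.168.15.254 for the /21."""
    n = ipaddress.ip_network(net)
    return str(n.network_address + 1), str(n.broadcast_address - 1)


def candidate_supernets(prefix: int, avoid: Iterable[str],
                        space: str = PRIVATE_16) -> list[str]:
    """All /prefix blocks inside `space` that do not overlap any network in `avoid`.

    This answers the thread's question directly: which /17 (or /21) can coexist
    with 192.168.1.0/24 and 192.168.2.0/24 once the two sites are joined.
    """
    blocked = [ipaddress.ip_network(a) for a in avoid]
    return [str(block)
            for block in ipaddress.ip_network(space).subnets(new_prefix=prefix)
            if not any(block.overlaps(b) for b in blocked)]


if __name__ == "__main__":
    print("on-link network for", HOME_PLANNED, "is", on_link_network(HOME_PLANNED))
    print("192.168.1.5 treated as local?", is_on_link(HOME_PLANNED, "192.168.1.5"))
    print("hosts sharing that broadcast domain:", host_capacity("192.168.0.0/17"))
    print("/17 blocks that avoid work and old LAN:",
          candidate_supernets(17, [WORK_LAN, OLD_HOME_LAN]))
    print("first /21 that avoids them:",
          candidate_supernets(21, [WORK_LAN, OLD_HOME_LAN])[0], usable_range(JOHNPOZ_ALT))
```

Swapping HOME_PLANNED for a 10.x.x.x/17 address makes overlaps() return False, which is the 10.x suggestion from earlier in the thread checked mechanically.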
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.