Lan IP change
-
Good day,
I actually run multiple sites with PFS, linked through VPN.
I will need to change the IPs on each of those sites.
I always change the IPs at the PFS setup, but not while in production.
What is the easiest way?
I was thinking of creating a VLAN with the new subnet, creating a new IPSEC Phase 2, then changing my switch to that new VLAN..
But at one site, I can't do VLAN..
What do you suggest?
Thanks
Frank
-
@froussy do you have devices on this remote site that are not dhcp? If you do, can you change their IP - be it via ssh or rdp or something?
If all dhcp - just lower the lease to something really low, like 10 minutes. Wait til all the devices would be using new short lease.
Then connect to different IP on pfsense, create a vip if you need to that you can get through the vpn.
Once you're connected to that IP, change your pfsense lan IP to your new scheme. This should remind you to change your dhcp, etc.
Now things should switch over to your new IP range. Worst case create a vip now with the old IP for things that haven't gotten new lease with new info, or for stuff you need to change manually, etc.
You would of course update your vpn settings for your new network range.
There you go - other than say changes to dns entries to reflect new IPs, and routing for your other sites to this new network you should be good to go.
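
A readiness check for the "wait until all the devices are on the short lease" step, as an added example that is not part of the original post: it lists active leases that still have more time left than the new short lease, meaning those clients have not renewed yet. It assumes the DHCP server writes an ISC dhcpd-style lease file; the lease entries and the "current" time below are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in ISC dhcpd.leases format (assumed backend; times are UTC).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 5 2024/03/01 08:00:00;
  ends 6 2024/03/09 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  starts 1 2024/03/04 17:55:00;
  ends 1 2024/03/04 18:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.52 {
  starts 0 2024/03/03 09:00:00;
  ends 0 2024/03/03 11:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(ends|binding state|hardware ethernet)\s+(.+?);", re.M)

def parse_leases(text):
    """Return {ip: fields}. The file is append-only, so the last entry per IP wins."""
    return {ip: dict(FIELD_RE.findall(body)) for ip, body in LEASE_RE.findall(text)}

def stale_clients(text, now, short_lease):
    """Active leases with more than short_lease left: still on the old long lease."""
    stale = []
    for ip, f in parse_leases(text).items():
        if f.get("binding state") != "active":
            continue
        ends = f.get("ends", "never")  # "never" = no expiry, will not renew by itself
        if ends != "never":
            end = datetime.strptime(ends.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")
            if end - now <= short_lease:
                continue  # already on the short lease, or about to renew
        stale.append((ip, f.get("hardware ethernet"), ends))
    return stale

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 18, 0, 0)  # constructed "current" time
    for row in stale_clients(SAMPLE_LEASES, now, timedelta(minutes=10)):
        print("still on old lease:", *row)
```

An empty result means every active DHCP client will pick up the new range within one short lease period; static devices never appear here and still have to be changed by hand.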
-
@johnpoz said in Lan IP change:
If all dhcp - just lower the lease to something really low, like 10 minutes. Wait til all the devices would be using new short lease.
Or just do it over a weekend, if there are no users then, assuming you haven't set a very long lease time. Default is 7200 seconds. You might also send an email beforehand, explaining it might be necessary to reboot, if the computers are left running. If there are static devices, change them before you change the DHCP range.
-
@JKnott sure if you can wait out the lease - sure 2 hours is default, but mine has been set to 8 days.. Why have clients ask for dhcp every hour unless you're making changes all the time?
I would do it over a weekend or after hours still sure, but a few days before you're going to do it - I would lower the lease so you know right away that all your devices will or should have moved..
If you have a short lease - vs having to wait an hour or so to know your clients have moved, you should know in like 10 minutes tops if clients are going to move or not. Then you can go back to enjoying your weekend or off hours. ;)
-
@johnpoz Another trick is to just reboot the switch. That will trigger the clients to request an address.
-
@JKnott that could work too - but then you are for sure creating an outage ;)
And depending on your switch - some of them can take a while.. Cisco for example, depending on the image, are you using vss, can have some pretty extended boot times.
-
@johnpoz
Hi, forgot to mention I will be local.. don't want to do that remotely :)
So, changing the router IP, DON'T APPLY, then DHCP, and then apply, in a simple word, right?
So that way will be simpler than creating a VLAN, moving everything and coming back, right?
Yes, for the IPSEC, I know to adjust.. that's a detail :)
-
@froussy if you're local.. Sure just change the ip on the lan and you're good to go.. Since you would be able to touch anything that is not dhcp, etc.
And you can always console into pfsense, etc