Netgate Discussion Forum

    Home IP Address Scheme Change Q's

SilverJS

      Right on, thanks!

      That actually got me thinking about a slight reorganization.  I could move my jails (with additional slight renumbers as well) in that spot after 100,  do something else from 110 up to 127 (not yet sure what), reserve 128-191, and use 192-254 for dhcp.  That would allow me to use /26 for rules in the future should I ever need it, both for the reserved and dhcp pools.  Thanks for that!

Right now, the box is hooked up with both interfaces being hooked up to the same switch.  It's very ugly, I know - only did that to test and "practice".  Point is, I don't know which interface is which, so I guess I'll have to go with option 1.  I just hope I can access the auto detect protocol through it.

      pfSense Rig : SuperMicro X8SIL-F with X3430 Xeon CPU, Shuriken cooler | 12 Gb ECC RAM | Kingston 64GB SSD | Antec VP450 P/S | Silverstone ML03B Case

jahonix

        @divsys:

        1. (255 Class "C" subnets possible, 65534 addresses )
        2. ( 16 Class "B" networks possible, 1048574 addresses)
        3. ( 1 Class "A" network possible, 16777214 addresses)

        We live in CIDR times since 1993 or so.
        (RFC 1518, RFC 1519, RFC 4632)
Why do some people still refer to an abandoned standard more than 20 years later?

        Just show your examples as /24 /16 and /8 (or 255.255.255.0  255.255.0.0 and 255.0.0.0 whichever writing you prefer). It doesn't matter how many "Class C" networks 192.168.0.0/16 contains and it's easier to follow anyways.

SilverJS

          OK, so….first foray wasn't successful at all.  The IP address scheme change thing worked out pretty good - no real flaws that I can see so far (but I did have to restart my Replication on FreeNAS...other than that, it really was a total non-event).

          The biggest thing is - I had no Internet!  Truth be told, I haven't really searched the forums yet to see if this has happened before (I intend to), but I kept getting DNS errors.  The error I was seeing in Chrome was "DNS_PROBE_FINISHED_BAD_CONFIG" or some such.  Tried two computers (several restarts each, and flushed DNS on both in ipconfig), but no luck.  Windows was showing me with access to Internet, but no name resolution at all.  So maybe saying "I had no Internet" is not technically correct.  It never dawned on me to check Internet connectivity via IP though - duh!

          I tried with the Google DNS servers, then manually input the ISP ones (I had saved them on a piece of paper).  One weird thing is that, last I checked, the default gateway (in the ISP-supplied router) was 184.160.113.1.  When I went to the DNS page in pfSense, the gateway drop-down next to the addresses only said "None" or "Default WAN" or some such, with the address being similar to, but not exactly the same as, 184.160.113.1.  I had no option to edit it.

          Anyway - I quickly re-installed the ISP-supplied router (whose IP I had previously changed to my new scheme, in case this happened), and everything was just fine and dandy.  Internet on all computers, etc.

So, at least I've got my new numbering scheme up and running, servers are purring along, my new WiFi AP is running fine.  So, I'll do some research and try to figure this out.  For now, it's a simple matter of dropping in pfSense instead of the ISP router (the two ethernet cables, essentially), so it'll be quick for experimentation.

          Ideas, anyone?


Derelict (Netgate)

            1: pfSense
            2-9 : Network Devices
            10-19 : Servers
            20-49 : Statics
            50-59 : Printers
            60-79 : IoT
            80-99 : A/V
            100-199 : DHCP Range
            200-209 : Jails (FreeNAS-ism - although I suppose pfSense could support them too, given it's FreeBSD-based…!)
            210-254 : Reserved

            This is how you would get about the same thing but with your groups of addresses on subnet boundaries so you could reference each group with one CIDR if desired.

            1: pfSense +
            2-14 : Network Devices (x.x.x.0/29)
            17-30 : Servers (x.x.x.16/29)
            33-62 : Statics (x.x.x.32/28)
            65-78 : Printers (x.x.x.64/28)
            81-94 : IoT (x.x.x.80/28)
            97-110 : A/V (x.x.x.96/28)
            129-190 : DHCP Range (x.x.x.128/26)
            193-222 : Jails (x.x.x.192/27)
            225-254 : Reserved (x.x.x.224/27)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
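A quick way to check a plan like the one above before it is turned into firewall aliases. This is an added example, not code from the thread or from pfSense: it substitutes a constructed LAN prefix of 192.168.1.0/24 for the x.x.x placeholder, copies the nine group rows exactly as written in the post, and reports for each row whether the listed host range actually sits inside the listed block, what the smallest block covering that range would be, and which parts of the /24 no row covers at all. The function and variable names are mine.

```python
"""Check a per-group /24 address plan against CIDR block boundaries.

Added example, not code from the thread or from pfSense.  PLAN is the
boundary-aligned list quoted in the post above; 192.168.1.0/24 is a
constructed stand-in for the x.x.x prefix.
"""
import ipaddress

# Constructed example prefix; any /24 gives the same last-octet arithmetic.
LAN = ipaddress.ip_network("192.168.1.0/24")

# (group, block as written in the post, first host, last host)
PLAN = [
    ("Network Devices", "0/29",   2,   14),
    ("Servers",         "16/29",  17,  30),
    ("Statics",         "32/28",  33,  62),
    ("Printers",        "64/28",  65,  78),
    ("IoT",             "80/28",  81,  94),
    ("A/V",             "96/28",  97,  110),
    ("DHCP Range",      "128/26", 129, 190),
    ("Jails",           "192/27", 193, 222),
    ("Reserved",        "224/27", 225, 254),
]


def host(n):
    """The address whose last octet is n inside LAN."""
    return LAN.network_address + n


def block(spec):
    """Turn a row's '128/26' into the network 192.168.1.128/26.
    strict=True raises if the offset is not a valid block start."""
    offset, plen = spec.split("/")
    return ipaddress.ip_network(f"{host(int(offset))}/{plen}", strict=True)


def smallest_block(lo, hi):
    """Smallest CIDR block inside LAN containing hosts lo..hi, i.e. the
    prefix a single firewall alias would need to cover the whole range."""
    for plen in range(32, LAN.prefixlen - 1, -1):
        net = ipaddress.ip_network(f"{host(lo)}/{plen}", strict=False)
        if host(hi) in net:
            return net
    raise ValueError("range does not fit inside LAN")


def check_plan(plan=PLAN):
    """List of (group, written block, fits, needed block) for each row."""
    rows = []
    for group, spec, lo, hi in plan:
        net = block(spec)
        fits = host(lo) in net and host(hi) in net
        rows.append((group, str(net), fits, str(smallest_block(lo, hi))))
    return rows


def misfits(plan=PLAN):
    """Groups whose listed host range spills outside the listed block."""
    return [g for g, _, fits, _ in check_plan(plan) if not fits]


def gaps(plan=PLAN):
    """Blocks of LAN that no row in the plan covers."""
    covered = set()
    for _, spec, _, _ in plan:
        covered.update(block(spec))
    free = (ipaddress.ip_network(f"{a}/32") for a in LAN if a not in covered)
    return [str(n) for n in ipaddress.collapse_addresses(free)]


if __name__ == "__main__":
    for group, net, fits, needed in check_plan():
        print(f"{'ok ' if fits else 'BAD'} {group:16} {net:20} needs {needed}")
    print("uncovered:", ", ".join(gaps()))
```

Run as-is the report marks a row BAD wherever the written prefix length is too short for the written host range, and prints the /29 and /28 leftovers that none of the rows claim, which is where a plan like this quietly loses addresses.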

SilverJS

              Interesting!  That actually gave me some ideas.  I've incorporated my very slight restructuring from before, with insight provided by Derelict.  Newest is in pic below (figured it was quicker to simply take a screen capture via Snipping than to type it all out here…).

              Of note, the yellow blocks are ones where, in the CIDR version, the numbers are reversed from the legend at the left, in order to follow the proper binary possibilities of the /27 and /28 numbers.  Derelict, thanks for pointing me in this direction - I learned yet more this morning as I researched all this. =)

              Now that I know that renumbering (a home network, anyway!) is relatively painless, I think I'll focus on getting pfSense up and running before renumbering to the CIDR version.  Anybody got any insights on that?  (I mean - the whole DNS thing.)

              I'll try a full re-install - maybe some setting somewhere is hindering something, from my previous hack job at testing...

[Attachment: Network.JPG]


SilverJS

                OK, re-install solved it!  I am now typing this and sending data, accessing the Internet, through my pfSense box!  Pretty exciting! =)


KOM

                  OK, re-install solved it!

                  How?  Just a simple reinstall with all the same configuration?  Details are key for helping others down the road.

SilverJS

                    I really wish I could be more specific!  But, yes, a re-install with, as far as I can tell, the same configuration.  Except that - for the very initial config (wizard), I used my ISP's DNS servers.  I replaced them right away though (with the two Google ones), and didn't really see a difference.  Seeing as part of the idea for me in doing all this pfSense install was consistency when moving, I figured the Google ones were a better match and I kept them.  In any case, I did all that with the previous install too, no luck.

                    Other than that, I'm really not sure what's different in what I did with the clean install, and what I did with my post-hack-job install to try to make it work in this network.  I don't remember all the things I did with the hack job, as I was exploring and trying things out.  I must've messed something up somehow, but that's the best I can do, sorry.


divsys

                      One really nice thing about pfSense (IMHO) is the ability to capture the setup configuration in a single XML file.
                      In the future, think Backup,Backup,Backup!

                      If you resort to a full rebuild and have a copy of the last "bad" configuration, you can quickly troubleshoot what went wrong by selectively restoring select pieces of the setup.

                      It's a great learning tool and you risk very little because you can bring the setup back to known states with a saved "Good" setup.
                      There really are some great tools in this little package.

                      In case you didn't get the hint by now, I would humbly suggest you make and save a backup of your working config….. ;)

                      -jfp

SilverJS

                        @divsys:

                        One really nice thing about pfSense (IMHO) is the ability to capture the setup configuration in a single XML file.
                        In the future, think Backup,Backup,Backup!

                        If you resort to a full rebuild and have a copy of the last "bad" configuration, you can quickly troubleshoot what went wrong by selectively restoring select pieces of the setup.

                        It's a great learning tool and you risk very little because you can bring the setup back to known states with a saved "Good" setup.
                        There really are some great tools in this little package.

                        In case you didn't get the hint by now, I would humbly suggest you make and save a backup of your working config….. ;)

                        I most certainly did, thanks. =)  And believe me, it was on my mind, I just hadn't gotten there yet.  (I'm obsessed about back-ups - I have two entirely separate FreeNAS machines for my data and pictures and such.  I'd just put the pfSense config file on them too, to be readily accessed if the worst happened.)

                        Care to enlighten the n00b a bit?  Not asking for step-by-step, just for a slight nudge in the right direction.

                        Cheers!


tim.mcmanus

                          IMHO, the first six times I set up pfSense for the first time, I reinstalled each time.  The system is very powerful and configurable, and with great power comes responsible configuration.  I was very irresponsible the first 5x I set it up.

                          I'm glad you got it working, and punting each time you install is just a rite of passage.  :)

divsys

                            Not asking for step-by-step, just for a slight nudge in the right direction.

                            I could say just RTFM  ;)

                            Fortunately a nudge is just about a step-by-step in this case….

                            Go to "Diagnostics->Backup/restore" and click on "Download configuration".
                            Save the file somewhere you remember.
                            Done.

                            The backup is saved into a single XML file that can be easily restored into a fresh (or any) install:

                            Go to "Diagnostics->Backup/restore"
                            Remember where you saved the file and choose it under "Browse".
                            Click on "Restore configuration".
                            Wait for the system to restart.
                            Done.

                            A fairly new (I don't remember the release where it first appeared) feature of the XML file structure is its division into "Backup areas".
                            If you click on the "Backup area:" dropdown you'll see the possibilities.
                            Using these you can choose which particular areas you want to backup and/or restore individually.

This gives you some wonderful tools for diagnosing problems, especially if you start with a complete backup as a reference so you don't worry about messing things up while "testing".  I suggest you put it to the test, save your current working config and then (gasp!) restore it again.

                            If you want to explore the "guts" of pfSense, a peruse of the XML file can be very informative (or very confusing).

Keep asking questions and keep learning, it's the only way to survive  :)

                            -jfp
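One way to use a saved "good" backup and a later "bad" one the way divsys describes, without restoring anything: compare the two config.xml files area by area and list only the leaf values that changed, so you know which backup area to restore selectively. This is an added example, not pfSense code. The two XML documents are constructed, cut-down stand-ins; their element names (system/dnsserver, interfaces/lan/ipaddr, dhcpd/lan/range, filter/rule) follow the layout I assume pfSense's config.xml uses, so confirm the tags against a real download before trusting the paths, and 203.0.113.1 is a documentation address standing in for whatever the bad install had.

```python
"""Section-by-section diff of two pfSense-style config.xml backups.

Added example, not pfSense code.  GOOD and BAD are constructed, cut-down
stand-ins for a working backup and a later broken one; the tag layout is
an assumption about config.xml, check it against a real file.
"""
import xml.etree.ElementTree as ET

GOOD = """<pfsense>
  <system><hostname>pfSense</hostname>
    <dnsserver>8.8.8.8</dnsserver><dnsserver>8.8.4.4</dnsserver></system>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <dhcpd><lan><range><from>192.168.1.129</from><to>192.168.1.190</to></range></lan></dhcpd>
  <filter><rule><type>pass</type><interface>lan</interface></rule></filter>
</pfsense>"""

# Constructed "bad" config: one DNS server pointed somewhere else and a
# rule flipped from pass to block; everything else identical to GOOD.
BAD = """<pfsense>
  <system><hostname>pfSense</hostname>
    <dnsserver>203.0.113.1</dnsserver></system>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <dhcpd><lan><range><from>192.168.1.129</from><to>192.168.1.190</to></range></lan></dhcpd>
  <filter><rule><type>block</type><interface>lan</interface></rule></filter>
</pfsense>"""


def leaves(elem, path):
    """Flatten an element into {path: text}; repeated tags get [n] suffixes
    so two <dnsserver> entries stay distinguishable."""
    out, counts = {}, {}
    for child in elem:
        counts[child.tag] = counts.get(child.tag, 0) + 1
        p = f"{path}/{child.tag}[{counts[child.tag]}]"
        if len(child):
            out.update(leaves(child, p))
        else:
            out[p] = (child.text or "").strip()
    return out


def sections(xml_text):
    """{top-level section name: flattened leaves} for one backup file."""
    root = ET.fromstring(xml_text)
    return {child.tag: leaves(child, child.tag) for child in root}


def differing_sections(good_xml, bad_xml):
    """Names of the backup areas whose content is not identical."""
    g, b = sections(good_xml), sections(bad_xml)
    return sorted(s for s in set(g) | set(b) if g.get(s) != b.get(s))


def leaf_diff(good_xml, bad_xml, section):
    """(path, good value, bad value) for every changed leaf in one section;
    None marks a leaf present on only one side."""
    g = sections(good_xml).get(section, {})
    b = sections(bad_xml).get(section, {})
    return sorted((p, g.get(p), b.get(p))
                  for p in set(g) | set(b) if g.get(p) != b.get(p))


if __name__ == "__main__":
    for section in differing_sections(GOOD, BAD):
        print(f"[{section}]")
        for path, before, after in leaf_diff(GOOD, BAD, section):
            print(f"  {path}: {before!r} -> {after!r}")
```

With real files, read them in place of the two string constants; the output names the areas to restore from the good backup and leaves the rest of the bad install untouched for inspection.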

Derelict (Netgate)

                              And something else really cool about pfSense is you can restore just sections of the backup (like just Traffic Shaping, for instance).

                              I only have one FreeNAS but it is RAIDZ2.


almabes

                                @Derelict:

                                I only have one FreeNAS but it is RAIDZ2.

                                I had to look that up.  I've not heard of RAID-Z2 (or Z1) before now.  Cool stuff.

SilverJS

                                  @divsys:

                                  I could say just RTFM  ;)

                                  OK - I think that, if there's ONE thing I'm struggling with with regards to pfSense, it's the documentation (or lack thereof).  Granted, after I saw your post, I went into the documentation, and did indeed find some entries on config backup and auto config backup (haven't read them yet, but I now know they're there).

BUT - I honestly find it really, really grating that the main reference book is only available for purchase.  I guess I'm coming from FreeNAS, where the whole documentation, which has recently been redone (and is quite fantastic, I believe) is readily available.  In fact, it now comes as part of the installer, so it's written to the installation media (in other words, accessible even offline).  Is it me or is the currently-available pfSense online documentation a bit lacking…?  I'm not saying this is the way things are, just the way I currently perceive them to be.

                                  P.S. - I actually have two separate FreeNAS boxes, each RAIDZ2.  =)  As the guys on the FreeNAS forums are fond of saying : "RAIDZx does NOT constitute a backup!!!".  =)))


johnpoz (Global Moderator)

                                    The wiki is pretty much open to anyone, request an account have at updating it ;)

                                    To be honest, if you can not just look at the gui in pfsense and figure out the basics – then maybe you shouldn't even be using pfsense in the first place..

Pretty much every single option has some note on it, etc.  On most pages, if you click the ? in the upper right it takes you to the docs - for example the firewall rules page ? takes you to
                                    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

When you click to create a rule - pretty much every single option has notes on it, etc. etc..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

SilverJS

                                      You're right, and the more I play around with pfSense, the more I'm seeing that too.  I was referring to OpenVPN more specifically, where I had to tool around with third party guides (one in particular was excellent), that went a fair ways past what the wizard did.  But hey - I accept that this is part of open-source.  FreeNAS was/is the same, to a large extent, but like I said, its documentation is (now) a fair bit better, I believe.

                                      In any case, I am enjoying pfSense more and more as I tool around with it, and this community so far has been awesome.


johnpoz (Global Moderator)

I would not look to 3rd party guides - they are almost always nonsense and outdated.. If you have questions on how openvpn works - I would consult the actual documentation from openvpn.

                                        I have never had issue with setting up pfsense for openvpn just running thru the wizard.  Click, click done and up and running.


deinspanjer

                                          This thread was great as I've been contemplating the same thing as I wrangle my home office LAN into shape with my new pfSense router.

                                          One thing I'm curious about that I didn't see specifically being called out, why subdivide your network into such small partitions like this:
                                          1: pfSense +
                                          2-14 : Network Devices (x.x.x.0/29)
                                          17-30 : Servers (x.x.x.16/29)
                                          33-62 : Statics (x.x.x.32/28)
                                          65-78 : Printers (x.x.x.64/28)
                                          81-94 : IoT (x.x.x.80/28)
                                          97-110 : A/V (x.x.x.96/28)
                                          129-190 : DHCP Range (x.x.x.128/26)
                                          193-222 : Jails (x.x.x.192/27)
                                          225-254 : Reserved (x.x.x.224/27)

                                          instead of just using a separate class C err.. /16 for each use case?
I'm wondering if it might be because of problems broadcasting or multicasting, but I thought that if you specified the subnet mask as 255.255.0.0, it would make those able to propagate through the whole network..

divsys

                                            instead of just using a separate class C err.. /16 for each use case?
I'm wondering if it might be because of problems broadcasting or multicasting, but I thought that if you specified the subnet mask as 255.255.0.0, it would make those able to propagate through the whole network..

                                            You could do that if you wished and in some cases it would be desirable (larger enterprise/many user setups) but for home use it gets a little awkward pretty fast.
                                            There's something nice about only having to remember the last octet of a network address to specify your printer or Xbox, etc.

                                            The other consideration is when you try and connect to other networks that aren't under your control (VPN, etc.)
Assigning yourself an (overly) large block makes it that much more likely you'll be stepping on someone else's subnet and cause yourself routing headaches.

                                            The breakdown suggested is pretty thorough - in many home setups too thorough.
                                            I would guess most people could easily get away with only a DHCP, Static, and "other" section given that 40 network devices in a home network is a "big" number.
                                            Indeed I'm sure many people just leave it at DHCP and don't worry too much about the rest.

                                            As always it's up to you how intricate you want to make this:  Design==Choices.

                                            Please note, I'm definitely NOT knocking SilverJS's effort at structuring his (her?) network.
                                            On the contrary as I said earlier, it's refreshing to see someone think about where their design choices will take them - before they have to say oooops  ;)

                                            Just my $.02, YMMV.

                                            -jfp
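To make the "stepping on someone else's subnet" point concrete, here is an added example (not from the thread) that scores candidate home prefixes against a list of networks you might later reach over a VPN. The names and prefixes in REMOTE are constructed for the example, not anyone's real addressing, and the function names are mine. shadowed() shows which slice of the home LAN longest-prefix routing would hand to the VPN once the two overlap, which is the routing headache divsys refers to.

```python
"""Does a candidate home prefix collide with networks you may later route
to over a VPN?  Added example, not from the thread.  REMOTE holds
constructed sample networks, not anyone's real address space."""
import ipaddress

REMOTE = {
    "office-vpn":  "10.8.0.0/24",
    "parents-lan": "192.168.1.0/24",
    "coffee-shop": "192.168.0.0/24",
    "cloud-vpc":   "172.31.0.0/16",
}

# The three choices discussed in the thread: a whole /16, the usual
# default /24, and a /24 picked from a less crowded part of 10/8.
CANDIDATES = ["192.168.0.0/16", "192.168.1.0/24", "10.73.42.0/24"]


def conflicts(home, remotes=REMOTE):
    """Names of the remote networks whose prefix overlaps the home prefix."""
    home_net = ipaddress.ip_network(home)
    return sorted(name for name, prefix in remotes.items()
                  if home_net.overlaps(ipaddress.ip_network(prefix)))


def shadowed(home, remote):
    """When home and remote overlap, the more specific prefix wins
    longest-prefix matching: those home addresses are sent to the VPN
    instead.  Returns that prefix, or None when there is no overlap
    (a tie on prefix length reports the home prefix)."""
    h, r = ipaddress.ip_network(home), ipaddress.ip_network(remote)
    if not h.overlaps(r):
        return None
    return str(max(h, r, key=lambda n: n.prefixlen))


def rank(candidates=CANDIDATES, remotes=REMOTE):
    """Candidates ordered by how many remote networks they collide with."""
    return sorted(candidates, key=lambda c: (len(conflicts(c, remotes)), c))


if __name__ == "__main__":
    for cand in rank():
        hits = conflicts(cand)
        print(f"{cand:16} conflicts: {hits or 'none'}")
        for name in hits:
            print(f"    {shadowed(cand, REMOTE[name])} would route to {name}")
```

Swap in the networks you actually connect to and the ranking tells you which of your candidate prefixes keeps every remote route reachable; a /16 at home is the one most likely to swallow someone else's /24.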

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.