Netgate Discussion Forum
    Sub supernetting CIDR notation

    General pfSense Questions
    7 Posts 3 Posters 1.4k Views
    • godfather007

      I do not know what to call it, but I know it is possible with iptables.

      We have locations with address notation like the following:

      10.11.193.0/24
      10.11.194.0/24
      10.11.195.0/24
      10.11.196.0/24
      10.11.197.0/24

      At all those locations we start wifi devices at 10.11.x.66

      10.11.193.64/27
      10.11.194.64/27
      10.11.195.64/27
      10.11.196.64/27
      10.11.197.64/27

      In one rule I could control those devices like 10.11.192.64/255.255.224.224

      Is this possible within the GUI, so that the whole range 192-224 and 64-96?

      • johnpoz LAYER 8 Global Moderator

        Well, it depends if all your networks fall within a valid subnet.. So for example, in your example trying to do 10.11.193 to 10.11.197, you could do /21 which would be 10.11.192-199, or you could do /22 which would be 10.11.192-195.

        193 does not fall at a subnet break. So you either have to include that in your rule even though it is not being used, or use say

        10.11.193/24
        10.11.194/23
        10.11.196/23

        Or you could just use an alias to put in the range of IPs you want to be included.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • godfather007
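        The aggregation johnpoz describes above, worked through with Python's standard ipaddress module as an added example (not code from the thread or from pfSense): given the five per-site /24s, it computes the exact minimal CIDR cover (193/24, 194/23, 196/23), the single supernet that contains them all (/21), and the /24s that supernet would also match even though they are not in use. SITES is a constructed sample taken from the values in the first post.

```python
import ipaddress

# Constructed sample: the five per-site /24 networks listed in the first post.
SITES = ["10.11.193.0/24", "10.11.194.0/24", "10.11.195.0/24",
         "10.11.196.0/24", "10.11.197.0/24"]


def exact_cover(cidrs):
    """Smallest list of CIDR blocks that cover exactly the given networks.

    Neighbouring blocks are merged only where they sit on a valid boundary,
    so 193/24 stays alone while 194+195 and 196+197 each become a /23.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(cidrs):
    """Single CIDR block containing every given network (may include unused space).

    Start from the first network and widen the prefix one bit at a time until
    all networks are inside the candidate.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def uncovered_extra(cidrs):
    """/24 blocks the single supernet matches that were not in the original list.

    This is the address space a rule on the supernet would also allow or block
    even though no site uses it yet.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    big = ipaddress.ip_network(smallest_supernet(cidrs))
    return [str(s) for s in big.subnets(new_prefix=24) if s not in nets]


if __name__ == "__main__":
    print("exact cover:   ", exact_cover(SITES))
    print("one supernet:  ", smallest_supernet(SITES))
    print("extra /24s hit:", uncovered_extra(SITES))
```

        Three rule entries (or three alias members) match the five sites exactly; one /21 entry is shorter but also matches 192, 198 and 199, which is the trade-off johnpoz points out.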

          It is more that it would be nice to have a simple notation:

          10.11.193.66-94
          10.11.194.66-94
          10.11.195.66-94

          This way you could easily define the printer segment or the wifi-mgmt segment.

          10.11.192.64/255.255.224.224 where the first 224 limits the 10.11.192-224.64 and the second 224 handles the 10.11.192.64-96

          Otherwise you would have to define all your segments for the entire infrastructure.

          • johnpoz LAYER 8 Global Moderator

            10.11.192.64/255.255.224.224

            255.255.224.224 ???

            That is not a valid mask.. Why would 224 limit the 3rd octet to 192-224?? And then .64-96 for the fourth octet?

            You can create whatever alias you want for ranges of IPs. You can use a mask on a network address for whatever ranges of network segments you want that fall on correct subnet boundaries.

            If you want to use CIDR masking in your network limits, then I would suggest you use networks that fall on correct boundaries to allow for it. If you want to limit a range of IPs in a network, sure, you can use subnets as well.

            So for example if you wanted to write a rule that only hit on 10.11.194.64-96 you could use 10.11.194.64/27 which would trigger on .64 to .95 which is close to your example.

            • godfather007

              Hmmm strange …

              Right now we have a hand-configured FW in our data-center, made by someone.

              He is using (for example):

              10.11.193.0/27 for infra (like switches)
              10.11.193.32/27 for healthcare-devices
              10.11.193.64/27 for wifi mgmt
              10.11.193.96/27 door-readers

              over & over again...

              for location
              10.11.193.
              &
              10.11.194.
              10.11.195

              but some of our clients are using

              10.13.193.
              10.13.194.
              10.13.195.

              Because they come through a different ISP

              So it would be like using a wildcard for multiple subnets in one line, so you can hit all the wifi blocks at once.

              He made his own FW on debian, with a script to simplify things.

              I'm wondering if this could be possible on PF, because I like a GUI to simplify things and adapt to rapidly changing environments.

              • cmb

                @johnpoz:

                10.11.192.64/255.255.224.224

                255.255.224.224 ???

                That is not a valid mask.. Why would 224 limit the 3rd octet to 192-224?? And then .64-96 for the fourth octet?

                Yes, you can't just dream up new rules for IP subnetting.

                That can be done with a single alias with multiple members in the alias.

                • johnpoz LAYER 8 Global Moderator

                  Yes, /27 in a firewall would match those IPs.. If your network was actually a /24 and you used 10.11.193.0/27 in a firewall rule, that rule would trigger on IP .1 to .31.

                  If you used .32/27 it would trigger on .32 to .63, etc.. Yes, you can use CIDR in your firewall rules and they can be subnets of your actual network.. So sure, if you always set your infrastructure IPs .1 to .31 on that network, then you could use x.x.x.0/27 as a firewall rule to trigger on those IPs.

                  This is very common practice, to use specific IPs in a segment for specific sorts of things, which then, yes, makes creating firewall rules that match on those IPs easy to do with CIDR.. Depends on the location, but many will reserve the first part of a new IP range for static and the end as well, and only use the middle ranges for normal dynamic clients in that segment, etc.

                  If you break at common subnet blocks then yes, it makes it easy to write firewall rules based on those borders.

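                  An added example (not code from the thread or from pfSense) covering two points made above: johnpoz's and cmb's observation that 255.255.224.224 is not a valid mask, and cmb's suggestion of a single alias with multiple members. Using Python's standard ipaddress module it checks whether a dotted mask is contiguous, expands "the .64/27 block of every site network" into the member list such an alias would hold (including sites on a second /16 like 10.13.x.x), and reports the first and last address a /27 rule actually matches. SITES, the offset 64 and the prefix 27 are constructed from the values in the thread.

```python
import ipaddress

# Constructed sample: three sites on 10.11.x.0/24 and two client sites on 10.13.x.0/24.
SITES = ["10.11.193.0/24", "10.11.194.0/24", "10.11.195.0/24",
         "10.13.193.0/24", "10.13.194.0/24"]


def is_contiguous_mask(mask):
    """True only for a real netmask: a run of 1-bits followed by a run of 0-bits.

    Inverting a contiguous mask gives 2^k - 1, so adding one yields a power of
    two; 255.255.224.224 inverts to 0x1F1F and fails this test.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & 0xFFFFFFFF
    return (inverted + 1) & inverted == 0


def alias_members(site_cidrs, host_offset, prefix):
    """Expand 'the /prefix block starting at host_offset in every site' into alias members.

    Each member is a normal CIDR block, so the firewall needs no wildcard mask.
    Raises ValueError if the block does not sit on a /prefix boundary or spills
    outside its site network.
    """
    members = []
    for cidr in site_cidrs:
        site = ipaddress.ip_network(cidr)
        start = int(site.network_address) + host_offset
        block = ipaddress.ip_network((start, prefix))  # strict: host bits must be zero
        if not block.subnet_of(site):
            raise ValueError(f"{block} is not inside {site}")
        members.append(str(block))
    return members


def match_range(cidr):
    """First and last address a CIDR block in a firewall rule matches."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    for mask in ("255.255.224.224", "255.255.255.224"):
        print(mask, "valid" if is_contiguous_mask(mask) else "NOT a valid mask")
    print("alias members:", alias_members(SITES, 64, 27))
    print("10.11.194.64/27 matches", match_range("10.11.194.64/27"))
```

                  The member list is what you would paste into one pfSense alias and reference from a single rule; the range check shows why a /27 at .64 ends at .95, which is why johnpoz calls it "close to" the requested .64-96.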
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.