Sub supernetting CIDR notation



  • I do not know what to call it, but I know it is possible with iptables.

    We have locations with address notation like the following:

    10.11.193.0/24
    10.11.194.0/24
    10.11.195.0/24
    10.11.196.0/24
    10.11.197.0/24

    At all those locations we start wifi devices at 10.11.x.66

    10.11.193.64/27
    10.11.194.64/27
    10.11.195.64/27
    10.11.196.64/27
    10.11.197.64/27

    In one rule I could control those devices like 10.11.192.64/255.255.224.224

    Is this possible within the GUI, so that the whole range 192-224 and 64-96 ?


  • Rebel Alliance Global Moderator

    Well, it depends if all your networks fall within a valid subnet. So for example, in your example, trying to do 10.11.193 to 10.11.197 you could do /21, which would be 10.11.192-199, or you could do /22, which would be 10.11.192-195.

    193 does not fall at a subnet break, so you either have to include that in your rule even though it is not being used, or use, say:

    10.11.193/24
    10.11.194/23
    10.11.196/23

    Or you could just use an alias to put in the range of IPs you want to be included.



  • It is more that it would be nice to have a simple notation:

    10.11.193.66-94
    10.11.194.66-94
    10.11.195.66-94

    This way you could easily define the printer segment or the wifi-mgmt segment.

    10.11.192.64/255.255.224.224 where the first 224 limits the 10.11.192-224.64 and the second 224 handles the 10.11.192.64-96

    Otherwise you would have to define all your segments for the entire infrastructure.


  • Rebel Alliance Global Moderator

    10.11.192.64/255.255.224.224

    255.255.224.224 ???

    That is not a valid mask. Why would 224 limit the 3rd octet to 192-224? And then .64-96 for the fourth octet?

    You can create whatever alias you want for ranges of IPs. You can use a mask on a network address for whatever ranges of network segments you want that fall on correct subnet boundaries.

    If you want to use CIDR masking in your network limits, then I would suggest you use networks that fall on correct boundaries to allow for it. If you want to limit a range of IPs in a network, sure, you can use subnets as well.

    So for example, if you wanted to write a rule that only hit on 10.11.194.64-96, you could use 10.11.194.64/27, which would trigger on .64 to .95, which is close to your example.
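    As an added example (not code from this thread or from pfSense), the following Python script works through the two approaches discussed above: the minimal set of contiguous CIDR blocks (and the single enclosing block) that cover the 193-197 sites, the per-site /27 alias members, and the pure bit-test semantics that the non-contiguous 255.255.224.224 notation would imply, which pf does not accept in a rule. The site numbers and offsets are constructed from the addresses quoted in the thread.

```python
import ipaddress

# Constructed from the thread: five per-site /24s (third octets 193-197) and
# the wifi-management block that sits at .64/27 inside each of them.
SITE_THIRD_OCTETS = [193, 194, 195, 196, 197]
WIFI_OFFSET, WIFI_PREFIX = 64, 27


def cidr_cover(first: str, last: str) -> list[str]:
    """Smallest list of contiguous CIDR blocks that exactly covers first..last.

    This is the /24 + /23 + /23 split suggested above when the first
    site does not start on a subnet boundary."""
    rng = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in rng]


def enclosing_block(first: str, last: str) -> str:
    """Smallest single CIDR block containing first..last (may over-match)."""
    last_addr = ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{first}/{prefix}", strict=False)
        if last_addr in net:
            return str(net)
    raise ValueError("unreachable: /0 contains every address")


def wifi_alias_members(second_octet: int = 11) -> list[str]:
    """Alias members for a pf-style ruleset: one contiguous /27 per site."""
    return [str(ipaddress.IPv4Network(
        f"10.{second_octet}.{o}.{WIFI_OFFSET}/{WIFI_PREFIX}"))
        for o in SITE_THIRD_OCTETS]


def bitmask_match(addr: str, base: str, mask: str) -> bool:
    """Wildcard-mask semantics: match when the bits selected by mask agree.

    This is what 10.11.192.64/255.255.224.224 expresses as a pure bit test;
    pf only accepts contiguous masks, so it cannot be a single pf rule."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)


if __name__ == "__main__":
    print("cover:", cidr_cover("10.11.193.0", "10.11.197.255"))
    print("enclosing:", enclosing_block("10.11.193.0", "10.11.197.255"))
    print("alias:", wifi_alias_members())
    for ip in ("10.11.197.70", "10.11.224.70", "10.11.193.96"):
        print(ip, bitmask_match(ip, "10.11.192.64", "255.255.224.224"))
```

    Note that the bit test matches third octets 192-223 and fourth octets 64-95, not 192-224 and 64-96, because 224 & 224 and 96 & 224 no longer equal the base bits.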



  • Hmmm strange …

    Right now we are having a hand-configured FW in our data center, made by someone.

    He is using (for example):

    10.11.193.0/27 for infra (like switches)
    10.11.193.32/27 for healthcare-devices
    10.11.193.64/27 for wifi mgmt
    10.11.193.96/27 door-readers

    over & over again...

    for locations
    10.11.193.
    &
    10.11.194.
    10.11.195.

    but some of our clients are using

    10.13.193.
    10.13.194.
    10.13.195.

    Because they come through a different ISP

    So it would be like using a wildcard for multiple subnets in one line, so you can hit all the wifi blocks at once.

    He made his own FW on debian, with a script to simplify things.

    I'm wondering if this could be possible on PF, because I like a GUI to simplify things and adapt to rapidly changing environments.



  • @johnpoz:

    10.11.192.64/255.255.224.224

    255.255.224.224 ???

    That is not a valid mask. Why would 224 limit the 3rd octet to 192-224? And then .64-96 for the fourth octet?

    Yes, you can't just dream up new rules for IP subnetting.

    That can be done with a single alias with multiple members in the alias.


  • Rebel Alliance Global Moderator

    Yes, a /27 in a firewall would match those IPs. If your network was actually a /24 and you used 10.11.193.0/27 in a firewall rule, that rule would trigger on IPs .1 to .31.

    If you used .32/27 it would trigger on .32 to .63, etc. Yes, you can use CIDR in your firewall rules, and they can be subnets of your actual network. So sure, if you always set your infrastructure IPs .1 to .31 on that network, then you could use x.x.x.0/27 as a firewall rule to trigger on those IPs.

    It is very common practice to use specific IPs in a segment for specific sorts of things, which then, yes, makes creating firewall rules that match on those IPs easy to do with CIDR. It depends on the location, but many will reserve the first part of a new IP range for static, and the end as well, and only use the middle ranges for normal dynamic clients in that segment, etc.

    If you break at common subnet blocks, then yes, it makes it easy to write firewall rules based on those borders.