Best way to change from /24 subnet to /23? Need more IP's



  • Hi,

    I am using a 192.168.12.1 IP scheme & I have 192.168.11.1 as my OpenVPN IP scheme.

    My DHCP is 70 IP's & I have a ton of other devices on the network.  Last week I ran out of DHCP addresses, set some static IP's & had just enough due to extra visitors on site.

    So I am looking to go to a /23 IP scheme & would like to know the best way to do that - just go through the PFsense wizard?

    In the end I think I would like:

    192.168.12.1-192.168.12.254 - Static IP's
    192.168.13.1-192.168.13.254 - DHCP Range
    192.168.11.1-192.168.11.254 - OpenVPN range

    Any help or advice would be appreciated.

    Thanks,
    Rich



  • If all should stay within the same network you can use 192.168.12.0/23 without any problems.
    Just change the Subnetmasks on your static clients and your router from 255.255.255.0 (/24) to 255.255.254.0(/23)
    Router IP can stay the same whereever it is in that rage.
    No need to run the wizard again.
    The LAN Net alias should update itself depending on the IP and Subnetmask of the interface.


  • Galactic Empire

    There will be no easy way with all those statics, you'll need to change the subnet mask of the 192.168.12.0/24 to a /23 then change the subnet mask on the end devices ( otherwise statics <-> DHCP won't be able to talk to each other ) and maybe their default gateway.

    What is the default gateway for the 192.168.12.0/24, is it 192.168.12.1 ?

    If it's 192.168.12.254 it will be bang in the middle when you change the subnet mask, I like to see the default gateways either the 1st or last address in a subnet.

    Back up your dhcp addresses then take a text editor to it if you have reserved addresses and change the IP to suit then import just the dhcp addresses.


  • LAYER 8 Global Moderator

    How many statics do you have?

    You might want to take the opportunity to change all your statics to dhcp, just setup reservations for them so they always get the same IP..  This way if you need to change your IP range again its real simple.



  • Hi,

    I changed the subnet to 23 as suggested.  I then went to my DHCP range & made 192.168.13.50 - 192.168.13.250 as the DHCP range.  I have a large number of VM's but can change them to DHCP & give them leases - which would help for next time.

    We have three freenas boxes & none worked for the DHCP range until changing the freenas box to the 23 subnet - then it started working.  I am a little afraid to change those devices to DHCP but probably shouldnt fear it.

    More of an issue if the PFsense router breaks for some reason & I swap in an off the shelf in a pinch to get the connectivity working again.  Is that a real fear or just my own paranoia?

    Thanks,
    Rich



  • Make your spare a pfsense also and load the config from your current pfsense on it if you need to swap in the spare.



  • Hello everyone, all this pain and "paranoia" can be easily wiped away and able to realize in two well known
    and/or common ways. There is mostly a need for many more IP addresses as we all could imagine, but leaving
    for that the entire or more common rail way means often also, running in many traps related to all the extra fiddling´s
    and special done´s.

    • Get a pfSense appliance with many LAN ports and add on each one or more dump Layer2 switches (unmanaged) that
      get their own IP address range and let the pfSense firewall route between them all. That is plain routing and it works great!

    • Get a managed Layer2 switch, set up VLANs and let the pfSense firewall route between them all.

    • Get a managed Layer3 switch, set up VLANs  and let the switch do the entire routing to relieve
      the pfSense firewall being able to work on other things.

    We have three freenas boxes & none worked for the DHCP range until changing the freenas box to the 23 subnet - then it started working.  I am a little afraid to change those devices to DHCP but probably shouldnt fear it.

    More of an issue if the PFsense router breaks for some reason & I swap in an off the shelf in a pinch to get the connectivity working again.  Is that a real fear or just my own paranoia? 
    Shorten down the entire broadcast areas means also able to find more easy failures, miss configurations and
    other issues faster. The entire network becomes more responsive and stable if there will be smaller broadcast
    areas and "rooms".  If the entire network will grow step by step I would more suggest on top of this to work with
    proper switches that are able to stack them into switch stacks that acts then more agile and are coonected to
    a pair or redundant core switches.



  • @kejianshi:

    Make your spare a pfsense also and load the config from your current pfsense on it if you need to swap in the spare.

    This isnt a bad idea.  What is the cheapest off the shelf 'backup' box i can use for PFsense?  Any router I can just flash?



  • If you want cheap, buy a used off lease or refurbished box off newegg, for example.

    Assuming you have a server made of server hardware with intel nics just make sure to add in the same number of em interfaces to your new(ish) backup.



  • @johnpoz:

    How many statics do you have?

    You might want to take the opportunity to change all your statics to dhcp, just setup reservations for them so they always get the same IP..  This way if you need to change your IP range again its real simple.

    So i have been giving this a lot of thought as i have been changing my static subnets from 255.255.255.0 to 255.255.254.0.

    The plus side of static is that things (IP phones - at least internal intercoms - , cameras, etc) still work if the router is down or rebooted.  I have about 40 static IP's & this is the first time I have ever changed from /24 to /23.  I wont say I am unlikely to outgrow this but I doubt it.

    That being said - if I use DHCP & need to reboot a PC & the router is down, I think I am out of luck for internal communications.  Am I missing a big Pro beyond it would be much easier to change subnets?



  • @kejianshi:

    If you want cheap, buy a used off lease or refurbished box off newegg, for example.

    Assuming you have a server made of server hardware with intel nics just make sure to add in the same number of em interfaces to your new(ish) backup.

    So my main box is this:  https://www.amazon.com/gp/product/B019Z8T9J0?ref_=pe_623860_70668520
    J1900 with 8gb ram & a SSD (64 or 128 - i forget).

    Should i get something better & my original box becomes the spare?



  • That system will not be able to run the next major release of PFsense as it does not support the AES-NI CPU instruction set that will be required. you might plan on purchasing a replacement and a spare.



  • Buying a new box from netgate to use as the main or building your own and making it the main also works.

    Just be sure the wattage is low enough for your tastes, the cpu supports AES-NI, it is 64 bit and you build it with compatible intel nics.

    I prefer speed to maximum energy efficiency, so these processors are my pick for building a new pfsense.

    My way includes fans.  May not make you happy.

    https://ark.intel.com/products/codename/82879/Kaby-Lake    (You have to love one of them)

    Otherwise, you can buy one of those reasonably powerful server board that come with a 8 core atom chip and a whole bunch of intel nic ports built in.  $$$$

    Or a board with only 2 intel nics.  1 for lan and 1 for wan.  And a managed switch with a nice web gui and vlan support.  So long as your 1 LAN port can match the speed of your ISP


  • LAYER 8 Global Moderator

    "if I use DHCP & need to reboot a PC & the router is down"

    Why would your router be down.. This is when dhcp failover becomes important for any org that needs dhcp to work because systems are on and off the network all the time, etc.



  • @MervinCM:

    That system will not be able to run the next major release of PFsense as it does not support the AES-NI CPU instruction set that will be required. you might plan on purchasing a replacement and a spare.

    Whats amusing is I started running PFsense with as a VM on my Esxi box & moved it to that physical box for the sake of ensuring a dedicated box would be running.  It looks like i may have to go back to running it on a VM .



  • I bought a 10" samsung windows tablet which has a Kaby Lake processor & man it is fast!  Right on par with my 4th Gen I7 laptop in terms of speed.

    I will have to look at what is available off the shelf.  I prefer lower energy consumption if possible as electricity gets expensive with all these 24/7 devices.  The fan noise is OK with me as its in a server room / wiring closet.

    Anything less spendy than $550 for a small form factor fanless AES-NI 64 bit system?

    @kejianshi:

    Buying a new box from netgate to use as the main or building your own and making it the main also works.

    Just be sure the wattage is low enough for your tastes, the cpu supports AES-NI, it is 64 bit and you build it with compatible intel nics.

    I prefer speed to maximum energy efficiency, so these processors are my pick for building a new pfsense.

    My way includes fans.  May not make you happy.

    https://ark.intel.com/products/codename/82879/Kaby-Lake    (You have to love one of them)

    Otherwise, you can buy one of those reasonably powerful server board that come with a 8 core atom chip and a whole bunch of intel nic ports built in.  $$$$

    Or a board with only 2 intel nics.  1 for lan and 1 for wan.  And a managed switch with a nice web gui and vlan support.  So long as your 1 LAN port can match the speed of your ISP



  • @johnpoz:

    "if I use DHCP & need to reboot a PC & the router is down"

    Why would your router be down.. This is when dhcp failover becomes important for any org that needs dhcp to work because systems are on and off the network all the time, etc.

    I think I need to do some reading on DHCP failover - however could i use a VM as the Secondary DHCP?

    Is this what I need to make it happen: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    I cant find any video online but any hints would be great!



  • Some of those Kaby lake processors have low enough power requirements to run fanless.

    Still, I think the 4 and 8 core atom boards would be fire and forget reliable.

    I'm running one atom system fanless…  The fan died and it made no difference in cpu temps so I just pulled off the fan.



  • @richtj99:

    That being said - if I use DHCP & need to reboot a PC & the router is down, I think I am out of luck for internal communications.  Am I missing a big Pro beyond it would be much easier to change subnets?

    1. You can have multiple DHCP servers.  DHCP is designed that way, so the client goes with the first server that responds.  You can configure the DHCP servers to hand out different blocks to prevent multiple devices from getting the same address, but these days, duplicate address detection is used to prevent that.  Of course that's not an issue when you map IP to MAC addresses.

    2. You can set a long lease time that will likely see you through any failure.  Once a device has an address, it owns it for the duration of the lease.


  • LAYER 8 Global Moderator

    Yeah the simple way to run multiple dhcp is just have them hand out different blocks..  But there are much better ways to do it where the dhcp servers exchange the leases so, etc.  Sure you could run pfsense via carp to do it.  But you can also set it up on other systems like MS latest server versions dhcp has added a lot of dhcp failover and redundancy features.


Log in to reply