Can't get second subnet to connect to the internet



  • Hi guys. I realize there are a lot of threads like this, but none have gotten me any further than where I'm at.

    My main LAN is currently running 192.168.1.0/24 and it's getting full. Rather than retrofit this subnet I'm just going to make a new subnet and slowly move things over to it. It will be 172.16.0.0/16.

    I have the interface set to 172.16.0.1 and I set up the firewall rules so that I can ping my main LAN and the main LAN can ping the new subnet's interface.

    What I can't do is connect to the internet from the new interface. I set up an outbound NAT rule that matches my main LAN rule, but still something is missing. The firewall log shows nothing related to this, so I don't think it's being blocked. Also, I don't have an upstream gateway set. My main gateway is set to be the default. I've basically mimicked my main LAN as closely as possible.

    It's also not something related to my PC either, because I can go into the ping section of the pfSense interface, select my new LAN and my gateway, and it times out there as well.



  • For anyone who finds themselves in the same situation, I figured it out.

    Interface    | Source        | Source Port | Destination | Destination Port | NAT Address          | NAT Port | Static Port | Description
    VERIZON50    | 172.16.0.0/16 | *           | *           | *                | VERIZON50 address    | *        |             | Auto created rule for LAN to PTDT1
    CAMERASUBNET | 172.16.0.0/16 | *           | *           | *                | CAMERASUBNET address | *        |             | Auto created rule for LAN to VERIZONT1

    I had added the second entry in my outbound NAT, but I added the first one here and it started working. I disabled the second rule and things are still working, so all looks good.


  • Rebel Alliance Global Moderator

    It will be 172.16.0.0/16.

    Wow, so you have like 65K hosts, up from your 250-ish? Huge jump ;)

    A simple mask change to /23 would give you 192.168.0.1 to 192.168.1.254.

    Change your DHCP scope, reboot your boxes, and you would double your available space on the same layer 2.

    When you create a new OPT interface you have to put rules on it. But unless you changed your outbound NAT from auto, that would have been done for you.



  • Huge jump ;)

    I don't ever want to be short again :).

    Well, maybe that is a better way of doing it. What will happen with all of the static IPs I have assigned to various things? Will things on the /23 subnet still communicate with the /24 subnet? I figured not, since they weren't on the same subnet anymore.

    Also, I did change the outbound NAT at some point to fix an issue I had a long time ago.


  • Rebel Alliance Global Moderator

    Don't take this the wrong way, but a /16 mask is just stupid... That sort of mask would never be on an interface; it's a mask that would be used in a summary route or a firewall rule.

    You could have used a /22, which would give you 1k addresses, which is probably about the max you would ever want to put on the same layer 2 network anyway.

    I have no idea what your statics are, but yeah, you probably would not have had any issues with a /24 talking to a /23 that overlaps it. But it would be way easier to adjust your static machines than to move every single device to a new layer 2 just because you want to change the address space.

    As to what you did to "fix" your outbound NAT: not a clue. In the 10-some years I've been using pfSense there has never been any reason to go to manual; hybrid is OK when I wanted to add something specific for outbound.

    Here is something that happens when you go to manual: it's going to come back to bite you later, when you forget to mention it while asking for help, or you forget that you did it and wonder why something as simple as adding a VLAN doesn't work, etc.

    Hope you're never going to want anyone to VPN into your network... Because you just made it so that a HUGE number of networks that could be in use at the remote site are going to have a hard time talking to your network.

    Personally, if I were going to change your network, I would have moved off the first part of the netblocks and used a mask appropriately sized for your network.
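The sizing, on-link and overlap arithmetic behind the advice in the two moderator posts above (a /23 or /22 instead of a fresh /16, and why a /16 on the LAN collides with remote-site networks for VPN users), worked through with the standard-library ipaddress module. This is an added example, not something posted in the thread; the function names are mine, and the list of "remote LAN" prefixes is a constructed sample of ranges a road-warrior client might sit behind, not data from the thread.

```python
"""Subnet-sizing and overlap checks for re-addressing a pfSense LAN.

Added worked example (not from the original thread).  Standard library only.
The current LAN, the proposed /16 and the VPN pool come from the thread;
SAMPLE_REMOTE_LANS is a constructed list of prefixes a VPN client's local
network might use.
"""
from ipaddress import ip_address, ip_network

CURRENT_LAN = "192.168.1.0/24"      # the LAN that is "getting full"
PROPOSED_NEW = "172.16.0.0/16"      # the OP's new interface network
VPN_POOL = "192.168.20.0/24"        # the OP's existing VPN client pool

# Constructed sample: networks a remote VPN user's home/office LAN might use.
SAMPLE_REMOTE_LANS = ["192.168.0.0/24", "10.0.0.0/24",
                      "172.16.5.0/24", "172.31.255.0/24"]


def usable_hosts(net: str) -> int:
    """Assignable host addresses in the prefix (network + broadcast excluded)."""
    n = ip_network(net, strict=False)
    return max(n.num_addresses - 2, 0)


def host_range(net: str) -> tuple[str, str]:
    """First and last assignable address when the mask is widened in place.

    strict=False lets us pass 192.168.1.0/23 and get the containing block,
    which is exactly what changing the mask on the existing interface does.
    """
    n = ip_network(net, strict=False)
    return str(n.network_address + 1), str(n.broadcast_address - 1)


def on_link(host_ip: str, prefixlen: int, dst: str) -> bool:
    """Would a host configured as host_ip/prefixlen ARP for dst directly,
    rather than hand the packet to its default gateway?

    Useful for reasoning about a half-migrated LAN where some machines
    still carry the old /24 mask and others the new /23.
    """
    return ip_address(dst) in ip_network(f"{host_ip}/{prefixlen}", strict=False)


def conflicts(local: str, remotes: list[str]) -> list[str]:
    """Remote networks that overlap the local LAN.

    A VPN client whose own LAN overlaps the corporate LAN cannot reach
    the overlapping addresses: its local route always wins.
    """
    lan = ip_network(local, strict=False)
    return [r for r in remotes if ip_network(r, strict=False).overlaps(lan)]


def report() -> dict[str, int]:
    """Print the comparison the thread is about and return host counts."""
    counts = {}
    for net in (CURRENT_LAN, "192.168.1.0/23", "192.168.1.0/22", PROPOSED_NEW):
        lo, hi = host_range(net)
        counts[net] = usable_hosts(net)
        print(f"{net:<18} {counts[net]:>6} hosts   {lo} - {hi}")

    print("\nHalf-migrated LAN (mask changed on some hosts only):")
    print(" 192.168.1.10/24 -> 192.168.0.50 on-link?",
          on_link("192.168.1.10", 24, "192.168.0.50"))
    print(" 192.168.0.50/23 -> 192.168.1.10 on-link?",
          on_link("192.168.0.50", 23, "192.168.1.10"))

    print("\nRemote LANs (sample) that would collide with each choice:")
    for choice in (PROPOSED_NEW, "192.168.0.0/22", CURRENT_LAN):
        print(f" {choice:<16} {conflicts(choice, SAMPLE_REMOTE_LANS)}")
    print(" /22 overlaps VPN pool?",
          ip_network("192.168.0.0/22").overlaps(ip_network(VPN_POOL)))
    return counts


if __name__ == "__main__":
    report()
```

Run it as a script to see the table. The on-link check is the part worth staring at: a machine still on 192.168.1.10/24 sends traffic for 192.168.0.50 to its gateway, while the /23 machine ARPs for 192.168.1.10 directly, so the two directions take different paths until every host has the new mask. The overlap check shows why the moderator objects to the /16: any remote site using anything in 172.16.0.0/16 collides, whereas the /22 only collides with the one sample prefix inside 192.168.0.0/22 and leaves the existing 192.168.20.0/24 VPN pool untouched.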



  • Alright, I'll try going to a /22 and see how it goes. It's mostly just my servers and cameras that are assigned static IPs. Shouldn't be too bad to move over. My VPN users already have their own subnet, so they are all good there. They always use 192.168.20.x.

    I'll try taking the NAT back to auto and see if I have any issues as well. Like you said, I wouldn't have had the issue I did today if I had it on auto.

    Thanks for the advice.



  • @scotty562:

    I don't ever want to be short again :).

    I'm not really proposing a solution for your v4 problem, but, when you have some time, take a look at what a v6 /64 can do for you ;D