Need help with pfSense VPN and subnetting

  • Hello everyone!

    I need to reconfigure my IP address space on one of my VPN endpoints that we are using pfSense to support to provide access to our internal training network. We are currently using an IP addressing scheme but we will run out of IP addresses so I wanted to change it to be a network. I would still like to split that network into a series of /24's like so:

    • - General network
    • - Training network
    • - IoT device network
    • - WiFi network
    • - Windows AD #1 network
    • - Windows AD #2 network
    • - Windows AD #3 network

    I currently have pfSense configured with the LAN interface using and I have an OpenVPN on that interface which pushes down routes to the OpenVPN clients for those networks. I'm able to currently able to see the traffic get routed to the proper subnet but when the machine tries to respond it can't because I'm using a /24 instead of a /16 so it doesn't have a gateway it can reach.

    My question is what is the best approach to get gateways for all the /24 subnets within the /16 network? Is it using VLANs or is there a better approach to this? Our core switch is a Cisco Catalyst 3560G-48 which supports VLANs and has four currently configured already.

    Thanks in advance!

  • LAYER 8 Global Moderator

    @h0w1tzr said in Need help with pfSense VPN and subnetting:

    I currently have pfSense configured with the LAN interface using

    Thats not a very good idea.. You have need to grow to a single L2 of like 65K ips?

    If you have a bunch of networks that all fall into that /16 space then sure you could push that as a route, and use as firewall rule, etc. But its really large, and you could end up overlapping or stepping on other networks or routes you need to get to as your network grows.

    Looks like you have 7 segments you need.. You could say almost double that to have room for growth and use a /20 that would give you

    10.0.0-10.0.15 to work with for space.. Which you could then use as /24s

    But pfsense would not have a /20 on one of its interfaces unless you were just going to use that as one large L2.. Pfsense would either have interfaces in each vlan, or would have a transit network connection to your downstream router that would be routing your different /24 vlans..

    Its a good idea to also keep your vlans that you use in a larger space in one section of the overall space, say the lower half or the upper half of the space so you can always split that if need be - when you need/want to use the space else where so you don't have to renumber large networks..

    So for example while you could use a /20 to give you 16 /24s either try to keep the vlans you use next to each other so its easier to split off at some future time unused space.

    Vs doing what you have with those .50 and .100 segments... keep them tighter grouped.. You can always skip so you can say grow to a /23 on each segment if needed..


    etc.. so now each of those could be moved to /23 without much issue.. But your still only using smaller amount of concurrent space in your larger space.. So if you need to split off some of the larger space you don't have to renumber your current vlans.

    Or if need be you could use the /24 between for other vlans, etc..

    IP space management is quite often overlooked in early spin up of networks, and comes to bite you later.. I have the whole 10/8 to work with... Lets give every site their own /16 in that for example... Or lets put this vlan at the beginning of my /20 and this other vlan at the end of that.. Now what happens when you need to drop that /20 to a /21 or /22 etc..

Log in to reply