LAN IP Range Rule



  • First time with any kind of actual firewall, so please forgive me in advance if my terminology is wrong or I make other obvious mistakes…

    As of right now I just have everything blocked on the WAN side/tab.  I'm setting up rules on the LAN tab allowing HTTP, email, a few IM services and such.  In the DHCP server I set up IP addresses for each MAC address on my LAN with my own little sorting (i.e. servers are 10.0.3.x and workstations are 10.0.5.x).  I want to make a rule for an IP range, because a file server with IP 10.0.3.x has no reason to access the internet on port 80.  On the other hand I very much need/want 10.0.5.x to be able to access the internet on port 80.

    Is this possible?  TY for reading my question.



  • Yes, your addressing scheme actually makes it quite easy to do. When you are creating your allow rule for HTTP, set the Source to Network and set it to 10.0.5.0 / 24.
    The slash 24 indicates only devices that have addresses that match the first three octets of the address you entered.
    That way, when a 10.0.3.x address attempts to get online, the traffic won't match that rule and will pass down the list to the eventual implicit deny at the end if it doesn't match any more rules.



  • Well, you answered about 20 of my questions with the " / 24 " part!  Now all I wonder is where the actual number 24 comes from.  Is there a way to make sure it only matches the first 2 octets, or rather, what would the / number be?



  • That's called subnetting, and there are a lot of calculators that can help you do it if you're not sure how. Just search for a subnet calculator.
    Here are a few quick ones.
    10.x.x.x would be /8 for the last three octets
    10.0.x.x would be /16 for the last two octets
    10.0.0.x would be /24 for the last octet



  • Homework for MrVining: what is the subnet if you are given IP 10.0.0.147/26 ?
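As an added example (not code from any of the posts above), the following Python shows where the number after the slash comes from: /N means the top N of the 32 address bits are the network part, so /24 fixes the first three octets and /16 the first two. It also mimics how a first-match LAN rule list with an implicit deny at the bottom treats a 10.0.3.x versus a 10.0.5.x source, and runs the /26 homework from the last post through the same math. The rule table is constructed for illustration only (the /16 DNS rule is an assumption, not the poster's configuration), and the result is cross-checked against Python's `ipaddress` module.

```python
"""Subnet math and first-match rule evaluation.

Added example for the thread above; not the poster's configuration.
"""
import ipaddress
import socket
import struct


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def prefix_to_mask(prefix: int) -> int:
    """/N -> netmask: the top N bits set, the remaining 32-N bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """Network, netmask and address range for an 'address/prefix' string.

    The network address is the given address with the host bits cleared,
    the last address is the network with all host bits set.
    """
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    net = ip_to_int(addr) & mask
    last = net | (~mask & 0xFFFFFFFF)
    return {
        "network": int_to_ip(net),
        "netmask": int_to_ip(mask),
        "prefix": prefix,
        "last": int_to_ip(last),
        "addresses": 2 ** (32 - prefix),
    }


def cross_check(cidr: str) -> bool:
    """Confirm the hand-rolled math agrees with the standard library."""
    ours = describe(cidr)
    ref = ipaddress.ip_network(cidr, strict=False)
    return (ours["network"] == str(ref.network_address)
            and ours["last"] == str(ref.broadcast_address)
            and ours["netmask"] == str(ref.netmask))


def in_network(ip: str, cidr: str) -> bool:
    """True if ip falls inside the network given as 'address/prefix'."""
    addr, prefix_str = cidr.split("/")
    mask = prefix_to_mask(int(prefix_str))
    return ip_to_int(ip) & mask == ip_to_int(addr) & mask


# Constructed LAN rule table in the spirit of the thread (an assumption,
# not the poster's real rules): (action, source network, destination port).
RULES = [
    ("pass", "10.0.5.0/24", 80),   # workstations may browse
    ("pass", "10.0.5.0/24", 443),
    ("pass", "10.0.0.0/16", 53),   # every 10.0.x.x host may resolve names
]


def evaluate(src_ip: str, dst_port: int, rules=RULES) -> str:
    """First matching rule wins; nothing matching -> implicit deny."""
    for action, src_net, port in rules:
        if in_network(src_ip, src_net) and port == dst_port:
            return action
    return "deny"


if __name__ == "__main__":
    for cidr in ("10.0.5.0/24", "10.0.0.0/16", "10.0.0.147/26"):
        print(cidr, describe(cidr), "ok" if cross_check(cidr) else "MISMATCH")
    for ip, port in (("10.0.5.23", 80), ("10.0.3.10", 80), ("10.0.3.10", 53)):
        print(f"{ip}:{port} -> {evaluate(ip, port)}")
```

Running the script prints the network, netmask and last address for each prefix and then shows that 10.0.5.23 is passed on port 80 while 10.0.3.10 falls through to the implicit deny, exactly the behaviour described in the second reply.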

