Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Tunnel subnet masks

    Scheduled Pinned Locked Moved WireGuard
    6 Posts 2 Posters 376 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      McMurphy
      last edited by

      I am not sure what subnet mask should be used when creating an interface for a peer or when specifying allowed IPs

      I have read examples where the tunnel is specified as /29, /32 & /24

      I understand:

      • 32 = single address
      • 29 = 8 addresses
      • 24 = 256 addresses

      It would make sense to me that an interface IP should be specified using /32 as the interface is a single IP however the official Netgate docs use a /29 netmask.
      https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html#assign-interface

      Similarly, with Allowed IPs, if I have a dedicate tunnel then it would make sense to allow all IPs on the tunnel however the official docs use a /32 subnet
      https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html#peer-configuration

      Thanks in advance...

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @McMurphy
        last edited by johnpoz

        @McMurphy notice the allowed IP is the other side of the tunnels IP..

        you have a 172.16.0.2 and a .3 on the .3 site you allow the remote .2/32 address and on the .2 site you allow the other ends .3/32

        Yes the interface would use a different mask, a /29 for example or it wouldn't be able to talk to any other address..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        M 1 Reply Last reply Reply Quote 0
        • M
          McMurphy @johnpoz
          last edited by McMurphy

          @johnpoz

          Is this correct?

          Site A:
          Interface = 172.168.0.2/29
          Allowed: =172.168.0.3/32

          Site B:
          Interface = 172.168.0.3/29
          Allowed = 172.168.0.2/32

          So the interface address is both and endpoint IP and the mask specifies the range of addresses it can talk to?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @McMurphy
            last edited by

            @McMurphy yes the mask says how big the network is before it has to send traffic to a gateway.

            so with a /29 the addresses would be 172.16.0.0 - 172.16.0.7 with .0 being the network address (the wire) and .7 being broadcast. so if an address was 172.16.0.12 for example that would be a different network and to talk to it would need to send that traffic to a gateway to be routed to that network.

            Oh my bad its not 172.168 its 172.16 - .168 was typo - sorry I have corrected it. The /32 is just the firewall rule allowing the other IP to talk to it..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            M 1 Reply Last reply Reply Quote 0
            • M
              McMurphy @johnpoz
              last edited by

              @johnpoz

              If I have multiple peers on the VPN can I specify the allowed IP as being:
              172.16.0.0/24 instead of 172.16.0.2/32

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @McMurphy
                last edited by

                @McMurphy sure you can - its just an example.. You can use whatever tunnel network you want, as large or as small as you need as long as it doesn't overlap with any of your other networks.

                As to what you allow, sure you could just allow the whole tunnel network if you want, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.