Tunnel subnet masks
-
I am not sure what subnet mask should be used when creating an interface for a peer or when specifying allowed IPs
I have read examples where the tunnel is specified as /29, /32 & /24
I understand:
- 32 = single address
- 29 = 8 addresses
- 24 = 256 addresses
It would make sense to me that an interface IP should be specified using /32 as the interface is a single IP; however, the official Netgate docs use a /29 netmask.
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html#assign-interface
Similarly, with Allowed IPs, if I have a dedicated tunnel then it would make sense to allow all IPs on the tunnel; however, the official docs use a /32 subnet.
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html#peer-configuration
Thanks in advance...
-
@McMurphy notice the allowed IP is the other side of the tunnel's IP.
You have a 172.16.0.2 and a .3; on the .3 site you allow the remote .2/32 address and on the .2 site you allow the other end's .3/32.
Yes the interface would use a different mask, a /29 for example, or it wouldn't be able to talk to any other address.
-
Is this correct?
Site A:
Interface = 172.16.0.2/29
Allowed = 172.16.0.3/32
Site B:
Interface = 172.16.0.3/29
Allowed = 172.16.0.2/32
So the interface address is both an endpoint IP and the mask specifies the range of addresses it can talk to?
-
@McMurphy yes, the mask says how big the network is before it has to send traffic to a gateway.
So with a /29 the addresses would be 172.16.0.0 - 172.16.0.7, with .0 being the network address (the wire) and .7 being broadcast. So if an address was 172.16.0.12 for example, that would be a different network, and to talk to it you would need to send that traffic to a gateway to be routed to that network.
Oh my bad, it's not 172.168 it's 172.16; .168 was a typo, sorry, I have corrected it. The /32 is just the firewall rule allowing the other IP to talk to it.
-
If I have multiple peers on the VPN can I specify the allowed IP as being:
172.16.0.0/24 instead of 172.16.0.2/32
-
@McMurphy sure you can, it's just an example. You can use whatever tunnel network you want, as large or as small as you need, as long as it doesn't overlap with any of your other networks.
As to what you allow, sure you could just allow the whole tunnel network if you want, etc.
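Worked check of the addressing rules discussed in this thread (the /29 network and broadcast calculation, the per-side AllowedIPs, and the "don't overlap your other networks" advice). This is an added example, not code from any post above or from the Netgate docs; the 172.16.0.2/29 and 172.16.0.3/29 tunnel addresses come from the thread, while the site names, the LAN networks and the multi-peer /24 case are assumptions made up for illustration.

```python
"""Sanity-check WireGuard tunnel addressing with the standard ipaddress module.

Added example. Tunnel addresses are the thread's (172.16.0.2/29 and .3/29);
SITES, the LAN networks and the multi-peer hub are illustrative assumptions.
"""
import ipaddress


def describe(iface_cidr):
    """Network ("the wire"), broadcast and usable host range for an address+mask."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    hosts = list(net.hosts())  # excludes network and broadcast for /29
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": (str(hosts[0]), str(hosts[-1])),
        "size": net.num_addresses,
    }


def on_link(iface_cidr, other_ip):
    """True if other_ip is inside this interface's network, i.e. reachable
    directly rather than via a gateway (the 172.16.0.12 case in the thread)."""
    return ipaddress.ip_address(other_ip) in ipaddress.ip_interface(iface_cidr).network


def check_site(local_cidr, allowed_ips, remote_cidr):
    """Return a list of problems for one end of a tunnel (empty list = OK).

    local_cidr  : this site's tunnel interface address+mask, e.g. "172.16.0.2/29"
    allowed_ips : this site's AllowedIPs entries for the peer
    remote_cidr : the peer's tunnel interface address+mask
    """
    local = ipaddress.ip_interface(local_cidr)
    remote = ipaddress.ip_interface(remote_cidr)
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
    problems = []
    # Both ends need the same interface network, otherwise traffic to the
    # peer would have to go to a gateway (the reason a /32 interface fails).
    if local.network != remote.network:
        problems.append("interface masks put the two ends on different networks")
    # AllowedIPs must cover the *other* side's address, not our own.
    if not any(remote.ip in a for a in allowed):
        problems.append(f"peer address {remote.ip} is not covered by AllowedIPs")
    return problems


def overlapping(tunnel_cidr, other_networks):
    """Networks from other_networks that overlap the tunnel network."""
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    return [n for n in other_networks if tunnel.overlaps(ipaddress.ip_network(n))]


# Assumed site layout following the thread's Site A / Site B example.
SITES = {
    "A": {"iface": "172.16.0.2/29", "allowed": ["172.16.0.3/32"]},
    "B": {"iface": "172.16.0.3/29", "allowed": ["172.16.0.2/32"]},
}


def verify_sites(sites=SITES):
    """Check each site against the other; returns {site: [problems]}."""
    (a_name, a), (b_name, b) = sites.items()
    return {
        a_name: check_site(a["iface"], a["allowed"], b["iface"]),
        b_name: check_site(b["iface"], b["allowed"], a["iface"]),
    }


if __name__ == "__main__":
    print(describe("172.16.0.2/29"))
    print("172.16.0.12 on link:", on_link("172.16.0.2/29", "172.16.0.12"))
    print(verify_sites())
    # Common mistakes: /32 on the interface, or allowing your own IP.
    print(check_site("172.16.0.2/32", ["172.16.0.3/32"], "172.16.0.3/32"))
    print(check_site("172.16.0.2/29", ["172.16.0.2/32"], "172.16.0.3/29"))
    # Multi-peer hub allowing the whole tunnel network (assumed /24 tunnel).
    print(check_site("172.16.0.1/24", ["172.16.0.0/24"], "172.16.0.7/24"))
    # Assumed LANs: the tunnel must not overlap any of them.
    print(overlapping("172.16.0.0/29", ["192.168.1.0/24", "172.16.0.0/16"]))
```

The two `check_site` calls under "common mistakes" reproduce the pitfalls johnpoz describes: a /32 on both interfaces puts the ends on different networks, and putting your own address in AllowedIPs leaves the peer's address unreachable. `overlapping` is the check behind "as long as it doesn't overlap with any of your other networks".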