Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DSL, Cable, and another Cable Connection Question

    Scheduled Pinned Locked Moved General pfSense Questions
    18 Posts 4 Posters 6.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      np247
      last edited by

      First and foremost I am not experienced with pfSense but have used several similar products.
      For the purpose of this original post, the network is as follows

      (172.16.2.0/16) Cable 1 -> |
                                          |–-> |PC| ---> LAN (172.16.1.0/16)
      (172.16.3.0/16) Cable 2 -> |

      I originally tried to setup the above configuration using the official pfSense documentation with no luck.

      Along the way I read that pfSense should be basically "plug and play" with a single network connection.

      I then tried this:

      (172.16.2.0/16) Cable 1 -> |PC| -> LAN (172.16.1.0/16) with no luck.

      I entered the interface configurations and unchecked "block RFC's" etc. etc.

      The address used is out of my control, but this should be possible.

      Anyone who can point me in the right direction, it would be greatly appreciated.

      Thanks

      1 Reply Last reply Reply Quote 0
      • N
        np247
        last edited by

        Forgot to mention, pfSense is actually running on a VM within ESXi 4.x.

        With the latter diagram, a client can access the pfSense PC @ 172.16.1.254. The pfSense box cannot ping the default gateway.

        If I connect my laptop directly to the 172.16.2.0/16 network, I CAN ping the 172.16.2.0/16 default gateway (172.16.2.1), so ICMP is enabled.

        ESXi built in firewall perhaps?

        Rules required?

        Static routes required?

        Thanks

        1 Reply Last reply Reply Quote 0
        • D
          danswartz
          last edited by

          Your subnet masks are wrong.  For the 172 range, the usual is /12, not /16.  You have overlapping networks.

          1 Reply Last reply Reply Quote 0
          • N
            np247
            last edited by

            Thanks for the reply, but are you sure?

            172.16.x.x - 172.31.x.x/16?

            Class B?

            1 Reply Last reply Reply Quote 0
            • D
              danswartz
              last edited by

              RFC-1918 stipulates 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.  All of the subnets you enumerated end up in 172.16.0.0 after applying the /16 mask.

              1 Reply Last reply Reply Quote 0
              • N
                np247
                last edited by

                So my internal network should be as follows:

                Internal: 172.16.1.x/255.240.0.0

                WAN1: 172.16.2.x/255.240.0.0

                WAN2: 172.16.3.x/255.240.0.0

                Or, do I need to break it down further?

                1 Reply Last reply Reply Quote 0
                • D
                  danswartz
                  last edited by

                  You're still not quite getting it.  /12 means the upper twelve bits of the network address are significant.  You need to make the second octet unique in the range of 16-31.  e.g. that block of private IP is in the range of 172.16.0.0/12 to 172.31.0.0/12.  So for example, 172.16.0.0/12, 172.17.0.0/12 and 172.18.0.0/12.

                  1 Reply Last reply Reply Quote 0
                  • N
                    np247
                    last edited by

                    Sad that I have forgotten as much as I have….

                    172.16.x.x = 10101100.00010000.x.x

                    ... meaning

                    From here > 0001| < To here -- is usable -- 0001, 0010, 0011, etc.

                    So, for my subnet mask I would use 255.240.0.0 to reflect this?

                    Eg:
                    172.16.1.x/255.240.0.0 for Internal.
                    172.17.1.x/255.240.0.0 for WAN1
                    172.18.1.x/255.240.0.0 for WAN2

                    Forgive how much I have forgotten here.

                    Thanks

                    1 Reply Last reply Reply Quote 0
                    • D
                      danswartz
                      last edited by

                      Yes, this should work :)

                      1 Reply Last reply Reply Quote 0
                      • N
                        np247
                        last edited by

                        Could I continue to use /16 – so much easier?  8)
                        Again, thank-you for the quick and positive responses, even to stupid questions I really should have known the answer to (/me looks at Cisco certs and shakes fist)

                        1 Reply Last reply Reply Quote 0
                        • D
                          danswartz
                          last edited by

                          Sure, as long as you keep the upper 16 bits unique.  BTW, this pain is one reason I hate the 172.16-31 address block :)  I always use either 10.x.x.x or 192.168.x.x :)

                          1 Reply Last reply Reply Quote 0
                          • N
                            np247
                            last edited by

                            Thanks – never been a fan either.

                            However, the company I work uses both the 192.168.x.x and 10.x.x.x ranges so the VPN application pukes when I try to connect.

                            Ty, I'll make these changes and get back to you with (hopefully positive) results.

                            1 Reply Last reply Reply Quote 0
                            • D
                              danswartz
                              last edited by

                              Keep us posted…

                              1 Reply Last reply Reply Quote 0
                              • Cry HavokC
                                Cry Havok
                                last edited by

                                @np247:

                                Could I continue to use /16 – so much easier?  8)
                                Again, thank-you for the quick and positive responses, even to stupid questions I really should have known the answer to (/me looks at Cisco certs and shakes fist)

                                You could just use /24 instead and be done with it - that gives you 3 unique networks (172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24).  I'm not sure why danswartz is so tied to it having to be treated as a single /12 - the whole point of CIDR is that you don't need to do that.

                                I'd also point out that 172.16/12 covers 172.16.0.0 to 172.31.255.255 as a single network.  The examples he provided of 172.16.0.0/12, 172.17.0.0/12 and 172.18.0.0/12 are all the same network - 172.16.0.0/12:

                                172.016.000.000 - 10101100.00010000.00000000.00000000
                                255.240.000.000 - 11111111.11110000.00000000.00000000
                                  network      - 10101100.00010000.00000000.00000000 (172.16.0.0)

                                172.018.000.000 - 10101100.00010010.00000000.00000000
                                255.240.000.000 - 11111111.11110000.00000000.00000000
                                  network      - 10101100.00010000.00000000.00000000 (172.16.0.0)

                                1 Reply Last reply Reply Quote 0
                                • D
                                  danswartz
                                  last edited by

                                  Havoc, you misunderstood my point.  I was not advocating for /12 or anything else, just pointing out that the /12 defines the RFC-1918 network range (one of the three, at any rate.)  Certainly he can subnet it as he wishes, as long as his netmask is correct.

                                  1 Reply Last reply Reply Quote 0
                                  • Cry HavokC
                                    Cry Havok
                                    last edited by

                                    Your posts were very confusing on that point, particularly here:@danswartz:

                                    You're still not quite getting it.  /12 means the upper twelve bits of the network address are significant.  You need to make the second octet unique in the range of 16-31.  e.g. that block of private IP is in the range of 172.16.0.0/12 to 172.31.0.0/12.  So for example, 172.16.0.0/12, 172.17.0.0/12 and 172.18.0.0/12.

                                    and@danswartz:

                                    Your subnet masks are wrong.  For the 172 range, the usual is /12, not /16.  You have overlapping networks.

                                    Yes, your point about wrong subnet masks and overlapping networks is right, but there is no "usual" subnet for any prefix and the prefix you provided was not helpful to the OP.  Particularly your response to@np247:

                                    Eg:
                                    172.16.1.x/255.240.0.0 for Internal.
                                    172.17.1.x/255.240.0.0 for WAN1
                                    172.18.1.x/255.240.0.0 for WAN2

                                    saying@danswartz:

                                    Yes, this should work :)

                                    is obviously wrong.

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      danswartz
                                      last edited by

                                      Ugh, this should teach me to post on low blood sugar :(  Yes, the /12 is not in fact correct in that context.  As far as CIDR goes, I agree with you, my point (not well put) was historical.  His /16 would have been fine if he had moved the 16, 17 and 18 up one octet (172.16.0.0/16, 172.17.0.0/16 and 172.18.0.0/16).

                                      1 Reply Last reply Reply Quote 0
                                      • GruensFroeschliG
                                        GruensFroeschli
                                        last edited by

                                        I wonder how this will end with IPv6 and RFC4193 if there are already confusions with /8, /12, /16 subnets.
                                        Where will this end with /48 ~ /64 subnets? :D

                                        We do what we must, because we can.

                                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.