How PFSesne uses CIDR and slash notation

  • Not sure if this is the right forum so please move this to the right one if I got it wrong. :-)

    Got the book pfSense The Definitive Guide, Chirstopher Buechler, Jim Pingle.

    Page 12

    if you want to summarize through, run as follows.

    The book did not explain this but moved on to more of the scripts usage.  No information was given as to the number of desired host ids or subnets.  Not sure how to interpret this. the network ID?  All 1's subnet.  Same with the broadcast ID?  Looks like only 4 available hosts on ./././16 - ./././19.

    How does PFSense interpret this?


  • That means if you want to create a network alias that covers through, you have to use the 4 listed CIDR ranges (two of which are single IPs, /32).

  • Whoa!  The man himself!  A firewall rock star!  Quite the honor as far as I'm concerned. 
    First let me thank you for the opportunity to use your superior software.  Been looking at solutions for some time and although far from an expert, it would seem to me that PFSense is clearly the top of its class/the standard by which to judge others.  Well done.

    Have not read the whole book yet so maybe this would be clear with more understanding.  Maybe I should read it all first, but don't like to gloss over items that may be material as my experience is that if you don't understand pg 12, pg 13 is going to get worse.  But back to my unworthy noob questions.

    Was clear in the book that /32 = 1 IP, /31 = 2 IP etc.  You had listed the tables on page 10, as well as that being fundemental to CIDR.  Also did some cross referencing as failed to understand what was presented on a practical level, as in how these slash noted IPs were processed by the PFSense software.  What I surmised (guessing makes my blood run cold) was that, where as something like by itself might define a classless network range with 4 possible IPs, with 2 nodes/hosts, that the CIDR ranges generated by the script were for specific parameters used by PFSense hardware.  If that was/is the case, that the generated IPs are indeed treated as parameters by PFSense, then each of the generated IPs may correspond to a specific requirement for a given network, such as, the network ID, the gateway ID, the device/node/host range and the broadcast ID.

    Is that anywhere near to being on the right planet or do I need to start over with a different paradigm?  Again, maybe the answer is to finish reading the book and more or less wait until the end of the presentation and then ask questions.  Please don't hesitate to say so if that would seem a good idea to you.

    Thanks again,


  • Depends on the context of where you're using it (and those contexts are described in the other parts of the book where you can actually use such things). For instance a /30 configured on an interface is just a subnet with two usable IPs, one for the firewall and one usable for a connected client device. A /30 used in a firewall rule or alias defines 4 IPs matching that particular specification. A /30 in an IPsec phase 2 matches 4 IPs for the tunnel. A /30 static route or route in OpenVPN or similar routes 4 IPs as defined.

  • Thanks again cmb,

    Battle plan is to read through the material and play with it some.  No doubt can sort it out quick with some hands on.


Log in to reply