IP address set-up, best practices for multi WAN environment

  • We've got two WANs and one LAN interface on our pfSense server.

    The two WAN interfaces are each connected to individual ADSL modems, which provide our Internet access.

    WAN1 ADSL modem is set to mask
    WAN2 ADSL modem is set to mask

    WAN1 pfSense interface obtains a DHCP lease from the ADSL modem (typically
    WAN2 pfSense interface obtains a DHCP lease from the ADSL modem (typically

    LAN was previously set to, but as we've had an increase in the number of wireless clients, we've had to change the mask to 16bit and expand our DHCP range.

    LAN is now currently set to, mask

    Our DHCP server hands out address from > which is now ample for our environment (was previously just .1.100 > .1.254)

    Most things appear to work at present, but I'm looking for some best practice advice to streamline the setup of our system.  I understand that the WAN IPs may be conflicting with our set up, as they're a 24 bit mask and the rest of our network is now a 16 bit mask (so they're not really separate networks I guess?)

    We also can no longer access the two ADSL modems via any client on the network.  There are no firewall rules blocking it, so I would assume it's an issue with our IP and mask set up?  On the pfSense console, I can successfully ping the two ADSL modems.

    Any hints on how I could better set up the IP and masks would be much appreciated  :)

  • First let me ask you this, how many LAN hosts do you really need? As it stands right now using a 16 bit mask your LAN can be anything from to That's a total of 65543 hosts you could have. I'm going to guess you don't really need that many but took a quick change to open things up a little? You even state your DHCP now only hands out addresses from 1.100 to 2.254 which is only 408 addresses if my math is right. Is this DHCP just for wireless clients and there is another for hardwired? What about static clients?

    If you were to start with 192.168.0.x you could go up to a 21 bit mask ( before you would interfere with your existing WAN segments. This would give you a range of to for a total of 2046 hosts. If that isn't enough hosts, you will need to start your LAN segment at 192.168.32.x and you can start with a 20 bit mask ( and have 4094 hosts or a 19 bit mask ( and have 8190 hosts. There's plenty of other combinations you can come up with that don't encompass 10.x and 20.x on this tool: http://www.subnet-calculator.com/cidr.php if you need even more hosts.

    Now, if for some reason you really DO need a full 16 bit mask on the LAN side your best bet is to change the address range that the WAN uses. Stick the WAN in the 172.16.x.x range or a 10.x.x.x range. Though if you really are using ALL of the 192.168.x.x range, or plan to then I'd suggest moving your LAN to 172/10 instead of the WAN so you have more expansion room.

    Even if you aren't using the full /16 (which I strongly doubt you are since a /24 previously served your needs fine), I would still suggest moving your WAN segments. If you are able to, I would stick them on 254.x and 255.x so they are way out of the way. Even better would be shortening their mask from a /24 to a /30 or /29. You don't need a full /24 for two hosts each.

    If you can do that, I would set them to 255.1/255.2 and 255.5/255.6 on a /30 subnet each or 255.1/255.2 and 255.9/255.10 on a /29. Anything you can do to shorten the WAN segments as they definitely don't need to be on full /24's though depending on the kind of DSL modem they are, they may be "dumbed down" and might not be able to do anything less than a /24.

Log in to reply