Default LAN subnet
-
The wizard defaults the LAN subnet address to 192.168.1.1/24
a) More and more people are setting up a VPN server to connect back to home/office when away. For this it is better to have the LAN on some other subnet that does not conflict with this highly popular one.
b) They are more often making site-to-site links between their house and a friend, or their home and their small office. For that scenario the LAN at each end must be different.
IT people at medium to large offices should already know about designing an internal private network. But there are lots of home and small office users who need a bit more automated advice from the wizard.
- Changing the default to something else helps (a) but not (b).
- Making the wizard default a "randomly-selected" private subnet helps (a) and (b) but makes subsequent connection after running the wizard a nightmare (new users will have difficulty working out what subnet the system picked for them!) and forum support would go through the roof :)
- Maybe a screen could be added to the wizard that asks if you are going to use this system for remote VPN access. Then it could give some recommendations about picking a LAN address/subnet, a box to generate a "random" one, instructions about how to make your client get an address in the new subnet when the wizard applies the settings…
Any bright ideas about how the system could be improved to help with initial config "design" without generating a support forum nightmare?
-
Could it be possible to have pfsense randomize at set up?
For instance, make it in the 192.168.x.1 range, where x is randomized between, say, 5 and 200?
Or something similar so that a private address in the 10, 172 or 192 legit private space was chosen at random providing a /24 on the LAN?
I like the random idea as you mentioned. I don't think it will drive anyone crazy.
It's not like the settings don't appear in big bold letters right in front of their faces.
They shouldn't be lost. I do think it would be good.
As it stands, I have to reallocate those numbers on every install anyway, so I don't see the extra work it would generate.
-
Defaulting to a random address seems like a bad idea. I can imagine many, many forum posts! Also there are some boxes that require a default address to complete the initial setup using the webgui.
Using an address other than 192.168.1.1 could be a good idea if only because of the problems it causes with pfSense behind a SOHO router using that subnet. However I imagine changing the default LAN address would still cause problems.
Steve
-
- Maybe a screen could be added to the wizard that asks if you are going to use this system for remote VPN access. Then it could give some recommendations about picking a LAN address/subnet, a box to generate a "random" one, instructions about how to make your client get an address in the new subnet when the wizard applies the settings…
Any bright ideas about how the system could be improved to help with initial config "design" without generating a support forum nightmare?
Some more text would be about the only thing we would do there. I don't see the wizard randomly picking a subnet. We have the default as the default for a reason. There is no guessing involved, you know what it is, and it's the most common default out there. You don't have to check the console or anything to see what the default is, it's always 192.168.1.1.
Having the wizard change it automatically would be a POLA violation and if it randomized it on every run, someone could easily accidentally change their LAN without intending to if they re-run the wizard later to change something else (which is more common than you might think). If it were changed on first boot, then people without a console attached (e.g. new ALIX owners with no serial cable) would have no idea what their LAN IP is and would have to manually check their DHCP settings to find the firewall address (can't really rely on DNS there in 100% of cases).
At some point we have to put the burden on the user to actually pick correct settings. Adding automatic randomization crosses that line into territory that would cause more ill effects than good. Too much hand-holding/nannying and too much room for error.
-
Somehow I go with phil.davis, but it shouldn't be randomized, to avoid "collision". In my place, ISPs commonly use 192.168.1.1 in all their deployed modem-routers, and it really causes a collision if the PC being installed is connected to the source during installation. I was a "victim" of that collision for a very long time since I thought I needed to connect my PC when installing pfSense, and once it was successfully installed, my connection was lost since my box would have been installed with a default WAN of 1.1 while my source WAN is also 1.1. I can't open the Web GUI at all and all my wireless connectivity from the source (ISP) is also lost.
I found that it's better to detach or not to attach the source to the PC when installing pfSense; that way all possible IP collisions are avoided. Anyways, the default LAN IP can always be edited. It's just my opinion based on my experience.
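The "generate a random one" box proposed in the original post and the upstream-router collision described in the last reply, worked through as an added example (not code from pfSense or from any poster): it picks an RFC 1918 /24 that overlaps neither the subnet seen on WAN nor any remote-site or VPN subnet, always skips 192.168.1.0/24, and reports the addresses a wizard screen would have to tell the user about. The function names, the `rng` parameter and the DHCP-pool layout are my own assumptions.

```python
import ipaddress
import secrets

# RFC 1918 space, as the thread names it: 10/8, 172.16/12 and 192.168/16.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# The wizard default, always avoided: it is the subnet most SOHO routers use.
POPULAR_DEFAULT = ipaddress.ip_network("192.168.1.0/24")


def _net(x):
    """Accept either an IPv4Network or an 'a.b.c.d/n' string."""
    return x if isinstance(x, ipaddress.IPv4Network) else ipaddress.ip_network(x)


def conflicts(candidate, in_use):
    """Return the first network in `in_use` overlapping `candidate`, else None."""
    candidate = _net(candidate)
    for net in map(_net, in_use):
        if candidate.overlaps(net):
            return net
    return None


def random_lan_subnet(in_use, prefixlen=24, rng=secrets.randbelow, tries=100):
    """Pick a random RFC 1918 /prefixlen overlapping neither `in_use` (upstream
    router subnet seen on WAN, remote-site LANs, VPN client pools) nor the popular
    default. `rng(n)` returns an int in [0, n) (assumed; injectable for tests)."""
    avoid = list(in_use) + [POPULAR_DEFAULT]
    for _ in range(tries):
        base = PRIVATE_RANGES[rng(len(PRIVATE_RANGES))]
        # Number of /prefixlen blocks inside this base range; choose one of them.
        idx = rng(2 ** (prefixlen - base.prefixlen))
        first = int(base.network_address) + (idx << (32 - prefixlen))
        cand = ipaddress.ip_network(f"{ipaddress.IPv4Address(first)}/{prefixlen}")
        if conflicts(cand, avoid) is None:
            return cand
    return None  # every try collided; caller must ask the user instead


def plan_lan(in_use, rng=secrets.randbelow):
    """What the proposed wizard screen could show: subnet, firewall LAN address
    (first host) and a DHCP pool in the upper half (assumed layout)."""
    net = random_lan_subnet(in_use, rng=rng)
    if net is None:
        return None
    hosts = list(net.hosts())
    return {"subnet": str(net), "firewall_address": str(hosts[0]),
            "dhcp_range": (str(hosts[len(hosts) // 2]), str(hosts[-1]))}
```

Feeding the WAN-side subnet of the ISP modem-router into `in_use` is what prevents the 1.1-versus-1.1 collision the last poster hit; a `None` result means the caller has run out of non-conflicting space and must fall back to asking.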