Class C WAN to Class B LAN?



  • So a little background, our school uses Winserver 2012, behind pfsense firewall (physical box). I recently switched us to a CISCO framework and wanted to take advantage of any downtime to switch us from a CLASS C network to a CLASS B SUBNET, specifically 160.12.16.0/20 as we've been running out of IP addresses and are a growing school.

    I've gone to redo our pfsense box and everything works when using any class c network (192.168.x.x) as my LAN with pfsense and my DNS server as my WINSERVER 2012. The way my setup is GATEWAY (192.168.1.1) to PFSENSE (192.168.2.1) grabbing DNS from (192.168.2.2) which forwards DNS requests from loopback and from OPENDNS.

    The issue has come where I have left my ADSL2 gateway (192.168.1.1) alone, and setup my LAN NIC to 160.12.16.1 with the WINSERVER as 160.12.16.2. The DHCP server is set to hand out 160.12.22.1-160.12.25.250 to give me roughly 1000 open IP addresses. I can ping the GATEWAY from PFSENSE box. I cannot for the life of me reach 192.168.1.1 from my server or any DHCP address on the LAN subnet.

    Any advice? I am almost certain the subnets are just not able to communicate.


  • LAYER 8 Global Moderator

    What are you trying to do?  Why would you use 160.12.16.0/20

    I show that the class B you're taking part of as being owned by

    inetnum:        160.12.0.0 - 160.12.255.255
    netname:        KEGON
    country:        JP
    descr:          Utsunomiya University

    Is that you?

    You don't just pull addresses out of thin air and use them on your network.

    So you mention an ADSL gateway with an RFC 1918 address, so you're NATing with that, and then you're also NATing with pfSense?

    Do you just need more address space?  You could use say 10.x.x.x/8 on your local network if you need addresses - where did this 160 netblock come from?

    Why would you want to switch your local network IP space just because you're changing your ISP?  Or internet connection?

    Are you trying to go from a NATed setup to a non-NATed one..  I am assuming from your mention of that ADSL that you're actually using a double-NATed setup currently.



  • Agreed, very confusing! Can you draw a network diagram? So all your computers at this university will have a public IP? www.gliffy.com will let you make an online diagram so we can help you with this puzzle.



  • @johnpoz:

    What? This 160.12 network came from my subnetting lessons in college 4 years ago because it is one that I remembered gave me room for a little over 4000 hosts. Why are you mad about what network address I am using in my local LAN? Does it really matter what class B subnet I use in our school's private network? On another note, this is my network -->    INTERNET---(SOME DYNAMIC ISP IP)---GATEWAY ROUTER (192.168.1.1)---PFSENSE (160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN---DHCP. I am referring to my WAN's internal address when I mention my ADSL router. I am doing this because we are a large school (1000+) and the previous management did not make the necessary networking adjustments for the amount of hosts we use. I would rather have one large Class B pool with room for growth than various Class C pools for DHCP, and want to standardize our network with a captive portal to have one access point rather than 1st floor annex, 1st floor study, etc.

    After much testing and replication... I am only getting no connection from LAN to WAN when my LAN is not a Class C network. So I am wondering if anyone has a fix via the NAT in the pfSense firewall or has come across this odd issue. I can only communicate with 192.168.1.1 (gateway router) when pinging via the web config of pfSense. Any device, including my WINSERVER, fails to ping the gateway.


  • LAYER 8 Global Moderator

    "Why are you mad about what network address I am using in my local LAN.."

    I am not mad - sorry you got that impression.  What I am is CONFUSED!!  You don't just grab public space and use it on your local lan..  Bad Bad Network Admin!!

    There is plenty of rfc1918 space to play with!  Million and Millions of addresses that have been especially reserved for use on local networks.  There is NO point in using ip space assigned to someone else.

    10.x.x.x/8 192.168.x.x/16 172.16-31.x.x/12

    How is it you can not find address space in one of those networks to use?

    So you actually want a /16 broadcast domain?  With every single box broadcasting to every single other box on your network - really??

    You can put whatever address space you want on the LAN side of pfSense - as long as it doesn't step on what network you're using on its WAN.

    So for example you can not have 192.168.1.0/24 on its wan and expect to use 192.168.0.0/23 on its lan or 192.168.0.0/16

    As to your drawing – you're missing something
    GATEWAY ROUTER (192.168.1.1)---PFSENSE (160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN

    What is the address pfSense is using to talk to your gateway router? Its WAN needs to be on that 192.168.1 network.  Now I will ask again - are you NATing on pfSense? This is the out-of-the-box configuration, so unless you turned it off, you are.

    So going from internet - public IP (gateway router) private IP-A.1 --- private IPA.2 (pfsense) private IP-B.1 ---- private IP-B.X (lan)

    You're double NATing - why??

    You can put whatever network you want on the pfSense LAN - it is best practice to use RFC 1918 space, or if you're going to grab from public space - use something that you actually own..

    Why can you not use the 10.x.x.x/8 space to work with?  That is 16+ million addresses to work with, with 100's of thousands of subnets you can do..  But you pick some public space out of thin air and want to use that??  Just at a complete and utter loss as to why anyone would do that?  Other than they have not a clue in the first place.

    If you really want a /20 then sure, use a /20

    internet -- pubIP gateway 192.168.1.1/24 -- 192.168.1.2/24 pfsense 10.0.0.1/20

    That gives you your 4094 addresses with 10.0.0.1-10.0.15.254

    So pfsense would be 10.0.0.1/20

    Your box on say 10.0.15.42/20 (255.255.240.0) needs to point to 10.0.0.1 as gateway.. And most likely your DNS as well.  And yes, that will work without issue.  If it's not - you're doing something wrong: clients have the wrong mask, or are not pointing to the pfSense LAN IP, or are not doing DNS..  First test is: can your client on the LAN ping the new pfSense LAN IP?  If not then you've got something messed up.  Sometimes when changing the LAN IP on pfSense you might want to reboot it.

    I would rethink using a /20 broadcast domain if you're going to have 1000+ some devices online.  With anything more than a /23 you can start to see issues with lots of noise... IMHO

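  • The addressing arithmetic in the post above (a /20 giving 4094 hosts from 10.0.0.1 to 10.0.15.254, the 255.255.240.0 mask, the WAN/LAN overlap rule, and the "keep broadcast domains at /23 or smaller" advice) is easy to check rather than remember from a college lesson. The following Python is an added illustration, not code from the thread or from pfSense; it uses only the standard `ipaddress` module, and the candidate networks are the ones named in the thread. It also goes one step further than the post by carving the /20 into the /23 blocks that would become separate VLANs, and by checking a client's mask against its gateway, which is the first thing the post tells you to verify.

```python
from ipaddress import ip_address, ip_interface, ip_network

# The three RFC 1918 blocks named in the post above.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_rfc1918(lan):
    """True if the whole proposed LAN block lies inside one RFC 1918 block."""
    net = ip_network(str(lan), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def plan(lan, carve_prefix=23):
    """Summarise a proposed LAN block the way the post does for 10.0.0.0/20:
    usable host count (network and broadcast excluded; assumes a prefix no
    longer than /30), first/last host, dotted mask, and the /23 broadcast
    domains it could be split into (the post's suggested upper bound)."""
    net = ip_network(lan, strict=False)
    return {
        "network": str(net),
        "private": is_rfc1918(net),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,
        "first_host": str(net[1]),
        "last_host": str(net[-2]),
        "carved": [str(s) for s in net.subnets(new_prefix=carve_prefix)]
                  if net.prefixlen <= carve_prefix else [],
    }


def overlaps(wan, lan):
    """pfSense cannot route between WAN and LAN if the two subnets overlap,
    which is why 192.168.1.0/24 on WAN rules out 192.168.0.0/23 on LAN."""
    return ip_network(wan, strict=False).overlaps(ip_network(lan, strict=False))


def gateway_on_link(client, gateway):
    """A client only reaches its gateway if the gateway falls inside the subnet
    implied by the client's own mask; a wrong mask breaks this silently."""
    return ip_address(gateway) in ip_interface(client).network


if __name__ == "__main__":
    for lan in ("160.12.16.0/20", "10.0.0.0/20"):   # the thread's two candidates
        print(plan(lan))
    print(overlaps("192.168.1.0/24", "192.168.0.0/23"))   # True: the /23 swallows the WAN subnet
    print(overlaps("192.168.1.0/24", "10.0.0.0/20"))      # False: safe pairing
    print(gateway_on_link("10.0.15.42/20", "10.0.0.1"))   # True: correct /20 mask
    print(gateway_on_link("10.0.15.42/24", "10.0.0.1"))   # False: wrong mask, gateway looks off-net
```

    Running it shows that 160.12.16.0/20 fails the private check while 10.0.0.0/20 passes with identical capacity, and that the same 4094 addresses split cleanly into eight /23 VLANs if the broadcast-domain advice is followed.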


  • @johnpoz:

    Good points here, I obviously am not a networking guru, thanks for that explanation. Now as far as what you are asking, my network drawing is GATEWAY ROUTER (192.168.1.1)---(192.168.1.2 WAN NIC) PFSENSE (LAN NIC 160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN. (Will rethink the network scheme for this.)

    Yes NAT is enabled... will do a few tests on what you mentioned and hopefully it'll work. Thanks for the help.



  • Wow, sorry, don't mean to pile on, but this post is too funny! Just a word of advice: you don't want 4000+ devices on the same network. The broadcasts are going to bring your network to a crawl. I wouldn't have more than 200 devices on a LAN. I'm thinking that you are going to have to sit down with someone to help plan this out a little better. How many buildings is this LAN going to span? What kind of switches are you going to use? You might want to think about having multiple routers and using something like OSPF to route everything together. I wouldn't use this as your first network to learn network basics. There seems to be a serious gap in knowledge. We will help as much as possible if you are willing to learn. Sounds like a fun project!


  • Netgate Administrator

    Probably when trying to connect to your ADSL router from the 160.12.X.X LAN, the reason you are not getting a reply from the router is that it already has a route to that address via its WAN. Replies to your requests are ending up going to Japan!
    As the others have said switching to a private IP space on the LAN will solve this.

    Steve



  • @stephenw10:

    Yep, I agree. Even if you manage to get it to work, you will never be able to communicate with that portion of the internet! That's why there are well-defined ranges to be used on private networks.



  • This 160.12 network came from my sub-netting lessons in college 4 years ago because it is one that I remembered gave me room for a little over 4000 hosts. Why are you mad about what network address I am using in my local LAN

    This is exactly why I've been saying for years that there is something seriously wrong with IT classes all over the world.

    Year in, year out I meet interns that have had some random IT education in high school, college or university. Generally they have been taught by "brilliant" minds that seem to have lost all sense of reality, and those geniuses tend to forget to mention a couple of details: the stuff that matters in the real world!

    BTW: enjoy your network debugging, you'll probably find help here … in the real world


  • LAYER 8 Global Moderator

    " Replies to your requests are ending up going to Japan! "

    If he was not NATing at pfSense, then sure, that could be the case, yes..  But since pfSense is NATing - his ADSL router shouldn't know he is coming from 160.x – it should look like whatever his pfSense WAN IP is, 192.168.1.2?

    Now he says NATing is on -- but we don't have basic info like: can the clients even ping his pfSense box LAN IP?

    Maybe his clients were still on some 192 address when he changed pfSense to 160.  Maybe a reboot of pfSense would have cleared up any issues with changing the LAN IP?

    What version of pfsense?  I do recall a bug https://redmine.pfsense.org/issues/2074

    Where if WAN was PPPoE and you changed the LAN IP, interfaces got messed up, etc.

    I personally am just not a fan of double NAT -- I deal with multiples all the time and it drives me nuts ;)  I like to joke when something is not working - throw in another NAT; if there are not at least 3 it has not been engineered enough..

    Once you figure out changing your LAN network -- I would look to removing your double NAT. Can you not put your ADSL router into bridge mode, so that the pfSense WAN gets the public IP?  This just makes for a cleaner setup.  If you don't, you can run into issues getting some things to work.  FTP can be a pain in such setups - if you need to forward ports inbound, that can be a pain as well: you have to set up the pfSense WAN IP as DMZ on the ADSL router or create the forward both on the ADSL router and pfSense, etc.
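  • The disagreement above between Steve and johnpoz (does the ADSL router's reply come back to the LAN, or head off toward Japan?) comes down to two things: whether pfSense rewrites the source address before the packet hits the gateway, and how the gateway then picks a route for its reply. The following Python is an added illustration, not code from the thread or from pfSense; the routing table and packets are constructed, and it assumes the ADSL router knows only its own 192.168.1.0/24 and a default route to the ISP (no static route back to pfSense's LAN). It shows why pinging from the pfSense box itself works in every case, why a 160.12.x source without NAT gets its reply sent out the ISP side (to whoever really owns that block), and why with outbound NAT on, the gateway never sees anything but 192.168.1.2.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table for the ADSL gateway (192.168.1.1) in the thread:
# one connected route for its own LAN and a default route toward the ISP.
# Assumption: no static route exists for whatever sits behind pfSense's WAN.
ADSL_ROUTES = [
    (ip_network("192.168.1.0/24"), "connected (LAN)"),
    (ip_network("0.0.0.0/0"), "default via ISP (WAN)"),
]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    matches = [(net, via) for net, via in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def pfsense_outbound(packet, nat_enabled, wan_ip="192.168.1.2"):
    """pfSense forwarding a LAN packet out its WAN. With outbound NAT (the
    default) the source becomes the WAN address; without it the LAN source,
    private or borrowed-public, leaks upstream unchanged."""
    out = dict(packet)
    if nat_enabled:
        out["src"] = wan_ip
    return out


def reply_path(lan_src, nat_enabled):
    """Where the ADSL gateway routes its reply to an echo request that
    originated at lan_src behind pfSense."""
    pkt = pfsense_outbound({"src": lan_src, "dst": "192.168.1.1"}, nat_enabled)
    return next_hop(ADSL_ROUTES, pkt["src"])


if __name__ == "__main__":
    print(reply_path("160.12.16.2", nat_enabled=True))    # connected (LAN)
    print(reply_path("160.12.16.2", nat_enabled=False))   # default via ISP (WAN): Steve's "Japan"
    print(reply_path("10.0.15.42", nat_enabled=False))    # default via ISP (WAN): RFC 1918 fares no better
    print(next_hop(ADSL_ROUTES, "192.168.1.2"))           # connected (LAN): pfSense itself always works
```

    The third case is worth noting: without NAT, a 10.x source is just as unreachable from the gateway as a 160.12.x one, so switching to private space fixes the ownership problem but not the routing one; that needs either NAT on pfSense or a static route on the ADSL router.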



  • Johnpoz, you took the words right out of my mouth. If he is NATing then the world never sees his 160.x.x.x address. But as others have suggested, it's just not good practice to use someone else's address space because that part of the Internet is dark to you.

    Jamesc892 just a little information for you:

    1. You can apply a class B subnet mask to a Class C network like 192.168.x.x (although I would just use 172.16-31).
    2. Like Johnpoz has stated, see if you can put your DSL modem in bridge mode where your pfSense gets a public IP (probably requires leasing an additional IP though).

    3. Keep your broadcast domains small, less than 500 users (for me I don't like anything more than 200)
    4. Diagram everything first, start with your VLAN structure, figure out how many subnets you are going to need, then allow for expansion
    5. Choose an IP network on your LAN side that is appropriate, taking into account any site-to-site VPNs you might have in future.
    6. Remember 10.x.x.x, 172.16.x.x-172.31.x.x, 169.254.x.x, 192.168.x.x are private IP address ranges you should use on your LAN
    7. In regards to point 6, try not to use 169.254.x.x; it's used for auto-configuration if your DHCP goes down
    8. If you have too many interfaces off your router/firewall, depending on the hardware you might want to add a second pfSense box
    9. In a multi-router setup set your rules as close to the user as possible; that way there are no wasted CPU clocks
    10. When you have questions, ask. People on these forums are more than willing to help. I can't speak for everyone but I consider it fun; it keeps your skills sharp and you learn something new that you didn't know before. With that said, remember that everyone thinks they are an expert, so consider what others say but analyze for yourself.

    Hope this helps and I hope you will share your networking adventures with us!


  • Netgate Administrator

    @johnpoz:

    If he was not NATing at pfSense, then sure, that could be the case, yes..  But since pfSense is NATing - his ADSL router shouldn't know he is coming from 160.x – it should look like whatever his pfSense WAN IP is, 192.168.1.2?

    Doh! Of course you're right.  ::)
    Too used to looking NAT in the other direction I guess.

    Steve



  • Okay guys, thankful for the bridging advice as it has actually given me a bit more speed. I have PPPoE running off pfSense as my WAN and, after doing a bit of my own mapping of my static addresses, etc., have put myself on a 10.0.x.x /20 network. The issue after running traceroute and ping from a LAN computer was that I was getting communication with pfSense and even handed addresses fine by the DHCP server, but was not getting any communication whatsoever via the actual DNS I had configured in. So I went through my LAN interface configuration settings to realize that for some reason (maybe I did this out of rushing) the Gateway field had the LAN interface selected, therefore not allowing any LAN address to ever reach the WAN. I've redone the entire school today (we are off here in Ghana, Africa) and have had tremendous success with our captive portal, etc. and new equipment the school has had in storage for years.

    As to the comments about my schooling, I am an SQL database programmer working in Ghana, Africa as a volunteer with a school for middle-class and poorer students. Our technologist left, and I was dumped with a bigger mess than you could imagine (even to my limited experience, this guy got his degree in the 80s and still manually configured every desktop vs. pushing MSIs and images). So spare me a bit; though all was helpful and I appreciate the help, my background and situation really did not lend themselves to the criticism. Thanks for all the help guys! :)


  • Netgate Administrator

    It can be hard to judge the level of experience of new forum users. Assuming more or less experience can lead to comments that seem harsh or patronizing. Sounds like you've been left in a difficult situation. Keep asking questions, people will help.  :)

    Steve



  • It's always difficult to put yourself in another person's shoes. That's why a problem so "easy" for some is incredibly "hard" for others that aren't familiar with the material at hand.

    Figuring out what is wrong with

    ```sql
    SELECT * MORF mytable;
    ```

    In my experience, people here are friendly and will always try to help.
