Netgate Discussion Forum

    Class C WAN to Class B LAN?

    General pfSense Questions
    16 Posts 6 Posters 8.3k Views
    • johnpoz LAYER 8 Global Moderator

      "Why are you mad about what network address I am using in my local LAN.."

      I am not mad - sorry you got that impression.  What I am is CONFUSED!!  You don't just grab public space and use it on your local LAN..  Bad Bad Network Admin!!

      There is plenty of RFC 1918 space to play with!  Millions and millions of addresses that have been specially reserved for use on local networks.  There is NO point in using IP space assigned to someone else.

      10.x.x.x/8 192.168.x.x/16 172.16-31.x.x/12

      How is it you cannot find address space in one of those networks to use?

      So you actually want a /16 broadcast domain?  With every single box broadcasting to every single other box on your network - really??

      You can put whatever address space you want on the LAN side of pfSense - as long as it doesn't step on the network you're using on its WAN.

      So for example you cannot have 192.168.1.0/24 on its WAN and expect to use 192.168.0.0/23 on its LAN, or 192.168.0.0/16.

      As to your drawing - you're missing something:
      GATEWAY ROUTER (192.168.1.1)---PFSENSE (160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN

      What is the address pfSense is using to talk to your gateway router?  Its WAN needs to be on that 192.168.1 network.  Now I will ask again - are you NATing on pfSense?  This is the out-of-the-box configuration, so unless you turned it off, you are.

      So going from internet - public IP (gateway router) private IP-A.1 --- private IP-A.2 (pfSense) private IP-B.1 ---- private IP-B.X (LAN)

      You're double NATing - why??

      You can put whatever network you want on the pfSense LAN - it is best practice to use RFC 1918 space, or if you're going to grab from public space, use something that you actually own..

      Why can you not use the 10.x.x.x/8 space?  That is 16+ million addresses to work with, with hundreds of thousands of subnets you can do..  But you pick some public space out of thin air and want to use that??  Just at a complete and utter loss as to why anyone would do that, other than that they have not a clue in the first place.

      If you really want a /20 then sure, use a /20:

      internet -- pubIP gateway 192.168.1.1/24 -- 192.168.1.2/24 pfsense 10.0.0.1/20

      That gives you your 4094 addresses, 10.0.0.1-10.0.15.254.

      So pfSense would be 10.0.0.1/20.

      Your box on say 10.0.15.42/20 (255.255.240.0) needs to point to 10.0.0.1 as gateway.. and most likely as DNS as well.  And yes, that will work without issue.  If it's not, you're doing something wrong: clients have the wrong mask, are not pointing to the pfSense LAN IP, or are not doing DNS..  First test is: can your client on the LAN ping the new pfSense LAN IP?  If not then you've got something messed up.  Sometimes when changing the LAN IP on pfSense you might want to reboot it.

      I would rethink using a /20 broadcast domain if you're going to have 1000+ devices online.  With anything more than a /23 you can start to see issues with lots of noise... IMHO

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • jamesc892

        @johnpoz:

        "Why are you mad about what network address I am using in my local LAN.."

        I am not mad - sorry you got that impression.  What I am is CONFUSED!!  You don't just grab public space and use it on your local LAN..  Bad Bad Network Admin!!

        There is plenty of RFC 1918 space to play with!  Millions and millions of addresses that have been specially reserved for use on local networks.  There is NO point in using IP space assigned to someone else.

        10.x.x.x/8 192.168.x.x/16 172.16-31.x.x/12

        How is it you cannot find address space in one of those networks to use?

        So you actually want a /16 broadcast domain?  With every single box broadcasting to every single other box on your network - really??

        You can put whatever address space you want on the LAN side of pfSense - as long as it doesn't step on the network you're using on its WAN.

        So for example you cannot have 192.168.1.0/24 on its WAN and expect to use 192.168.0.0/23 on its LAN, or 192.168.0.0/16.

        As to your drawing - you're missing something:
        GATEWAY ROUTER (192.168.1.1)---PFSENSE (160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN

        What is the address pfSense is using to talk to your gateway router?  Its WAN needs to be on that 192.168.1 network.  Now I will ask again - are you NATing on pfSense?  This is the out-of-the-box configuration, so unless you turned it off, you are.

        So going from internet - public IP (gateway router) private IP-A.1 --- private IP-A.2 (pfSense) private IP-B.1 ---- private IP-B.X (LAN)

        You're double NATing - why??

        You can put whatever network you want on the pfSense LAN - it is best practice to use RFC 1918 space, or if you're going to grab from public space, use something that you actually own..

        Why can you not use the 10.x.x.x/8 space?  That is 16+ million addresses to work with, with hundreds of thousands of subnets you can do..  But you pick some public space out of thin air and want to use that??  Just at a complete and utter loss as to why anyone would do that, other than that they have not a clue in the first place.

        If you really want a /20 then sure, use a /20:

        internet -- pubIP gateway 192.168.1.1/24 -- 192.168.1.2/24 pfsense 10.0.0.1/20

        That gives you your 4094 addresses, 10.0.0.1-10.0.15.254.

        So pfSense would be 10.0.0.1/20.

        Your box on say 10.0.15.42/20 (255.255.240.0) needs to point to 10.0.0.1 as gateway.. and most likely as DNS as well.  And yes, that will work without issue.  If it's not, you're doing something wrong: clients have the wrong mask, are not pointing to the pfSense LAN IP, or are not doing DNS..  First test is: can your client on the LAN ping the new pfSense LAN IP?  If not then you've got something messed up.  Sometimes when changing the LAN IP on pfSense you might want to reboot it.

        I would rethink using a /20 broadcast domain if you're going to have 1000+ devices online.  With anything more than a /23 you can start to see issues with lots of noise... IMHO

        Good points here, I obviously am not a networking guru; thanks for that explanation. Now as far as what you are asking, my network drawing is GATEWAY ROUTER (192.168.1.1)---(192.168.1.2 WAN NIC) PFSENSE (LAN NIC 160.12.16.1)--- WINSERVER DNS (160.12.16.2)--- LAN. (Will rethink the network scheme for this.)

        Yes NAT is enabled... will do a few tests on what you mentioned and hopefully it'll work. Thanks for the help.

        • mikeisfly

          Wow, sorry, don't mean to pile on, but this post is too funny! Just a word of advice: you don't want 4000+ devices on the same network. The broadcasts are going to bring your network to a crawl. I wouldn't have more than 200 devices on a LAN. I'm thinking that you are going to have to sit down with someone to help plan this out a little better. How many buildings is this LAN going to span? What kind of switches are you going to use? You might want to think about having multiple routers and use something like OSPF to route everything together. I wouldn't use this as your first network to learn network basics. There seems to be a serious gap in knowledge. We will help as much as possible if you are willing to learn. Sounds like a fun project!

          • stephenw10 Netgate Administrator

            Probably when trying to connect to your ADSL router from the 160.12.X.X LAN, the reason you are not getting a reply from the router is that it already has a route to that address via its WAN. Replies to your requests are ending up going to Japan!
            As the others have said, switching to a private IP space on the LAN will solve this.

            Steve

            • georgeman

              @stephenw10:

              Probably when trying to connect to your ADSL router from the 160.12.X.X LAN, the reason you are not getting a reply from the router is that it already has a route to that address via its WAN. Replies to your requests are ending up going to Japan!
              As the others have said, switching to a private IP space on the LAN will solve this.

              Steve

              Yep, I agree. Even if you manage to get it to work, you will never be able to communicate with that portion of the internet! That's why there are well-defined ranges to be used on private networks.

              If it ain't broke, you haven't tampered enough with it

              • heper

                This 160.12 network came from my sub-netting lessons in college 4 years ago because it is one that I remembered gave me room for a little over 4000 hosts. Why are you mad about what network address I am using in my local LAN

                This is exactly why I've been saying for years that there is something seriously wrong with IT classes all over the world.

                Year in, year out I meet interns that have had some random IT education in high school, college or university. Generally they have been taught by "brilliant" minds that seem to have lost all sense of reality, and those geniuses tend to forget to mention a couple of details: the stuff that matters in the real world!

                BTW: enjoy your network debugging, you'll probably find help here … in the real world

                • johnpoz LAYER 8 Global Moderator

                  "Replies to your requests are ending up going to Japan!"

                  If he was not NATing at pfSense, then sure, that could be the case, yes..  But since pfSense is NATing, his ADSL router shouldn't know he is coming from 160.x - it should look like whatever his pfSense WAN IP is, 192.168.1.2?

                  Now he says NATing is on -- but we don't have basic info like: can the clients even ping his pfSense box's LAN IP?

                  Maybe his clients were still on some 192 address when he changed pfSense to 160.  Maybe a reboot of pfSense would have cleared up any issues with changing the LAN IP?

                  What version of pfSense?  I do recall a bug https://redmine.pfsense.org/issues/2074

                  where if WAN was PPPoE and you changed the LAN IP, interfaces got messed up, etc.

                  I personally am just not a fan of double NAT -- I deal with multiples all the time and it drives me nuts ;)  I like to joke when something is not working - throw in another NAT; if there are not at least 3 it has not been engineered enough..

                  Once you figure out changing your LAN network -- I would look at removing your double NAT.  Can you not put your ADSL router into bridge mode, so that the pfSense WAN gets the public IP?  This just makes for a cleaner setup.  If you don't, you can run into issues getting some things to work.  FTP can be a pain in such setups; if you need to forward ports inbound, that can be a pain as well: you have to set up the pfSense WAN IP as DMZ on the ADSL router, or create the forward both on the ADSL router and on pfSense, etc.

                  • mikeisfly

                    Johnpoz, you took the words right out of my mouth. If he is NATing then the world never sees his 160.x.x.x address. But as others have suggested, it's just not good practice to use someone else's address space, because that part of the Internet is dark to you.

                    Jamesc892, just a little information for you:

                    1. You can apply a class B subnet mask to a Class C network like 192.168.x.x (although I would just use 172.16-31).
                    2. Like Johnpoz has stated, see if you can put your DSL modem in bridge mode where your pfSense gets a public IP (probably requires you leasing an additional IP though).

                    3. Keep your broadcast domains small, less than 500 users (for me I don't like anything more than 200).
                    4. Diagram everything first, start with your VLAN structure, figure out how many subnets you are going to need, then allow for expansion.
                    5. Choose an IP network on your LAN side that is appropriate, taking into account any site-to-site VPNs you might have in future.
                    6. Remember 10.x.x.x, 172.16.x.x-172.13.x.x, 169.254.x.x, 192.168.x.x are private IP address ranges you should use on your LAN.
                    7. In regards to point 6, try not to use 169.254.x.x; it's used for auto-configuration if your DHCP goes down.
                    8. If you have too many interfaces off your router/firewall, depending on the hardware you might want to add a second pfSense box.
                    9. In a multi-router setup, set your rules as close to the user as possible; that way there are no wasted CPU clocks.
                    10. When you have questions, ask. People on these forums are more than willing to help. I can't speak for everyone, but I consider it fun: it keeps your skills sharp and you learn something new that you didn't know before. With that said, remember that everyone thinks they are an expert, so consider what others say but analyze for yourself.

                    Hope this helps and I hope you will share your networking adventures with us!

                      • stephenw10 Netgate Administrator
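                    The subnet arithmetic johnpoz works out by hand above (a /20 on the LAN giving 4094 hosts from 10.0.0.1 to 10.0.15.254, which must not overlap the 192.168.1.0/24 on the WAN) and mikeisfly's points about private ranges and small broadcast domains can be checked with a short script. The following is an added example written for this page, not code from the thread or from pfSense; the function names and the "/23 is noisy" threshold are my own choices, and the sample inputs are the numbers the posters used.

```python
"""Sanity-check a proposed pfSense LAN subnet against the WAN subnet.

Added example (not from the forum thread or pfSense). It encodes the
checks the posters describe: the LAN range must come from RFC 1918
space, must not overlap the network on pfSense's WAN, and a very wide
broadcast domain deserves a warning. Names and thresholds are mine.
"""
import ipaddress

# The three RFC 1918 blocks johnpoz lists.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# johnpoz's rule of thumb: anything wider than a /23 gets noisy.
NOISY_PREFIX_THRESHOLD = 23


def is_rfc1918(network):
    """True if the whole network sits inside one RFC 1918 block."""
    return any(network.subnet_of(block) for block in RFC1918_BLOCKS)


def check_lan_plan(wan_cidr, lan_cidr):
    """Evaluate a proposed LAN network against the network on the WAN.

    Returns the addressing facts (usable host count, first/last host,
    dotted mask) plus a list of the problems the thread warns about.
    Host bits in the inputs are ignored (strict=False), so an interface
    address such as 192.168.1.2/24 may be passed directly.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)

    problems = []
    if not is_rfc1918(lan):
        problems.append("LAN is not RFC 1918 space; that part of the "
                        "internet becomes unreachable from the LAN")
    if lan.overlaps(wan):
        problems.append("LAN overlaps the WAN network; pfSense cannot "
                        "route between two interfaces on the same range")
    if lan.prefixlen < NOISY_PREFIX_THRESHOLD:
        problems.append(f"/{lan.prefixlen} is a very large broadcast "
                        "domain; consider splitting it into VLANs")

    # Network and broadcast addresses are not usable on a /30 or shorter.
    usable = lan.num_addresses - 2 if lan.prefixlen <= 30 else lan.num_addresses
    return {
        "lan": str(lan),
        "netmask": str(lan.netmask),
        "usable_hosts": usable,
        "first_host": str(lan.network_address + 1),
        "last_host": str(lan.broadcast_address - 1),
        "problems": problems,
    }


def client_can_reach_gateway(client_ip, netmask, gateway_ip):
    """johnpoz's first troubleshooting test: is the pfSense LAN address
    inside the subnet the client believes it is on? A wrong mask on the
    client makes this False even though the cabling is fine."""
    iface = ipaddress.ip_interface(f"{client_ip}/{netmask}")
    return ipaddress.ip_address(gateway_ip) in iface.network


if __name__ == "__main__":
    # Constructed inputs taken from the addresses used in the thread.
    for lan in ("10.0.0.0/20", "192.168.0.0/23", "160.12.16.0/20"):
        result = check_lan_plan("192.168.1.2/24", lan)
        print(result["lan"], result["usable_hosts"], result["problems"])
    print(client_can_reach_gateway("10.0.15.42", "255.255.240.0", "10.0.0.1"))
    print(client_can_reach_gateway("10.0.15.42", "255.255.255.0", "10.0.0.1"))
```

                    Run as-is, it reports 4094 usable hosts for 10.0.0.0/20 with only the broadcast-domain warning, flags 192.168.0.0/23 as overlapping the WAN, flags 160.12.16.0/20 as non-private, and shows that a client with a /24 mask on a /20 network will not see 10.0.0.1 as on-link.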

                      @johnpoz:

                      If he was not NATing at pfSense, then sure, that could be the case, yes..  But since pfSense is NATing, his ADSL router shouldn't know he is coming from 160.x - it should look like whatever his pfSense WAN IP is, 192.168.1.2?

                      Doh! Of course you're right.  ::)
                      Too used to looking NAT in the other direction I guess.

                      Steve

                        • jamesc892

                        Okay guys, thankful for the bridging advice as it has actually given me a bit more speed. I have PPPoE running off pfSense as my WAN and, after doing a bit of my own mapping of my static addresses, etc., have put myself on a 10.0.x.x /20 network. The issue after running traceroute and ping from a LAN computer was that I was getting communication with pfSense and was even handed addresses fine by the DHCP server, but was not getting any communication whatsoever via the actual DNS I had configured. So I went through my LAN interface configuration settings to realize that for some reason (maybe I did this out of rushing) the Gateway field had the LAN interface selected, therefore not allowing any LAN address to ever reach the WAN. I've redone the entire school today (we are off here in Ghana, Africa) and have had tremendous success with our captive portal, etc. and new equipment the school has had in storage for years.

                        As to the comments about my schooling, I am an SQL database programmer working in Ghana, Africa as a volunteer with a school for middle-class and poorer students. Our technologist left, and I was dumped with a bigger mess than you could imagine (even to my limited experience; this guy got his degree in the 80s and still manually configured every desktop vs. pushing MSIs and images). So spare me a bit; though all was helpful and I appreciate the help, my background and situation really did not lend to the criticism. Thanks for all the help guys! :)

                          • stephenw10 Netgate Administrator

                          It can be hard to judge the level of experience of new forum users. Assuming more or less experience can lead to comments that seem harsh or patronizing. Sounds like you've been left in a difficult situation. Keep asking questions, people will help.  :)

                          Steve

                            • heper

                            it's always difficult to put yourself in another person's shoes. that's why a problem so "easy" for some is incredibly "hard" for others that aren't familiar with the material at hand.

                            figuring out what is wrong with
```
SELECT * MORF mytable;
```

                            in my experience, people here are friendly and will always try to help.
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.