Netgate Discussion Forum

DHCP Netmask

DHCP and DNS
19 Posts 6 Posters 3.0k Views
    Marge
    last edited by Oct 13, 2014, 1:55 PM

    Hello.
    I searched for an answer but I did not find one.
    I have a LAN IP of 10.144.0.0/255.255.192.0.
    Of course the DHCP netmask is then 255.255.192.0.
    Can I change the DHCP netmask somehow to 255.255.248.0 without changing the pfSense netmask?
    I tried "Additional BOOTP/DHCP Options", number 2 as in the link, with text 255.255.248.0, but it's not working.

      cmb
      last edited by Oct 13, 2014, 4:57 PM

      No. That wouldn't be a valid configuration.

        divsys
        last edited by Oct 13, 2014, 5:53 PM

        Short answer (as per cmb) - No.

        Longer answer - what are you trying to accomplish?

        What's your setup and what's it doing or not doing for you?

        -jfp

          johnpoz LAYER 8 Global Moderator
          last edited by Oct 14, 2014, 4:17 PM

          To elaborate a bit, you cannot have devices with different masks that you expect to talk to each other without a layer 3 route happening, without all kinds of problems. While you might get some to work whose IPs cross over, depending on how your masks are set up and the hosts in those masks, it's a big, big no-no when setting up a network to expect that to be a valid configuration.

          If your pfSense LAN interface is on a network with a mask of /18, then your other devices on that network need to also use /18, not /21.

          If what you're wanting to accomplish is to have your DHCP clients use a specific section of that /18, then sure, you can adjust the pool of addresses handed out so they all fall inside your /21 subnet of the /18 -- but the clients' actual mask needs to be the /18, since that is the actual network they are on.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            Marge
            last edited by Nov 3, 2014, 7:57 AM

            Many of the people don't know how to work with netmasks. So I have some IPs that regular people don't need to access. That's why regular people have a /23 netmask and the other things that they don't need to access directly have /18.
            But it's ok. I'll set them up manually. :)

              johnpoz LAYER 8 Global Moderator
              last edited by Nov 3, 2014, 12:05 PM

              Yeah, that is not how it would be done. Segment your network if you need to isolate, then firewall between them, or don't even allow access to the whole segment from another segment. Changing a client's mask like you're doing is broken!!

                phil.davis
                last edited by Nov 3, 2014, 12:39 PM

                I will admit to having done a similar thing in places where we just do not want to go to all the hassle and expense of putting guest WiFi and wiring around a building in addition to the office LAN (whether with duplicate cabling, or smart APs that can do multiple SSIDs and VLANs, which means VLAN switches or something…).

                It is only "security by obscurity" but it does mean that most private/guest users, who accept their DHCP lease parameters and do not try to hack, will have some default level of exclusion, and can also be bandwidth limited.

                I do it the reverse way - giving all normal clients the ordinary DHCP with full-size netmask, then turn down the size of the subnet (turn up the CIDR) on the server, network printer, AP interfaces... which have static IPs typed into them. e.g.

                Full subnet 10.11.12.0/22 (provides 4*256 = 1024 addresses)

                DHCP pool at the end - 10.11.15.0-254
                Static map known employee/guest personal devices (tablets, phones...) into 10.11.14.0-255
                Real work client laptops and desktops go in 10.11.13.0-255
                Servers, network printers, AP management interfaces, any network resource, goes in 10.11.12.1-255 but with CIDR /23

                So the servers and network resources only talk to 10.11.12.0-10.11.13.255 - they do not talk to 10.11.14 (private static mapped) and 10.11.15 (DHCP pool)

                On pfSense LAN, block everything from DHCP pool 10.11.15.0/24 - then people have to come to IT and get their device static mapped in order to get any internet.

                Block any pfSense LAN traffic from LANnet to 10.11.14.0/23 - if a server tries to reply to a private device, the server thinks the private device is not in the same subnet, so sends the reply to pfSense. Block it, otherwise pfSense will deliver it back on LAN to the private device. This stops the private devices from getting any response from the servers...

                Put a limiter and schedule on the static mapped private device range 10.11.14.0/24 - then those tablets and phones can only suck up so much bandwidth during office hours.

                In a smallish office with a reasonably well-known group of users this can work in practice. Of course if you really want to secure the office LAN from private devices then you have to use a completely separate interface for a private/guest LAN and not let those devices onto the office LAN at all.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

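The mixed-mask scheme above and johnpoz's alternative for the original poster can both be checked with a few lines of Python. The following is an added example, not code from this thread or from pfSense: the host names and addresses are constructed to mirror phil.davis's layout (server narrowed to /23, everything else on the full /22), and the DHCP plan uses the original poster's 10.144.0.0/18 LAN with a pool confined to an assumed /21 slice. It shows why a server-to-private-device reply leaves via the gateway (the flow phil.davis has to block on pfSense) and how a pool can be narrowed while the handed-out mask stays the interface's real mask.

```python
import ipaddress
from itertools import permutations

# Constructed sample hosts modelled on phil.davis's layout; the names and
# addresses are assumptions for illustration, not his real configuration.
# Each entry: (address, prefix length the host itself is configured with).
HOSTS = {
    "server":  ("10.11.12.10", 23),  # static, deliberately narrowed to /23
    "laptop":  ("10.11.13.20", 22),  # work client, full /22 from DHCP
    "private": ("10.11.14.50", 22),  # static-mapped personal device, full /22
    "pool":    ("10.11.15.80", 22),  # plain DHCP-pool client, full /22
}


def next_hop(src, dst):
    """How src's own IP stack forwards a packet to dst: "direct" (ARP for dst
    on the LAN) if dst falls inside src's configured subnet, otherwise
    "via-gateway" (hand it to the default gateway, here pfSense)."""
    ip, prefix = HOSTS[src]
    local_net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    peer = ipaddress.ip_address(HOSTS[dst][0])
    return "direct" if peer in local_net else "via-gateway"


def asymmetric_pairs():
    """Pairs (a, b) where a believes b is on-link but b believes a is not.
    These are exactly the flows whose replies go to the gateway, which is
    why the scheme only 'works' with a pfSense block rule in front of them."""
    return sorted(
        (a, b)
        for a, b in permutations(HOSTS, 2)
        if next_hop(a, b) == "direct" and next_hop(b, a) == "via-gateway"
    )


def dhcp_plan(network_cidr, pool_start, pool_end, wanted_prefix):
    """johnpoz's alternative: keep the DHCP pool inside one /wanted_prefix
    slice of the interface network, but hand out the interface's real
    netmask. Returns (netmask to hand out, block containing the pool)."""
    net = ipaddress.ip_network(network_cidr)
    start, end = map(ipaddress.ip_address, (pool_start, pool_end))
    if not (start in net and end in net and start <= end):
        raise ValueError("pool is not inside the interface network")
    block = ipaddress.ip_network(f"{start}/{wanted_prefix}", strict=False)
    if end not in block:
        raise ValueError(f"pool does not fit in a single /{wanted_prefix} block")
    return str(net.netmask), str(block)


if __name__ == "__main__":
    for a, b in permutations(HOSTS, 2):
        print(f"{a:8} -> {b:8}: {next_hop(a, b)}")
    print("asymmetric pairs:", asymmetric_pairs())
    # OP's /18 LAN: pool confined to an assumed /21, mask stays 255.255.192.0.
    print(dhcp_plan("10.144.0.0/18", "10.144.8.1", "10.144.15.254", 21))
```

Running it lists `private -> server: direct` but `server -> private: via-gateway`: the private device ARPs for the server and its packet arrives, while the server's reply goes to pfSense, which would otherwise forward it straight back onto the same LAN. That asymmetry is the whole mechanism, and also why it is a firewall rule rather than addressing that is doing the isolating.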
                  johnpoz LAYER 8 Global Moderator
                  last edited by Nov 3, 2014, 2:58 PM

                  Just because you admit to doing such a thing does not mean it's not broken ;)

                  I wouldn't even call it obscurity - I would just call it a broken configuration. Actual isolation of segments can be done for pennies.. You're talking the cost of a NIC for pfSense - could be under $30 for sure, and worst case some cheap switches can also be had for pennies! You can get an 8-port gig switch for say $30, 16 and 24 ports for under 100.

                  I would never suggest anyone mess with masks in this manner - it is just plain broken!

                    phil.davis
                    last edited by Nov 3, 2014, 4:20 PM

                    Yes, I agree - I am just sometimes running on an absolute power budget, 12V DC devices like Alix/APU that have nowhere to put an extra NIC (don't want to connect a USB NIC), want to avoid the complexity of maintaining a VLAN switch in a very remote place,… so do something "broken" so that at least the network is a little bit self-policing to restrict access and manage bandwidth.
                    Perhaps I should not have posted this - it will give me a bad reputation :o

                      johnpoz LAYER 8 Global Moderator
                      last edited by Nov 3, 2014, 4:42 PM

                      Complexity of a VLAN switch? You're grasping at straws now to justify a broken setup you admit to doing ;) heheheh

                      vlan support on a switch can also be done on shoestring budgets..

                        phil.davis
                        last edited by Nov 3, 2014, 4:51 PM

                        The problem is when the VLAN switch at the remote site loses its settings or breaks. With an unmanaged switch, the receptionist just walks down to the bazaar, buys whatever switch happens to be there for a few rupees, and plugs the cables into it.
                        If VLANs are required, then someone has to source a VLAN switch when one dies. When one forgets its settings it is a bit of a nightmare to talk reception through setting it up! And even when it is working, the painters come, some Wally moves the cables and can't read the labels to put them back where they came from, then devices end up in the wrong VLAN.

                          johnpoz LAYER 8 Global Moderator
                          last edited by Nov 4, 2014, 6:44 PM (posted Nov 4, 2014, 5:14 PM)

                          If you're buying switches for a few rupees, there is your problem ;) heheeh

                          If they are only a few rupees buy a few of them and use physical isolation for your segments.

                          Why would a switch forget its settings? Never heard of or seen such a thing in all my years working with switches - is this one of those few-rupee switches? ;) And even if it does fail.. you connect it to your pfSense, and from pfSense you can add/change whatever IP you need to talk to the switch's default IP (if it's not DHCP out of the box), connect to it and set it up that way.

                          Why would painters be painting in a wiring closet?? ;) If Wally cannot read to replace the cables then get the receptionist to plug the cables back in - does she not read either? How in the hell are they using computers if they cannot read?? ;) Or if you really have monkeys -- color code the cables and ports.. Even monkeys can tell colors ;)

                          There is doing things on a budget, and there is just nonsense!!

                            cmb
                            last edited by Nov 4, 2014, 6:37 PM

                            @johnpoz:

                            Why would a switch forget its settings?

                            Not uncommon with cheap switches where the power's flaky. They seem to have a tendency to lose their config in that circumstance. Guessing Phil likely is working with a very slim budget, and hit and miss power, there in Nepal.

                              johnpoz LAYER 8 Global Moderator
                              last edited by Nov 4, 2014, 6:45 PM

                              So you agree: stop buying crap, and get a UPS ;)

                                phil.davis
                                last edited by Nov 5, 2014, 5:19 AM

                                Yes, would love to stop buying crap - but a lot of the locally available stuff imported here is bottom end, locals don't want to pay for quality, so if I want better quality I usually have to get someone to bring it from overseas. (Direct importing is such a pain at the air cargo terminal in Kathmandu, I just don't want to go there!).
                                And yes, almost got everything on a UPS at all sites, and then also have to get staff used to the idea that servers and network gear can be doing things at night without anyone there (backups to remote site, synching files…). The staff feel the urge to just unplug everything as they walk out the door - at least that is environmentally friendly  :)
                                Software is the easy bit, hardware a bit harder but layer 0 is the big challenge, keeping electron pressure in the power cables.

                                  kejianshi
                                  last edited by Nov 5, 2014, 5:27 AM

                                  I know you run solar. How is wind there? If you have any, per $ it's usually better than solar, or at least augments it well.
                                  I'm also a big fan of lead/acid when it comes to bang for the buck if weight isn't an issue.

                                  On the hardware side, I'm a big fan of old stuff as long as it does the job.

                                    phil.davis
                                    last edited by Nov 5, 2014, 5:50 AM

                                    Hmm, seemed to have hijacked this thread for a layer 0 discussion - apologies to the OP, hope you are enjoying it.
                                    We have to have batteries anyway, these days we are using Exide Inva Tubular with 4 year warranty, and they look like they will last 8 years. Local porters are able to carry a 50-60kg battery over crazy mountain passes, 20kg is enough for me!
                                    Solar is good, some offices are quite close to the sun :)
                                    We have almost got all on solar, and gradually getting direct 12V DC wiring in place, and testing a smart charging controller that remembers when the sun was up/down, mains power was on/off… and if the battery is getting low tries to make an educated guess as to whether the sun is not coming up any time soon, and the mains is going to die also, so should pump some charge into the batteries from mains during the night.
                                    I now go for low-power 12V DC capable (=new) stuff all the time - every watt counts.

                                      kejianshi
                                      last edited by Nov 5, 2014, 5:56 AM

                                      OK - I am PMing you then.

                                        cmb
                                        last edited by Nov 8, 2014, 5:55 PM

                                        Interesting stuff. I think a number of us would be interested in that discussion in public, no need to switch to PM. The General Discussion board is always open for completely OT topics.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.