IPv4 Network setup question - Subnet 24 or 23? Upside/Downside?


  • Hi,

    I am currently looking to migrate over to pfSense from a regular DD-WRT router at the office.  My existing network has a 192.168.5.1 - 192.168.5.255 network scheme (/24) with a 255.255.255.0 subnet.

    Is there an issue changing the subnet to 255.255.254.0 which would double the IP range?

    In the office we have close to 200 devices & I would prefer to make a change now for futureproofing later - if it is wise to do so.

    If I change the subnet to 255.255.254.0 would my IP range be 192.168.5.1 - 192.168.6.255?

    We have a PBX in the office & some people do use cell phones to connect while on the office wifi.  I am looking to set up a VPN so they can access softphones externally (and securely).  The same goes for the camera server.

    Any suggestions would be great.

    Thanks,
    Rich


  • It's certainly possible to do, especially with devices that get their IP by DHCP - this is easy. For static IPs on the network you'd have to manually change their subnet.

    In general it's always best to keep the size of the subnet as small as possible (broadcasts + security).
    It might be better to split off your wireless clients / phones / servers into their own VLAN with a small subnet for each. This will allow you to use firewalling, so, for example, the cell phones of the employees can't reach your domain controllers.

    to easily calculate cidr ranges: http://www.subnet-calculator.com/cidr.php

    Sort of related: pfSense 2.3 shows the number of leases in use on the status page / you can also enable RRD graphing for DHCP to monitor your lease count historically.

  • LAYER 8 Global Moderator

    I agree with heper here, having all devices on the same network/vlan does not really make security easy..  It's best to isolate different types of devices to their own vlan, both for security and limiting broadcast as heper mentions.

    Wifi for example normally would be on its own network.  Phones are another thing that should be on their own.. talking desk type phones (voip)  Your servers quite often are different than your users.  And anything that is accessed from the internet normally in a dmz/firewalled segment.

    As to the question about changing to a /23 vs /24 - yes, quite easy to do.. but as to your direct question about the range: no, it wouldn't go to 6, that is not where a /23 would split.  Your network would be 192.168.4.0 - 192.168.5.255 with a /23 if you want to have the 5 in there.

    192.168.0 -1
    192.168.2 -3
    192.168.4 -5
    192.168.6 -7

    etc.. would be the /23 networks..
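
Added example (not part of the thread): the /23 alignment described in the post above, computed with Python's `ipaddress` module, plus one way to carve small per-segment subnets as both replies suggest. The function names and the device counts are assumptions made for illustration.

```python
import ipaddress

def widen(existing_cidr, new_prefix):
    """Aligned block of length new_prefix that contains the existing network."""
    net = ipaddress.ip_network(existing_cidr, strict=False)
    return net.supernet(new_prefix=new_prefix)

def usable_range(net):
    """First and last assignable addresses (network and broadcast excluded)."""
    return net.network_address + 1, net.broadcast_address - 1

def plan_segments(parent, device_counts):
    """Carve the smallest subnet that fits each segment out of parent.

    Largest segment first, so every block starts on its own size boundary.
    Counts are assumed to include the firewall's interface address.
    """
    cursor = int(parent.network_address)
    plan = {}
    for name, count in sorted(device_counts.items(), key=lambda kv: -kv[1]):
        host_bits = (count + 1).bit_length()  # fits count + network + broadcast
        net = ipaddress.ip_network((cursor, 32 - host_bits))
        if not net.subnet_of(parent):
            raise ValueError(f"{name} does not fit in {parent}")
        plan[name] = net
        cursor += net.num_addresses
    return plan

# Constructed device counts for illustration (the thread only says "close to 200").
SAMPLE_COUNTS = {"desktops": 90, "wifi": 60, "voip_phones": 25, "servers_cameras": 10}

if __name__ == "__main__":
    block = widen("192.168.5.0/24", 23)
    first, last = usable_range(block)
    print(f"/23 containing 192.168.5.x: {block}  hosts {first} - {last}")
    for name, net in plan_segments(block, SAMPLE_COUNTS).items():
        lo, hi = usable_range(net)
        print(f"{name:16} {str(net):18} {lo} - {hi}")
```

Each segment then gets its own interface or VLAN on the firewall, with rules deciding which traffic may cross between them.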


  • This may be a dumb question but…

    If I have phones, printers, desktops, wifi, wired all on separate networks - how would I use a laptop or desktop to control everything?

  • LAYER 8 Global Moderator

    huh??  You do understand pfsense routes right..  You allow whatever traffic you want to allow between your network segments..  Be it all or none would be up to you..