
Author Topic: Changed netmask to /20 and now no internet  (Read 481 times)

Offline zer0

  • Jr. Member
  • **
  • Posts: 46
  • Karma: +1/-0
    • View Profile
Changed netmask to /20 and now no internet
« on: December 19, 2017, 10:47:16 am »
Hello,
I changed the netmask from 24 to 20, so this gives me a range from 192.168.0.0 to 192.168.15.254. My DHCP lease is 192.168.1.120 to 192.168.1.250 and anything outside of that (i.e. 192.168.1.1 to 192.168.1.119) is static IP. If I assign a computer a static IP of 192.168.3.9, subnet mask: 255.255.240.0, gateway: 192.168.1.1, I cannot access the internet. I am able to ping other systems like my desktop for example (192.168.1.10), but I cannot ping 192.168.3.9 from my desktop. What am I doing wrong?

Any help will be greatly appreciated.

Thank you


Offline dotdash

  • Hero Member
  • *****
  • Posts: 1929
  • Karma: +99/-3
    • View Profile
Re: Changed netmask to /20 and now no internet
« Reply #1 on: December 19, 2017, 12:00:35 pm »
IMO, a broadcast domain with over 4k hosts is doing it wrong. Aside from that, did you make sure it was changed everywhere- LAN interface, AON rules, etc? You need to have the same netmask on all the thousands of devices you have on your network- the firewall, all the hosts... You do have thousands of devices, right?

Offline zer0

Re: Changed netmask to /20 and now no internet
« Reply #2 on: December 19, 2017, 12:19:57 pm »
Well, not really thousands... but hitting close to 800 right now... about 200 computers and adding another 100 in the next couple of months, and the rest are a bunch of different networked devices, like data loggers, IP phones etc.
I would be OK with /22 but I think I would run into the same issues as /20.

Yes the netmask is updated everywhere


Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9565
  • Karma: +1084/-309
    • View Profile
Re: Changed netmask to /20 and now no internet
« Reply #3 on: December 19, 2017, 12:22:48 pm »
You have to change the netmask on all of the devices too.

Either a release/renew, reboot, reconfiguration of static, etc.

As an aside, I agree that some segmentation is probably in order.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM
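Added example (not part of the original posts): a short Python audit of the situation described above, flagging hosts that still carry the old prefix length and showing how each side of a conversation picks its next hop. The addresses come from the thread; the assumption that the desktop still has the /24 mask, and all function names, are constructed for illustration.

```python
import ipaddress

# LAN prefix after the change described in the thread.
LAN = ipaddress.ip_network("192.168.0.0/20")

# Constructed host inventory: addresses come from the thread, but the desktop
# still carrying the old /24 mask is an assumption made for illustration.
HOSTS = {
    "desktop": "192.168.1.10/24",
    "new-static": "192.168.3.9/20",
    "firewall": "192.168.1.1/20",
}


def stale_masks(hosts, lan):
    """Return names of hosts inside the LAN whose prefix length differs from it."""
    stale = []
    for name, cidr in hosts.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.ip in lan and iface.network.prefixlen != lan.prefixlen:
            stale.append(name)
    return sorted(stale)


def next_hop(src_cidr, dst_ip, gateway):
    """Decide how a host delivers a packet: ARP for the peer directly, or hand it to the gateway."""
    src = ipaddress.ip_interface(src_cidr)
    return "direct" if ipaddress.ip_address(dst_ip) in src.network else f"via {gateway}"


def path_report(hosts, a, b, gateway="192.168.1.1"):
    """Show both directions of a conversation; differing answers mean asymmetric paths."""
    ip = lambda n: str(ipaddress.ip_interface(hosts[n]).ip)
    return {
        f"{a}->{b}": next_hop(hosts[a], ip(b), gateway),
        f"{b}->{a}": next_hop(hosts[b], ip(a), gateway),
    }


if __name__ == "__main__":
    print("stale masks:", stale_masks(HOSTS, LAN))
    for direction, hop in path_report(HOSTS, "desktop", "new-static").items():
        print(direction, hop)
```

When the two directions disagree, one host ARPs for its peer on the wire while the other sends the same conversation to the firewall, which is why every device needs the new mask and not only the firewall.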

Offline zer0

Re: Changed netmask to /20 and now no internet
« Reply #4 on: December 19, 2017, 12:24:29 pm »
like VLANs?

Online JKnott

  • Hero Member
  • *****
  • Posts: 1076
  • Karma: +43/-6
    • View Profile
Re: Changed netmask to /20 and now no internet
« Reply #5 on: December 19, 2017, 12:26:30 pm »
Quote
like data loggers, IP phones etc.

In larger networks, IP phones are generally put on a separate VLAN.  In addition to reducing the broadcasts on the main network, it also allows for giving priority to VoIP traffic.

Offline Derelict

Re: Changed netmask to /20 and now no internet
« Reply #6 on: December 19, 2017, 12:28:35 pm »
Quote
like VLANs?

Separate broadcast domains.

If you choose to use VLANs that would work.

Offline zer0

Re: Changed netmask to /20 and now no internet
« Reply #7 on: December 19, 2017, 01:01:17 pm »
Is it possible to perform administrative tasks on separate VLANs from one computer? For example, VLAN 101 = Computers, 102 = data loggers, VLAN 103 = IP phones. If I wanted to manage data loggers or IP phones, would I need to make my computer part of that VLAN in order to access them?

Online JKnott

Re: Changed netmask to /20 and now no internet
« Reply #8 on: December 19, 2017, 01:07:31 pm »
Quote
like VLANs?
Separate broadcast domains.
If you choose to use VLANs that would work.

Just to clarify, with VLANs, the traffic is still on the wire, but not bothering as many devices.

The problem with broadcasts is that all devices have to receive and process them, whether they're interested or not.  Broadcasts are used for a lot of things, including ARP, initial DHCP requests, Windows networking and more.  The trend is to use multicasts, which target selected groups of devices, so others don't have to handle them.  On IPv6, there are no broadcasts, only multicasts and most multicasts only go to the desired groups, down to a single device.  The closest thing to a broadcast on IPv6 is the all hosts multicast and those are used only for things like router advertisements that have to go to all devices.

With VLANs, the traffic is split into logically separate networks, for example the VoIP phones I mentioned in another message.  It could also be split according to departments or function, for added security.  Whatever the reason, VLANs reduce the size of "broadcast domains" and the amount of processing wasted on handling unwanted broadcasts.

Bottom line, it is possible to have a network with a large number of devices on it, but that means every device has to handle all those broadcasts, rather than just a portion of them.


Online JKnott

Re: Changed netmask to /20 and now no internet
« Reply #9 on: December 19, 2017, 01:08:44 pm »
Quote
Is it possible to perform administrative tasks on separate VLANs from one computer? For example, VLAN 101 = Computers, 102 = data loggers, VLAN 103 = IP phones. If I wanted to manage data loggers or IP phones, would I need to make my computer part of that VLAN in order to access them?

Yes, while it's possible to have multiple VLANs on a single computer, the VLANs can normally be reached through a router, just as though they were separate networks.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14753
  • Karma: +1372/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Changed netmask to /20 and now no internet
« Reply #10 on: December 20, 2017, 03:16:07 am »
JKnott - I have to say I was waiting for you to say you could just run all the same vlans on the same dumb switch.. I am very happy with your last response ;)

To the OP.. Why are you wanting to use a /20?  As already mentioned you should be looking to segment your different devices.. not put them all on the same network..

What you should do is sit down and think about the different sorts of devices on your network.. Printers, servers, clients be it desktops, wireless tablets, phones, etc. etc..  And then put the different devices/users you want to be able to isolate from each other on their own vlans... Then using pfSense you can easily firewall between these vlans.

If you give us some details we can help you try org your network better.. Vs you just growing larger and larger flat network..   What happens when you get over 4k devices.. Do you then move to a /19?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Online JKnott

Re: Changed netmask to /20 and now no internet
« Reply #11 on: December 20, 2017, 06:10:57 am »
Quote
JKnott - I have to say I was waiting for you to say you could just run all the same vlans on the same dumb switch.

You still can on a small network, but there's no way I'd recommend it for a large one.  In my own network, my original intent was to have a guest WiFi, with its own SSID/VLAN.  However, as discussed elsewhere, my TP-Link AP wasn't up to the task.  In this situation, a performance hit caused by a lot of broadcasts was not a concern, only separating the guest network from the regular one, and it wasn't worth buying a managed switch just for that task.


Offline zer0

Re: Changed netmask to /20 and now no internet
« Reply #12 on: December 20, 2017, 11:52:24 am »

Quote
If you give us some details we can help you try org your network better.. Vs you just growing larger and larger flat network..   What happens when you get over 4k devices.. Do you then move to a /19?

Thank you guys! I have sketched a network diagram as it stands today.... basically all switches are acting as dumb switches at the moment. When we started small we just kept adding switches and plugging things into open ports.

Any advice on how I should organise this would be greatly appreciated.

Please see attached.

Online JKnott

Re: Changed netmask to /20 and now no internet
« Reply #13 on: December 20, 2017, 12:23:18 pm »
Quote
When we started small we just kept adding switches and plugging things into open ports.

A suggestion, instead of chaining switches in that manner, choose one to be the root switch and connect the other switches to it.

Offline johnpoz

Re: Changed netmask to /20 and now no internet
« Reply #14 on: December 20, 2017, 12:28:23 pm »
What is the make of these managed switches and what port density?  You're going to need to get rid of those dumb switches unless you can leverage them all on the same network for all devices plugged into them.

What is the physical layout?  Where are these switches?  Do they sit in IDFs, or are they all in the MDF, or are they sitting under some guy's desk?

And you have more dumb switches downstream.. Just caught that.. Wow, sounds like a real mess... You have your phones running on the same broadcast domains as all your other users and computers.. Same as your wifi network even?  You do understand all your broadcast traffic is going out over your wifi network, right... And it's shared bandwidth... So yeah, lots of noise on your wifi for no reason.

That is part of the reason you don't just connect your wifi to a /20 ;)