Playing with a new router which does DHCP. In default setup its DHCP pool is from 192.168.1.38 to 192.168.1.243.
Why?!
Is there an RFC or some other rules suggesting where a pool starts and stops? Why not start at 1 and go to 254?
If it's to 'protect' fixed addresses for routers or other devices, how come the suggested default client IP pool for VPN users runs from 240 to 249? Or is this just a misconfiguration on my part? Should I drop the DHCP pool back down to 239? Or increase it to 249?
Nope, this seems a bit arbitrary. What box is it?
Why?! The decision of the network designer. Some like to leave .1 to .20 for networking devices in a subnet, others like to leave .240 to .254. On enterprise networks I've seen the default gateway as .1 or .254 and in at least one case the network designer chose .100. I have no idea what they were thinking
22 years of broadband connectivity since 1999 trial - Live BQM
Btw typically the gateway is .1 so the pool would start from .2 on most setups.
What box is it?
EdgeRouter X. But I'm pretty sure I've noticed this on other routers like FritzBox and maybe DrayTek.
As said, a predilection of the designer. Personally would’ve set it to 42 - the answer to the life, the universe, and everything (of course) 🤣
There’s nothing written in any RFCs about starting or stopping a DHCP scope at a particular address. You can edit the scope as you see fit.
OK, understood now. Unusually, it's simpler than expected!
Any comments about my VPN pool though? The default 38 to 243 is in the router's GUI but I've added

    client-ip-pool {
        start 192.168.1.240
        stop 192.168.1.249
    }

in the CLI. Am I actually only going to be able to issue four addresses (240 to 243) to VPN clients?
Keep the pools non-overlapping.
Otherwise set/adjust the size, depending on how many max simultaneous clients you need to accommodate.
Keep the pools non-overlapping.
Otherwise set/adjust the size, depending on how many max simultaneous clients you need to accommodate.
Thanks. So this is really two different pools? Even though I can only see one of them via the GUI. Anyway, I will research more. Thanks again.
It's normal in Business to use separate DHCP pools for Clients and VPN users, just a bit weird to see it on a home device.
Also as someone else said, reserving the first 10-20 addresses for a Default Gateway and static stuff like switches is also good for OCD
Regards,
Neill
ZeN Fibre Active (FTTC 46.68/7.94)
Check Point SG730/Vigor 130
Exchange - Corby (EMCRRBY)
Btw typically the gateway is .1 so the pool would start from .2 on most setups.
Heretic. All right-thinking people and, in my experience, the vast majority of networks have the gateway set as the last IP address in the network range. So typically .254 unless you are subnetting on non-byte boundaries.
Yep that’s me. The….ahem…heretic. 😉😎
For VPN, the client IP pool does not need to lie within the subnet of another LAN, and it can avoid certain problems in the long run as well as being able to route and firewall less ambiguously.
As it stands you will be relying on other physical hosts in the 192.168.1.0/24 network thinking the VPN clients are present at the MAC layer (2) and the router typically needs to reply on behalf of the remote clients such as using proxy ARP.
If you know you don't need more than 120 hosts in the physical LAN one alternative is to run that as a /25, and you could reserve the first 20 addresses for static and still have a DHCP pool of about 100 items, .21 to .120
I'd typically then number the client VPN pool from 201 to 250 to exceed any initial requirement but leave room to grow downwards (towards the boundary at .128).
As to the original question as others have said I think it's just an arbitrary choice to set aside some IPs for static when you run the wizard, not a recommendation as such.
38 to 243 happens to be 80% of the range, starting 15% in.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Sat 12-Mar-22 01:19:29)
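A small checker for the kind of plan described in this post, as an added example that is not the poster's code and not an EdgeOS tool. It encodes the two layouts discussed in the thread, the EdgeRouter defaults with the .38-.243 DHCP pool beside the .240-.249 VPN pool, and the /25 split suggested above, and reports overlapping pools (the four-address overlap the original question asked about), pools that spill past the subnet or swallow the gateway, and a VPN pool that sits inside the LAN and therefore depends on the router answering ARP for its clients. The gateway address 192.168.1.1 and the pool names are assumptions.

```python
"""Sanity-check an address plan: LAN subnet, static block, DHCP pool(s) and a VPN
client pool.  Added example; not from the thread, the router vendor or any RFC."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    name: str
    start: str
    stop: str
    dynamic: bool = True  # True for DHCP/VPN pools, False for a static reservation block

    def bounds(self):
        """Inclusive (first, last) as integers; rejects a pool whose start is after its stop."""
        first = int(ipaddress.ip_address(self.start))
        last = int(ipaddress.ip_address(self.stop))
        if first > last:
            raise ValueError(f"{self.name}: start {self.start} is after stop {self.stop}")
        return first, last

    def size(self):
        first, last = self.bounds()
        return last - first + 1


def overlap(p, q):
    """Number of addresses two pools have in common (0 when they are disjoint)."""
    a1, b1 = p.bounds()
    a2, b2 = q.bounds()
    lo, hi = max(a1, a2), min(b1, b2)
    return hi - lo + 1 if hi >= lo else 0


def check_plan(lan_cidr, gateway, lan_pools, vpn_pool):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    lan = ipaddress.ip_network(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    issues = []

    for p in lan_pools:
        first, last = p.bounds()
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in lan or hi not in lan:
            issues.append(f"{p.name} {p.start}-{p.stop} is not contained in {lan}")
            continue
        # The network and broadcast addresses are never valid host leases.
        if lo == lan.network_address or hi == lan.broadcast_address:
            issues.append(f"{p.name} includes the network or broadcast address of {lan}")
        if p.dynamic and first <= int(gw) <= last:
            issues.append(f"{p.name} would hand out the gateway address {gw}")

    # Every pool must be disjoint from every other pool, the VPN pool included.
    everything = list(lan_pools) + [vpn_pool]
    for i, p in enumerate(everything):
        for q in everything[i + 1:]:
            n = overlap(p, q)
            if n:
                issues.append(f"{p.name} and {q.name} overlap on {n} address(es)")

    # A VPN pool inside the LAN subnet only works because the router answers ARP on the
    # remote clients' behalf; flag it so that the choice is deliberate, not accidental.
    vfirst, vlast = vpn_pool.bounds()
    if ipaddress.ip_address(vfirst) in lan or ipaddress.ip_address(vlast) in lan:
        issues.append(f"{vpn_pool.name} lies inside {lan}; the router must proxy-ARP for VPN clients")
    return issues


# The EdgeRouter defaults from the thread: /24 LAN, DHCP .38-.243, VPN pool .240-.249.
# Gateway .1 is an assumption.
EDGEROUTER_DEFAULTS = dict(
    lan_cidr="192.168.1.0/24",
    gateway="192.168.1.1",
    lan_pools=[Pool("dhcp", "192.168.1.38", "192.168.1.243")],
    vpn_pool=Pool("vpn", "192.168.1.240", "192.168.1.249"),
)

# The /25 layout suggested above: static .1-.20, DHCP .21-.120, and the VPN pool
# .201-.250 in the upper half of the /24 that the LAN no longer occupies.
SPLIT_PLAN = dict(
    lan_cidr="192.168.1.0/25",
    gateway="192.168.1.1",
    lan_pools=[
        Pool("static", "192.168.1.1", "192.168.1.20", dynamic=False),
        Pool("dhcp", "192.168.1.21", "192.168.1.120"),
    ],
    vpn_pool=Pool("vpn", "192.168.1.201", "192.168.1.250"),
)

if __name__ == "__main__":
    for label, plan in (("EdgeRouter defaults", EDGEROUTER_DEFAULTS), ("/25 split", SPLIT_PLAN)):
        print(f"{label}: {check_plan(**plan) or 'no issues'}")
```

Run it and the default plan reports the four-address overlap (.240 to .243) plus the proxy-ARP dependency, while the /25 split comes back clean; change the numbers to match your own router before trusting the result.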
You don't want overlapping pools.
It's nice to have some address space that isn't part of a DHCP pool, to give you somewhere to put things with static IPs.
Personally, I use 192.168.2.0/23 as a subnet on my home network, i.e. 192.168.2.0-192.168.3.255.
I then have my router on 192.168.2.1, all my static things on 2.x, and 3.x is my DHCP pool.
VPN clients are on their own subnet.
I've always used the first address. If you decide to expand the subnet range (for example from a /24 to a /23) then you don't need to change the gateway address.
This means that the devices in the subnet that you haven't managed to change yet and still have the /24 mask keep working in the interim.
Comms is hard 
Easy there Jon, you could be accused of networking heresy, despite the obvious logic.
I would say over the last 25 years the vast majority of subnets (be it /24, /23 or /22) in large organisations I have come across have used the last address, .254, on the range as the gateway; that's not to say using the first, .1, is not a good idea for the reason Jon said.
Edited by deleted (Sat 12-Mar-22 11:59:15)
Each to their own...I've been at it for 37 years.
Each to their own... Indeed, just saying what I've seen.
Why?! The decision of the network designer. Some like to leave .1 to .20 for networking devices in a subnet, others like to leave .240 to .254. On enterprise networks I've seen the default gateway as .1 or .254 and in at least one case the network designer chose .100. I have no idea what they were thinking 
It doesn't actually matter. But a practical reason could be the network started life as a smaller subnet - where .100 would be a perfectly "logical" decision and later got changed - so rather than change the gateway it was left.
It's not at all uncommon outside basic consumer networks for DHCP pools and Gateways etc to be in this scenario, and there's no "bad" way - I actually think .254 and .1 are poor choices on an IPv4 /24 for gateway for various reasons - not least because all it then takes is someone to connect something they shouldn't that also has a default IP on the same range on .1 or .254 and they will doubtless end up on that IP with the new device breaking connectivity for all - and sadly you can't always prevent someone doing something stupid.
Equally I would usually leave 'n' many IPs at the beginning of larger ranges for devices I explicitly want to be Statically assigned for whatever reason, so having a pool start further up makes sense. There is zero reason to care though as an end user with a client device - by design DHCP is supposed to mean you don't need to care
I'm currently using .5 on my home network, how does that make you feel ?
😉
I'm currently using .5 on my home network, how does that make you feel ?
😉
Bit much, I'll stick to /22 in my core network.
I don't really need a /24 to be honest. I am currently working on moving the IP ranges in the DHCP server and those that are reserved. I'm still researching how best to set up my VPN server as the IP ranges overlap (unintentionally).
All my static/reserved addresses are between 10.0.0.2 and 10.0.0.60. The first 30 are for switches (even if some switches are no longer in use they are still static, as some required Java (these switches are for emergencies only due to security)) / network APs and printers; 2 are for NAS, as they were assigned an IP a long time ago and it would mean remapping drives on some machines that are offsite and use a VPN for local network storage access. If anyone has any advice on the best way to set up a VPN that only shares mapped drives and doesn't transfer all network internet traffic, I'm all ears. I use a Synology DS920+ for L2TP VPN and storage at the moment.
Many Thanks,
RR-THE-IT-GUY
Virgin Media M100
Talktalk 2014-2018 → Virgin Media Vivid 50 2018-2019 → Virgin Media M100 2020-2022
I'll stick to /22 in my core network.
I don't really need a /24 to be honest Ryan
When you say core network, I thought you lived with your parents and had not long left college and were looking for a job at Openreach.
Have things changed?
Edited by deleted (Sun 13-Mar-22 22:37:12)
Bit much, I'll stick to /22 in my core network.
I don't really need a /24 to be honest
...
You may mean the other way around 
/22 is 1024 addresses and a /24 is 256
Playing with a new router which does DHCP. In default setup its DHCP pool is from 192.168.1.38 to 192.168.1.243.
Why?!
Is there an RFC or some other rules suggesting where a pool starts and stops? Why not start at 1 and go to 254?
If it's to 'protect' fixed addresses for routers or other devices, how come the suggested default client IP pool for VPN users runs from 240 to 249? Or is this just a misconfiguration on my part? Should I drop the DHCP pool back down to 239? Or increase it to 249?
That looks as though it was a choice made by the previous owner or software designer (if the router has been reset)
Anyway you can use any of the private IP ranges https://www.arin.net/reference/research/statistics/a...
Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen => Freeola => Vivaciti (using O2 Wholesale DSL) => Xilo (C&W Wholesale) => Xilo (O2 Wholesale) => Xilo (TT Wholesale due to O2 Wholesale closure) => Zen LLU =>> ZeN FTTP (Openreach 300 Mbps down, 47 Mbps up)
Router: Fritzbox 7530
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.
Btw typically the gateway is .1 so the pool would start from .2 on most setups.
Heretic. All right-thinking people and, in my experience, the vast majority of networks have the gateway set as the last IP address in the network range. So typically .254 unless you are subnetting on non-byte boundaries.
I have my gateway set to 1 too and the third octet set to my house number for the sheer hell of it
(playfully thumbs nose at jabuzzard)
I'll stick to /22 in my core network.
I don't really need a /24 to be honest Ryan
When you say core network I thought you lived with your parents and had not long left colleague and was looking for a job at Openreach.
Have things changed?
First part hasn't changed, but I didn't mention that a few family members have companies who I do some IT for. I won't go into detail because it will turn into a 5 page list of things; put it this way, we have a ticket system with set SLAs and they are kept to (80% of the time).
I think you inferred the last bit. I haven't looked at jobs at Openreach, they aren't quite what I'm looking for long term. I have a job at a cyber security contractor, as an IT service desk and delivery team technician. I'm also currently looking at degree apprenticeships across the UK for even longer prospects into various IT roles.
I just referred to it as a core network as various bits are shared and end up linked, for various reasons, one being that it's easier to have an internal shared site between family and friends hosted with failover across multiple NAS drives, one in Cambridgeshire, Nord Pas Calais (France), Barnet (London), and one in Northampton. It just means we can share storage and information easily without needing to all buy OneDrive or online storage subscriptions. (I know I have the biggest amount of storage across my NASs, 12TB in the RAID I use on one and 12 on the other.)
Accounts are mapped and accessed through Explorer like this
Network drives across the whole configuration are set up something like this; please note I have some extra drives mapped as I manage it, the users only have 3 or 4 depending on the access they require
Obviously everything is encrypted as that's standard practice.
Many Thanks,
RR-THE-IT-GUY
Bit much, I'll stick to /22 in my core network.
I don't really need a /24 to be honest
...
You may mean the other way around 
/22 is 1024 addresses and a /24 is 256
Oops, you got me. Been a busy day, been prepping PowerPoints on DNS and DNS resolution for a job interview at an MSP on Friday.
Many Thanks,
RR-THE-IT-GUY
I haven't looked at jobs at Openreach
Sorry, I meant BT but typed Openreach.
Has anybody actually seen what the actual price increases are? Can't see anything on the BT website
They do have a page on it, as I saw it when I was applying for a job there.
Edited by deleted (Mon 14-Mar-22 09:23:03)
Personally, I use 192.168.2.0/23 as a subnet on my home network, I.e. 192.168.2.0-192.168.3.255.
I then have my router on 192.168.2.1, all my static things on 2.x, and 3.x is my DHCP pool.
VPN clients are on their own subnet.
OK, I'm using /24 because I don't know enough about networking but (after reading a bit) also because I have four VPN connections between sites and each of those needs to be on its own subnet. As far as I understand. So if I ran a 192.168.1.0/23 LAN here I couldn't have the office which uses 192.168.2.0 VPN in.
So VPN on their own subnet, but I want to have access to file shares on the office LANs. If I come in on a different subnet I won't be able to access them.
Jings, this seemed simple and the original answer was. Now we're down one of them rabbit holes...
Jings, this seemed simple and the original answer was. Now we're down one of them rabbit holes...
You've broadened the scope to multi-site IP address assignments and multi-site VPNs. It's a big leap from the original question 😉
Personally, I use 192.168.2.0/23 as a subnet on my home network, I.e. 192.168.2.0-192.168.3.255.
I then have my router on 192.168.2.1, all my static things on 2.x, and 3.x is my DHCP pool.
VPN clients are on their own subnet.
OK, I'm using /24 because I don't know enough about networking but (after reading a bit) also because I have four VPN connections between sites and each of those needs to be on its own subnet. As far as I understand. So if I ran a 192.168.1.0/23 LAN here I couldn't have the office which uses 192.168.2.0 VPN in.
So VPN on their own subnet, but I want to have access to file shares on the office LANs. If I come in on a different subnet I won't be able to access them.
Jings, this seemed simple and the original answer was. Now we're down one of them rabbit holes...
Having VPN connections on their own subnet isn't what determines whether they will have access to file shares.
One should still check if they have added any firewall rules affecting traffic between internal networks.
However, sometimes people rely too heavily on local network browsing to discover shares, and if this depends on multicast or broadcast across the same network, that's when they might not automatically show up.
However, any shares should be on computers or servers that have consistent names in DNS, with an internal DNS server specified for VPN clients to use, so that one can list the shares by browsing to the named computer.
For Windows-like shares, historically a computer browse list spanning multiple networks was centralised using WINS, but having DNS resolve properly is the more generalised way for connections between computers and services. There is a reason we moved away from distributing a big hosts file by scripting!
Note that trying \\computername\sharename often relies on LLMNR or a fallback to the older NBNS (NetBIOS Name Service), both of which will fail unless the VPN has hacks to act as a kind of repeater (which doesn't scale well to multiple sites and/or remote clients).
Worst case for client-to-site remote access, they may be broadcasting these requests locally to them instead of over the VPN, potentially accessing a third party's computer.
Whereas \\fully.qualified.domain.name\sharename should first translate the FQDN to an IP, then browse the target machine (unicast).
Try to avoid your FQDNs using .local, otherwise devices will try to do mDNS (aka Bonjour, formerly Rendezvous), which again is local multicast rather than a routeable protocol.
Edited by prlzx (Mon 14-Mar-22 13:17:45)
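To make the name-resolution point above concrete, here is an added example (not from the thread, and not a Windows or macOS API) that parses a UNC path or an smb:// URL, reports which lookup mechanism the host part will hit (IP literal, unicast DNS for an FQDN, mDNS for .local, or LLMNR/NBNS fallback for a single label), and rewrites single-label names to FQDNs so that clients on a VPN resolve them by unicast DNS. The host names and the internal domain corp.example are made up.

```python
"""Classify how a share path's host name will be resolved, and rewrite it into the
unicast-DNS form.  Added example; not from the thread or any vendor."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ShareTarget:
    host: str
    share: Optional[str]
    method: str      # "ip", "dns", "mdns" or "llmnr/nbns"
    routable: bool   # True when the lookup is unicast and therefore works across a VPN
    advice: str


# '\\host\share' (share optional) and 'smb://host/share' (share optional, as in Finder).
_UNC = re.compile(r"^\\\\([^\\/]+)(?:\\([^\\/]+))?")
_URL = re.compile(r"^smb://([^/]+)(?:/([^/]+))?", re.IGNORECASE)


def parse_share(path):
    """Split a UNC path or smb:// URL into (host, share); share is None if absent."""
    path = path.strip()
    for rx in (_UNC, _URL):
        m = rx.match(path)
        if m:
            return m.group(1), m.group(2)
    raise ValueError(f"not a UNC path or smb:// URL: {path!r}")


def classify(path):
    """Work out which name-resolution path the client will take for this share."""
    host, share = parse_share(path)
    try:
        ipaddress.ip_address(host)
        return ShareTarget(host, share, "ip", True,
                           "no name lookup at all; reachable wherever the address is routed")
    except ValueError:
        pass  # not an IP literal, so it is a name of some kind
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] == "local":
        return ShareTarget(host, share, "mdns", False,
                           "'.local' names go to mDNS multicast, which is not routed over a VPN")
    if len(labels) == 1:
        return ShareTarget(host, share, "llmnr/nbns", False,
                           "single label: DNS suffix search first, then LLMNR multicast / "
                           "NBNS broadcast on the local segment, never across the tunnel")
    return ShareTarget(host, share, "dns", True,
                       "FQDN: unicast DNS, then unicast SMB to the answer")


def vpn_safe_path(path, internal_domain, style="unc"):
    """Rewrite a share path so that name resolution is unicast DNS: single-label hosts get
    the internal domain appended; FQDNs and IP literals are left alone; .local is refused."""
    t = classify(path)
    host = t.host
    if t.method == "mdns":
        raise ValueError(f"{host}: move the share to an internal domain other than .local")
    if t.method == "llmnr/nbns":
        host = f"{host}.{internal_domain}"
    if style == "unc":
        return "\\\\" + host + (f"\\{t.share}" if t.share else "")
    return f"smb://{host}" + (f"/{t.share}" if t.share else "")


if __name__ == "__main__":
    # Constructed sample paths; corp.example is an assumed internal domain.
    for p in (r"\\192.168.2.100\docs", r"\\fileserver\docs", "smb://nas.local/docs",
              "smb://fileserver.corp.example/docs"):
        t = classify(p)
        print(f"{p:40} {t.method:11} routable={t.routable}  {t.advice}")
    print(vpn_safe_path(r"\\fileserver\docs", "corp.example", style="smb"))
```

The rewrite is only half the job: the VPN must also push the internal DNS server (and, for the suffix search, the internal domain) to clients, otherwise the FQDN is looked up on whatever resolver the client's home network hands out.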
Gone off my original question but still, I'd like to know....
Having VPN connections on their own subnet isn't what determines whether they will have access to file shares.
So I thought I need to be on the same subnet to access a file server and that's what the VPN is doing. From my LAN address 192.168.1.2 I'm connecting to another LAN which uses 192.168.2.0/24 and I get an IP address there of 192.168.2.123 (say). The VPN isn't on its own subnet here, is it?
But if you landed into my LAN 192.168.1.0/24 and the VPN is on the 192.168.5.0 subnet you won't be able to access the file server at 192.168.1.99. That's my understanding and how I have different sites setup. Please do tell me if I'm wrong
For Windows-like shares
We're all Mac but I'd love to have my internal DNS set up properly. At the moment we use Finder's 'Connect to server...' and access smb://192.168.2.100 which gets a list of shares which can be mounted. I can get there using smb://domain (no suffix) but don't because it only seems to work locally (not over the VPN). I and users know how to use 'Connect to server...' and as it works I haven't tried to improve things.
Are you saying I could use smb://server.domain.tld/share if I had DNS set up correctly. And users couldn't access that share without being either on the LAN or VPN? On a Mac!
I'm currently using .5 on my home network, how does that make you feel ?
😉
Bit much, I'll stick to /22 in my core network.
I said .5, not /5, as in I've ended up with my pfSense gateway on .5 (because at one point it was running alongside my existing router which was on .1 and .2-.4 were already in use for servers).
On 192.168.7.5 to be precise.
Using 192.168.7.0/24 for my home LAN was a fairly arbitrary choice; I mainly wanted to get away from 192.168.0.0/24 and 192.168.1.0/24 as far too much stuff at the time was coming preconfigured on those.
I also use 192.168.11.0/24 for my WireGuard VPN and 192.168.10.0/24 for an OpenVPN setup I don't really use much anymore.
And my MikroTik LTE router is set up with 192.168.9.0/24 (with DHCP enabled, plugged into its own port on the pfSense box), because then if the whole of the rest of my network goes wrong for some reason, I can just plug that directly into one of my access points, bypassing everything else.
Gone off my original question but still, I'd like to know....
So I thought I need to be on the same subnet to access a file server and that's what the VPN is doing. From my LAN address 192.168.1.2 I'm connecting to another LAN which uses 192.168.2.0/24 and I get an IP address there of 192.168.2.123 (say). The VPN isn't on its own subnet here, is it?
But if you landed into my LAN 192.168.1.0/24 and the VPN is on the 192.168.5.0 subnet you won't be able to access the file server at 192.168.1.99. That's my understanding and how I have different sites setup. Please do tell me if I'm wrong 
For Windows-like shares
We're all Mac but I'd love to have my internal DNS set up properly. At the moment we use Finder's 'Connect to server...' and access smb://192.168.2.100 which gets a list of shares which can be mounted. I can get there using smb://domain (no suffix) but don't because it only seems to work locally (not over the VPN). I and users know how to use 'Connect to server...' and as it works I haven't tried to improve things.
Are you saying I could use smb://server.domain.tld/share if I had DNS set up correctly. And users couldn't access that share without being either on the LAN or VPN? On a Mac!
SMB so yes they are Windows-like shares
So this part is all about client remote access VPN rather than site-to-site.
Well have a think about what the server at 192.168.2.100 does when it replies to a client. If the client is 192.168.2.123 but isn't actually present, how does the server know to send the traffic to the (VPN) router? Normally it wouldn't talk to the router to reply to the same subnet, it would do an ARP broadcast and ask for the MAC address corresponding to the target, to find out who "owns" the IP.
You can see the router does something funky to make it look like they are actually the source of the client's traffic.
Now look at the default gateway from the perspective of your server. If the default gateway points to your router and that is also the VPN router, the server is quite capable of responding to requests from outside its own subnet, because replies would be sent via the router.
In this case the server does not broadcast to locate the client.
The router in turn would know the IP belongs to a VPN client and forward (route) it over the tunnel.
Have a look at the virtual interface created on the client when it brings up VPN.
You may find it is really receiving a /32 but also a setting making the tunnel the default route interface for all non-local traffic.
The VPN client also usually adds an exception for the public IP of the VPN endpoint to reach that directly for the already-encrypted traffic (as seen by the Internet).
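The three forwarding decisions described in this post, the server replying, the VPN router forwarding to the client pool, and the road-warrior client with a full-tunnel default route, a /32 of its own and an exception for the VPN endpoint, can be reproduced with a longest-prefix-match lookup. The following is an added example (not the poster's code and not any router's implementation); every address, interface name and the 203.0.113.0/24 documentation range standing in for public IPs are assumptions. It also covers Jon's earlier point about keeping the gateway at the first address when a /24 grows into a /23, via the gateway_on_link check.

```python
"""Longest-prefix-match forwarding decisions for a file server, a VPN router and a
full-tunnel VPN client.  Added example; addresses and interfaces are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination network in CIDR form
    dev: str                     # egress interface
    via: Optional[str] = None    # next hop, or None when the destination is on-link

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


def lookup(table, dst):
    """Return the most specific matching route for dst (longest prefix wins), or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def forwarding_decision(table, dst):
    """Describe the first hop: whose MAC address gets ARPed for, and on which interface."""
    r = lookup(table, dst)
    if r is None:
        return "no route"
    if r.via is None:
        # On-link: the sender ARPs for the destination itself.  If the destination is a
        # remote VPN client using a LAN address, the router must answer (proxy ARP).
        return f"on-link via {r.dev}: ARP for {dst} itself"
    return f"via gateway {r.via} on {r.dev}: ARP for the gateway, not for {dst}"


def gateway_on_link(host_cidr, gateway):
    """True when a host with this address/mask can ARP for its gateway directly."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


# Office file server on 192.168.2.0/24 whose default gateway is the VPN router at .1.
SERVER = [Route("192.168.2.0/24", "eth0"), Route("0.0.0.0/0", "eth0", via="192.168.2.1")]

# The VPN router when remote clients get their own subnet, 192.168.5.0/24, on the tunnel.
VPN_ROUTER = [
    Route("192.168.2.0/24", "eth1"),
    Route("192.168.5.0/24", "tun0"),                   # client pool, no proxy ARP needed
    Route("0.0.0.0/0", "eth0", via="203.0.113.1"),     # ISP uplink (documentation range)
]

# Road-warrior client at home on 192.168.7.0/24 with the tunnel up: a /32 of its own on
# the tunnel, a host route sending the encrypted packets for the VPN endpoint out via the
# home gateway, and two /1 routes that beat the home default by prefix length alone
# (the "redirect-gateway def1" trick used by OpenVPN).
CLIENT = [
    Route("192.168.7.0/24", "en0"),
    Route("0.0.0.0/0", "en0", via="192.168.7.1"),
    Route("192.168.5.10/32", "utun0"),
    Route("203.0.113.10/32", "en0", via="192.168.7.1"),
    Route("0.0.0.0/1", "utun0", via="192.168.5.1"),
    Route("128.0.0.0/1", "utun0", via="192.168.5.1"),
]

if __name__ == "__main__":
    print("server -> client in its own /24:", forwarding_decision(SERVER, "192.168.2.123"))
    print("server -> client on VPN subnet: ", forwarding_decision(SERVER, "192.168.5.10"))
    print("VPN router -> VPN client:       ", forwarding_decision(VPN_ROUTER, "192.168.5.10"))
    for dst in ("192.168.7.50", "203.0.113.10", "192.168.2.100", "8.8.8.8"):
        print(f"client -> {dst:14}", forwarding_decision(CLIENT, dst))
    print("/24 host, gateway .1 after /23 grow:  ", gateway_on_link("192.168.2.50/24", "192.168.2.1"))
    print("/24 host, gateway last of the new /23:", gateway_on_link("192.168.2.50/24", "192.168.3.254"))
```

The lookup explains both halves of the discussion: with the client numbered inside the server's /24 the server ARPs for it and somebody must answer, whereas with the client on its own subnet the server simply hands the reply to its gateway and the VPN router's own table sends it down the tunnel. On the client side, the /32 host route for the endpoint is what stops the already-encrypted traffic from being routed back into the tunnel it is carrying.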