Netmask Puns

Hello everyone,

is it possible to also use other netmasks beside /24 - e.g. /30 for only two nodes.

Any tutorial I found online always use a /24 netmask.

Have already opened a TAC case, but hoping some of the folks here can shed some light or may have seen this before.

We purchased some MR72 in early June. plugged all in, connected to network and speed tested them all at time of delivery to determine best antenna. Then removed from network (didn't have LICs yet, as deployment is not until now). Fast forward 2 months, going to drop these into the network and getting "Subnet mask must be valid netmask format" error. Will not let me add to the network at all. No other WAPs in that network yet, so no conflicts there.

thanks for any help/advice.

Hello Guys,

I'am wondering what technology you guys are using to segment traffic **within** a given VLAN.

Here is the ultimate goal we want to achieve : for users subnet, we would like to redirect ALL the trafic to the gateway (which in our case is a firewall), even trafic towards other computers in the sale VLAN.

With Cisco WiFi, it's easy: you just have to check "Forward trafic to upstream" and it's done.

However, when it comes to switches (wired), it's another world.

Currently, we are kind of using a hack to handle this : we send by DHCP a netmask option with the value 255.255.255.255 (/32).

This was tested after observing how some cloud providers are doing. We first tried it in a test subnet, and now a few years laters, we have 10k devices configured like that.

With this configuration, all the devices think that they are alone in their subnet and thus send all trafic to the gateway, even if behind the scene the destination is in the same VLAN.

This actually works like a charm (at least with all majors "users" OS - Windows/MAC/Linux/BSD/Android/IOS).

I'am well aware that it only works for Unicast; Multicast and broadcast are still received but still, there isn't any major risks with multicast/broadcast.

However, I literally never seen anyone doing this and there I found close to 0 information about this.

So here is my questions :

- What do you think about this? Do you see anything that could go wrong?

- What would be the "cleanest" way to achieve the same thing? Any other protocol/technology in mind?

We are using full C9k Cisco devices in Legacy mode (so no SDA Fabric).

Is there a reason to prefer one over the other from the below, on an ordinary home network?

• 192.168.0.1/24
• 192.168.0.1/16
• 10.0.0.1/16
• 10.0.0.1/8

Just as a few examples.

I have PiHole running on a Linux box. Once I got it working, it works without a hitch. But I did encounter an issue during config and have to manually work around it every time I change something around DHCP.

Namely, the default DHCP configuration page in the web interface doesn't have a "netmask" field. This is not carried over (or filled in or anything) into the corresponding configuration file (/etc/dnsmasq.d/02-pihole-dhcp.conf). The default relevant line would therefore look like:

dhcp-range=192.168.1.5,192.168.1.251,infinite

The result is that none of the devices asking DHCP for an IP address assignment gets one.

The workaround I found was to manually specify the netmask in the same configuration line and reload pihole-FTL, which makes it work absolutely fine:

dhcp-range=192.168.1.5,192.168.1.251,255.255.255.0,infinite

Downside is that any change in the DHCP settings (e.g. changing lease time) in the web window overwrites this manual setting and it has to be redone manually.

Am I missing something here? Did I misconfigure something else somewhere?

Hello, I am having issues with my Aircube ISP. I have had this set up before with a different router for testing and had this working as I wanted but I am not having the same success with my Aircube. I am basically double NATing on my home network to create a second semi-isolated network. I know this isn't necessarily the best way to do things, but it will accomplish my needs fine. After doing some research, I found how to prevent the second router from accessing other clients on the primary network using the WAN Subnet - in this case set to 255.255.255.252. This is supposed to only allow the Aircube to communicate with 192.168.1.1 (or whatever range I set with the subnet), however no matter what I set in the Netmask option, I am still able to access IPs out of that range on my primary network from the Aircube's secondary network. Again, I had this working with an ASUS router, so I don't know if there is a bug or I am missing something. Thanks for any help you can provide!

I just build my first pwnagotchi and after a few problems I got it to boot and work. But now I want to connect to it and give it a static ip, netmask gateway and dns. But everytime I configure it and close the window (win 10 pro btw.) and open it again to see if it saved the changes everything I just put in is gone and there are just empty fields. Anyone got a solution to this?

I kinda but not really get the super technical explanation of what it is

I'm creating a series of network gateway/tunnels with vnet and jails (FreeBSD 12.1p8). The topology looks something like this:

NICjail: Contains the physical NIC (igb0), bridge0, and epair members for connection to other tunnel jails (VPNs, Tor, I2P). VPN1jail: Connects to NICjail via epair. Contains a bridge and epairs to connect to WORKjails for daily activities. VPN2jail: Same as VPN1, but for different identities purposes. ... And so on ...

No problems creating the jails or interfaces. However, I'm a bit unsure about properly configuring the IP/netmask, whether I need to use NAT, or if I can just use my existing subnet address space. For example, I set up the following:

NICjail: igb0 has IP 192.168.1.11, and bridge0 has IP 192.168.1.12, with epair1a attached. VPN1jail: epair1b has 192.168.1.13 and bridge1 has IP 192.168.14, with epair2a attached. WORKjail: epair2b has 192.168.1.15. traceroute 1.1.1.1 shows me hopping to 192.168.1.13 --> 192.168.1.11 --> 192.168.1.1(my physical router) --> internet --> 1.1.1.1

Tentatively, it appears that I have accomplished gateway isolation for WORKjail, forcing traffic through VPN1 --> NICjail. Am I on the right track here? Is this a reasonable way to configure the jail network topology and proceed with configuring packet filtering and setting up the VPN? I'm not sure ... is it more secure to use NAT at each hop? Or maybe further subnet the address space by doing something like: NICjail: igb0 has IP 192.168.11/24, and bridge0 has IP 192.168.1.129/25.

I have read through most of Michael Lucas Networking for SysAdmins book (and his Jails/FreeBSD books). Still trying to get a handle on networking. Any help is greatly appreciated.

Am I correct that the default netmask is /22? I don’t see it anywhere but my gateway is on 192.268.4.1 so I am guessing that’s true.

Hi.

I am trying to configure an OpenVPN client on FreshTomato 2020.2 on a Netgear R7000.

I am using fairly vanilla settings. However, when I try to save the config, I get a popup that says, "Invalid Netmask". The dialog offers no indication which entry is causing the problem. None of the settings include a netmask. There is nothing in the logs.

I can't seem to find any forum entries discussing this error. The FreshTomato website appear to be unavailable as it moves to a new domain.

Any idea why this error is being generated?

Any suggestions how to fix it?

I'm stumped.

Thanks,

ManofMystry

I'm just getting started with my lab, and I'd like to have an address space dedicated to VMs and containers. Am I wrong to use netmask 255.255.0.0 to be able to access a container at 192.168.1.40 from my laptop at 192.168.0.101?

Is there a better way to do this?

Is it possible to set the netmask of the network here? It is sending out 255.0.0.0 which isn't correct for my network (10.11.13.0/24).

I know dnsmasq is an option, but was curious

https://tools.ietf.org/html/rfc1332

To exchange a WAN subnet (with 8, 16, 32… ip adresses) to my router, my ISP (KPN Zakelijk Internet) requests my router to do a "ipcp netmask request" (RFC 1332 PPP Internet Protocol Control Protocol) according to the Cisco implementation.

Can OPNSense do such an ipcp netmask request?

Hello,

I thought about posting this twice because it sounds like a newbie question, however I couldn't find any documentation, so here it is...

I'm working in a OSPF over dynamic IPSEC VPN lab and it isn't working even when I copy/pasted this recipe: https://cookbook.fortinet.com/ospf-dynamic-ipsec-vpn/ (for the curious: OSPF in the HQ side doesn't even try to send HELLO packets).

When checking the interface (config system interface) configuration I had this question again: why a subnet mask in the remote-ip option tunnel interface?

AFAIK, an IPSEC tunnel only has two ends and exactly one "neighboor", it's not a broadcast network like ethernet.

Thanks,
Max

I've just set up DHCPv6, and had some trouble with it because the leased address got a /128 netmask, so my clients could basically not reach anyone but themselves. After hours of digging I found this forum post that explained that this is the expected behavior, and that packets going to my leased prefix will have to go through the router. After advertising a route for <prefix>/128 via RA I got connectivity, so apparently the forum post was correct, which is great because now my setup works.

I'm still a bit confused though. The forum post didn't really explain why this is the expected behavior, and it's not specified in the DHCPv6 rfc from what I can tell. So I'm simply wondering why this is the expected behavior? Is it specified somewhere other than the RFC?

Thanks in advance

Hello,

I just got the FTLDNS running as dhcp on my local network. However I wanted to statically assign IP's in different ranges according to their type. Preferrably (for visibility) I'd like to use something like 192.168.0.x for regular devices, 192.168.1.x for smarthome devices, etc.

But it doesn't seem to be possible to change the netmask in the web ui. It's just set to 255.255.255.0.

Is this just not possible with dnsmasq? Because I also couldn't find any reference to it in the configs or on google.

Also name resolution for static addresses doesn't seem to work properly, as i can't resolve some of the statically assigned devices

    REoctet = "([0-9]{1,3})"
    REip = r"\.".join([REoctet] * 4)
    REcidr = "[0-9]{1,2}"
    RegExIP4wNM = re.compile(
        # Beginning of string
        "^"+
            # IP Address (mandatory)
            "(?P<ip>{0})".format(REip) +
            # Netmask or CIDR (optional)
            "(/" +
                # OR Block
                "(" +
                    # Netmask 
                    "(?P<mask>{0})".format(REip) +
                    "|" +
                    # CIDR 
                    "(?P<cidr>{0})".format(REcidr) +
                ")" +
            ")?" +
            # End of optional Netmask Block
        "$"
        # End of string
    )

    >>> ip=RegExIP4wNM.match("255.255.255.255")
    >>> ip.groupdict()
    {'ip': '255.255.255.255', 'mask': None, 'cidr': None}
    >>> ip=RegExIP4wNM.match("255.255.255.255/24")
    >>> ip.groupdict()
    {'ip': '255.255.255.255', 'mask': None, 'cidr': '24'}
    >>> ip=RegExIP4wNM.match("255.255.255.255/255.255.255.255")
    >>> ip.groupdict()
    {'ip': '255.255.255.255', 'mask': '255.255.255.255', 'cidr': None}

And then I found out that Python had built-in IP Address handling, but I thought I'd share anyway.