Is a pfSense router w/ a LAN gateway using a /20 bits subnet mask common?

Question

Obviously I'm lacking some networking knowledge, and I wish somebody could help me understand something fishy I found on a pfSense router in an organization yesterday. The pfSense router forces subnet mask of 255.255.240.0 on a LAN gateway like 9.9.192.1. Is this common? It's on ipv4 but it also has a turned off option for ipv6 currently, if that matters.

It's valid, because it works, but the minute you add a new computer or printer to the network and forget about this /20 bits subnet mask quirk, that newly added device acts super wonky and ends up freezing, crashing and/or dropping out of the network. For instance, a printer that had 255.255.255.0 as its subnet mask was receiving only a third of a page to print and would freeze until it's rebooted. I suspect it was receiving more bits and overflowed its RAM or something, hence the freezing. It's not the case of a single cheap printer, it did that to 4 printers out of 5 at this office. Different brands, different models, some 350$ printers, some 80$ printers.

Optional meditation on that gateway:

If a computer AND a printer are both on the 255.255.255.0 subnet mask, they can access the internet, but cannot communicate with each other on the LAN. Computers on 255.255.255.0 can communicate no problem with another computer on the LAN still. Just not computer <--> printer.

If a computer OR a printer has a 255.255.255.0 subnet mask while the other one has a 255.255.240.0 subnet mask, they can communicate to extremely wonky fashion and the printer almost immediately freezes when sent packets, never prints anything more than a third of a page and it crashes/freezes to a point it has to be rebooted (unusable really). Tough, both devices still can access the internet fine.

If both the computer AND a printer have the 255.255.240.0 subnet mask, they communicate super efficiently (instantaneously) without any problem at all, super stable and fast.

Question:

Can anybody explain why a pfSense router's subnet mask wouldn't be all 24 bits (255.255.255.0) like any regular router is? What is the advantage or any reason that could justify this /20 bits subnet mask enforcement? Is it common? Thanks.

@jonathanjo Sorry, I missed your comment earlier. 19 devices. — that-ben, Jan 04 '18 at 20:55
... how many are DHCP and how many are static? Do any have addresses which don't fit 9.9.192.X ? — jonathanjo, Jan 04 '18 at 21:05
Yesterday, since I came into that place and replaced the other guy who set this up before that no longer works there, I have begun to put all the printers, the backup hard drive, the server and the multimedia "TV" device on static IP's. At the moment only 5 printers are on static IP under a different network branch (but still using this DHCP gateway). On that same network branch, there are 0 static and around 12 dynamic, this varies because it includes cellphones. — that-ben, Jan 04 '18 at 21:13
The critical thing is whether any have addresses outside 9.9.192.X ... I suspect from your description that some do/did. — jonathanjo, Jan 04 '18 at 21:18
Yes, there are/were* on 9.9.193.0 and printers are/were on 9.9.194.0 (*BTW, following @Zac67 advice, I moved the gateway to 10.10.192.1 so there's no more 9.9.0.0 prefix) — that-ben, Jan 04 '18 at 21:23
24/24/20/24 makes no sense , "DHCP gateway" is difficult to interpret - is it the DHCP server OR the Gateway handed out by the DHCP server? Wrong gateways subnet masks should not cause crashes - freezes if they are network timeouts are possible - but you need to investigate to be clear that is what is happening typing /24/24/... is invalid so maybe that causes the crash If you have different network branches - which I interpret as subnets then are they meant to talk to each other and if so is there a router? If not then you could add a vlan to segregate them - but its not needed — Ross, Jan 04 '18 at 21:33
Yes sorry about my initial misinterpretating of bit masking, it's really /20 or 255.255.240.0 if you prefer, sorry about that bad notation I initially wrote. Also, it's the DHCP and the gateway, they're the same machine on the same interface, it's a pfSense router. — that-ben, Jan 04 '18 at 21:35

score 4 · Answer 1 · answered Jan 04 '18 at 19:59

4

Can anybody explain why a pfSense router's subnet mask wouldn't be all 24 bits (255.255.255.0) like any regular router is? What is the advantage or any reason that could justify this /24/24/20/24 bits subnet mask enforcement?

Two points:

There is nothing special about a 24 bit mask (255.255.255.0). The size of the mask depends on the sizeof the subnet, which in turn is based on the networking requirements. There is no "regular" subnet mask.
A subnet mask can be written as dotted decimal (255.255.255.0) or using "slash" notation (/24). They are equivalent. There is no such thing as "/24/24/20/24." That is just jibberish. If you're trying to type that in your router, that may be your problem.

answered Jan 04 '18 at 19:59

Ron Trunk

67,450
5
65
126

No I am not typing that in the router at all. The router has a GRAYED OUT subnet mask of 255.255.240.0 and no device works on the network outside of this subnet mask, which is expected, but my question is: Is this common a gateway setup for a small office? Any advantage of having a smaller bit sized subnet mask compared to 255.255.255.0 ? – that-ben Jan 04 '18 at 20:42
@that-ben, if it is greyed-out, then you are probably not logged in with the correct user. If you are the supervisor, then you should be able to make any changes to the configuration. Users with less privileges may not be able to change some things. – Ron Maupin Jan 04 '18 at 20:56
@Ron Maupin, as I told you before, I am the only user on that router: an admin that has access to the whole machine. If you knew what a pfSense router is, you'd know that you cannot see/do anything at all without logging in first. All you see is a login screen, nothing else, until you're logged in. There are no other usernames on this router. – that-ben Jan 04 '18 at 21:00
@that-ben, it may be that the super user has been deleted (maybe when the last guy left), but it could change anything on the router. You may need to reset it completely and create another supervisor for the router and rebuild it from scratch. You could then configure it any way you like. – Ron Maupin Jan 04 '18 at 21:04
Here's a screenshot (note that I changed it from 9.9.192.1 to 10.10.192.1 as per the suggestion from @Zac67 altough it's unrelated) but you SEE what I mean by the subnet mask being NON EDITABLE? http://oi68.tinypic.com/rwjw5f.jpg – that-ben Jan 04 '18 at 21:05
@RonMaupin Also about your other concern, here's a screenshot showing the only user (my username) is tied to the only user group on that machine and that group has total access to every single part of that machine, just like it told you before, there's no reason to reset i if I have full access to it: http://oi68.tinypic.com/5bsr5v.jpg – that-ben Jan 04 '18 at 21:10
You should try it from the command line. Most network engineers prefer to use the CLI, anyway. Yes, pfSense has a CLI interface. – Ron Maupin Jan 04 '18 at 21:12
I'm not an engineer but let me please doubt it will change ANYTHING in regards to changing the subnet mask. The web interface offers exactly the same options, except it's all easier since it's visual. Less prone to mistyping some command and screwing up the whole router, IMO. At the next downtime in a couple weeks (this place is open 7 days a week) I'll probably reset the whole router and do the initial setup wizard just to see if this is a PER SETUP setting that maybe cannot be changed dynamically, which would mean pfSense is a P.O.S. – that-ben Jan 04 '18 at 21:18
255.255.240.0 is not /24/24/20/24 each 255 is 8 bits - /24 means 24 bits so 255.255.240.0 is 8 + 8 + 4 bits when can be written as /20 . /24/24/20/24 is jibberish. – Ross Jan 04 '18 at 21:38
I know, sorry about that initial misinterpretation. I edited it to /20 which is 255.255.240.0 masking. – that-ben Jan 04 '18 at 21:41
@that-benTo answer your question, no, there is no advantage to having a /24 over a /20 as a network mask. You should make sure that all devices on the same network have that same mask. – Ron Trunk Jan 04 '18 at 21:50
Yes, that was already the case and I realized this yesterday while adding a printer to the network and fiddling for an hour until I paid closer attention to the "unusual" (at least for me) router's /20 bits DHCP subnet mask. OK so I think we can wrap this up, all my questions have been answered in different comments throughout here, so how can I credit everybody who helped? I would find it irritating to give 100% of the credit to only 1 person. – that-ben Jan 04 '18 at 21:55
I believe you can vote up more than one answer, but please mark one as "accepted," so it doesn't keep popping up. – Ron Trunk Jan 04 '18 at 21:59
I cannot. I do not have enough rep. Upvote my question and then I will have enough to upvote you guys. Thanks for helping out. – that-ben Jan 04 '18 at 22:16

Zac67 · Accepted Answer · 2018-01-04T21:53:31.137

3

9.9.192.1 is an address owned by IBM - so unless they've given it to you, you can't use it on your LAN without causing problems.

A subnet mask of 255.255.240.0 or /20 is completely fine as long as the address range you're using is large enough and either private (192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8) or granted to you. Mixing devices with differing network addresses or masks doesn't usually work as you've already noticed.

Usually, your network devices are configured by DHCP, so possibly you just need to correct the scope there. If you're not using DHCP now is a good time to start.

edit 1: You might want to read up on how subnetting works in this good question/answer: How do you calculate the prefix, network, subnet, and host numbers?

edit 2: The subnet mask defines the size of the subnet. Your mask 255.255.240.0 allows for 12 bits = 4,094 host addresses which might be a bit oversized. It doesn't hurt though, except that /24 might be slightly easier to handle.

edit 3: If your can't change the LAN subnet mask on the router just don't do it. Change the mask in the DHCP options and simply don't use the extra 4 bits of host addresses.

edit 4: your screenshot in the other comment - you should add additional details to your question instead - shows the DHCP options. These are most probably inherited from the NIC's network settings which may be the reason why you can't change them. Check the NIC's IP settings and correct the mask there if possible; the DHCP scope is likely to follow.

edited Jan 04 '18 at 21:53

answered Jan 04 '18 at 19:30

Zac67

84,333
4
69
133

That pfSense router has been running with this LAN gateway IP for nearly 5 years, I just arrived at the place and unfortunately I cannot talk about it with the guy who set that network up because he no longer works there. BUT like I said, it's working FINE, I'm just not understanding what's the POINT of this subnet mask and want to know if it's common or not. – that-ben Jan 04 '18 at 19:32
@that-ben, I have tried to explain the purpose of a mask that size to you. You set the mask size to accommodate the number of hosts and expected growth. – Ron Maupin Jan 04 '18 at 19:34
You're asking for help and I'm trying to provide help. Of course, networks can work even if you violate best practices but that requires that you exactly know what's going on. Make your life easier and configure it a more 'common' way. – Zac67 Jan 04 '18 at 19:38
@Zac67 Yes, I appreciate it, thanks! That's precisely what I intend to do by broadening the subnet mask to a standard 255.255.255.0 range. I still don't understand the point of reducing any subnet mask of a small organization down to 20 bits instead of 24. What harm would making it full 255.255.255.0 do? As I asked in my OP, what's the point or advantages of having it set up with 20 bits, except being super inconvenient when adding new devices? – that-ben Jan 04 '18 at 19:40
1

You can even use a mask of 255.0.0.0 (with 10.0.0.0/8) and have everything work AOK (it just doesn't make too much sense though). The mask isn't the problem, the discontinuity is. – Zac67 Jan 04 '18 at 19:44
I'd +1 on this last comment if I could, but I don't have the rep, I'll come back here in a couple weeks when I have enough rep. Thanks for this, which partially answers my questions. But still what's the advantage of a reduced subnet mask? Nobody could answer this OP question yet... performance? (I wouldn't think so) – that-ben Jan 04 '18 at 19:51
@that-ben, you have had that answered. IP addresses are resources that a professional network engineer will manage, just like any other resources. Using a mask to large wastes addresses, and using a mask too small will cause network problems. – Ron Maupin Jan 04 '18 at 20:04
@Zac67 OH YEAH!! Thanks to your last edit, I checked and YES it was under NIC settings! --> http://oi64.tinypic.com/24l35tk.jpg – that-ben Jan 04 '18 at 22:15
Glad we could work this out. ;-) – Zac67 Jan 04 '18 at 22:35

score 2 · Answer 3 · answered Jan 04 '18 at 19:24

QUESTION: Can anybody explain why a pfSense router's subnet mask wouldn't be all 24 bits (255.255.255.0) like any regular router is? What is the advantage or any reason that could justify this /24/24/20/24 bits subnet mask enforcement? Is it common?

You seem to be very confused. There is no "standard" network size. A router interface has the network size that you configure on it. You should choose a size that matches the network requirements. In this case, it seems that you configured the router with a 20-bit network mask, which will let you have 4094 host addresses on the network.

The hosts on a network need to have their network masks set to be the same size as the network mask is configured, otherwise you can end up with problems.

Comments are not for extended discussion; this conversation has been moved to chat. — Ron Maupin, Jan 21 '19 at 00:46

score 2 · Answer 4 · answered Jan 04 '18 at 21:53

Personally I prefer to not change anything until I know what is meant to work You seem to have two subnets in the same system - I dont know why (as in what is the functional requirement for two subnets )

There is no restriction to enforce that devices on the same switched network are in the same subnet - they cannot talk to each other , they still need a router and yet they share a layer 2 collision domain - but it still works - just maybe not the way you want. 255.255.240.0 means there are more possible devices in the collision domain at the IP level so there is a possible performance hit if you get to that many devices actually being present in the subnet - it makes no difference if there are not

Being locked at 255.255.240.0 is not an issue but having read all this - I think you are adding a new device and NOT specifying your correct sub-net mask of 255.255.240.0 and thus the new device cannot reach the devices it needs to and so it freezes with network timeouts (This is understandable )or applications crash because of network connectivity issues- (not so understandable - but it could happen) 255.255.240.0 is correct - so typing in a incorrect mask is wrong - if you cant change the router - then accept that's what the mask is and make sure you use that mask - Changing the mask after first implementation means changing the mask on all devices at the same time. (sort of if you know what your doing and understand the sub-nets you can sometimes work around this )

I'd relax - leave the subnet mask the way it is - fix all devices to use the correct subnet mask - and see what is and is not working - document (ie find out) what is meant to talk to what and then decide what to do

Everything worked when I left yesterday evening and I told employees to call me this morning if anything was not to their taste, and nobody called, which means all the printers, network shares, internet access and their remote SQL driven app works flawlessly. So everything was good when I left, but yes, I had to put the same subnet mask in every single machine for it to work reliably, but that is expected, actually. I was just wondering if this is a common router subnet mask for a small office (about 20 devices) because personally, I always saw /24 bits masks on routers like this before. — that-ben, Jan 04 '18 at 22:00
I can tell you tough that if 2 devices were on a /24 bits subnet mask, they could not talk to each other at all. That's 100% confirmed as at first I tried to put the 255.255.255.0 subnet mask on both devices and it was not working at all. — that-ben, Jan 04 '18 at 22:02

score 1 · Answer 5 · edited Jun 17 '20 at 08:51

Your basic troubles were all here:

Can anybody explain why a router's subnet mask wouldn't be all 24 bits (255.255.255.0)

The answer is exactly in our exchange in comments:

The critical thing is whether any have addresses outside 9.9.192.X ... I > suspect from your description that some do/did. – jonathanjo

Yes, there are/were* on 9.9.193.0 and printers are/were on 9.9.194.0 – that-ben

Because you had some hosts with addresses 9.9.192.X, some with 9.9.193.X and some with 9.9.194.X, for them to be in the same local network, you must use a network mask of /22 or below. (Many find multiples-of-four netmasks easier to deal with, and so /20 isn't that uncommon on private networks. Your predecessor apparently was in this group.)

For 20 hosts, this is all pretty strange.

/20 is pretty huge (4096 addresses) when you only need 20. (It's surely not possible your predecessor thought /20 meant "space for 20 hosts"?)
9.9.X.X is a public address whose real hosts, out in the internet, will be inaccessible to you

Unless your predecessor had constraints you haven't mentioned (segment the hosts in some way to prevent something), it might be worth just renumbering to something more conventional. (To be concrete, you might consider 192.168.0.0/24, with router at .1, servers starting from .32, printers from .48 and laptops/workstations at .128, any switches or odd things at .8)

There are any number of posts here and all over the web on how network masks work, and it's really worth reading up on it. (Mostly they don't explain why it works this way: it's basically because th bitwise logic could be done in a microsecond or so, even on little microprocessors in 1980s.)

Kind regards and hope that's helpful.

PS: "I moved the gateway to 10.10.192.1 so there's no more 9.9.0.0 prefix" is likely to make things worse if there still are any hosts with address like 9.9.x.x. I confess I haven't followed what you've tried and what still is a problem..

Wow, valuable information about HAVING to use a lower than /22 bits subnet mask for multiple network branches (10.10.192.0, 10.10.193.0, 10.10.194.0) work. Very interesting and not raised yesterday in this whole post comments/answers. Yes, I think he tried to isolate printers and some computers outside of 10.10.192.0 because that 192 net branch is used for a "public" * Wifi hotspot. * it's not public per se, but many many people have the password for this hot spot. About your PS: No, all is fine, Windows just instantly reconnected to the network and are OK. Thanks for helping out! — that-ben, Jan 05 '18 at 17:27

Is a pfSense router w/ a LAN gateway using a /20 bits subnet mask common?

5 Answers5