My LAN iface address is 192.168.10.1/16
My DHCP was 192.168.10.100-192.168.10.120
I moved it to 192.168.11.1-192.168.11.254, and DHCP clients lost access through the LAN iface.
There is the default rule that allows all LAN access to the outside, through the LAN iface: LAN net * * * etc, but it is not clear how the LAN net is defined. There are no blocking rules on the LAN that could possibly have applied to the new range, only a few IP-specific /32 rules that block a tiny handful of different devices.
I tried to create a new rule to allow 192.168.11.0/24 and put it at the top of the list, but they still had no access. Only when I moved the DHCP back to its original range did they begin to work again.
What do I have to do to move the DHCP range as per above?
a. Do not use the same range for dynamic and static IP adresses, i.e. 192.168.11.1-x is a bad choice, because 192.168.11.1 is OpnSense itself.
b. Did you actually set the LAN interface address to 192.168.11.1 or did you only change the DHCP range?
c. Did you restart your clients, such that they can pick up the new addresses? They will only request an IP after half the default lease time has expired, which can be quite long. In order to facilitate such a change, one usually limits the DHCP lease time on the old range first to a few minutes, then waits for the old lease time to pass and then change the IP range.
Quote from: meyergru on April 30, 2025, 02:10:25 PMb. Did you actually set the LAN interface address to 192.168.11.1 or did you only change the DHCP range?
Like I wrote, I changed the DHCP address range. The LAN iface address remains the same as it has always been, and it has to stay this way. Why should have I changed the LAN iface from .10.1 to .11.1? The whole point is for the DHCP subnet to be different from the fixed IP subnet.
Quote from: meyergru on April 30, 2025, 02:10:25 PMc. Did you restart your clients, such that they can pick up the new addresses? They will only request an IP after half the default lease time has expired, which can be quite long. In order to facilitate such a change, one usually limits the DHCP lease time on the old range first to a few minutes, then waits for the old lease time to pass and then change the IP range.
I did even though they picked the new address on their own. The problem arose after they had gotten the new address, i.e. I saw one having 192.168.11.2 and it could not ping the LAN iface of the router but pinged the rest of the LAN no problemo.
Thinking of this, there should not have been any problems even had they not picked up the new range because there are no firewall rules that could block them. Even if they were still stuck on the old DHCP range it was still valid to pass through the firewall.
Of course. 192.168.11.2/24 can only reach other systems in the 192.168.11.0/24 network. That's what netmasks aka prefix lengths are about. Your OPNsense needs an alias IP address in the 192.168.11.0/24 network on the LAN interface and that address needs to be configured as the default gateway in the DHCP settings.
That's how IP addressing and routing works. You cannot assign 192.168.11.x/24 to your hosts and expect them to use the 192.168.10.1 gateway.
Quote from: verfluchten on April 30, 2025, 02:22:18 PMQuote from: meyergru on April 30, 2025, 02:10:25 PMb. Did you actually set the LAN interface address to 192.168.11.1 or did you only change the DHCP range?
Like I wrote, I changed the DHCP address range. The LAN iface address remains the same as it has always been, and it has to stay this way. Why should have I changed the LAN iface from .10.1 to .11.1? The whole point is for the DHCP subnet to be different from the fixed IP subnet.
The point is that if your interface has 192.168.10.1/24, it will not communicate with IPs from another subnet that is not within its subnet - probably it will not even respond to DHCP requests. It simply does not work that way, basic networking 101. You could get away with such a construct if you change the IP of the interface to 192.168.10.1/23 to cover both ranges or by using a virtual IP. You would have to use the same subnet for DHCP as well and then you could limit the range to 192.168.11.1-x (this is O.K. as long as OpnSense does not use 192.168.11.1).
Quote from: verfluchten on April 30, 2025, 02:22:18 PMQuote from: meyergru on April 30, 2025, 02:10:25 PMc. Did you restart your clients, such that they can pick up the new addresses? They will only request an IP after half the default lease time has expired, which can be quite long. In order to facilitate such a change, one usually limits the DHCP lease time on the old range first to a few minutes, then waits for the old lease time to pass and then change the IP range.
I did even though they picked the new address on their own. The problem arose after they had gotten the new address, i.e. I saw one having 192.168.11.2 and it could not ping the LAN iface of the router but pinged the rest of the LAN no problemo.
Yes, as explained above. Before firewall rules can apply, you have to get basic IP connectivity correct.
Quote from: meyergru on April 30, 2025, 02:29:36 PMThe point is that if your interface has 192.168.10.1/24, it will not communicate with IPs from another subnet that is not within its subnet
What in your opinion makes my interface /24? It is /16, like I wrote.
Quote from: Patrick M. Hausen on April 30, 2025, 02:27:18 PMOf course. 192.168.11.2/24 can only reach other systems in the 192.168.11.0/24 network.
What in your opinion makes my interface /24? It is /16, like I wrote.
In that case what is the default gateway in your DHCP configuration set to?
Quote from: Patrick M. Hausen on April 30, 2025, 03:04:55 PMIn that case what is the default gateway in your DHCP configuration set to?
Do you mean, on the device that is leasing DHCP? If you do, then that would still be the same gateway of 192.168.10.1 that is's always been. I only changed the range, nothing else, so the gateway would not have changed.
I re-read your question and realized that you ask about the OS DHCP service screen. Yes, the answer is the same, still the same old router LAN NIC address of 192.168.10.1.
...and what is the netmask in the DHCP configuration? If it is also /16 and the gateway is 192.168.10.1, then it should work.
Then again, this should be auto-calculated from the interface netmask.
Quote from: verfluchten on April 30, 2025, 03:13:35 PMDo you mean, on the device that is leasing DHCP?
Yes, the settings in Services > ISC DHCPv4 > LAN ... best post a complete screen shot.
Quote from: meyergru on April 30, 2025, 03:16:38 PM...and what is the netmask in the DHCP configuration? If it is also /16 and the gateway is 192.168.10.1, then it should work.
I do not control that netmask. It is just text inherited from the LAN iface mask, not a data entry field: 255.255.0.0.
I totally get it that it should work, but it does not.
My other devices that live in .12.0 subnet have no prolblem accessing the network outside the router LAN iface. Why can't the devices that live in the .11.0? From the ethernet/IP perspective they are not different!
192.168.10.0/16 and 192.168.12.0/x do overlap in case that other subnet is on another interface... check the routing on your OpnSense.
BTW: That is why usually, you have /24 netmasks on 192.168.x.y networks. You might also try limiting your LAN to /23 in order to not have it overlap the 192.168.12.0/24 network.
Quote from: meyergru on April 30, 2025, 03:36:04 PM192.168.10.0/16 and 192.168.12.0/x do overlap... check the routing on your OpnSense.
Why do you believe that this is relevant to the original question? Even if this is an issue, it seems to be different topic to me. Under this topic, I only want to address one single issue: loss of connectivity on the DHCP subnet. Everything else should wait until I raise it in a different thread, unless it is the same issue. Is this?
Yes, if the 192.168.12.0/x subnet overlaps your LAN network, its route may take precedence. You cannot have two overlapping networks on the same router, because it it unclear where packets should be headed in that case.
That is just as bad as having 192.168.10.0/24 assigned to two different ports (that are not bridged) and expecting traffic to pass between those.
Quote from: verfluchten on April 30, 2025, 03:26:55 PMMy other devices that live in .12.0 subnet have no prolblem accessing the network outside the router LAN iface. Why can't the devices that live in the .11.0? From the ethernet/IP perspective they are not different!
Post the output of "netstat -rn" on your OPNsense, please. You can obfuscate your WAN address but we need all the internal RFC 1918 networks. They are not privacy relevant/critical.
Quote from: meyergru on April 30, 2025, 03:49:00 PMes, if the 192.168.12.0/x subnet overlaps your LAN network, its route may take precedence. You cannot have two overlapping networks on the same router, because it it unclear where packets should be headed in that case.
I do not follow your logic. My LAN iface network is 192.168.0.0/16 which allows for any address in the range of 192.168.0.1-192.168.254.254, so I am free to use any subnets be they .10.0, .11.0, .12.0 or .254.0. All of the subnets with static IPs work fine but not the DHCP subnet. What am I missing?
Quote from: meyergru on April 30, 2025, 03:49:00 PMYou cannot have two overlapping networks on the same router,
Unfortunately, I do not understand your terminology. What are you referring to as "two overlapping networks"? There is only one network assigned to the LAN iface 192.168.10.1/16. Which is the other one?
Quote from: Patrick M. Hausen on April 30, 2025, 03:56:28 PMPost the output of "netstat -rn" on your OPNsense, please. You can obfuscate your WAN address but we need all the internal RFC 1918 networks. They are not privacy relevant/critical.
I think you nailed it! There is a duplicate 192.168.11.0 network that overlaps with my DHCP range. I totally forgot about the now-unused OpenVPN which uses it. Thank you so much for this simple diagnostics that I forgot to run!