Increasing size of subnet associated with a vlan kills internet access

Networking & Firewalls
1

Hey everyone…
I’ve had pfsense working well for years, but I’m starting to make a few changes. I want my vlans to use /23 subnets now vs /24. no, I don’t have thousands of devices, it’s purely for organizational reasons.

example, the vlan I have changed so far… my private vlan WAS 192.168.70.1/24 with a subset of those ip’s assigned to dhcp. Now I want, and have tried to make it 192.168.70.1/23 with 192.168.71.x assigned to dhcp and 192.168.70.x for devices assigned a static ip through pfsense. Thus anything at a glance that has a 192.168.71.x IP doesn’t have a static IP assigned.

Well, now anything that does get a dhcp assigned IP (and in the new larger IP range) can’t reach the internet. This was an unintended consequence that I am trying to fix. The moment I assign a static IP to the device in pfsense (in the original 192.168.70.x range), boom… it has no problem accessing the internet. My firewall rule for the vlan is “allow all traffic”. I’ve rebooted pfsense and endpoints but the problem persists.

Some screen shots:

image
image1170×1179 91.4 KB

image
image1161×810 63.7 KB

image
image1167×411 31.8 KB

2

There are a bunch of things that potentially use that subnet mask. Firewall rules, NAT, routing tables, DHCP (both on the server and on each individual client). I’m sure I’m missing one or two. Instead of trying to track them all down in the GUI, I wonder if it would be more thorough to download a backup of the config file, open a copy in a text editor, and then do a find/replace, changing all of the /24 with /23. Then you could restore from that new config file. If you borked something you could fall back to your backup.

3

i think i understand what you are saying, but fingers crossed someone else has an idea on how i can fix it in the GUI.

4

welp, something interesting has happened. a desktop I have that has a dhcp assigned ip in the expanded range can now access the internet. the only variable that seems to have changed… time. go figure. but it’s working, at least for now.