IP Subnetting Concepts

When configuring TCP/IP settings on a device, a subnet mask (or prefix length for IPv6) must be specified. This mask enables the device to determine which IP addresses are on the local network and which must be reached through a gateway listed in the routing table. The default LAN IP address of 192.168.1.1 with a mask of 255.255.255.0, or /24 in CIDR notation, has a network address of 192.168.1.0/24. CIDR is discussed in Understanding CIDR Subnet Mask Notation.

IP Address, Subnet and Gateway Configuration

The TCP/IP configuration of a host consists of the address, subnet mask (or prefix length for IPv6) and gateway. A host identifies which IP addresses are on its local network by combining its IP address with the subnet mask. A host sends packets for addresses outside the local network to its configured default gateway, which it assumes will pass the traffic on to the desired destination. An exception to this rule is a static route, which instructs a device to reach specific non-local subnets via a locally connected router rather than the default gateway. This list of gateways and static routes is kept in the routing table of each host. To see the routing table used by pfSense® software, see Route Table Contents.

See also

More information about routing can be found in Routing.

In a typical deployment of pfSense software, hosts on the LAN are assigned an IP address, subnet mask and gateway within the LAN range of the firewall running pfSense software. The LAN IP address on the firewall becomes the default gateway for hosts on the LAN. For hosts connecting through an interface other than LAN, use the corresponding configuration of the interface to which the device is connected.

Hosts within a single network communicate directly with each other without involvement from the gateway. This means that no firewall, including one running pfSense software, can control host-to-host communication within a network segment. If this control is a requirement, hosts must be segmented using multiple switches or VLANs, or by employing equivalent switch functionality such as PVLAN.
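The local-versus-gateway decision described above, worked through in code as an added example (not part of the pfSense documentation or software): the host builds a small routing table from its address, mask, default gateway and any static routes, then picks the most specific matching entry for each destination. The LAN values mirror the page's defaults; the host address 192.168.1.50, the static route 10.20.0.0/16 via 192.168.1.254 and the IPv6 addresses are constructed for illustration.

```python
import ipaddress

# Constructed host configuration: a LAN host behind the default pfSense LAN
# address 192.168.1.1/24. The static route and its router are hypothetical.
HOST_IP = "192.168.1.50"
HOST_MASK = "255.255.255.0"          # equivalent to /24
DEFAULT_GATEWAY = "192.168.1.1"      # the firewall's LAN address
STATIC_ROUTES = {"10.20.0.0/16": "192.168.1.254"}  # via another LAN router


def build_routing_table(ip, mask_or_prefix, default_gw, static_routes):
    """Return (network, next_hop) entries, most specific prefix first.

    next_hop is None for the directly connected network (on-link delivery,
    no gateway involved) and an ip_address for routed destinations.
    Works for IPv4 dotted masks ("255.255.255.0") and prefix lengths ("64").
    """
    local_net = ipaddress.ip_interface(f"{ip}/{mask_or_prefix}").network
    table = [(local_net, None)]
    for prefix, gw in static_routes.items():
        table.append((ipaddress.ip_network(prefix), ipaddress.ip_address(gw)))
    # The default route catches everything not matched by a longer prefix.
    default = "0.0.0.0/0" if local_net.version == 4 else "::/0"
    table.append((ipaddress.ip_network(default), ipaddress.ip_address(default_gw)))
    # Longest-prefix match: sort so the most specific entry is checked first.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, destination):
    """Return None if destination is on the local network, else the gateway."""
    dst = ipaddress.ip_address(destination)
    for net, gw in table:
        if dst in net:
            return gw
    raise LookupError(f"no route to {destination}")


if __name__ == "__main__":
    table = build_routing_table(HOST_IP, HOST_MASK, DEFAULT_GATEWAY, STATIC_ROUTES)
    for dst in ("192.168.1.77", "10.20.5.1", "203.0.113.9"):
        hop = next_hop(table, dst)
        print(dst, "-> on-link" if hop is None else f"-> via {hop}")
```

Changing HOST_MASK to 255.255.0.0 makes 192.168.2.x destinations on-link, which is exactly why a wrong mask silently bypasses the firewall for part of the address space.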

See also

VLANs are covered in Virtual LANs (VLANs).