DHCP server with /22 subnetmask

Trying to use openwrt as DHCP server on my home network (behind another router). Want to use a /22 instead of /24. IP address range for home network: 192.168.4.0/22. Looks like DHCP server is only suitable for /24 since you specify a starting address and number of addresses. If I specify 50 as starting address and 900 as number of addresses, would that work? I plan to logically divide my network in ranges, 192.168.4.1 to 192.168.4.255 = infrastructure devices, 192.168.5.1 to 192.168.5.255 = wireless, 192.168.6.1 to 192.168.6.255 for IoT and last one for testing. Theoretically, I have 1024 IP addresses minus network and broadcast. Most of the addresses will be DHCP static anyway, meaning I will use DHCP but they will always get the same address. Is that possible?

Definitely possible, and probably the way you're thinking of configuring it.

I'm curious though as to your goals. Many people who segment their networks will split them into subnets so that they can control the traffic flow between the various classes of devices or control zones. With them all on a single network, it seems like you just get "nice" IP addresses out of what you're proposing.

2 Likes

You can certainly do that, though like @jeff said, it's just "nice" numbers that no one will likely see. The point of DNS is that you can think in names instead of IP numbers.

Only the first and last addresses in the whole block are reserved, so for example 192.168.5.0 could be a valid device address in your scheme.

Dnsmasq has a global limit on the number of address leases including all interfaces. I think that defaults to 1500 but can be increased.

1 Like

Your assessment that "DHCP server is only suitable for /24" is wrong, but your next sentence is almost correct: "you specify a starting address and number of addresses."

You do not actually specify the starting address (or "last digit"), but the starting offset and the number of addresses.

Yes, that would work.

That behaviour of having more than a /24 prefix is even documented in the wiki (although the example is about assigning a small range from a large prefix):
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_pool_for_a_large_network

In DHCP pool limit setting, the start and limit values do not refer to the “last digit”, they're relative offsets to the network address.

the network address of 10.0.0.1 / 255.0.0.0 is 10.0.0.0
the 10.22.0.1 start address is 22 x /16 subnets away: (2^16) * 22 = 1441792
10.0.0.0 + 1441792 + 1 = 10.22.0.1 → start = 1441793
10.22.0.254 - 10.22.0.1 = 253 → limit = 253

2 Likes
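As an added example (not code from the thread, the OpenWrt wiki or the OpenWrt project), the offset arithmetic above applied to the original poster's 192.168.4.0/22 block, in both directions: from a desired first/last address to the dhcp `start`/`limit` values, and from `start=50, limit=900` back to the addresses that pool actually covers. It assumes `limit` is an inclusive count (the last address handed out is network + start + limit - 1); the `pool_offsets`, `pool_range`, `uci_commands` and `zone_of` names and the zone labels are this example's own, not OpenWrt options. The `start`/`limit` uci options are the ones the thread discusses.

```python
# Added example, not from the thread or from OpenWrt: OpenWrt dhcp start/limit
# offsets for a pool inside a non-/24 network, using only the standard library.
# Assumption: 'limit' is an inclusive count, so the last address handed out is
# network_address + start + limit - 1.
import ipaddress


def pool_offsets(network, first_host, last_host):
    """Return (start, limit) for a pool covering first_host..last_host inclusive."""
    net = ipaddress.ip_network(network, strict=True)
    first = ipaddress.ip_address(first_host)
    last = ipaddress.ip_address(last_host)
    if first not in net or last not in net:
        raise ValueError("pool boundaries must lie inside the network")
    if first > last:
        raise ValueError("first_host must not be above last_host")
    # Only the network and broadcast address of the whole block are reserved;
    # addresses such as 192.168.5.0 or 192.168.5.255 are ordinary hosts in a /22.
    if first == net.network_address or last == net.broadcast_address:
        raise ValueError("pool must not include the network or broadcast address")
    start = int(first) - int(net.network_address)   # offset from the network address
    limit = int(last) - int(first) + 1              # inclusive number of addresses
    return start, limit


def pool_range(network, start, limit):
    """Reverse direction: the first and last address a given start/limit hands out."""
    net = ipaddress.ip_network(network, strict=True)
    if start < 1 or limit < 1:
        raise ValueError("start and limit must be positive")
    first = net.network_address + start
    last = first + limit - 1
    if last >= net.broadcast_address:
        raise ValueError("pool overruns the usable range of the network")
    return str(first), str(last)


def uci_commands(interface, start, limit):
    """The uci commands that apply the computed pool to an interface's dhcp section."""
    return [
        f"uci set dhcp.{interface}.start={start}",
        f"uci set dhcp.{interface}.limit={limit}",
        "uci commit dhcp",
        "/etc/init.d/dnsmasq restart",
    ]


# Constructed mapping of the poster's "logical" /24 ranges inside 192.168.4.0/22;
# the labels are this example's own.
HOME_BLOCK = ipaddress.ip_network("192.168.4.0/22")
ZONES = {4: "infrastructure", 5: "wireless", 6: "iot", 7: "testing"}


def zone_of(ip):
    """Label an address by its third octet, the way the poster reads sFlow records."""
    addr = ipaddress.ip_address(ip)
    if addr not in HOME_BLOCK:
        return "outside"
    return ZONES[(int(addr) >> 8) & 0xFF]


if __name__ == "__main__":
    # The poster's proposal: start=50, limit=900 inside 192.168.4.0/22.
    print(pool_range("192.168.4.0/22", 50, 900))
    # A pool spanning the whole usable block except the first 49 hosts.
    start, limit = pool_offsets("192.168.4.0/22", "192.168.4.50", "192.168.7.254")
    print(start, limit)
    print("\n".join(uci_commands("lan", start, limit)))
    print(zone_of("192.168.6.9"), zone_of("192.168.5.0"))
```

Running it shows that `start=50, limit=900` covers 192.168.4.50 through 192.168.7.181, and that covering everything from 192.168.4.50 up to 192.168.7.254 takes `limit=973`; a pool that would reach the broadcast address is rejected rather than silently truncated.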

Thanks Jeff,
Yes, it's logical only. Would have created different VLANs and routed as needed, but my Pace cable modem only allows me to have one cascaded network. I do monitor my traffic to and from the internet via sFlow and the logical separation enables me to just look at the IP address and know what "logical" subnet it is from. If my IoT devices have a lot of ftp traffic to the internet, I might have a problem :-). Unfortunately I am one of those ATT customers that can't put their cable modem/router into bridge mode. I would have preferred that and to do all the routing/NATing on my own.

You can still split your devices among different local networks which would have the advantage of being able to "tune" what they can and can't see or do independently. For example, my TP-Link IoT devices get completely different DNS than do my "trusted" hosts, or even my "guest" networks. The TP-Link devices are also blocked from any outside Internet access. By using VLANs, you can not only use a different DHCP block for each, supply different services and selection of services, but also manage VLAN-to-VLAN routing with firewall rules (for example blocking one VLAN from another).

If you have a managed switch (available for under US$100), you can easily extend this to wired hosts past the four ports a typical home, all-in-one router provides. Even without a switch, you could, for example, set up a management VLAN which would make it more difficult for a "random" device to try to get into your infrastructure devices with SSH or through LuCI.