6 Replies

  • The best way is to add a completely new subnet and move devices in a controlled manner. It gives time to test and resolve problems for the challenging devices - even leaving some as they are if they cannot be changed.

    But you might also consider other criteria for example: fastest, cheapest, cost effective with some risk etc.
    Your idea of expanding the current range to a /22 can work, but the potential risks/complexities are:
    - The use of 192.168.0.x and 192.168.1.x should generally be avoided so as not to clash with other default installations on routers etc.
    - Make sure your new range is compatible with VPNs and external parties you connect with.
    - Keep the default gateway device in the 192.168.1.x range so that the current devices can communicate with it before their subnet mask is changed. This also allows a device to keep its mask if you cannot access it.
    - You must use a router/firewall as your default gateway that allows hairpin (in and out the same interface), so that during migration devices with the /24 mask can communicate with devices on the new /22 mask. This is the most challenging bit.

    Spice (4)
    1 found this helpful
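The hairpin point in the reply above is easy to get wrong in the abstract, so here is a small model of it (an added example, not code from the thread). Every host sits on the same switch segment; only the mask differs. A host ARPs directly for destinations inside its own prefix and hands everything else to its default gateway, which must itself be on-link. The host addresses and the "moved gateway" alternative are constructed for the example.

```python
"""Model of one flat L2 segment during a /24 -> /22 migration.

A host delivers a packet directly (it ARPs for the destination) when the
destination falls inside the prefix the host believes it is on; otherwise
it forwards to its default gateway, which must be on-link for that host.
"""
from ipaddress import IPv4Address, IPv4Interface

# Constructed gateways (not from the thread):
GATEWAY_KEPT = IPv4Address("192.168.1.1")   # gateway left inside the old /24, as advised
GATEWAY_MOVED = IPv4Address("192.168.2.1")  # what happens if the gateway is renumbered first


def on_link(iface: IPv4Interface, dst: IPv4Address) -> bool:
    """True if `dst` lies inside the prefix this host is configured with."""
    return dst in iface.network


def path(src: IPv4Interface, gateway: IPv4Address, dst: IPv4Address) -> str:
    """How `src` would deliver a packet to `dst`.

    'direct'   - src resolves dst itself (dst is inside src's own prefix)
    'hairpin'  - src sends to its gateway; the gateway must forward the packet
                 back out the same interface because dst is on the same segment
    'no-route' - src's gateway is not on-link for src, so nothing leaves
    """
    if on_link(src, dst):
        return "direct"
    if not on_link(src, gateway):
        return "no-route"
    return "hairpin"


def migration_matrix(gateway: IPv4Address) -> dict[str, str]:
    """Delivery path in each direction between a not-yet-remasked host and a
    host already on the new /22 (constructed sample addresses)."""
    legacy = IPv4Interface("192.168.1.50/24")    # still on the old mask
    migrated = IPv4Interface("192.168.2.10/22")  # already on the new mask
    return {
        "legacy->migrated": path(legacy, gateway, migrated.ip),
        "migrated->legacy": path(migrated, gateway, legacy.ip),
    }


if __name__ == "__main__":
    for name, gw in (("gateway kept", GATEWAY_KEPT), ("gateway moved", GATEWAY_MOVED)):
        print(name, migration_matrix(gw))
```

With the gateway kept at 192.168.1.1 the paths are asymmetric: the migrated host reaches the legacy host directly, while the legacy host's replies go to the gateway and must be hairpinned back out the same interface. Renumber the gateway first and the legacy host has no usable route at all, which is exactly the ordering constraint the reply describes.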
  • Personally I would create a new subnet (or subnets) with DHCP where necessary for all the devices you can reconfigure and move what you can to that subnet.

    Leave the old subnet in place for the kit you can't reconfigure and over time as that kit is retired eventually the old subnet will become redundant.

    Definitely try to get as much as possible off of 192.168.0.x or 192.168.1.x as that is usually default addresses for any consumer routers that may make their way on to the network and can cause issues.

    Spice (2)
    2 found this helpful
  • I would second Kenny8416's suggestion, as it is so much easier and immediate to move machines on DHCP to another subnet just by changing the DHCP settings, but I would move them to a much larger subnet and start using IP addresses from the other end so as not to clash with existing and new ones.

    - 192.168.1.xxx /24 for current machines with static IPs
    - 192.168.2.xxx /22 for new machines
    - 192.168.4.xxx /22 for DHCP (250 addresses)

  • I suggest you move devices that you can off of the current subnet. Having all of those various critical and unsupported devices in the same network is a security nightmare.

    I am a bit surprised that the VPN works, given the fact that you are on You likely cannot just configure VPN in your side. You need to review the VPN configuration, as there are different ways to make VPN work. There could be NAT involved, IPsec proxy ID, who knows what else.

    Move things off the current subnet that don't need VPN access. Printers, Wi-Fi clients, IP phones, etc.

  • Hello Labsy.

    What do your VPN peers need access to on your LAN? It can't be everything, including access control devices and your facility HVAC equipment.

    Any devices you move to new subnets will no longer be reachable over the VPN, something that may be undesirable if that's a regulatory requirement so you will need to coordinate with all your VPN peers to make corresponding changes to both sides of the tunnel.

    I would advise that you separate medical equipment from your own facility equipment on different subnets. If the medical devices still exceed a /24 subnet then you can move them to a /23 subnet and coordinate with your VPN peers to update the VPN tunnel config.

    I concur with others here that you should move off the /24 subnet. It could present a problem in the future.

    You would configure your router with new subnets or VLAN interfaces depending on your network topology. Then configure DHCP pools for the computers and facility devices. You can then manage IP allocation using reservations where applicable and normal DHCP assignment for computers.

    Plan first, prepare and document then execute.

    Start by moving all devices that don't need VPN access off the main LAN and you will buy some time to get the different admins to make the required changes.

    All the best.

    Greetings from Nairobi.

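Two of the replies above hinge on checks a practitioner would run on paper before renumbering anything: whether each planned prefix is written on a real network boundary and overlaps nothing else (the address plan in the third reply), and whether the VPN peers' traffic selectors still cover a prefix after devices move (the fifth reply's point about coordinating tunnel changes). The following is an added example, not code from the thread. Its sample input is the three ranges from the third reply written exactly as posted, plus an assumed VPN selector of 192.168.1.0/24, which the thread does not state.

```python
"""Pre-flight checks for a renumbering plan.

Answers three questions before anyone touches a device:
  1. Is each prefix written on its network boundary, or does the mask
     silently widen it to a different network than the one intended?
  2. Do any planned prefixes overlap one another?
  3. Is each prefix fully, partly or not covered by the VPN traffic
     selectors (proxy IDs) the peers currently have configured?
"""
from ipaddress import IPv4Network, ip_address, ip_network


def normalize(prefix: str) -> tuple[IPv4Network, bool]:
    """Return the network a prefix really denotes and whether the address
    part already was that network's address (i.e. written on its boundary)."""
    net = ip_network(prefix, strict=False)
    written = ip_address(prefix.split("/")[0])
    return net, written == net.network_address


def overlapping_pairs(nets: list[IPv4Network]) -> list[tuple[str, str]]:
    """Every pair of planned networks that share at least one address."""
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def vpn_coverage(selectors: list[IPv4Network], net: IPv4Network) -> str:
    """'full' if one selector contains the whole prefix, 'partial' if a
    selector only overlaps it, 'none' if the peers must add a selector."""
    if any(net.subnet_of(sel) for sel in selectors):
        return "full"
    if any(net.overlaps(sel) for sel in selectors):
        return "partial"
    return "none"


def review_plan(prefixes: list[str], vpn_selectors: list[str]) -> dict:
    """Build a report over a list of planned prefixes and current VPN selectors."""
    selectors = [ip_network(s) for s in vpn_selectors]
    report: dict = {"networks": {}, "overlaps": []}
    nets = []
    for p in prefixes:
        net, on_boundary = normalize(p)
        nets.append(net)
        report["networks"][p] = {
            "network": str(net),
            "on_boundary": on_boundary,
            "vpn": vpn_coverage(selectors, net),
            "usable_hosts": net.num_addresses - 2,
        }
    report["overlaps"] = overlapping_pairs(nets)
    return report


# Constructed input: the three ranges from the third reply as posted, and an
# assumed VPN selector matching the original /24 (an assumption, not from the thread).
PLAN = ["192.168.1.0/24", "192.168.2.0/22", "192.168.4.0/22"]
VPN_SELECTORS = ["192.168.1.0/24"]

if __name__ == "__main__":
    import json
    print(json.dumps(review_plan(PLAN, VPN_SELECTORS), indent=2))
```

The report is meant to be read before the change window: any prefix whose `on_boundary` is false means the router will install a different network than the one written in the plan, any entry in `overlaps` means two planned networks will compete for the same addresses, and any `vpn` value other than `full` is a selector change the remote admins have to make on their side of the tunnel.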
  • Suppose you have a large group of similar devices (laptops, PCs, cameras, etc.). In that case, you may just move those to a new different subnet, freeing IP addresses in the existing one and connecting both subnets via routing. That might be another option between extending the existing one and creating a new one for everything.
