Incorrect Subnet Mask from DHCP router

Posted on 2009-04-20
Last Modified: 2012-05-06
I have changed the layout of my network around, and am having trouble with the DHCP on my router. I have the network set up so that the servers and employee computers have static IPs in the 192.168.1.x subnet and any guests or clients that come into the office and connect to the internet are assigned IPs in the 192.168.0.x subnet. My router is currently with a subnet mask and all the employee computers and servers also have a subnet so they are able to access the internet. Here is where my problem is though. On my router, I have enabled the DHCP to hand out addresses between and with a subnet. When I was testing it I kept getting an IP in the right range, but a subnet of  I have no idea why it is giving out the wrong subnet mask. I want it so that any dynamic connections to our network will be able to talk to the router, but not the servers and employee computers (hence the separate subnets). Any ideas why this might be happening?
Question by:JMRSoftware
    LVL 59

    Expert Comment

    by:Darius Ghassem
    Do you have two routers? You must have two routers to use the scenario you are using unless you have a VLAN setup because the router's internal IP address can't run two different subnets.
    LVL 4

    Expert Comment

    Firstly you only THINK you have two subnets. is ONE subnet beginning at and ending with  
    However, your subnet spans two class C NETWORKS the and the networks, so to be precise, your subnet is actually a supernet - but let's not get caught up with terminology.  The fact that you have asked your router (I presume the router is the DHCP server) to hand out addresses with range x-y with mask z means that it will hand out addresses in that range, but if the range is part of one of that router's own directly connected subnets, it will outsmart you and hand out the mask that is assigned to its interface, which is what you would normally want to do.
    You say that what you really want to do is have guests and clients on one subnet that is isolated from your internal network, but still have access to the gateway that is on your internal network.  The scenario you described above would have achieved that, albeit somewhat non-conventional.
    So what can you do?  There are a number of possibilities depending on the type of router you are using and the other devices that you have at your disposal.
    1.  You could stick with regular /24 subnets ( and keep the clients and internals separated, and assign a secondary IP address to the router (if your router supports secondary IPs).  This would probably be the simplest.  If you want to get sophisticated you could run each subnet on a different vlan - again assuming your equipment supports all this, but don't even think about this if you don't know what you are doing.
    2. You could set up a different DHCP server on the network and turn DHCP off on your router and stick with the un-conventional design you described above.  Unconventional does necessarily mean BAD, but it does mean troubleshooting will be harder, especially for any 3rd party that needs to troubleshoot.
    3. You could get another router to put between the guests and the internet gateway - if you are using wireless you'll probably find your wireless AP is a router anyway.  In this design the 2nd gateway gets a static IP address on its WAN interface of (eg) and you set up DHCP and NAT for your guest clients on the wireless side and LAN ports (if your wireless router has some LAN ethernet ports).  The DISADVANTAGE with this design is that your guests will have to plug into specific ports, rather than any old port as is the case with the other designs.  You will also have to do some filtering to make sure that your guests can't get to 192.168.1.x addresses.

    To move forward, you'll need to let us know the following:
    1. What router are you using (brand model, number of ports)
    2. What DHCP server are you using (is it the router or another device - if another device you should be able to make it work)
    3. How many internal clients? How many servers? How many guests?
    4. If you are using any wireless - How many internal wireless? Any guests wireless? What wireless Access Point/router are you using

    Author Comment

    Hi Red Nectar, thank you very much for all that information.  I think we are going to go with your third option there as our router is being used for DHCP and it does not support a secondary IP.  As for your inquiries about our equipment, we are using a Peplink Balance 200 with 4 LAN ports and 2 WAN ports and DHCP enabled.  The network consists of 7 servers and roughly 70 clients.  The amount of guests varies, as we usually have them during board meetings, or if customers bring their laptops into the office.  There is no wireless for guests or employees, so there's no hardware to report there.  Thanks again for your help.
    LVL 4

    Expert Comment

    OK - with option 3 you have to be a little bit careful because a guest will have access to your internal network unless you a) do some specific filtering to prevent this or b) do something tricky with the IP address range to prevent this - just like you were aiming to before - in fact if you can get your intermediate device to hand out IP addresses with a mask of that would do it.  Your network might look a bit like this:

    LVL 4

    Accepted Solution

    There might be a problem with your new router in that it might not like having the ip address and with a (/23) mask (because these IP addresses overlap the same address space - through to  If this is the case, change the mask on the new router to /24 ( for the guests network interface, and to /30 ( on the interface.  In fact I think I like this solution better than the one above.  In this scenario, if the New Router receives a packet addressed to a server (say then it will see that IP as being NOT local, and send the pkt to Existing Router which will probably NOT fwd it back to because that would mean passing it back out the interface that it arrived on.  Most routers that claim any firewall features will behave this way. So a better diagram might be:
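
The mask arithmetic this thread relies on, as an added example that is not part of the original posts: it shows how a /23 versus /24 lease changes what a guest treats as on-link, and why a second router with /23 on both interfaces overlaps while /24 plus /30 does not. Every address, the gateway, and the names `on_link`, `next_hop` and `overlapping` are assumptions made for illustration; only the 192.168.0.x and 192.168.1.x ranges and the /23, /24 and /30 prefixes come from the thread.

```python
import ipaddress

# All addresses are constructed for illustration; the thread's own values are not shown.
SERVER = "192.168.1.10"             # static internal host
GATEWAY = "192.168.0.1"             # assumed router address on the guest side
GUEST_INTENDED = "192.168.0.50/24"  # lease with the mask the asker wanted
GUEST_RECEIVED = "192.168.0.50/23"  # lease carrying the router's interface mask

def on_link(iface: str, dest: str) -> bool:
    """True if a host configured as iface (address/prefix) treats dest as directly reachable."""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(iface).network

def next_hop(iface: str, gateway: str, dest: str) -> str:
    """Where the host sends a packet for dest: straight to it, or to its gateway."""
    return dest if on_link(iface, dest) else gateway

def overlapping(interfaces: dict) -> list:
    """Pairs of interface names whose connected networks share address space."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

# Second router (option 3): /23 on both sides, then the /24 + /30 split.
NEW_ROUTER_23 = {"guest": "192.168.0.1/23", "uplink": "192.168.1.254/23"}
NEW_ROUTER_SPLIT = {"guest": "192.168.0.1/24", "uplink": "192.168.1.254/30"}

if __name__ == "__main__":
    for label, lease in (("intended", GUEST_INTENDED), ("received", GUEST_RECEIVED)):
        print(label, lease, "-> server traffic goes to", next_hop(lease, GATEWAY, SERVER))
    print("/23 on both interfaces overlaps:", overlapping(NEW_ROUTER_23))
    print("/24 + /30 overlaps:", overlapping(NEW_ROUTER_SPLIT))
    print("new router sees server as local:",
          on_link(NEW_ROUTER_SPLIT["uplink"], SERVER))
```

The mask only decides whether the guest sends server traffic directly or via its gateway, so the filtering called for in the answers is still what keeps guests off 192.168.1.x.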

