Changes to my firewall

I have a watchguard XTM 525. How difficult is it to Change the subnet mask from /24 to /21 or /22 to give my company more IP address. Can it be done on a live network?
Technical InformationAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NerdsOfTechTechnology ScientistCommented:
Easy of course the main problem is that the dchp server(s) needs to be able to handle class B, e.g. subnetmasking of /16 thru /23 and recognition of all of the clients of the subnet. This often requires dedicated hardware such as standalone servers and/or commercial routers for dchp/etc--- at the very least on the final bottleneck to the firewall/internet since normally networks assume /24 without config or can only handle class C. How many IP address do you think they'll need?
Technical InformationAuthor Commented:
DHCP is coming from the firewall.. Probably need around 500 ips. Is there a step by step you can supply.

NerdsOfTechTechnology ScientistCommented:
First this may be a huge undertaking if there are static IPs set on the 192.168.x.x network now.

So there isn't a step-by-step per se. You'll need to make sure this migration to 172.16.x.x is done extremely carefully.

The end result will be:

Class B gives you up to 65534 IPs, masking to /23 gives you
510 IPs
Subnet Mask:
Host Range: -
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

Jon SnydermanCommented:
It is very easy.  I don't agree with the previous poster though.  These days, only the residential routers have any issues with classless subnets.  The firewall will handle it fine, windows and windows servers handle it fine.  The change on the firewall is simple.  Changing the network is a little more difficult if you have servers and printers, or any devices with static IPs.  These all need to be adjusted to insure network  communications.  As for steps, change the subnet on the interface in network configuration and increase your dhcp range in exactly the same place.  Don't change your internal IP range or the internal IP of the firewall.  That will introduce many more pitfalls.  Then touch any device with a static IP and change its subnet.   As long as you are pushing out the range but not actually changing ips, it should not be too hard.   As for doing it on a live network, technically you could.  There should be no interruption.  However, if you are not comfortable with the change, I would not do it on a live network.... Just in case.

Good luck
Technical InformationAuthor Commented:
Thank you both for the information

My current network address is

Would that make a difference?
Technical InformationAuthor Commented:
Its also a VLAN if that make s a difference..
Jon SnydermanCommented:
Actually, no, that makes it a hair better.  It won't change your work at all, but technically that is a class B and the right subnet for that network is /16, not /24.

VLAN should not matter either, but now you may have internetwork routing issues.  If the firewall is responsible for all the routing, it won't be an issue.  But if there are other routers in the mix, the need to be looked at also.
NerdsOfTechTechnology ScientistCommented:
Good news is that you are already in a Class B range! Excellent!

go to /23 and you'll have the new range of: -

1. Identify Static IP Settings & Port Forwarding/Triggering, if any, in current network

You'll want to duplicate these settings under your new Class B environment

2. Make sure all hardware supports Class B (commercial devices are required)

Sometimes businesses run off of non-commercial, off-the-shelf network equipment. In this case, commercial network equipment would be required. Many businesses facilitate this by commercial  servers, routers, firewalls, etc.

3. Make the IP address migration, if needed, and apply the new subnet mask

If you are already in a public Class A range 10.x.x.x or a Class B range 72.16.x.x already this is great! This means only subnet masking is needed.

Otherwise, prepare your network for migration to the new "legal" public range.

The private address space specified in RFC 1918 is defined by the following three address blocks:

The private network is a class A network ID that allows the following range of valid IP addresses: to The private network has 24 host bits that can be used for any subnetting scheme within the private organization.
The private network can be interpreted either as a block of 16 class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The private network allows the following range of valid IP addresses: to
The private network can be interpreted either as a block of 256 class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The private network allows the following range of valid IP addresses: to

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NerdsOfTechTechnology ScientistCommented:
In other words, you have the best case scenario:

Your current network is left in tact, and your range expands forwardly from:

/24: -
254 hosts


/23: -
510 hosts


/22 -
1022 hosts

As you can see it expands upwards which is nice because you can have flexibility to make the range bigger without having to change anything else but the subnet mask.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.