Is a large network address pool bad?
-
The quick and dirty:
I m planning my new upgraded home network, and I am going to use PFsence for the router. I am planning on using 192.168.3.1/17 for the IP address of the router so I have a large pool of IP addresses to choose from on my local home network.Additional information that may help to provide a correct/helpful answer:
So lets start with the fact this is the first time I am really venturing outside /24 netmask. I should also state that the main reason I am considering such a large pool (is it called a large subnet?) is for organization. I have more devices then your average joe (Maybe 100 total) but want to organize them. 192.168.4.x for computers, 192.168.5.x for home automation stuff (Perhaps even narrowed down to 192.168.6.x for switches, and 192.168.7.x for plugs, and 192.168.8.x for lights, etc) There is nothing I am looking to air gap, and I am okay with every device talking to every other device on the network.
I am planning on getting it to assign any DHCP IP addresses in the range 192.168.3.10-192.168.3.255, and everything else will be set either reserved in PFsence, or static on the device. I am skipping over 192.168.1.x and 192.168.2.x because the 2.x is used on the network I am replacing, and the 1.x is used my work (Small retail shop, maybe 30 devices tops) and I sometimes bridge the networks, and will likely look into a way to bridge them permanently (but that will come later) so I am not using those ip addresses to avoid conflicts.
Can you think of any reason I shouldn't do this? Or a better way to do this? -
The number of hosts in a broadcast domain is a good reason to segment. Broadcasts can start using a noticeable amount of bandwidth.
IMO I think a better way is to segment, in my case, cameras are on .2, Alexa is on .66, primary is .42 and so on. This allows me to isolate VLAN666 (.66) to make sure Alexa does no evil to everything else. My cameras, a popular hacker target, cannot get to anything else.
On a single subnet all of these things would be able to freely interact.
-
But with 100 total hosts is broadcast still a problem?
@shadowwizard
You could also consider a different range like 10.x.x.x because you can't just not use .1.x and .2.x and have it not be a problem...the /17 mask includes those on the local network. With a /17 you'd have to start at 191.168.128.1 to avoid overlap with .1.x. -
Thank you so much for the info, however I only understand about 1/4 of it.
I can guess that segmenting is creating smaller internal "sub networks" that do not communicate with each other. But I would like them to communicate if possible. I don't want to have to connect my main computer to a different "segment" just to modify a setting on a light switch.
The line that started with IMO, I didn't understand a thing past the first sentence (New, remember?) .2 what? 192.168.2.x? 192.168.x.2? 2.2.2.2? VLAN666? HUH? In addition, if everything is set up on one subnet, but well organized, it should be easy to segment later I would guess?If the number of hosts are the number of devices I have connected, it is not expected to get to large levels. And as I said, I can segment later I would guess if ti does become an issue?
Thank you so much for trying to help, but I really understand so little of your post...
In a nut shell, would it be correct to say "No reason not to, but there may be better ways?" I never though of segmenting, but may want to do that to some stuff in the future.. -
@shadowwizard the only issue you can have with segmentation and talking to each other, is if some device is too stupid and can only find stuff via discovery that works only on the same layer 2 network.
When you segment, you can set firewall rules to allow all, or you can filter if you want.. But creating some network with 32k possible IPs seems a bit over the top if you have 100 devices total.
Segment it out, gives you better control, gives you easy to manage IP ranges for devices, etc. etc..
-
@SteveITS said in Is a large network address pool bad?:
But with 100 total hosts is broadcast still a problem?
@shadowwizard
You could also consider a different range like 10.x.x.x because you can't just not use .1.x and .2.x and have it not be a problem...the /17 mask includes those on the local network. With a /17 you'd have to start at 191.168.128.1 to avoid overlap with .1.x.I had thought about 10.x.x.x, however I want the networks to overlap. That way if I forget something on my home network with a statis IP set on it, it will still work. And if I connect the network with my work, it will be on the same subdomain. Again, this is coming from someone that is new to the more advanced (I guess this isn't really that advanced, but is for me) networking. And #1 I need to be "If I forget something, It still needs to work untill I get around to fixing it"
-
@johnpoz said in Is a large network address pool bad?:
@shadowwizard the only issue you can have with segmentation and talking to each other, is if some device is too stupid and can only find stuff via discovery that works only on the same layer 2 network.
When you segment, you can set firewall rules to allow all, or you can filter if you want.. But creating some network with 32k possible IPs seems a bit over the top if you have 100 devices total.
Segment it out, gives you better control, gives you easy to manage IP ranges for devices, etc. etc..
"Over the top" yea, proababily. But if its not bad, I shoudl be able to segment later, should it? Just put all 192.168.4.x on one segment, and 192.168.5.x on another, etc. As this isn't JUST a home lab where is something breaks, its not the end of the world. One test computer can't talk to another. Its my house. If lights don't turn on, or I can't SSH into one of my other boxes, or can't pull up my Home Assistant dashboard, I can't go to bed until its fixed.
Oh, and whats "Layer 2 network." please remember, very new. Most advanced networking I have done was to use wireguard to be able to access my shared folders at work from home...And still don't understand why I can access them... I just know I can. -
@shadowwizard said in Is a large network address pool bad?:
if I connect the network with my work
If you do that the packets won't leave your local network because the /17 mask says 192.168.1.x is on your network.
Using 10.0.0.x/17 would be a large range but not overlap with your work. However that doesn't overlap with 192.168.2.x as you noted.
Maybe use 192.168.2.x/24 on pfSense, and use .20-39 for switches, .40-.59 for PCs, etc.
I can't go to bed until its fixed
Always maintain realistic expectations with clients. ;)
-
@SteveITS said in Is a large network address pool bad?:
@shadowwizard said in Is a large network address pool bad?:
if I connect the network with my work
Yet thats what I do now with wireguard. Connect the VPN, and I can access all the shares. No idea why, but I just can.
If you do that the packets won't leave your local network because the /17 mask says 192.168.1.x is on your network.
Using 10.0.0.x/17 would be a large range but not overlap with your work. However that doesn't overlap with 192.168.2.x as you noted.
Maybe use 192.168.2.x/24 on pfSense, and use .20-39 for switches, .40-.59 for PCs, etc.
Not enough to seperate it. I was doing that. But ran out of .5x ip addresses for the plugs when I added a 11th.. So now it has to be 14x for the next plugs.. Etc. Just not enough room for error and tidyness. If I wasn't expecting the network to grow and change.. But I am, a lot.
I can't go to bed until its fixed
Always maintain realistic expectations with clients. ;)
The client is me... And if my lights arn't working, or I can't be sure the heat will come on, or not come on when I don't want it to.. -
So, you have all been very helpful, thank you. But I think its better to get it working with the large IP address range, and work on the rest later, if possible.
#1 So if I just set it up, can I segment later? Or do things need to be planned a bit? Can I just put 192.168.4.x on one segment, and 192.168.45.x and 192.168.55.x on another after I am done. And if it does need to be planned, what would I read to learn how to plan it? (Don't know how to google "Can I just put 192.168.4.x on one segment, and 192.168.45.x and 192.168.55.x on another after I am done.")and #2
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow? -
@shadowwizard said in Is a large network address pool bad?:
can I segment later
yes. Generally though segmenting involves having different physical NICs/interfaces in the router so they are isolated.
@shadowwizard said in Is a large network address pool bad?:
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow
No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/ -
Let me try again, My segments allow me to organize my hosts in a way that makes sense to me. Through the use of firewall rules communication is open between segments, but only the traffic I want to allow. Unknown traffic is blocked, this is the safety part.
For instance, I distrust my cameras, but I want them, so only the security server has limited access to the internet and no access to any other network. My PC on the primary network has full access to the camera's and security server. It is a one-way ruleset. Should a camera or the security system get comprised the damage is limited.Because you are new, the question on the method is very valid. Most of the people here deal with larger networks and a paranoia diagnoses, so the solutions presented back to you will be more secure than the one you started with. Learning networking and IP addressing is a big task. My best advice is try to start in a way that allows you to improve. I started with 1 subnet, now I have 5. As suggested, if you really want such a large address space to start, it might be best to not use 192.168.0.0, but instead start with something inside 10.0.0.0 or the underused 172.16.0.0 space. Later I am confident you will break up the large IP space into smaller pieces. That will be a whole new conversation.
Also there are other ways to calm the OCD:
addresses ending in:
.1 - .10 / network devices
.120 - .128 / DNS
.200 - .225 / Rokus and TVs
.11 - .50 / servers or services
.51 - 199 / DHCP leases
.151 - 160 / cameras -
@shadowwizard other option would be to use say a /21 vs 17.. this would give you 8 different 3rd octet networks to work with for your separation of devices by IP, this wouldn't be actual segmentation..
so say 192.168.8.0/21 this gives you 192.168.8.1 to 192.168.15.254 to work with.. And would not overlap with the 192.168.0 or .1 networks.
-
@SteveITS said in Is a large network address pool bad?:
@shadowwizard said in Is a large network address pool bad?:
can I segment later
yes. Generally though segmenting involves having different physical NICs/interfaces in the router so they are isolated.
Okay, so segmenting will not happen. The little computer I am using has 2 NICs, and is one of those mini computer type things, so I can't add additional. I thought I could do it with just the one NIC.
@shadowwizard said in Is a large network address pool bad?:
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow
No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/But that part that is confusing me is, don't I want it to think its on my network? Isn't that what permits me to access the shares (I should have said, they are windows shares)
That was kinda the whole Idea I was thinking. "Join" the networks, so its one big network, just using the internet to connect them. Is that not ideal? (Sorry, should have made that clearer)
But that asside, doing it the other way.. then I was thinking of 192.168.127.1/18 That will give me a big pool to choose from.But then I guess we need to get into how to "Connect" the two networks? I will have PFsence at home. I have wireguard set up in a docker container at work, and can of course run any other docker container to do it. The main router for the store runs DDWRT.
Hopefully that should be the information needed to find the "best" way to do it. -
@shadowwizard said in Is a large network address pool bad?:
The little computer I am using has 2 NICs
You could still segment with vlans.. Just need a switch that can do them, an 8 port gig that can do vlans is like 40$, and then if you have wifi a AP that can do them.. This could be as cheap as any old AP that you can run say openwrt or dd-wrt on.. Or you could get a AP that does them.. there some cheap options here as well.. I think the TP-Link EAP225 is like 60$ does AC..
So for like a $100 you could be cooking with gas, have the ability to fully segment your network.
-
@johnpoz said in Is a large network address pool bad?:
@shadowwizard said in Is a large network address pool bad?:
The little computer I am using has 2 NICs
You could still segment with vlans.. Just need a switch that can do them, an 8 port gig that can do vlans is like 40$, and then if you have wifi a AP that can do them.. This could be as cheap as any old AP that you can run say openwrt or dd-wrt on.. Or you could get a AP that does them.. there some cheap options here as well.. I think the TP-Link EAP225 is like 60$ does AC..
So for like a $100 you could be cooking with gas, have the ability to fully segment your network.
The switch I am using I think is managed. I will need to look into if it supports vlans, but can't get access to it now (I am on vacation, planning for when I get home.) But, that isn't until much later. I wanna get set up and running first., and as long as I can set up vlans that encompas whatever I want (both 192.168.155.x and 192.168.160.x but NOT 192.168.156.x) then we should be good to do that later.
The one thing I am just working out the details on is how to "Connect" the networks. Details of my equipment, etc in my previous post.
-
@shadowwizard yeah anything that mentions smart or managed on the switch would/should support vlans for sure.
-
@shadowwizard
I agree with AndyRH, just the broadcast bandwidth alone is reason enough not to use a large subnet. And it's a total waste of addresses but that's not a big deal.As far as connecting the networks, that's what routing is. Allows you to connect different networks to communicate between them.
So no, you don't want it to think it's on your network but it will still talk.You really should do yourself a favor now and not do what you're thinking. It'll save you trouble down the road but if you're set on doing it, go for it. You'll fix it later.
As for the subnet range, I always use the home/business owners birthday as a 10.x subnet. This allows me to use 192.x networks for vpn tunnels and stops most chances of overlaps.
Meaning if today is your birthday, I would make your LAN network 10.1.10.0 = 10.birth-month.birth-day.0.
You can then use 10.1.11 for IoT, 10.1.12 for cameras etc.
I then break down vpn tunnels into smaller subnets as needed, ie 192.168.100.0/30 for a point to point, and 192.168.100.128/29 for multisite etc.As said, you can then allow 10.1.10 to talk to any of the other networks in pfSense, and better yet, NOT allow them to talk. With a single large subnet you have no control (unless you get equipment that can isolate layer 2) over who talks to what.
Again, it's obviously up to you but you will end up with what has been suggested eventually. Going the way you're thinking will be a learning experience so it wouldn't be completely useless.
-
@shadowwizard as mentioned before the only problem you could run into is discovery protocols don't work across vlans/networks..
Example airprint is one of these discovery protocols.. If your phone is on 192.168.x/24 and your printer is on 192.168.y/24 your phone wouldn't be able to find your airprint printer.. If you are actually segmented and not just on some big network like a /17 or /21 etc..
not an issue if you can put in fqdn or IP with the software your printing with. But pure discovery will not work.. Now since airprint uses mdns - you could prob use the package avahi to let your phone discover it. You could also maybe do some dns stuff to allow it to find, etc.
For me to work around that specific sort of issue, I just put my printer on the wifi vlan I would be printing from so devices could discover it via airprint.. My pc that prints to it, that is on another vlan I can just point to the printers IP, etc. This was the simple solution without having to do any sort of tricks to circumvent the L2 barrier, etc.
People with stuff like sonos speakers that use discovery also come to mind that could be problematic with segmentation..
But if you just want to assign some specific IPs and keep everything on one network, you sure don't need a /17 to accomplish that.. 100 devices for sure would work on just /24 and just use the last octet or for your origination of different types of things.
The better option for sure is true segmentation.. This gives you way more flexibility, the ability to actual firewall between different sort of devices. For example I have all my roku, TVs, firesticks, shield TV devices all on their own vlan, I call my roku vlan.. These devices can only talk to my plex server on port 32400.. They can not talk to any other vlan or device on any of my other local networks.
I just put up a camera - I created a new vlan for this.. This is the only thing on it at the moment.. It can not talk to anything else on my network at all.. Camera's are horrible from a security point of view.
-
@shadowwizard said in Is a large network address pool bad?:
I was thinking. "Join" the networks, so its one big network, just using the internet to connect them. Is that not ideal?
When your PC tries to connect to 192.168.1.5 it will look at that address and say, oh, that's part of 192.168.0.0/17, I don't need to send that anywhere else I can just ask the local network.
So if your network was 192.168.128.0/17, and your VPN to work used 192.168.1.0/24, that would work since it wouldn't overlap.
