Is a large network address pool bad?
-
@shadowwizard said in Is a large network address pool bad?:
can I segment later
Yes. Generally, though, segmenting involves having different physical NICs/interfaces in the router so they are isolated.
@shadowwizard said in Is a large network address pool bad?:
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow
No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/ -
Let me try again, My segments allow me to organize my hosts in a way that makes sense to me. Through the use of firewall rules communication is open between segments, but only the traffic I want to allow. Unknown traffic is blocked, this is the safety part.
For instance, I distrust my cameras, but I want them, so only the security server has limited access to the internet and no access to any other network. My PC on the primary network has full access to the cameras and security server. It is a one-way ruleset. Should a camera or the security system get compromised, the damage is limited.
Because you are new, the question on the method is very valid. Most of the people here deal with larger networks and a paranoia diagnosis, so the solutions presented back to you will be more secure than the one you started with. Learning networking and IP addressing is a big task. My best advice is to try to start in a way that allows you to improve. I started with 1 subnet, now I have 5. As suggested, if you really want such a large address space to start, it might be best to not use 192.168.0.0, but instead start with something inside 10.0.0.0 or the underused 172.16.0.0 space. Later I am confident you will break up the large IP space into smaller pieces. That will be a whole new conversation.
Also there are other ways to calm the OCD:
addresses ending in:
.1 - .10 / network devices
.120 - .128 / DNS
.200 - .225 / Rokus and TVs
.11 - .50 / servers or services
.51 - .199 / DHCP leases
.151 - .160 / cameras -
@shadowwizard other option would be to use say a /21 vs a /17.. this would give you 8 different 3rd-octet networks to work with for your separation of devices by IP, this wouldn't be actual segmentation..
so say 192.168.8.0/21 this gives you 192.168.8.1 to 192.168.15.254 to work with.. And would not overlap with the 192.168.0 or .1 networks.
-
@SteveITS said in Is a large network address pool bad?:
@shadowwizard said in Is a large network address pool bad?:
can I segment later
Yes. Generally, though, segmenting involves having different physical NICs/interfaces in the router so they are isolated.
Okay, so segmenting will not happen. The little computer I am using has 2 NICs, and is one of those mini-computer type things, so I can't add additional ones. I thought I could do it with just the one NIC.
@shadowwizard said in Is a large network address pool bad?:
Would setting it up this way and just leaving 192.168.1.x with no devices allow me to "join" my home and work network "permanently" somehow
No, the mask would tell all the devices in your house that 192.168.1.x is on their network. You'd have to find something that doesn't overlap with it.
https://www.subnet-calculator.com/
But the part that is confusing me is, don't I want it to think it's on my network? Isn't that what permits me to access the shares (I should have said, they are Windows shares)?
That was kinda the whole idea I was thinking. "Join" the networks, so it's one big network, just using the internet to connect them. Is that not ideal? (Sorry, should have made that clearer)
But that aside, doing it the other way.. then I was thinking of 192.168.127.1/18. That will give me a big pool to choose from.
But then I guess we need to get into how to "connect" the two networks? I will have pfSense at home. I have WireGuard set up in a Docker container at work, and can of course run any other Docker container to do it. The main router for the store runs DD-WRT.
Hopefully that should be the information needed to find the "best" way to do it. -
@shadowwizard said in Is a large network address pool bad?:
The little computer I am using has 2 NICs
You could still segment with VLANs.. Just need a switch that can do them, an 8-port gig switch that can do VLANs is like $40, and then if you have wifi an AP that can do them.. This could be as cheap as any old AP that you can run say OpenWrt or DD-WRT on.. Or you could get an AP that does them.. there are some cheap options here as well.. I think the TP-Link EAP225 is like $60 and does AC..
So for like $100 you could be cooking with gas, and have the ability to fully segment your network.
-
@johnpoz said in Is a large network address pool bad?:
@shadowwizard said in Is a large network address pool bad?:
The little computer I am using has 2 NICs
You could still segment with VLANs.. Just need a switch that can do them, an 8-port gig switch that can do VLANs is like $40, and then if you have wifi an AP that can do them.. This could be as cheap as any old AP that you can run say OpenWrt or DD-WRT on.. Or you could get an AP that does them.. there are some cheap options here as well.. I think the TP-Link EAP225 is like $60 and does AC..
So for like $100 you could be cooking with gas, and have the ability to fully segment your network.
The switch I am using I think is managed. I will need to look into whether it supports VLANs, but I can't get access to it now (I am on vacation, planning for when I get home.) But that isn't until much later. I wanna get set up and running first, and as long as I can set up VLANs that encompass whatever I want (both 192.168.155.x and 192.168.160.x but NOT 192.168.156.x) then we should be good to do that later.
The one thing I am just working out the details on is how to "connect" the networks. Details of my equipment, etc. are in my previous post.
-
@shadowwizard yeah, anything that mentions smart or managed on the switch would/should support VLANs for sure.
-
@shadowwizard
I agree with AndyRH, just the broadcast bandwidth alone is reason enough not to use a large subnet. And it's a total waste of addresses, but that's not a big deal.
As far as connecting the networks, that's what routing is. It allows you to connect different networks so they can communicate between them.
So no, you don't want it to think it's on your network, but it will still talk.
You really should do yourself a favor now and not do what you're thinking. It'll save you trouble down the road, but if you're set on doing it, go for it. You'll fix it later.
As for the subnet range, I always use the home/business owner's birthday as a 10.x subnet. This allows me to use 192.x networks for VPN tunnels and stops most chances of overlaps.
Meaning if today is your birthday, I would make your LAN network 10.1.10.0 = 10.birth-month.birth-day.0.
You can then use 10.1.11 for IoT, 10.1.12 for cameras, etc.
I then break down VPN tunnels into smaller subnets as needed, i.e. 192.168.100.0/30 for a point-to-point, and 192.168.100.128/29 for multisite, etc.
As said, you can then allow 10.1.10 to talk to any of the other networks in pfSense, and better yet, NOT allow them to talk. With a single large subnet you have no control (unless you get equipment that can isolate layer 2) over who talks to what.
Again, it's obviously up to you, but you will end up with what has been suggested eventually. Going the way you're thinking will be a learning experience, so it wouldn't be completely useless.
-
@shadowwizard as mentioned before, the only problem you could run into is that discovery protocols don't work across VLANs/networks..
Example: AirPrint is one of these discovery protocols.. If your phone is on 192.168.x/24 and your printer is on 192.168.y/24, your phone wouldn't be able to find your AirPrint printer.. If you are actually segmented and not just on some big network like a /17 or /21, etc..
Not an issue if you can put in an FQDN or IP with the software you're printing with. But pure discovery will not work.. Now since AirPrint uses mDNS, you could prob use the package avahi to let your phone discover it. You could also maybe do some DNS stuff to allow it to find it, etc.
For me to work around that specific sort of issue, I just put my printer on the wifi VLAN I would be printing from so devices could discover it via AirPrint.. My PC that prints to it, that is on another VLAN, I can just point to the printer's IP, etc. This was the simple solution without having to do any sort of tricks to circumvent the L2 barrier, etc.
People with stuff like Sonos speakers that use discovery also come to mind that could be problematic with segmentation..
But if you just want to assign some specific IPs and keep everything on one network, you sure don't need a /17 to accomplish that.. 100 devices for sure would work on just a /24, and just use the last octet for your organization of different types of things.
The better option for sure is true segmentation.. This gives you way more flexibility, the ability to actually firewall between different sorts of devices. For example I have all my Roku, TV, Fire Stick, Shield TV devices all on their own VLAN, I call it my roku VLAN.. These devices can only talk to my Plex server on port 32400.. They can not talk to any other VLAN or device on any of my other local networks.
I just put up a camera - I created a new VLAN for this.. This is the only thing on it at the moment.. It can not talk to anything else on my network at all.. Cameras are horrible from a security point of view.
-
@shadowwizard said in Is a large network address pool bad?:
I was thinking. "Join" the networks, so its one big network, just using the internet to connect them. Is that not ideal?
When your PC tries to connect to 192.168.1.5 it will look at that address and say, oh, that's part of 192.168.0.0/17, I don't need to send that anywhere else I can just ask the local network.
So if your network was 192.168.128.0/17, and your VPN to work used 192.168.1.0/24, that would work since it wouldn't overlap.
-
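The overlap argument above (a 192.168.0.0/17 home LAN swallows the 192.168.1.x work subnet, 192.168.128.0/17 does not), johnpoz's 192.168.8.0/21 suggestion, and the 10.birth-month.birth-day.0 scheme with 192.168.100.x VPN tunnels can all be checked mechanically with the Python standard library instead of a web calculator. The helper below is an added example, not code from the thread or from pfSense; the VLAN role names, the per-role third-octet offsets and the two tunnel subnets are assumptions for illustration.

```python
"""Subnet planning helper (added example; not from the forum thread).

Uses only the standard-library ipaddress module. All sample prefixes are
the ones discussed in the thread; the role offsets are an assumption.
"""
from ipaddress import IPv4Network


def overlaps(a: str, b: str) -> bool:
    """True if the two prefixes share any address (one contains the other).

    strict=False accepts host-style notation such as 192.168.127.1/18 and
    normalises it to the containing network (192.168.64.0/18).
    """
    return IPv4Network(a, strict=False).overlaps(IPv4Network(b, strict=False))


def usable_range(cidr: str) -> tuple[str, str, int]:
    """First usable host, last usable host, and the number of hosts that
    will all receive each other's broadcasts (the broadcast-domain size)."""
    net = IPv4Network(cidr, strict=False)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def split(cidr: str, new_prefix: int) -> list[str]:
    """Carve a block into equal sub-blocks, e.g. a /21 into eight /24s."""
    return [str(s) for s in IPv4Network(cidr, strict=False).subnets(new_prefix=new_prefix)]


def birthday_plan(month: int, day: int, roles: dict[str, int]) -> dict[str, str]:
    """10.<month>.<day + offset>.0/24 per role, as proposed in the thread.

    roles maps a VLAN name to its third-octet offset from the LAN, e.g.
    {"lan": 0, "iot": 1, "cameras": 2} (the names/offsets are assumed).
    """
    if not 1 <= month <= 12 or not 1 <= day <= 31:
        raise ValueError("month must be 1-12 and day 1-31")
    plan = {}
    for role, offset in roles.items():
        third = day + offset
        if third > 255:
            raise ValueError(f"{role}: third octet {third} out of range")
        plan[role] = f"10.{month}.{third}.0/24"
    return plan


def find_conflicts(lans: list[str], tunnels: list[str]) -> list[tuple[str, str]]:
    """Every (LAN, tunnel) pair that overlaps; an empty list means routing
    can distinguish them and the VPN will work."""
    return [(lan, tun) for lan in lans for tun in tunnels if overlaps(lan, tun)]


if __name__ == "__main__":
    work = "192.168.1.0/24"  # the work LAN reached over the VPN
    for home in ("192.168.0.0/17", "192.168.128.0/17", "192.168.8.0/21", "192.168.127.1/18"):
        first, last, hosts = usable_range(home)
        print(f"{home:18} {first}-{last} ({hosts} hosts) "
              f"overlaps {work}: {overlaps(home, work)}")
    print("192.168.8.0/21 as /24s:", split("192.168.8.0/21", 24))
    plan = birthday_plan(1, 10, {"lan": 0, "iot": 1, "cameras": 2})  # assumed roles
    tunnels = ["192.168.100.0/30", "192.168.100.128/29"]
    print(plan, "conflicts with tunnels:", find_conflicts(list(plan.values()), tunnels))
```

The size column is the practical argument made in the thread: every host in a /17 sits in one broadcast domain of 32766 addresses, while a /21 still gives eight /24s to sort devices by third octet without overlapping 192.168.0.x or 192.168.1.x. Run `find_conflicts` against the work LAN and the tunnel subnets before committing to any home prefix.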
Unless you use a TAP connection to make an even bigger layer 2 segment spanning it all. Which would be bad!