Netgate Discussion Forum
New at this - Subnets, CIDR and Segmenting My Network

General pfSense Questions
29 Posts 8 Posters 3.8k Views
Derelict LAYER 8 Netgate

The reason to keep your home network as narrow as possible (while still providing plenty of room for what you need) is to avoid collisions with other local networks.

If you use 192.168.0.0/16 locally and decide to set up an OpenVPN server to connect into your network from remote (one of the most valuable features of pfSense for many), then if you connect from another location that also chose something in 192.168.0.0/16, you are going to have issues. And that is a LOT of places.

By choosing something random and uncommon (172.16.0.0/12 is being used in more places, but address space collisions there are still fairly uncommon) you reduce that risk. The longest subnet you can use while still providing enough addresses for what you need to do helps too.

You have zero control over what local network others have chosen. All you can control is how likely a collision is, by choosing randomly and as small as is feasible.

Excuse my ignorance, what exactly is 32?

There are 32 available /24 subnets in a /19. 5 bits. 0-31, 32-63, 64-95, etc.

Why exactly would that be desirable? Do you mean if you were to switch to a smaller network?

If for some reason I wanted to make a firewall rule that just covered the dynamic addresses I could do so naturally with one CIDR.

For instance my IP phones' static DHCP assignments start at 65. I can QoS them with a source network of 172.29.223.64/29.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
Atreides

Thanks, you gave me a lot to think about. I've been doing some research and study on subnets and it's clear I misunderstood how exactly they worked. I'm going to do a bit more reading and then I'll be back.
Guest

I have a 24 port L2 managed switch and 5 interface SG-4860 at my disposal.

There are two ways that might be most common to go with.
1. Connect a small dumb switch on the LAN ports of the SG-4860 and use plain routing
Pros: Small, dumb and cheap switches could be in usage
Cons: Nothing

2. Create VLANs and terminate them at the pfSense firewall
Pros: Better cutting of the entire network and using the firewall rules
Cons: All traffic is then going through the pfSense firewall, I mean also the bigger files from and to the servers and the NAS if one is in the game, so power is needed

Alternatively you could also walk another way and get a Layer 3 switch that routes the entire LAN and VLAN traffic by its own.
Pros: The entire LAN traffic is led and routed by the switch and does not hit the pfSense until the DMZ must be reached or is targeted.
Cons: A second switch should be used too, as the LAN or DMZ switch

First of all I want to chop my network up into a few subnets, probably something like the following:

Ok, what should be the method to use or the way you will walk!

The general LAN for the rest of the family and most computers.

VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
default VLAN on many switches and all devices are inside (management VLAN for the admin)
VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
Only family members are storing files here, PC is inside
VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "son's PC"
Only your son's PC is inside
VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughter's PC"
VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
Only your wife's PC is inside
VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
Internet access only and secured over the Captive Portal
VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
Internet, NAS and/or perhaps the server will be accessible, secured over the RADIUS server with certificates

A separate subnetwork for my computers and servers.

Would it perhaps be better to set up the server inside of its own VLAN, so you may have full access and the rest of the family members will have only the security abilities from there!? Perhaps if this is MS Windows Server you could install the LDAP and RADIUS Server role for wired and wireless WiFi clients if you wish this.

And a DMZ for internet facing devices and servers.

Really good, I have also all such things placed there, not to disturb the entire LAN!
A Layer 2 switch with or for all devices, so your actual switch will find its way into the new network!

• Gaming console
• Internet TV
• DLNA media streaming devices (Internet radio)

I'm mostly looking to experiment with things and not really concerned with whether or not this is an ideal setup.

You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy a smaller Cisco SG300 10 port or 24 port switch you may have the best option to get all you want. And the actual Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you are this time and step by step high up the security for the entire LAN and WLAN (if in usage), you do it once and get rid of the most problems, or better, you get a structured network with more security.
Atreides

So after doing some reading I think I was confusing the distinction between a network of multiple /24 subnets and an individual subnet block of a /24 network. I was also getting confused by information I was reading about class-based networks, and I was thinking my only option was to move from a class C network to a class B network, where what I should've been thinking of was an RFC1918 network.

I have thought about what you have said and, with what I think would be the best option for me at this point, maybe you can tell me what you think.

I'm going to go with a 172.16 network, something in the range 172.16.x.x.

I had a few more questions though. I understand that it's a benefit to get out of the range that you would be in using VPN, but why exactly would you bother going with an address of 172.26.96, is that for firewall rules?

Also, are you basically saying that since I have all of the /16 address space that I can decide to break it off in /24 blocks if I like, and so I'm free to break the segments up on convenient numbers such as:

LAN VLAN: 172.16.10.0/24
SERVERS VLAN: 172.16.20.0/24
DMZ on its own interface: 172.16.30.0/24

The reason you don't have to increment by one /24 subnet precisely is because you have such a large address space to work with, right?
Derelict LAYER 8 Netgate

Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??
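Derelict's points above (32 /24s in a /19, QoS'ing the phones with a single /29 starting at .64, and 172.16.16.0/22 already covering three consecutive /24s while 172.16.10/20/30 would not aggregate tightly) worked through with Python's standard ipaddress module. This is an added example and not code from the thread or from pfSense; the phone range 172.29.223.65-70, the /19 assumed to contain it, and the remote-site network used for the VPN overlap check are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple


def count_subnets(parent: str, new_prefix: int) -> int:
    """How many /new_prefix blocks fit inside parent, e.g. 32 /24s in a /19 (5 bits)."""
    net = ipaddress.ip_network(parent, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new_prefix must be at least as long as the parent prefix")
    return 2 ** (new_prefix - net.prefixlen)


def smallest_covering(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every network in nets.

    Starts from the first block and drops one prefix bit at a time (supernet())
    until all the others are inside it. Contiguous, aligned blocks aggregate
    tightly; scattered ones force a much larger block.
    """
    blocks = [ipaddress.ip_network(n, strict=True) for n in nets]
    cover = blocks[0]
    while cover.prefixlen > 0 and not all(b.subnet_of(cover) for b in blocks):
        cover = cover.supernet()
    return cover


def covering_block_for_hosts(first: str, last: str) -> ipaddress.IPv4Network:
    """One CIDR covering a contiguous host range, usable as a QoS or firewall source network."""
    return smallest_covering([f"{first}/32", f"{last}/32"])


def vpn_collisions(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """(local, remote) pairs whose address space overlaps.

    Any overlap means a host on the far side of the VPN and a host at home can
    share an address, so routes for that space are ambiguous at both ends.
    """
    hits = []
    for l in local:
        l_net = ipaddress.ip_network(l, strict=True)
        for r in remote:
            if l_net.overlaps(ipaddress.ip_network(r, strict=True)):
                hits.append((l, r))
    return hits


if __name__ == "__main__":
    # Constructed values: a /19 assumed to hold Derelict's 172.29.223.x phones, and a
    # hypothetical remote site that chose the very common 192.168.1.0/24.
    print(count_subnets("172.29.192.0/19", 24))                        # 32
    print(covering_block_for_hosts("172.29.223.65", "172.29.223.70"))  # 172.29.223.64/29
    print(smallest_covering(["172.16.16.0/24", "172.16.17.0/24", "172.16.18.0/24"]))  # 172.16.16.0/22
    print(smallest_covering(["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]))  # 172.16.0.0/19
    print(vpn_collisions(["192.168.0.0/16"], ["192.168.1.0/24"]))      # overlap: trouble
    print(vpn_collisions(["172.29.192.0/19"], ["192.168.1.0/24"]))     # []: no collision
```

The scattered 10/20/30 plan is not wrong, but the smallest single block that covers it is a /19 with 29 unused /24s, whereas 16/17/18 fold into a /22 with one spare; that is the difference a single-CIDR firewall rule or route summary cares about.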
Atreides

@Derelict:

Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??

Whoops, you're right. That wasn't a final decision or anything, just thinking out loud.

Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

@BlueKobold:

The general LAN for the rest of the family and most computers.

VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
default VLAN on many switches and all devices are inside (management VLAN for the admin)
VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
Only family members are storing files here, PC is inside
VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "son's PC"
Only your son's PC is inside
VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughter's PC"
VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
Only your wife's PC is inside
VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
Internet access only and secured over the Captive Portal
VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
Internet, NAS and/or perhaps the server will be accessible, secured over the RADIUS server with certificates

I hadn't considered using so many VLANs. Is such a heavy use of VLANs common, and of any benefit? I guess it lets you apply different rules to every person's computer, but why give them an entire /24 to themselves?

@BlueKobold:

A separate subnetwork for my computers and servers.

Would it perhaps be better to set up the server inside of its own VLAN, so you may have full access and the rest of the family members will have only the security abilities from there!? Perhaps if this is MS Windows Server you could install the LDAP and RADIUS Server role for wired and wireless WiFi clients if you wish this.

It's a FreeBSD server, but yes, I might do that because it would be nice to have a bit better control over server access and it would be nice to be up to do this with firewall rules.

@BlueKobold:

You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy a smaller Cisco SG300 10 port or 24 port switch you may have the best option to get all you want. And the actual Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you are this time and step by step high up the security for the entire LAN and WLAN (if in usage), you do it once and get rid of the most problems, or better, you get a structured network with more security.

I'm not quite sure what you're saying here, could you elaborate? Why would I want to put the managed switch in the DMZ? It's a TP-Link TL-SG3424 by the way. And why do I need another switch?
Derelict LAYER 8 Netgate

Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.
Guest

I hadn't considered using so many VLANs. Is such a heavy use of VLANs common, and of any benefit? I guess it lets you apply different rules to every person's computer, but why give them an entire /24 to themselves?

• More security
• Better able to find and determine network problems
• Each has his own small VLAN without disturbing anybody else in the family
johnpoz LAYER 8 Global Moderator

but why give them an entire /24 to themselves?

You wouldn't, not normally… Not sure what he is attempting to do.. Normally if you wanted to isolate a bunch of machines from talking to each other then you would put them on a private VLAN. But this would be handled at the switch.

Normally if, let's say, you wanted to put a few machines on their own subnet then you would use a smaller network.. But then again if this is a home network, and he wants to use a /24 for each of his devices.. Ok.. You do have 250 some /24s to work with, so if he is not ever going to have that many devices all in their own /24 he is fine.. But no, I wouldn't call it normal ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Atreides

@Derelict:

Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

I'm not sure if I'm understanding this right. Are you saying that 172.26 is picked as a random example, so that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?
Derelict LAYER 8 Netgate

Dude. There are entire books and courses written on IP addressing and subnetting. I don't know how else to explain it.
kpa

@Atreides:

@Derelict:

Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

I'm not sure if I'm understanding this right. Are you saying that 172.26 is picked as a random example, so that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?

All of the RFC1918 subnets are, technically speaking, equal: no preference over one or the other in performance, security or any other purely technical point of view. Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought whether it's a good choice, and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet, because the other end didn't think anything of it either.

I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice; they are obscure enough that with high probability they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.
johnpoz LAYER 8 Global Moderator

Most SOHO devices default to 192.168.0/24 or some 192.168.1/24, so yeah, those are quite common.. So you're at a buddy's house and on his wifi and you want to VPN to your house.. And you're using 192.168.0 as well - then you have issues..

That is why Derelict suggests just using some random other network and not the first network in a range.. 10.0.0/24 is common as well. And it's easy to type ;) 172.16.0 also, again it's the first network - it's normally what people use.. So don't use those..

I use 192.168.9/24 as my LAN for example..
Derelict LAYER 8 Netgate

I generally stay away from 10.0.0.0/anything because too many people out there use 10.0.0.0/8.
johnpoz LAYER 8 Global Moderator

^ Valid point.. And it just blows my freaking mind.. ;) To me the only valid use of such a mask is a summary route or in a firewall rule, etc.. I really cannot think of a reason when such a large network on an interface would make any sense.

Even in the recent thread where they were using a LARGE mask for their wifi network to allow movement between APs, etc. /8 would just be borked!!
Atreides

@kpa:

All of the RFC1918 subnets are, technically speaking, equal: no preference over one or the other in performance, security or any other purely technical point of view. Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought whether it's a good choice, and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet, because the other end didn't think anything of it either.

I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice; they are obscure enough that with high probability they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.

I realize all that. In his first post Derelict mentioned using 172.26; I was wondering if he meant to refer to 172.16 or if there was actually a reason to start at 172.26, that is all.

I see now that the reason he said to start at 172.26 instead of 172.16 was so that it was not in a regularly used space.

I have just recently gotten interested in networking and so it's a learning process and I'm trying to understand it all. At the beginning of the post I hadn't done enough research on how subnets work and I realize now that a /16 mask has no real use in my private network as it is way too large.
Derelict LAYER 8 Netgate

$ perl randomlan.pl
10.106.197.0
172.17.245.0
192.168.179.0

It's just what happened to come out of this at the time. Then I just used the /19 that covered it (172.17.224.0/19 in this run's example).
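Derelict's randomlan.pl itself isn't posted, so here is an added Python equivalent, written for this thread and not his script, that draws one random /24 from each of the three RFC1918 ranges and then reports the /19 that would contain the pick, the way 172.17.245.0 maps to 172.17.224.0/19 in the post above. Two things are my own additions rather than anything the original does: the draw skips the well-known defaults johnpoz listed (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24, 172.16.0.0/24), and the random source is the secrets module.

```python
import ipaddress
import secrets
from typing import Callable, List

# The three RFC1918 ranges randomlan.pl draws from, one pick per range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Networks the thread calls out as common (SOHO defaults and the "first network in
# the range" habit); a home LAN inside these is the most likely VPN collision.
# This exclusion list is an assumption of this example, not part of the original script.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")]


def is_common(net: ipaddress.IPv4Network) -> bool:
    """True if net overlaps one of the widely used default networks."""
    return any(net.overlaps(d) for d in COMMON_DEFAULTS)


def containing_block(addr: str, prefix: int) -> ipaddress.IPv4Network:
    """The /prefix block that contains addr, e.g. the /19 around 172.17.245.0."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def random_24_in(rng_range: ipaddress.IPv4Network,
                 randbelow: Callable[[int], int] = secrets.randbelow) -> ipaddress.IPv4Network:
    """Uniformly random /24 inside rng_range, re-drawing if it lands on a common default."""
    count = 2 ** (24 - rng_range.prefixlen)   # number of /24s in the range
    while True:
        k = randbelow(count)
        # k-th /24: shift by 8 bits because each /24 spans 256 addresses
        cand = ipaddress.ip_network((int(rng_range.network_address) + (k << 8), 24))
        if not is_common(cand):
            return cand


def random_lans(randbelow: Callable[[int], int] = secrets.randbelow) -> List[ipaddress.IPv4Network]:
    """One random /24 per RFC1918 range, like the three lines randomlan.pl printed."""
    return [random_24_in(r, randbelow) for r in RFC1918]


if __name__ == "__main__":
    for lan in random_lans():
        # Print the /24 and the /19 that would contain it, as in the post above.
        print(f"{lan.network_address}  ->  {containing_block(str(lan.network_address), 19)}")
```

The randbelow parameter exists so the draw can be replaced by a deterministic sequence when checking the code; in normal use it is left at its default.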
Atreides

So I mapped out a trial network of /19. I've made the subnets a bit over-sized to allow for unanticipated hosts. Any thoughts?
Jailer

@Atreides:

Any thoughts?

Thoughts? If this is being done for an actual place of employment I hope you have a good resume.
Atreides

@Jailer:

@Atreides:

Any thoughts?

Thoughts? If this is being done for an actual place of employment I hope you have a good resume.

Nope, just experimenting at home.

So what would you alter? I've attempted to follow advice given in this thread.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.