New at this - Subnets, CIDR and Segmenting My Network
-
I have a 24 port L2 managed switch and 5 interface sg-4860 at my disposal.
There are two ways that might be most common to go with.
1. Connect a small dumb switch to the LAN ports of the SG-4860 and use plain routing
Pros: Small, dumb and cheap switches can be used
Cons: Nothing
2. Create VLANs and terminate them at the pfSense firewall
Pros: Better segmentation of the entire network and use of the firewall rules
Cons: All traffic then goes through the pfSense firewall, I mean also the bigger
files from and to the servers and the NAS, if one is in the game, so power is needed
Alternatively you could also walk another way and get a Layer 3 switch that routes
the entire LAN and VLAN traffic on its own.
Pros: The entire LAN traffic is led and routed by the switch and does not hit the pfSense
until the DMZ must be reached or is targeted.
Cons: A second switch should be used too, as the LAN or DMZ switch
First of all I want to chop my network up into a few subnets, probably something like the following:
Ok, what should be the method to use or the way you will walk!
The general LAN for the rest of the family and most computers.
VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
default VLAN on many switches and all devices are inside (management VLAN for the admin)
VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
Only family members are storing files here, PC is inside
VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "sons PC"
Only your son's PC is inside
VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughters PC"
VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
Only your wife's PC is inside
VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
Internet access only and secured over the Captive Portal
VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
Internet, NAS and/or perhaps the server will be accessible secured over the RADIUS server with certificates
A separate subnetwork for my computers and servers.
Would it perhaps be better to set up the server inside of its own VLAN, so you may have full access
and the rest of the family members will have only the security abilities from there!? Perhaps if this
is an MS Windows server you could install the LDAP and RADIUS server role for wired and wireless WiFi
clients if you wish this.
And a DMZ for internet facing devices and servers.
Really good, I have also placed all such things there so as not to disturb the entire LAN!
A Layer 2 switch with or for all such devices, so your actual switch will find its way into the new network!
- Gaming console
- Internet TV
- DLNA media streaming devices (Internet radio)
I'm mostly looking to experiment with things and not really concerned with whether or not this is an ideal setup.
You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy
a smaller Cisco SG300 10 port or 24 port switch you may have the best option to get all you want.
And the actual Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you
this time, step by step, raise the security for the entire LAN and WLAN (if in use), you do it
once and get rid of most problems, or better, you get a structured network with more security.
-
So after doing some reading I think I was confusing the distinction between a network of multiple /24 subnets and an individual subnet block of a /24 network. I was also getting confused between information I was reading about class-based networks, and I was thinking my only option was to move from a class C network to a class B network where what I should've been thinking of was an RFC1918 network.
I have thought about what you have said and, with what I think would be the best option for me at this point, maybe you can tell me what you think.
I'm going to go with a 172.16 network, something in the range 172.16.x.x.
I had a few more questions though. I understand that it's a benefit to get out of the range that you would be in using VPN, but why exactly would you bother going with an address of 172.26.96, is that for firewall rules?
Also, are you basically saying that since I have all of the /16 address space that I can decide to break it off in /24 blocks if I like, and so I'm free to break the segments up on convenient numbers such as:
LAN VLAN: 172.16.10.0/24
SERVERS VLAN: 172.16.20.0/24
DMZ on its own interface: 172.16.30.0/24
The reason you don't have to increment by one /24 subnet precisely is because you have such a large address space to work with, right?
-
Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??
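Derelict's point in runnable form, as an added Python example that is not from the thread (standard-library ipaddress only): it checks whether a list of /24s sits inside a supernet, finds the smallest single block that covers them, and lists the space a firewall rule written on that supernet would match beyond the /24s you actually planned. The network values are the ones from the post; the function names are my own.

```python
"""Coverage and summarization checks for CIDR blocks (added example, not from the thread)."""
import ipaddress
from typing import Dict, Iterable, List


def contained(supernet: str, subnets: Iterable[str]) -> Dict[str, bool]:
    """Map each subnet to True when it lies entirely inside `supernet`."""
    big = ipaddress.ip_network(supernet)
    return {s: ipaddress.ip_network(s).subnet_of(big) for s in subnets}


def members(supernet: str, new_prefix: int = 24) -> List[str]:
    """Every block of length `new_prefix` that the supernet contains."""
    big = ipaddress.ip_network(supernet)
    return [str(n) for n in big.subnets(new_prefix=new_prefix)]


def smallest_cover(subnets: Iterable[str]) -> str:
    """Smallest single CIDR block containing all of `subnets`.

    Walk up from the first network one prefix length at a time until the
    candidate contains every other network. The answer can be larger than
    the union of the inputs, which is exactly the point of extra_space().
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return str(cand)


def extra_space(supernet: str, subnets: Iterable[str], new_prefix: int = 24) -> List[str]:
    """Blocks inside `supernet` that were not planned but that a rule on the supernet still matches."""
    wanted = {str(ipaddress.ip_network(s)) for s in subnets}
    return [m for m in members(supernet, new_prefix) if m not in wanted]


if __name__ == "__main__":
    plan = ["172.16.16.0/24", "172.16.17.0/24", "172.16.18.0/24"]
    print(contained("172.16.16.0/22", plan))   # all True
    print(smallest_cover(plan))                # 172.16.16.0/22
    print(extra_space("172.16.16.0/22", plan)) # ['172.16.19.0/24']
```

The last line is the caveat worth keeping in mind when you aggregate for convenience: a rule on 172.16.16.0/22 also admits 172.16.19.0/24, whether or not you ever put hosts there.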
-
Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??
Whoops you're right. That wasn't a final decision or anything, just thinking out loud.
Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?
@BlueKobold:
The general LAN for the rest of the family and most computers.
VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
default VLAN on many switches and all devices are inside (management VLAN for the admin)
VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
Only family members are storing files here, PC is inside
VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "sons PC"
Only your son's PC is inside
VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughters PC"
VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
Only your wife's PC is inside
VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
Internet access only and secured over the Captive Portal
VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
Internet, NAS and/or perhaps the server will be accessible secured over the RADIUS server with certificates
I hadn't considered using so many VLANs, is such a heavy use of VLANs commonly used and of any benefit? I guess it lets you apply different rules to every person's computer but why give them an entire /24 to themselves?
@BlueKobold:
A separate subnetwork for my computers and servers.
Would it perhaps be better to set up the server inside of its own VLAN, so you may have full access
and the rest of the family members will have only the security abilities from there!? Perhaps if this
is an MS Windows server you could install the LDAP and RADIUS server role for wired and wireless WiFi
clients if you wish this.
It's a FreeBSD server, but yes I might do that because it would be nice to have a bit better control over server access and it would be nice to be able to do this with firewall rules.
@BlueKobold:
You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy
a smaller Cisco SG300 10 port or 24 port switch you may have the best option to get all you want.
And the actual Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you
this time, step by step, raise the security for the entire LAN and WLAN (if in use), you do it
once and get rid of most problems, or better, you get a structured network with more security.
I'm not quite sure what you're saying here, could you elaborate? Why would I want to put the managed switch in the DMZ? It's a TP-Link TL-SG3424 by the way. And why do I need another switch?
-
Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?
It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.
-
I hadn't considered using so many VLANs, is such a heavy use of VLANs commonly used and of any benefit? I guess it lets you apply different rules to every person's computer but why give them an entire /24 to themselves?
- More security
- better able to find and determinate network problems
- each has his own small VLAN without disturbing anybody else in the family
-
but why give them an entire /24 to themselves?
You wouldn't, not normally… Not sure what he is attempting to do.. Normally if you wanted to isolate a bunch of machines from talking to each other then you would put them on a private VLAN. But this would be handled at the switch.
Normally if, let's say, you wanted to put a few machines on their own subnet then you would use a smaller network.. But then again if this is a home network, and he wants to use a /24 for each of his devices.. Ok.. You do have 250-some /24s to work with so if he is not ever going to have that many devices all in their own /24 he is fine.. But no I wouldn't call it normal ;)
-
Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?
It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.
I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?
-
Dude. There are entire books and courses written on IP addressing and subnetting. I don't know how else to explain it.
-
Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?
It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.
I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?
All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view. Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.
I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice, they are obscure enough with high probability that they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.
-
Most SOHO devices default to 192.168.0/24 or some 192.168.1/24 so yeah those are quite common.. So you're at a buddy's house and on his wifi and you want to VPN to your house.. And you're using 192.168.0 as well - then you have issues..
That is why Derelict suggests just using some random other network and not the first network in a range.. 10.0.0/24 is common as well. And it's easy to type ;) 172.16.0 also, again it's the first network - it's normally what people use.. So don't use those..
I use 192.168.9/24 as my lan for example..
-
I generally stay away from 10.0.0.0/anything because too many people out there use 10.0.0.0/8.
-
^ valid point.. And just blows my freaking mind.. ;) To me the only valid use of such a mask is a summary route or in a firewall rule, etc.. I really can not think of a reason when such a large network on an interface would make any sense.
Even in the recent thread where they were using a LARGE mask for their wifi network to allow movement between APs, etc. /8 would just be borked!!
-
@kpa:
All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view. Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.
I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice, they are obscure enough with high probability that they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.
I realize all that. In his first post Derelict mentioned using 172.26, I was wondering if you meant to refer to 172.16 or if there was actually a reason to start at 172.26 that is all.
I see now that the reason he said to start at 172.26 instead of 172.16 was so that it was not in a regularly used space.
I have just recently gotten interested in networking and so it's a learning process and I'm trying to understand it all. At the beginning of the post I hadn't done enough research on how subnets work and I realize now that a /16 mask has no real use in my private Network as it is way too large.
-
$ perl randomlan.pl
10.106.197.0
172.17.245.0
192.168.179.0
It's just what happened to come out of this at the time. Then I just used the /19 that covered it (172.17.224.0/19 in this run's example).
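The collision problem kpa describes a few posts up and the random picker Derelict ran, as one added Python example. It is not randomlan.pl (whose source is not in the thread) but my own reconstruction of the idea: draw one /24 from each RFC1918 block, drop any that overlaps a constructed list of networks you expect to reach over VPN or that is one of the common defaults named in the thread, and compute the /19 that covers the chosen /24 the way Derelict did. The remote network list, the seed and the function names are assumptions.

```python
"""Pick an uncommon RFC1918 /24 and check it for VPN overlap (added example, not randomlan.pl)."""
import ipaddress
import random
from typing import List, Optional

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The "first network in the range" defaults the thread warns about (constructed list).
COMMON_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24"]

# Constructed: subnets on the far side of the VPNs you expect to connect to.
REMOTE_VPN_NETS = ["192.168.1.0/24", "10.8.0.0/24", "172.16.0.0/16"]


def _draw(block: str, rng: random.Random) -> str:
    """Uniformly choose one /24 inside an RFC1918 block."""
    big = ipaddress.ip_network(block)
    count = 2 ** (24 - big.prefixlen)                      # how many /24s the block holds
    base = int(big.network_address) + rng.randrange(count) * 256
    return str(ipaddress.ip_network((base, 24)))


def candidates(seed: Optional[int] = None) -> List[str]:
    """One random /24 per RFC1918 block, like the three lines the perl script printed."""
    rng = random.Random(seed)
    return [_draw(b, rng) for b in RFC1918]


def conflicts(candidate: str, remotes: List[str]) -> List[str]:
    """Remote networks that overlap `candidate`; any hit means ambiguous routing once the tunnel is up."""
    cand = ipaddress.ip_network(candidate)
    return [r for r in remotes if cand.overlaps(ipaddress.ip_network(r))]


def is_safe(candidate: str, remotes: List[str]) -> bool:
    """Private, not one of the well-worn defaults, and overlap-free against `remotes`."""
    net = ipaddress.ip_network(candidate)
    return net.is_private and candidate not in COMMON_DEFAULTS and not conflicts(candidate, remotes)


def pick_lan(remotes: List[str], seed: Optional[int] = None, rounds: int = 50) -> str:
    """First candidate /24 that passes is_safe(); deterministic for a given seed."""
    rng = random.Random(seed)
    for _ in range(rounds):
        for block in RFC1918:
            cand = _draw(block, rng)
            if is_safe(cand, remotes):
                return cand
    raise RuntimeError("no overlap-free /24 found; check the remote network list")


def covering_block(net: str, prefix: int = 19) -> str:
    """The shorter-prefix block that contains `net`, e.g. 172.17.245.0/24 -> 172.17.224.0/19."""
    return str(ipaddress.ip_network(net).supernet(new_prefix=prefix))


if __name__ == "__main__":
    print(candidates(seed=1))
    lan = pick_lan(REMOTE_VPN_NETS, seed=1)
    print(lan, "inside", covering_block(lan))
```

Run it before you commit to an address plan and again whenever a new VPN peer turns up: conflicts() on your existing LAN against the peer's subnets is the same check in the other direction.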
-
So I mapped out a trial network of /19. I've made the subnets a bit over-sized to allow for unanticipated hosts. Any thoughts?
-
Any thoughts?
Thoughts? If this is being done for an actual place of employment I hope you have a good resume.
-
-
Just make them all /24. The only reason to subnet like that is to stretch a small allocation across multiple interfaces. Unless you know you are going to need to make that /19 stretch across hundreds of interfaces.
But if you're doing some sort of simulation of an IP address shortage/scarcity it looks ok.
-
So you'd go with something like:
| Management | 172.20.0.0/24 |
| General | 172.20.1.0/24 |
| JLAN | 172.20.2.0/24 |
| Servers | 172.20.3.0/24 |
| Guest | 172.20.4.0/24 |
| DMZ | 172.20.5.0/24 |
Just for simplicity and ease of use?
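Both plans from the last few posts in one added Python example, not from the thread (standard library only): carving the allocation by host count, which is what the over-sized /19 map was doing, beside handing each VLAN a flat /24 as Derelict suggests, with an overlap check on the result. The host counts and the 172.20.0.0/21 allocation are constructed; the VLAN names are the ones in the table above.

```python
"""Carve VLAN subnets from one allocation: by host count (VLSM) or a flat /24 each (added example)."""
import ipaddress
import math
from itertools import combinations
from typing import Dict, Iterable, List

# Constructed host-count requirements, keyed by the VLAN names from the thread's table.
REQUIREMENTS = {"Management": 10, "General": 60, "JLAN": 5, "Servers": 20, "Guest": 100, "DMZ": 12}
ALLOCATION = "172.20.0.0/21"   # constructed: eight /24s to work with


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose block leaves `hosts` usable addresses after network and broadcast."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - bits


def carve(allocation: str, reqs: Dict[str, int]) -> Dict[str, str]:
    """First-fit VLSM: place the biggest requirement first so every block lands on its natural boundary."""
    pool = [ipaddress.ip_network(allocation)]       # free blocks, kept sorted by address
    plan: Dict[str, str] = {}
    for name, hosts in sorted(reqs.items(), key=lambda kv: -kv[1]):
        want = prefix_for_hosts(hosts)
        for i, free in enumerate(pool):
            if free.prefixlen > want:
                continue                             # this free block is too small
            if free.prefixlen == want:
                chosen, rest = free, []
            else:
                chosen = next(free.subnets(new_prefix=want))
                rest = list(free.address_exclude(chosen))   # leftovers go back to the pool
            pool[i:i + 1] = sorted(rest, key=lambda n: int(n.network_address))
            plan[name] = str(chosen)
            break
        else:
            raise ValueError(f"allocation exhausted while placing {name}")
    return plan


def flat_slash24(allocation: str, names: List[str]) -> Dict[str, str]:
    """Derelict's suggestion: one /24 per VLAN, in table order, from the same allocation."""
    blocks = list(ipaddress.ip_network(allocation).subnets(new_prefix=24))
    if len(names) > len(blocks):
        raise ValueError("not enough /24s in the allocation")
    return {name: str(block) for name, block in zip(names, blocks)}


def usable_hosts(net: str) -> int:
    """Host addresses left once network and broadcast are taken out."""
    return ipaddress.ip_network(net).num_addresses - 2


def no_overlap(nets: Iterable[str]) -> bool:
    """True when no two planned subnets share an address (required for sane routing and firewall rules)."""
    objs = [ipaddress.ip_network(n) for n in nets]
    return not any(a.overlaps(b) for a, b in combinations(objs, 2))


if __name__ == "__main__":
    for name, net in carve(ALLOCATION, REQUIREMENTS).items():
        print(f"{name:<11} {net:<18} {usable_hosts(net)} usable hosts")
    print(flat_slash24(ALLOCATION, list(REQUIREMENTS)))
```

The carved plan packs all six VLANs into a little over one /24, which is the address-scarcity exercise Derelict was describing; the flat plan spends six of the eight /24s and leaves every VLAN the same size, which is what makes rules and DHCP scopes easy to read.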