Netgate Discussion Forum
    New at this - Subnets, CIDR and Segmenting My Network

General pfSense Questions
29 Posts 8 Posters 3.8k Views
• Derelict LAYER 8 Netgate

      Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
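
The aggregation point in the post above (three aligned /24s sit inside one /22) is easy to check mechanically. The following is an added example, not code from the thread or from Netgate; it uses only the standard-library `ipaddress` module, the three prefixes are the ones named in the post, and the helper names are my own. It goes a little beyond the post: it finds the smallest covering block for any list of prefixes, flags overlapping entries (two interfaces must never share address space) and lists the unused sub-blocks left inside the covering block.

```python
"""Smallest covering supernet, overlap check and spare blocks for an
address plan.  Added example using only the standard library; the
prefixes in PLAN are the ones quoted in the thread."""
import ipaddress
from itertools import combinations

# Constructed input: the three /24s from the post.
PLAN = ["172.16.16.0/24", "172.16.17.0/24", "172.16.18.0/24"]


def smallest_supernet(prefixes):
    """Smallest single CIDR block that contains every prefix in ``prefixes``.

    Starts from the first prefix and drops one bit of prefix length at a
    time until the candidate covers all of them: three aligned /24s end
    at a /22, a /24 paired with one three blocks away ends at a /22 too.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break  # already 0.0.0.0/0; nothing larger exists
        candidate = candidate.supernet(prefixlen_diff=1)
    return candidate


def overlapping_pairs(prefixes):
    """Every pair of prefixes that share address space.

    Two interfaces (or the two ends of a VPN) must never overlap; an
    empty list means the plan is clean.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def unused_subnets(prefixes, new_prefix=24):
    """Blocks of length ``new_prefix`` inside the covering supernet that the
    plan does not use yet (room to grow, or space that goes to waste)."""
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}
    parent = smallest_supernet(prefixes)
    if parent.prefixlen >= new_prefix:
        return []  # the covering block is no bigger than one unit
    return [s for s in parent.subnets(new_prefix=new_prefix) if s not in nets]


if __name__ == "__main__":
    parent = smallest_supernet(PLAN)
    print("covering block:", parent)                              # 172.16.16.0/22
    print("overlaps:", overlapping_pairs(PLAN))                   # []
    print("spare /24s:", [str(s) for s in unused_subnets(PLAN)])  # ['172.16.19.0/24']
```

Run it as-is to see the three /24s collapse to 172.16.16.0/22 with 172.16.19.0/24 left spare; feed it your own plan to catch an overlap before it reaches a firewall rule.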

• Atreides

        @Derelict:

        Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??

        Whoops you're right. That wasn't a final decision or anything, just thinking out loud.

        Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

        @BlueKobold:

        The general LAN for the rest of the family and most computers.

VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
default VLAN on many switches and all devices are inside (management VLAN for the admin)
VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
Only family members are storing files here, PC is inside
VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "son's PC"
Only your son's PC is inside
VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughter's PC"
VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
Only your wife's PC is inside
VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
Internet access only and secured over the Captive Portal
VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
Internet, NAS and/or perhaps the server will be accessible, secured over the RADIUS server with certificates

I hadn't considered using so many VLANs; is such heavy use of VLANs commonly done, and of any benefit? I guess it lets you apply different rules to every person's computer, but why give them an entire /24 to themselves?

        @BlueKobold:

        A separate subnetwork for my computers and servers.

Would it perhaps be better to set up the server inside of its own VLAN, and you may have full access
and the rest of the family members will have only the security abilities from there!? Perhaps if this
is MS Windows Server you could install the LDAP and RADIUS server role for wired and wireless WiFi
clients if you wish this.

It's a FreeBSD server, but yes, I might do that because it would be nice to have a bit better control over server access, and it would be nice to be able to do this with firewall rules.

        @BlueKobold:

You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy
a smaller Cisco SG300 10 Port or 24 Port Switch you may have the best option to get all you want.
And the actual layer 2 switch might be set up as the DMZ switch! That's it in short. And if you are
this time and step by step high up the security for the entire LAN and WLAN (if in usage) you do it
once and get rid of the most problems, or better, you get a structured network with more security.

I'm not quite sure what you're saying here, could you elaborate? Why would I want to put the managed switch in the DMZ? It's a TP-Link TL-SG3424 by the way. And why do I need another switch?

• Derelict LAYER 8 Netgate

          Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

          It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

• Guest

            I hadn't considered using so many VLANs, is such a heavy use of VLANs commonly used and of any benefit? I guess it lets you apply different rules to every person's computer but why give them an entire /24 to themselves?

            • More security
• better able to find and determine network problems
            • each has his own small VLAN without disturbing anybody else in the family
• johnpoz LAYER 8 Global Moderator

              but why give them an entire /24 to themselves?

You wouldn't, not normally…  Not sure what he is attempting to do..  Normally if you wanted to isolate a bunch of machines from talking to each other then you would put them on a private VLAN.  But this would be handled at the switch.

Normally if, let's say, you wanted to put a few machines on their own subnet then you would use a smaller network..  But then again if this is a home network, and he wants to use a /24 for each of his devices.. Ok.. You do have 250 some /24s to work with, so if he is not ever going to have that many devices all in their own /24 he is fine..  But no, I wouldn't call it normal ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

• Atreides

                @Derelict:

                Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

                It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

                I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?

• Derelict LAYER 8 Netgate

                  Dude. There are entire books and courses written on IP addressing and subnetting. I don't know how else to explain it.

• kpa

                    @Atreides:

                    @Derelict:

                    Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

                    It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

                    I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?

                    All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view.  Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.

I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice; they are obscure enough that with high probability they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.

• johnpoz LAYER 8 Global Moderator

Most SOHO devices default to 192.168.0/24 or some 192.168.1/24, so yeah, those are quite common.. So you're at a buddy's house and on his wifi and you want to VPN to your house.. And you're using 192.168.0 as well - then you have issues..

That is why Derelict suggests just using some random other network and not the first network in a range.. 10.0.0/24 is common as well.  And it's easy to type ;)  172.16.0 also, again it's the first network - it's normally what people use..  So don't use those..

                      I use 192.168.9/24 as my lan for example..

• Derelict LAYER 8 Netgate

                        I generally stay away from 10.0.0.0/anything because too many people out there use 10.0.0.0/8.

• johnpoz LAYER 8 Global Moderator

^ valid point.. And just blows my freaking mind.. ;)  To me the only valid use of such a mask is a summary route or in a firewall rule, etc.. I really cannot think of a reason when such a large network on an interface would make any sense.

Even in the recent thread where they were using a LARGE mask for their wifi network to allow movement between APs, etc.  /8 would just be borked!!

• Atreides

                            @kpa:

                            All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view.  Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.

                            I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice, they are obscure enough with high probability that they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.

                            I realize all that. In his first post Derelict mentioned using 172.26, I was wondering if you meant to refer to 172.16 or if there was actually a reason to start at 172.26 that is all.

I see now that the reason he said to start at 172.26 instead of 172.16 was so that it was not in a regularly used space.

I have just recently gotten interested in networking, so it's a learning process and I'm trying to understand it all. At the beginning of the post I hadn't done enough research on how subnets work, and I realize now that a /16 mask has no real use in my private network as it is way too large.

• Derelict LAYER 8 Netgate

                              $ perl randomlan.pl
                              10.106.197.0
                              172.17.245.0
                              192.168.179.0

                              It's just what happened to come out of this at the time. Then I just used the /19 that covered it (172.17.224.0/19 in this run's example).
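
The randomlan.pl run above shows the idea: draw one random /24 from each RFC 1918 block, then take the /19 that contains the one you like. The script below is an added example in the same spirit; it is not Derelict's script (the thread only shows its output) and nothing about it comes from Netgate. The set of "factory default" /24s it skips is exactly the one named in the thread (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24, 172.16.0.0/24), and the `vpn_conflict` helper is my own name for the overlap check that decides whether two sites' LANs can be joined over a tunnel.

```python
"""Random, non-default RFC 1918 /24s and the /19 that contains each.
Added example; not the thread's randomlan.pl, whose source is not shown."""
import ipaddress
import random

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The first /24 of each block is what SOHO gear ships with, so a VPN
# from a friend's house or a hotel is likely to collide with it.
COMMON_DEFAULTS = {
    ipaddress.ip_network(p)
    for p in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")
}


def _as_net(value):
    """Accept either a string like '10.1.2.0/24' or an IPv4Network."""
    return value if isinstance(value, ipaddress.IPv4Network) else ipaddress.ip_network(value)


def random_slash24(block, rng, avoid=COMMON_DEFAULTS):
    """A uniformly random /24 inside ``block`` that is not in ``avoid``."""
    block = _as_net(block)
    count = 2 ** (24 - block.prefixlen)  # number of /24s that fit in the block
    while True:
        offset = rng.randrange(count) * 256
        candidate = ipaddress.IPv4Network((int(block.network_address) + offset, 24))
        if candidate not in avoid:
            return candidate


def covering_block(net, new_prefix=19):
    """The aligned block of length ``new_prefix`` that contains ``net``.

    172.17.245.0/24 lands in 172.17.224.0/19 because the third octet
    245 (0b11110101) masked with 0b11100000 is 224.
    """
    return _as_net(net).supernet(new_prefix=new_prefix)


def vpn_conflict(local, remote):
    """True when the two ends of a VPN use overlapping address space,
    the failure the thread warns about (routing cannot tell them apart)."""
    return _as_net(local).overlaps(_as_net(remote))


def pick_plan(seed=None, parent_prefix=19):
    """One random /24 per RFC 1918 block, paired with its covering block.
    Pass a seed to make the draw reproducible."""
    rng = random.Random(seed)
    return [(lan, covering_block(lan, parent_prefix))
            for lan in (random_slash24(b, rng) for b in RFC1918)]


if __name__ == "__main__":
    for lan, parent in pick_plan():
        print(f"{lan}  ->  carve your /24s out of {parent}")
```

Pick one line of the output, keep the /19 as the space all your interfaces come from, and before building a tunnel to somebody else's network run `vpn_conflict` on both LANs; a result of `True` means one side has to renumber first.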

• Atreides

                                So I mapped out a trial network of /19. I've made the subnets a bit over-sized to allow for unanticipated hosts. Any thoughts?

• Jailer

                                  @Atreides:

                                  Any thoughts?

                                  Thoughts? If this is being done for an actual place of employment I hope you have a good resume.

• Atreides

                                    @Jailer:

                                    @Atreides:

                                    Any thoughts?

                                    Thoughts? If this is being done for an actual place of employment I hope you have a good resume.

                                    Nope, just experimenting at home.

                                    So what would you alter? I've attempted to follow advice given in this thread.

• Derelict LAYER 8 Netgate

                                      Just make them all /24. The only reason to subnet like that is to stretch a small allocation across multiple interfaces. Unless you know you are going to need to make that /19 stretch across hundreds of interfaces.

                                      But if you're doing some sort of simulation of an IP address shortage/scarcity it looks ok.

• Atreides

                                        So you'd go with something like:

| Network    | Subnet        |
|------------|---------------|
| Management | 172.20.0.0/24 |
| General    | 172.20.1.0/24 |
| JLAN       | 172.20.2.0/24 |
| Servers    | 172.20.3.0/24 |
| Guest      | 172.20.4.0/24 |
| DMZ        | 172.20.5.0/24 |

                                        Just for simplicity and ease of use?

• KOM

                                          Yes.

• Atreides

                                            Roger that.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.