LARGE IP SUBNETS.

Mitch_Sullo

I've inherited a fairly homespun and idiosyncratic Office LAN that is in need of a revamp. I need some advice or feedback: :D. A single pfSense appliance is onsite as the office Firewall.

The office LAN is a single broadcast domain with a lot of un-managed switches. I want to segment the network into VLANS, but the office LAN has been setup on a HUGE subnet. (10.10.0.0 /16)!

My question IS....!

Hosts and servers have been 'assigned' within this Subnet, (that is - Servers have been added to DNS under 10.10.0.0, DHCP Pool is starts at 10.10.1.0, ) - without a full understanding of how subnets work and the importance of routing.

Should I push hard to move to more "logical' subnet layout 10.0.0.1/24 or /23.

There are currently about 60 full time staff, about 20 servers maximum. 65,534 hosts is not really required.

Your feedback is greatly appreciated.

Cheers
Mitch

johnpoz

Almost always you will see vlans broken at the /24 mark when you have plenty of space to work with, even if only a handful of machines in that vlan.. The /24 being the 3rd octet allows for humans to easy see when the IP is a different vlan. Having all of rfc1918 space to play with means you have no restrictions.. So yeah /24 is logical vlan break.

Why would you use /23 if you only have maybe 200 devices total... That is with all 60 of your people having a phone and a tablet along with their normal pc/laptop..

When would you ever need that many devices on the same vlan?

Sounds like a fun project - cleaning up networks is always fun!! Need any advice just ask..

Not sure why you put this is routing and multiwan section? Going to move it to general area.

Mitch_Sullo

@johnpoz said in LARGE IP SUBNETS.:

Almost always you will see vlans broken at the /24 mark when you have plenty of space to work with, even if only a handful of machines in that vlan.. The /24 being the 3rd octet allows for humans to easy see when the IP is a different vlan. Having all of rfc1918 space to play with means you have no restrictions.. So yeah /24 is logical vlan break.
Why would you use /23 if you only have maybe 200 devices total... That is with all 60 of your people having a phone and a tablet along with their normal pc/laptop..
When would you ever need that many devices on the same vlan?
Sounds like a fun project - cleaning up networks is always fun!! Need any advice just ask..
Not sure why you put this is routing and multiwan section? Going to move it to general area.

Thankyou Sir. I will have PLENTY of questions forthcoming.

NogBadTheBad

@johnpoz said in LARGE IP SUBNETS.:

Almost always you will see vlans broken at the /24 mark when you have plenty of space to work with, even if only a handful of machines in that vlan.. The /24 being the 3rd octet allows for humans to easy see when the IP is a different vlan. Having all of rfc1918 space to play with means you have no restrictions.. So yeah /24 is logical vlan break.

Do you have Wi-Fi on the 10.10.0.0 /16 ?

If you do maybe consider moving the Wi-Fi to another subnet or maybe create a guest vlan and firewall it off and if your looking at switches maybe pick a POE one.

johnpoz

Oh btw.. your use of 10.0.0.1/24 is not a network address.. That is a host address. When you express an address or network if the expressed value is not the actual network, then its a host address.

So for example 10.0.0.0/24 is the first /24 subnet in the 10 space, while 10.0.0.1/24 would be the first host address in that space.

10.0.0.128/25 would be 2nd subnet with /25, while 10.0.0.129/25 would be the first host address in that subnet.

Maybe you meant 10.0.1.0/24?

Also you might want to stay away from the typical common address ranges, 192.168.0/24 or 192.168.1/24 or 10.0.0/24 etc.. since these are very common used everywhere else.. So say you have someone vpn in you could run into problems if they are on the that network say at their house or starbucks, etc.

So for example my normal lan at home is 192.168.9/24, then I use 192.168.2, .3, .4 etc .. no 192.168.0 or 192.168.1 on my home network less likely to overlap when I am remote..

@NogBadTheBad pretty sure he is going to be segmenting up the place? But yeah wifi should be isolated to their own vlans - guest, normal users, etc.. should be different than your normal user network and servers network, etc. etc.

Mitch_Sullo

@johnpoz said in LARGE IP SUBNETS.:

dress.
So for example 10.0.0.0/24 is the first /24 subnet in the 10 space, while 10.0.0.1/24 would be the first host address in that space.
10.0.0.128/25 would be 2nd subnet with /25, while 10.0.0.129/25 would be the first host address in that subnet.
Maybe you meant 10.0.1.0/24?
Also you might want to stay away from the typical common address ranges, 192.168.0/24 or 192.168.1/24 or 10.0.0/24 etc.. since these are very common used everywhere else.. So say you have someone vpn in you could run into problems if they are on the that network say at their house or starbucks, etc.

Thanks guys!. I should have written a network address :D (I Understand).

OpenVPN services are already provisioned on the PFSense. It has its own separate tunnel network (10.11.0.0/16) and that network can access the existing Office LAN.

We have Wifi provisioned via UniFi. The unifi AP's talk to a container running within the LAN. That will need to be optimised / hardened as well.

NogBadTheBad

@mitch_sullo

Re the Unifi, get switches that handle VLANS and your sorted.

I'd also allocate a VLAN for device management.

Mitch_Sullo

I've got 2 a bunch of Juniper EX Switches, and an extra PF-Sense appliance.

I want to setup CARP/VRRP Redundancy. Should all the routing take place at the PF-Sense or should there be IRBs configured at the switch level???

NogBadTheBad

@mitch_sullo

Depends on how chatty the network would be between the servers and clients.

pfSense is easier to manage in regards to firewall rules.

johnpoz

The need for downstream routers will for sure complex up your setup. And unless there is going to be large amount of intervlan traffic. Say maybe between the users PCs and the Servers that the router can not handle.. There is little reason to route it downstream from pfsense.

Filtering traffic at the switch is going to be way more complex than the easy to use gui and interface for firewall rules than what is available on pfsense.

You would really need to evaluate the amount of traffic between users and servers if your going to split those into their own segments to determine which is the better option.. And how best to skin that cat.

What sort of traffic flows between the users and the servers? Are you more worried about firewall or bandwidth between the users and the servers, etc. etc.. You could for sure create a bottleneck if not done correctly..

Also what kind of uplink(s) can you do from your switch environment.. For example if your uplinks to the firewall are 10ge, and your clients are at 1ge.. And you use physical interfaces for both vlans uplinks, and firewall is actually capable of routing at 10ge you would really need to be pushing some data between users and servers to cause a problem.

But for example say if you have 60 different users spread across your 20 servers all moving large files, and you only have 1ge uplinks from your switch to router, and you now need to shove all that traffic through 1ge yeah you could run into some complaints from users that file transfers are slower, etc.

Easy solution if lots of traffic between users and servers is to just put them all on the same vlan - depends on if your more concerned with firewalling than performance, etc. etc..

Mitch_Sullo

@johnpoz said in LARGE IP SUBNETS.:

You would really need to evaluate the amount of traffic between users and servers if your going to split those into their own segments to determine which is the better option.. And how best to skin that cat.

It is mostly SSH and NFS. Even then, this traffic is only required by 50-65% company at best. NFS is to 2 x NAS Devices, file transfers and data streams.

johnpoz

Well comes down to how much data your moving... I highly doubt ssh would ever be an issue.. But if your wanting to move a lot of files back and forth from user to nas..

Then sure forcing all the traffic that used to be switched through a router, be it at the edge or downstream that has a single 1ge uplink could be a problem.

Comes down to the size of the files your moving, the speed of the NAS, the number of users moving stuff concurrently, etc.. You might want to look into the NAS and see how much data its moving.. And then see if routing that through a 1 gig uplink is going to cause you any sort of concerns for your users performance..

I would GUESS that your NAS are attached to the network at 1 gig, so prob not a problem? But think about it if you have 2 nases each at 1gig, and then you force both of them through 1gig uplink to your router when you move them to their own vlan. Then yeah you could create a possible bottleneck that users might notice.

NogBadTheBad

Maybe LAGG your LAN ports if you have spare ones.

johnpoz

Yeah lagg is an option to get more total bandwidth available between users and servers.. But when 1 side of that is limited to a couple of boxes and a handful of users might not solve the problem.. There is nothing saying that the sessions are going to be split even between the uplinks, etc.

Sure in general a lagg brings a bigger pipe to the uplink.. 1+1 does not =2, just mean you have 1 and 1.. How data gets split between those 1's depends on multiple other factors.

Optimal design of the lan is quiet often overlooked ;)

See it all the time.. But everything is connected at gig why I am I not getting gig.. The NAS is X*SSD in a raid 0, etc.

Well - lets see you have 100 users talking to all kinds of stuff intervlan with your 10 different vlans all on the same physical 1 gig interface... Yeah your router is a freaking BEAST and can see its not breaking a sweat... Your road between is just overused... Suppose to be able to go 55 on the highway as well, but when its crowded and over used.. Can you go 55 ;)

Mitch_Sullo

@johnpoz said in LARGE IP SUBNETS.:

Optimal design of the lan is quiet often overlooked ;)
See it all the time.. But everything is connected at gig why I am I not getting gig.. The NAS is X*SSD in a raid 0, etc.
Well - lets see you have 100 users talking to all kinds of stuff intervlan with your 10 different vlans all on the same physical 1 gig interface... Yeah your router is a freaking BEAST and can see its not breaking a sweat... Your road between is just overused... Suppose to be able to go 55 on the highway as well, but when its crowded and over used.. Can you go 55 ;)

I have 10gb Uplink Modules for each of the switches, so no problem in that regard. I'm also having fiber run between 2 floors of the building. I might set up LAG teams for NAS however.