New at this - Subnets, CIDR and Segmenting My Network



  • I'm fairly new at this and have just recently gotten interested in networking. I'm having some trouble working out how to segment my network and what subnet mask I should be using. I have a 24-port L2 managed switch and a 5-interface SG-4860 at my disposal.

    First of all I want to chop my network up into a few subnets, probably something like the following:

    The general LAN for the rest of the family and most computers.

    A separate subnetwork for my computers and servers.

    And a DMZ for internet facing devices and servers.

    I'm mostly looking to experiment with things and not really concerned with whether or not this is an ideal setup.

    I'm a little confused by CIDR notation. Right now I have a setup of everything on 192.168.0.2/24. If I want something like 3 to 4 VLAN subnets of 255 addresses each (192.168.10.x, 192.168.20.x, 192.168.30.x, 192.168.40.x) and then the DMZ on 192.168.50.x, do I need to switch to a CIDR of /16?

    I seem to have confused myself with all the info on A/B/C class addresses and how they differ from CIDR addresses, so I'm a little overwhelmed.


  • Netgate

    I would pick something random, like:

    172.26.115.0
    192.168.165.0

    Then I would decide how many subnets you want and what size. A /24 (253 hosts plus the router interface) is almost certainly enough for the home.

    Say you think 32 is enough; that would be a supernet of, for example, 172.26.96.0/19 (172.26.96.0 - 172.26.127.255). That will NOT be assigned to any interfaces.

    Then do something like:

    LAN: 172.26.96.0/24
    SERVERS: 172.26.97.0/24
    DMZ: 172.26.98.0/24

    Then maybe start at the top and work down for virtual networks:

    OpenVPN Tunnel Network: 172.26.127.0/24

    Etc.

    Should you ever want to connect to another network over a VPN, etc., you would need just one route for 172.26.96.0/19 and could limit what is transferred with firewall rules.

    There are a thousand different ways to do this and you can subnet any way you want. That is just one way to skin that cat.

    I like doing everything on subnet boundaries. Some people (including the pfSense defaults) put DHCP pools on something like 192.168.1.100 - 192.168.1.199. I prefer something like 192.168.1.129 - 192.168.1.254. That way the single CIDR of 192.168.1.128/25 covers that pool should it ever be desirable to do so.
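An added example (my code, not Derelict's or anything from pfSense) of the layout above using Python's ipaddress module: it carves 172.26.96.0/19 into its /24s, checks that the four named networks need only the one /19 route, and shows why a DHCP pool of .129-.254 is covered by a single /25 while a .100-.199 pool would need the whole /24 (and so also match the static addresses). The pool helper is general: it returns the smallest single CIDR around any address range, so it also answers which /22 covers 172.16.16.0 through 172.16.18.255.

```python
import ipaddress

# Derelict's example supernet and the /24s carved from it (values from the post).
SUPERNET = ipaddress.ip_network("172.26.96.0/19")
NETWORKS = {
    "LAN": ipaddress.ip_network("172.26.96.0/24"),
    "SERVERS": ipaddress.ip_network("172.26.97.0/24"),
    "DMZ": ipaddress.ip_network("172.26.98.0/24"),
    "OpenVPN": ipaddress.ip_network("172.26.127.0/24"),
}


def carve(supernet, prefixlen=24):
    """Return the list of /prefixlen subnets contained in supernet."""
    return list(supernet.subnets(new_prefix=prefixlen))


def single_route_covers(supernet, networks):
    """True when one route for supernet reaches every listed network."""
    return all(net.subnet_of(supernet) for net in networks)


def smallest_covering_cidr(first, last):
    """Smallest single network that contains the whole first..last range.

    Widen a /32 around `first` until `last` fits. The network and broadcast
    addresses may lie outside the pool; that is why .129-.254 lines up with
    a /25 while .100-.199 spills out to the /24.
    """
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def addresses_outside_pool(first, last):
    """How many addresses the covering CIDR matches that are not in the pool."""
    net = smallest_covering_cidr(first, last)
    pool_size = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return net.num_addresses - pool_size


if __name__ == "__main__":
    twenty_fours = carve(SUPERNET)
    print(f"{SUPERNET} holds {len(twenty_fours)} /24s: {twenty_fours[0]} .. {twenty_fours[-1]}")
    print("one route is enough:", single_route_covers(SUPERNET, NETWORKS.values()))
    for pool in (("192.168.1.129", "192.168.1.254"), ("192.168.1.100", "192.168.1.199")):
        cidr = smallest_covering_cidr(*pool)
        extra = addresses_outside_pool(*pool)
        print(f"pool {pool[0]}-{pool[1]} -> {cidr} ({extra} addresses outside the pool)")
```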



  • @Derelict:

    I would pick something random, like:

    172.26.115.0
    192.168.165.0

    Then I would decide how many subnets you want and what size. A /24 (253 hosts plus the router interface) is almost certainly enough for the home.

    Yeah, you're probably right. I was just thinking that I will then have to worry about which subnets I will keep small, and I will need to be very exact about the sizes of certain subnets. Is there any reason why I shouldn't use a CIDR of /16? Does it end up using more resources on the router if you use a large address space like that? Or is it just convention?

    @Derelict:

    Say you think 32 is enough; that would be a supernet of, for example, 172.26.96.0/19 (172.26.96.0 - 172.26.127.255). That will NOT be assigned to any interfaces.

    Excuse my ignorance, what exactly is 32?

    @Derelict:

    Then do something like:

    LAN: 172.26.96.0/24
    SERVERS: 172.26.97.0/24
    DMZ: 172.26.98.0/24

    What exactly does moving to the 172 address do? Why do most people choose to use 192?

    @Derelict:

    I like doing everything on subnet boundaries. Some people (including the pfSense defaults) put DHCP pools on something like 192.168.1.100 - 192.168.1.199. I prefer something like 192.168.1.129 - 192.168.1.254. That way the single CIDR of 192.168.1.128/25 covers that pool should it ever be desirable to do so.

    Why exactly would that be desirable? Do you mean if you were to switch to a smaller Network?



  • http://www.subnet-calculator.com/subnet.php?net_class=B
    Play with 'mask bits' and look at the return values :)


  • Rebel Alliance Global Moderator

    Is there any reason why I shouldn't use a CIDR of /16?

    Why would you use such a large network? Will you have 65K-some devices on the same layer 2?? How do you create other networks when you use up the whole 192.168 space for just 1 network??  Guess you could use 172.16/12 next and then 10/8 next.. So you could have 3 networks total ;)

    Such a CIDR is for route summary, firewall rules - not for local network segments.

    If you used such a mask on your network and you wanted to VPN in.. Now you have a problem, don't you, since it's more than likely the place you're trying to VPN in from is also using a 192.168 network that would overlap with your network..

    It's best to use a network size that is appropriate and easy to use.  /24 gives you lots of networks to work with.. So in the 192.168 space alone you could have 256 networks of /24 size each.. That is plenty of room for growth for any sort of home or SMB network.  And if you did need more you have the 2 other RFC1918 address spaces to leverage, with the 10 being a huge /8.. Even so there is never a reason to use a larger network than you could ever possibly use.. Look what happened with the IPv4 space ;)  They used it up by giving /8's away..  WTF were they thinking – oh sure University X, here you go, have a /8.. Oh you only have 1 computer currently.. Yeah you will grow into it, we have plenty to work with... hehehehe

    And /24 is easy to understand for humans..

    192.168.0/24 network 1
    192.168.1/24 network 2
    192.168.212/24 network, etc..

    If you're using a mask of, say, /29, what network is 192.168.1.31 in?  Is that a broadcast address, is that a wire or a host... etc..

    So while you might use that smaller network if need be, i.e. let's say your company gave you only 1 /24 to use for your site, and you wanted to segment your devices into different networks.  You're fine since you don't have anywhere near the 254 devices that the /24 has, so you can break that up into smaller pieces..  But since you have a full /16 to work with in the 192.168 space, why not make it easy on yourself and pick an easy boundary mask.. /24 is very common to use..

    Let's say you needed a transit network between 2 routers.. Would you use a /24?  Well you could, but a transit network normally has need of only 2 IPs, since it's a transit between 2 routers.. So why should you use up 254 addresses when there are only ever going to be 2 IPs needed?  So you might pick 1 /24 out of that /16 of 192.168 network and use that for the transit networks you might use between your sites..

    So your first transit could be
    192.168.0/30
    Your next one you might use 192.168.16/30 - this leaves you room between, so if you need to add, say, another router on that first one you could bump it to, say, a /29.. or even a /28, or have more /30's to work with in between.  Also a /30 is a very common transit network mask, so seeing that mask pretty much tells you oh, that is a transit network, not a network hosts are actually on, etc.

    This sort of thing falls right in line with Derelict's great advice of using boundaries for his DHCP pools; yes, this allows him to split the network up without having to re-IP devices that might have been in that network.. So while he has a /24 as his network, he picked a smaller subnet out of that for his pool to cover the actual number of addresses he has, so that if he wants to break that network up into smaller chunks it's very easy to do so.. And it also allows him ease of writing firewall rules.  Let's say he just wants his DHCP devices to be affected by a specific rule.. He can just use the CIDR of his pool in his firewall rule.  While his static IPs fall outside that pool, he could use a different CIDR to account for those machines in his rules, etc..

    Good IP management comes with experience, and going over different scenarios of what might happen in the future for a site..

    I would "ditto" what Derelict started with.  Pick a space in RFC1918 that you want to work with, 192.168, 172.16/12, 10/8, and then use the appropriate network out of that range for what you're doing.  How many network segments do you want to start with?  If you're wanting to use your 192.168.0/24 and 192.168.10/24 for another segment/vlan, sure go right ahead, you have lots of space to work with.

    do I need to switch to a CIDR of /16?

    But no, you would not do that..  And so we are clear.. If you're wanting to use more than 1 network segment, these would be VLANs, or actual physical separation of the layer 2 networks your layer 3 rides on.. Network segmentation is not just changing the mask on your devices connected to some dumb switch and calling it more than 1 network.  If you're going to segment and firewall into multiple networks, you do need to create the different layer 2 networks these layer 3 networks will be on.  So do you have a smart switch that does VLANs?  Or an AP that supports VLANs?  Or are you going to use multiple switches and interfaces in pfSense with multiple APs to isolate these networks?

    If you just want to use different IP ranges to account for your different types of machines.. Then sure, you could use a block of addresses inside a mask for, say, printers, laptops, desktops, etc.  But this is not a network segment.

    If you want to use 192.168.20-30 for your printers, and 192.168.31-50 for your desktops, etc.  That is not creating new networks.. That is just assigning specific IPs inside 1 network.. And there are no specific boundaries you need to use..

    This seems to come up quite a bit, where users think they can just start using another IP range on the same dumb networking gear and call it a new network segment.. If you're going to want to isolate your machines via firewall rules, etc., then you need to create multiple layer 2 networks (VLANs) that you put your different layer 3 networks on top of.  You don't just start using different masks…    You do mention you have an L2 managed switch and a firewall with multiple NICs, so pretty sure you get it.. Just want to be clear ;)  If you're going to be using any WiFi, do your APs support VLANs?


  • Netgate

    The reason to keep your home network as narrow as possible (while still providing plenty of room for what you need) is to avoid collisions with other local networks.

    If you use 192.168.0.0/16 locally and decide to set up an OpenVPN server to connect into your network remotely (one of the most valuable features of pfSense for many), and you connect from another location that also chose something in 192.168.0.0/16, you are going to have issues. And that is a LOT of places.

    By choosing something random and uncommon (172.16.0.0/12 is being used in more places, but still address space collisions are fairly uncommon) you reduce that risk. The longest subnet you can use while still providing enough addresses for what you need to do helps too.

    You have zero control over what local network others have chosen. All you can control is how likely a collision is by choosing randomly and as small as is feasible.

    Excuse my ignorance, what exactly is 32?

    There are 32 available /24 subnets in a /19. 5 bits. 0-31, 32-63, 64-95, etc.

    Why exactly would that be desirable? Do you mean if you were to switch to a smaller Network?

    If for some reason I wanted to make a firewall rule that just covered the dynamic addresses I could do so naturally with one CIDR.

    For instance my IP phones' static DHCP assignments start at 65. I can QoS them with a source network of 172.29.223.64/29.



  • Thanks, you gave me a lot to think about. I've been doing some research and study on subnets and it's clear I misunderstood how exactly they worked. I'm going to do a bit more reading and then I'll be back.



  • I have a 24 port L2 managed switch and 5 interface sg-4860 at my disposal.

    There are two ways that might be most common to go with.
    1. Connect a small dumb switch to the LAN ports of the SG-4860 and use plain routing
    Pros: Small, dumb and cheap switches could be used
    Cons: Nothing

    2. Create VLANs and terminate them at the pfSense firewall
    Pros: Better partitioning of the entire network and use of the firewall rules
    Cons: All traffic then goes through the pfSense firewall, I mean also the bigger
    files to and from the servers and the NAS if one is in the game, so power is needed

    Alternatively you could also walk another way and get a Layer 3 switch that routes
    the entire LAN and VLAN traffic on its own.
    Pros: The entire LAN traffic is carried and routed by the switch and does not hit the pfSense
    until the DMZ must be reached or is targeted.
    Cons: A second switch should be used as the LAN or DMZ switch

    First of all I want to chop my network up into a few subnets, probably something like the following:

    OK, which should be the method to use, or the way you will walk!

    The general LAN for the rest of the family and most computers.

    VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
    default VLAN on many switches and all devices are inside (management VLAN for the admin)
    VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
    Only family members are storing files here; the PC is inside
    VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "son's PC"
    Only your son's PC is inside
    VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughter's PC"
    VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
    Only your wife's PC is inside
    VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
    Internet access only and secured over the Captive Portal
    VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
    Internet, NAS and/or perhaps the server will be accessible, secured over the RADIUS server with certificates

    A separate subnetwork for my computers and servers.

    Would it perhaps be better to set up the server inside its own VLAN, so you may have full access
    and the rest of the family members will have only the permitted access from there!? Perhaps if this
    is an MS Windows server you could install the LDAP and RADIUS server role for wired and wireless WiFi
    clients if you wish this.

    And a DMZ for internet facing devices and servers.

    Really good, I also have all such things placed there so as not to disturb the entire LAN!
    A Layer 2 switch with or for all such devices, so your current switch will find its way into the new network!

    • Gaming console
    • Internet TV
    • DLNA media streaming devices (Internet radio)

    I'm mostly looking to experiment with things and not really concerned with whether or not this is an ideal setup.

    You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy
    a smaller Cisco SG300 10-port or 24-port switch you may have the best option to get all you want.
    And the current Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you
    this time, step by step, raise the security for the entire LAN and WLAN (if in use), you do it
    once and get rid of most problems, or better, you get a structured network with more security.



  • So after doing some reading I think I was confusing the distinction between a network of multiple /24 subnets and an individual subnet block of a /24 network. I was also getting confused by information I was reading about class-based networks, and I was thinking my only option was to move from a class C network to a class B network, whereas what I should've been thinking of was an RFC1918 network.

    I have thought about what you have said and come up with what I think would be the best option for me at this point; maybe you can tell me what you think.

    I'm going to go with a 172.16 network, something in the range 172.16.x.x.

    I had a few more questions though. I understand that it's a benefit to get out of the range that you would be in using VPN, but why exactly would you bother going with an address of 172.26.96? Is that for firewall rules?

    Also, are you basically saying that since I have all of the /16 address space that I can decide to break it off in /24 blocks if I like, and so I'm free to break the segments up on convenient numbers such as:

    LAN VLAN: 172.16.10.0/24
    SERVERS VLAN: 172.16.20.0/24
    DMZ on its own interface: 172.16.30.0/24

    The reason you don't have to increment by one /24 subnet precisely is because you have such a large address space to work with right?


  • Netgate

    Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??



  • @Derelict:

    Why would you do that when 172.16.16.0/24, 172.16.17.0/24 and 172.16.18.0/24 are all covered by 172.16.16.0/22 ??

    Whoops you're right. That wasn't a final decision or anything, just thinking out loud.

    Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

    @BlueKobold:

    The general LAN for the rest of the family and most computers.

    VLAN1 192.168.2.0/24 (255.255.255.0) VLAN ID or name "management"
    default VLAN on many switches and all devices are inside (management VLAN for the admin)
    VLAN10 192.168.3.0/24 (255.255.255.0) VLAN ID or name "family NAS"
    Only family members are storing files here; the PC is inside
    VLAN20 192.168.4.0/24 (255.255.255.0) VLAN ID or name "son's PC"
    Only your son's PC is inside
    VLAN30 192.168.5.0/24 (255.255.255.0) VLAN ID or name "daughter's PC"
    VLAN40 192.168.6.0/24 (255.255.255.0) VLAN ID or name "your wife's PC"
    Only your wife's PC is inside
    VLAN50 192.168.7.0/24 (255.255.255.0) VLAN ID or name "WiFi Guests"
    Internet access only and secured over the Captive Portal
    VLAN60 192.168.8.0/24 (255.255.255.0) VLAN ID or name "family WiFi"
    Internet, NAS and/or perhaps the server will be accessible, secured over the RADIUS server with certificates

    I hadn't considered using so many VLANs. Is such heavy use of VLANs common, and of any benefit? I guess it lets you apply different rules to every person's computer, but why give them an entire /24 to themselves?

    @BlueKobold:

    A separate subnetwork for my computers and servers.

    Would it perhaps be better to set up the server inside its own VLAN, so you may have full access
    and the rest of the family members will have only the permitted access from there!? Perhaps if this
    is an MS Windows server you could install the LDAP and RADIUS server role for wired and wireless WiFi
    clients if you wish this.

    It's a FreeBSD server, but yes, I might do that because it would be nice to have a bit better control over server access, and it would be nice to be able to do this with firewall rules.

    @BlueKobold:

    You may think that this would be a really hard trail, but it isn't in my eyes. If you are able to buy
    a smaller Cisco SG300 10-port or 24-port switch you may have the best option to get all you want.
    And the current Layer 2 switch might be set up as the DMZ switch! That's it in short. And if you
    this time, step by step, raise the security for the entire LAN and WLAN (if in use), you do it
    once and get rid of most problems, or better, you get a structured network with more security.

    I'm not quite sure what you're saying here, could you elaborate? Why would I want to put the managed switch in the DMZ? It's a TP-Link TL-SG3424 by the way. And why do I need another switch?


  • Netgate

    Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

    It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.



  • I hadn't considered using so many VLANs. Is such heavy use of VLANs common, and of any benefit? I guess it lets you apply different rules to every person's computer, but why give them an entire /24 to themselves?

    • More security
    • better able to find and determine network problems
    • each has his own small VLAN without disturbing anybody else in the family

  • Rebel Alliance Global Moderator

    but why give them an entire /24 to themselves?

    You wouldn't, not normally…  Not sure what he is attempting to do..  Normally if you wanted to isolate a bunch of machines from talking to each other then you would put them on a private VLAN.  But this would be handled at the switch.

    Normally if, let's say, you wanted to put a few machines on their own subnet then you would use a smaller network..  But then again, if this is a home network, and he wants to use a /24 for each of his devices.. OK.. You do have 250-some /24s to work with, so if he is not ever going to have that many devices all in their own /24 he is fine..  But no, I wouldn't call it normal ;)



  • @Derelict:

    Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

    It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

    I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?


  • Netgate

    Dude. There are entire books and courses written on IP addressing and subnetting. I don't know how else to explain it.



  • @Atreides:

    @Derelict:

    Earlier you mentioned using 172.26.96.0/24. Why exactly does 172.26 help with firewall rules?

    It doesn't. It's just the first 16 bits of an RFC1918 private network. What it does do is help prevent you from having the same network as someone else should you try to connect in on a VPN. It's no different than 192.168 except it's in far less common usage.

    I'm not sure if I'm understanding this right, are you saying that the 172.26 is picked as a random example? So that you don't happen to pick the same address as someone else? Or did you mean to say 172.16, which would compare to 192.168?

    All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view.  Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.

    I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice, they are obscure enough with high probability that they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.


  • Rebel Alliance Global Moderator

    Most SOHO devices default to 192.168.0/24 or 192.168.1/24, so yeah those are quite common.. So you're at a buddy's house and on his WiFi and you want to VPN to your house.. And you're using 192.168.0 as well - then you have issues..

    That is why Derelict suggests just using some random other network and not the first network in a range.. 10.0.0/24 is common as well.  And it's easy to type ;)  172.16.0 also, again it's the first network - it's normally what people use..  So don't use those..

    I use 192.168.9/24 as my lan for example..


  • Netgate

    I generally stay away from 10.0.0.0/anything because too many people out there use 10.0.0.0/8.


  • Rebel Alliance Global Moderator

    ^ valid point.. And just blows my freaking mind.. ;)  To me the only valid use of such a mask is a summary route or in a firewall rule, etc.. I really cannot think of a reason when such a large network on an interface would make any sense.

    Even in the recent thread where they were using a LARGE mask for their WiFi network to allow movement between APs, etc.  /8 would just be borked!!



  • @kpa:

    All of the RFC1918 subnets are technically speaking equal, no preference over one or the other in performance, security or any other purely technical point of view.  Where the selection does matter is when you're using VPN tunnels from RFC1918 subnets to other RFC1918 subnets. It's all too common that people use 192.168.0.0/24 without giving it a single thought if it's a good choice and it comes to bite them when they suddenly have to build a VPN tunnel over to another place that also uses the same 192.168.0.0/24 subnet because the other end didn't think anything of it either.

    I tend to use the 10.0.0.0/8 range as 10.x.y.0/24s where x and y are some random numbers of my choice, they are obscure enough with high probability that they will never conflict with other subnets if they ever have to communicate over a VPN connection to a network I haven't set up myself.

    I realize all that. In his first post Derelict mentioned using 172.26, I was wondering if you meant to refer to 172.16 or if there was actually a reason to start at 172.26 that is all.

    I see now that the reason he said to start at 172.26 instead of 172.16 was so that it was not in a regularly used space.

    I have just recently gotten interested in networking and so it's a learning process and I'm trying to understand it all. At the beginning of the post I hadn't done enough research on how subnets work and I realize now that a /16 mask has no real use in my private Network as it is way too large.


  • Netgate

    $ perl randomlan.pl
    10.106.197.0
    172.17.245.0
    192.168.179.0

    It's just what happened to come out of this at the time. Then I just used the /19 that covered it (172.17.224.0/19 in this run's example).
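An added example, not the randomlan.pl script above (its source is not shown in the thread) and not part of the original posts: a Python sketch of the same idea that picks a random /24 from each RFC1918 block while skipping the defaults this thread calls common, derives the covering /19 the way the post does, and checks a proposed LAN against a remote site's prefixes for the VPN overlap Derelict and kpa describe. The avoid-list and the remote site's prefixes are my assumptions.

```python
import ipaddress
import random

# The three RFC1918 blocks a home LAN may be drawn from.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed avoid-list: the defaults the thread calls common (SOHO gear, the
# "first network in the range"). Mine, not from any post; extend to taste.
COMMON = {
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("172.16.0.0/24"),
}


def random_lan(rng, block):
    """Pick a random /24 inside one RFC1918 block, skipping the avoid-list."""
    slots = block.num_addresses // 256            # how many /24s fit in the block
    while True:
        start = int(block.network_address) + rng.randrange(slots) * 256
        candidate = ipaddress.ip_network((start, 24))
        if candidate not in COMMON:
            return candidate


def pick_random_lans(seed=None):
    """One random /24 from each block, as bare network addresses like the post's output."""
    rng = random.Random(seed)
    return [str(random_lan(rng, block).network_address) for block in RFC1918]


def is_safe_choice(lan):
    """True if lan is a /24 inside RFC1918 and not one of the common defaults."""
    net = ipaddress.ip_network(lan if "/" in lan else f"{lan}/24", strict=False)
    if net.prefixlen != 24 or net in COMMON:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def covering_supernet(lan, prefixlen=19):
    """The /prefixlen that contains lan, e.g. 172.17.245.0 -> 172.17.224.0/19."""
    return str(ipaddress.ip_network((lan, prefixlen), strict=False))


def vpn_conflicts(local, remote):
    """Pairs of local/remote prefixes that overlap and so cannot both be routed over one VPN."""
    local_nets = [ipaddress.ip_network(n) for n in local]
    remote_nets = [ipaddress.ip_network(n) for n in remote]
    return [(str(l), str(r)) for l in local_nets for r in remote_nets if l.overlaps(r)]


if __name__ == "__main__":
    lans = pick_random_lans()
    for lan in lans:
        print(lan, "->", covering_supernet(lan))
    # Constructed remote site that kept the 192.168.0.0/24 default: the random
    # pick should produce no conflict, the default LAN should produce one.
    print(vpn_conflicts(["192.168.0.0/24", lans[1] + "/24"], ["192.168.0.0/24"]))
```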



  • So I mapped out a trial network of /19. I've made the subnets a bit over-sized to allow for unanticipated hosts. Any thoughts?



  • @Atreides:

    Any thoughts?

    Thoughts? If this is being done for an actual place of employment I hope you have a good resume.



  • @Jailer:

    @Atreides:

    Any thoughts?

    Thoughts? If this is being done for an actual place of employment I hope you have a good resume.

    Nope, just experimenting at home.

    So what would you alter? I've attempted to follow advice given in this thread.


  • Netgate

    Just make them all /24. The only reason to subnet like that is to stretch a small allocation across multiple interfaces. Unless you know you are going to need to make that /19 stretch across hundreds of interfaces.

    But if you're doing some sort of simulation of an IP address shortage/scarcity it looks ok.



  • So you'd go with something like:

    | Management | 172.20.0.0/24 |
    | General | 172.20.1.0/24 |
    | JLAN | 172.20.2.0/24 |
    | Servers | 172.20.3.0/24 |
    | Guest | 172.20.4.0/24 |
    | DMZ | 172.20.5.0/24 |

    Just for simplicity and ease of use?



  • Yes.



  • Roger that.