My network is overcomplicated mess, what shall I do to simplify it?
-
A long time ago, when I built the all-in-one virtualized server that also runs pfSense, I had this bright idea of separating various devices into various subnets, but the more I think about it, the less sense it makes for such a simple environment as a household. Can I get any tips on how to make it simpler/more logical/whatever?
There's a L2 switch at 192.168.0.2.
The server is 192.168.2.1. pfSense is 192.168.0.1.
All the non-computer devices like printers etc. are in the 192.168.2.x subnet.
I also separated wifi stuff into 192.168.4.x. I have no idea why I did what I did back then, and it surely looks messed up. I still don't know crap about networking, and am virtually pulling my hair every time I have to touch the server or network. I'm just a lousy Windows user, lol.
Anyway, there's probably very little reason to have different subnets, save perhaps for the wifi stuff, but I'm struggling. For starters, I can't figure out what's the best IP to give to the switch and pfSense. Perhaps I should use the usual 192.168.1.1 for either of those?
Help an idiot :D
-
@Octopuss for network design some idea of what you are networking is required such as
- Do you have any public facing servers (NAS, Media server)?
- About how many wired computers, printers or scanners?
- About how many wifi connected computers, printers or scanners?
- Do the above devices all need to communicate with each other or is some isolation required?
- Do you have or need a "Guest" wifi network which has restricted access to the above devices?
- Do you have IOT devices (TV, security cameras, wifi light switches etc), and if so do you want to restrict their access to the above devices?
-
@Octopuss I'd start with a list of your goals. What do you trust/not trust?
At home I have a network and a guest wireless network which my AP (eero) isolates for me (while in bridge mode).
I think it's important you understand and are comfortable with it.
-
@Patch said in My network is overcomplicated mess, what shall I do to simplify it?:
@Octopuss for network design some idea of what you are networking is required such as
- Do you have any public facing servers (NAS, Media server)?
- About how many wired computers, printers or scanners?
- About how many wifi connected computers, printers or scanners?
- Do the above devices all need to communicate with each other or is some isolation required?
- Do you have or need a "Guest" wifi network which has restricted access to the above devices?
- Do you have IOT devices (TV, security cameras, wifi light switches etc), and if so do you want to restrict their access to the above devices?
- Nope.
- The number of devices is small.
  Wired ones are my PC, wife's notebook, media player and the management card of the UPS.
  Wireless is just the TV (mostly disconnected), phones and ceiling lights.
- No need for communication, but no hard requirement for isolation either.
- Nope.
- I might actually like to restrict the lights! I mean, it's Chinese stuff (Xiaomi I believe), and while I am not a paranoid person, we all know China cannot be trusted.
Part of the reason why I messed the network up in the first place was I tried to learn something new, heh.
-
The other problem that mostly has no solution is a situation when I either have to take the server down or it goes down or something, and I lose access to the local network.
I think the problem is the switch is on a different subnet than my PC, and under certain circumstances it all just stops working. I know how to set an IP manually to at least get access to the switch, but that's not a solution anyway.
I think slightly different IP addresses would work better, but I'm not really sure what's the most failsafe approach.
For example, is it better to move all the non-computers into one subnet, likely 192.168.1.x? Shall the switch be 1.1 and pfSense 1.2, or would that even work? Those are the things that are a mystery to me.
-
@Octopuss said in My network is overcomplicated mess, what shall I do to simplify it?:
Wireless is just ... and ceiling lights.
...
I might actually like to restrict the lights!
What wireless AP do you use? In particular does it support VLAN to different SSID?
-
@Patch I think so. Ruckus R610.
-
@Octopuss
The hardware appears to support it https://ruckus.optrics.com/downloads/access-points/ds-ruckus-r610.pdf
However the licensing structure looks complicated so no idea if you actually have access to those features. I have not used that hardware.
If you have access to VLANs on your AP, however, creating a VLAN in pfSense and routing it to your AP would enable easily isolating your light switches.
-
Honestly, the lights isolation is not really a priority. I'd like to redo the network first to have something to build upon.
-
@Octopuss Then just use 2 interfaces.
- WAN only connecting your external WAN line to the pfSense WAN port (via your hypervisor and/or pass through)
- LAN net connecting the pfSense LAN port to all other local devices (Switch, AP, wifi devices). All on the same DHCP address range.
The physical connections will depend on what physical NICs your hypervisor hardware has.
You can add a separate interface to pfSense later if you want some isolation for some of your local devices.
-
@Patch I think that's what I have already. It's just the IP addresses that are a mess. If it doesn't matter what IP the switch and pfSense have, I'll just move everything wired to a single subnet and call it a day I guess.
-
@Octopuss without knowing what interfaces you have set up it is hard to say.
Please post a screenshot of
- Interface -> Interface assignments
- Firewall -> Rules -> What will be your LAN interface for everything
-
Heh, I have a different problem now.
I simply changed the IP of pfSense, the switch, and changed the IPs of the static DHCP mappings, and now I can't access anything by hostnames anymore.
Does anyone know what might be the problem?
I rebooted both the server and the switch, but it didn't help.
-
@Octopuss said in My network is overcomplicated mess, what shall I do to simplify it?:
what's the best IP to give to the switch and pfSense. Perhaps I should use the usual 192.168.1.1 for either of those?
Two devices with the same IP in the same network?
Easy: don't.
Prepare yourself.
Soon, you'll have to choose among (example):
2001:0db8:0000:0000:0000:0000:0000:0000 and 2001:0db8:0000:0000:ffff:ffff:ffff:ffff
So, you might as well go straight to the solution everybody will adopt eventually: K.I.S.
-
@Octopuss said in My network is overcomplicated mess, what shall I do to simplify it?:
Heh, I have a different problem now.
I simply changed the IP of pfSense, the switch, and changed the IPs of the static DHCP mappings, and now I can't access anything by hostnames anymore.
Does anyone know what might be the problem?
I rebooted both the server and the switch, but it didn't help.
switch 192.168.0.2 -> 192.168.1.1
server 192.168.2.1 -> 192.168.1.3
pfSense VM 192.168.0.1 -> 192.168.1.2 (it's still /22)
Now for example, for the seedbox I have, I changed the mapping from 192.168.2.6 to 192.168.1.8, and can only access it by its IP now, and when I log in, it shows the old IP next to the hostname.
I just don't understand anything anymore.
-
@Octopuss Ok this is even more bizarre.
The seedbox started working, but TrueNAS doesn't work. It responds to pings to skladiste.local, but the domain I have long ago set in pfSense is lan. What's going on there?
-
If you are going to change IPs, I would suggest nothing lower than 192.168.4.0/24. Too many things default to 0, 1, and 2. I always use even numbers in the 3rd octet in case I decide to change to a /23. (It has never happened at my place.)
Start simple, everything on 1 network. Once that is working look at moving something like IoT to a new network. If it goes bad you can simply return to a known working state.
In my case:
- .42 is the primary network (the meaning of life, the universe and everything)
- .2 is the camera network
- .100 is the network with no ad-blocking (PiHole group with only porn lists for this subnet)
- .66 is the evil network, Alexa is here (my wife made me do it)
- .250 is my rescue network and is LAN on pfSense; it is a physical port on the Netgate device, and it is not used except when I screw up.
The various networks have rules allowing traffic as I see fit, such as .42 can get to all except .66. .66 can only get to the internet. .2 has very restricted access to .42, but no others. The list goes on.
This evolved over years and at some point I may have been as complex as you, but I scratched the whole thing and moved to .42 and grew the rest.
While not a direct answer to your questions, I hope it helps.
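Two details in this thread decide whether the renumbering changes anything at all: the "/22" the original poster mentions for pfSense, and the "even third octet so a /24 can later become a /23" advice just above. The following is an added illustration, not code from anyone in the thread; it uses the addresses the poster listed, plus an assumed 192.168.4.10 for "a wifi device" and 192.168.42.0/24 and 192.168.43.0/24 as two candidate networks for the /23 check, and computes, with Python's standard ipaddress module, which hosts consider each other on-link (no router needed) under a given mask, and which /24s can be widened to a /23 in place without renumbering.

```python
import ipaddress

# Constructed from the addresses quoted in the thread (before the renumbering);
# the wifi host 192.168.4.10 is an assumed example in the poster's 192.168.4.x range.
HOSTS_BEFORE = {
    "pfSense": "192.168.0.1",
    "switch": "192.168.0.2",
    "server": "192.168.2.1",
    "seedbox": "192.168.2.6",
    "wifi-phone": "192.168.4.10",
}

# Constructed from the poster's "after" addresses (switch 1.1, pfSense 1.2, server 1.3, seedbox 1.8).
HOSTS_AFTER = {
    "pfSense": "192.168.1.2",
    "switch": "192.168.1.1",
    "server": "192.168.1.3",
    "seedbox": "192.168.1.8",
    "wifi-phone": "192.168.4.10",
}


def subnet_of(ip, prefixlen):
    """The network a host believes it is on, given its address and the prefix length it is configured with."""
    return ipaddress.ip_interface(f"{ip}/{prefixlen}").network


def same_link(ip_a, ip_b, prefixlen):
    """True if two hosts configured with this prefix length treat each other as directly reachable
    (ARP, no gateway involved). False means traffic between them is sent to the default gateway,
    so if the router (here the pfSense VM) is down they cannot talk even though they share a switch."""
    return subnet_of(ip_a, prefixlen) == subnet_of(ip_b, prefixlen)


def group_by_subnet(hosts, prefixlen):
    """Map each subnet (as a string) to the list of host names that fall inside it under the given mask."""
    groups = {}
    for name, ip in hosts.items():
        groups.setdefault(str(subnet_of(ip, prefixlen)), []).append(name)
    return groups


def can_widen_in_place(network_str, new_prefixlen):
    """Whether a network can grow to a shorter prefix without changing its network address.
    A /24 whose third octet is even sits on a /23 boundary (192.168.42.0/23 = .42 + .43);
    an odd one does not (192.168.43.0/23 would have host bits set). strict=True makes
    ipaddress raise ValueError in exactly that case."""
    base = ipaddress.ip_network(network_str).network_address
    try:
        ipaddress.ip_network(f"{base}/{new_prefixlen}", strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        for plen in (22, 24):
            print(f"{label} renumbering, hosts configured as /{plen}: {group_by_subnet(hosts, plen)}")
    # Can the PC-side switch still be reached when the router is down?  Depends only on the mask.
    print("switch <-> server on-link as /22:", same_link("192.168.0.2", "192.168.2.1", 22))
    print("switch <-> server on-link as /24:", same_link("192.168.0.2", "192.168.2.1", 24))
    for net in ("192.168.42.0/24", "192.168.43.0/24"):
        print(f"{net} can become a /23 in place: {can_widen_in_place(net, 23)}")
```

Under the /22 the poster mentions, 192.168.0.x and 192.168.2.x were never separate subnets to begin with (192.168.0.0/22 spans 192.168.0.0 through 192.168.3.255), and only 192.168.4.x is a different network; the "after" addresses land in the very same 192.168.0.0/22. The usual cause of "it stops working when the server goes down" in a layout like this is a host carrying a narrower mask than its neighbour, which is why checking the mask each device actually received, not just the address, is the first thing to verify.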
-
I declared defeat and restored everything from a backup. I guess there are some settings dug deep in pfSense that I cannot find or whatever.
I really don't know what I'm doing and I might be better off doing a clean server reinstall. Or pfSense itself at the very least.
And maybe a switch cannot be in the same subnet as the router. Or I don't know.
Either way, I'm super pissed. This is way outside of my skills. What seemed like a trivial change of a few IP addresses turned out to be an entire day completely wasted for nothing.
-
Out of curiosity though, what should I set default gateway to on the ESXi host and in the IPMI interface? Does it even matter?
-
@Octopuss said in My network is overcomplicated mess, what shall I do to simplify it?:
I really don't know what I'm doing and I might be better off doing a clean server reinstall.
Help is likely to be available but you need to provide information to get meaningful help, in particular
@Patch said in My network is overcomplicated mess, what shall I do to simplify it?:
Please post a screenshot of
- Interface -> Interface assignments
- Firewall -> Rules -> What will be your LAN interface for everything
The reason is you talk about multiple IP ranges which implies multiple interfaces. To move devices from one interface / address range to another requires knowledge of what network structure you actually have and what specifically you are actually trying to achieve. Vague descriptions are not helpful.