Home Network Help



  • So I am working on my home network, and need help setting up an IP/Subnetting Scheme.

    I did some research on classes and sample subnets, but don’t fully understand it.

    Here’s a diagram of the setup in my home, which is fairly simple

    What I want is:

    1. Set a static LAN IP for my Freenas Box (fairly easy)
    2. Separate my network into 3 sub-networks
      a. Wireless Network
      b. Wired Network 1 – Workstations (will add more later)
      c. Wired Network 2 – Servers (will add more later)
    3. Setup DDNS via DynDNS or the DNS Service provided by Optimum for free (to access my network via WAN)
    4. An IP scheme that works best for the environment I’ll be creating and also leaves room for expansion, when I move.

    I’m sure I’ll have to do some port forwarding, teaming/link aggregation for my Freenas Box, and other things.

    Perhaps you guys can help me more. If I left anything out, I’m open for questions.

    PS. I was reading a few forums on Subnetting and found a sample subnet configuration

    Routers & Switches - 10.1.1.3 - 10.1.1.250
    Servers - 10.1.2.3 - 10.1.2.250
    Wireless - 10.1.3.3 - 10.1.3.250
    Printers - 10.1.4.3 - 10.1.4.250
    Workstations - 10.1.5.3 - 10.1.5.250
    MISC - 10.1.6.3 - 10.1.6.250

    Not sure what Subnet mask to use, and DG for the entire network.



  • LAYER 8 Global Moderator

    More power to you if you want to learn about network segments and vlans.  But other than doing it for the sake of doing it, why do you want to do this.  Do you want to firewall between these segments?

    One thing I want to bring up because of your listing of chromecast – those will stop working if you segment from devices that are not on the same segment.  You might be able to get it to work with IGMP proxy in pfsense - but the few minutes I have played with it, wasn't working.  Its on my things to look into when I find some play time.

    This is going to really complicate your network, you might want to just breakout 1 device say your server or 1 pc onto its own segment for play until you have a better grasp of it.

    As to the mask to use.  You are showing more than 3 segments with your address space if you use 255.255.255.0 or /24

    Routers & Switches - 10.1.1.3 - 10.1.1.250
    Servers - 10.1.2.3 - 10.1.2.250
    Wireless - 10.1.3.3 - 10.1.3.250
    Printers - 10.1.4.3 - 10.1.4.250
    Workstations - 10.1.5.3 - 10.1.5.250
    MISC - 10.1.6.3 - 10.1.6.250

    If you use /24 those are all different network.  if you used anything lower than /21 they would all be same network /21 or 255.255.248.0 would be 10.1.0.1 to 10.1.7.254 for hosts.

    If you wanted to break it up into 3 you could say use /23 this would give you

    10.1.0.1 - 10.1.1.254 
    10.1.2.1 - 10.1.3.254
    10.1.4.1 - 10.1.5.254

    but for ease of understanding and since you really only have a handful of devices I would suggest you start with a /24 mask that makes it easy to see different networks from the IP address.

    10.1.X.?

    With /24 the 3rd octet is your network, if that number or the 2 numbers before it are different with a /24 mask then its a different network.

    Then you could use
    10.1.1
    10.1.2
    10.1.3

    you could put all your wired devices on 10.1.1.0/24, all your wireless on 10.1.2.0/24 and 10.1.3.0/24 could be your servers.

    As to the Default Gateway of each segment - that would be the IP address you put on pfsense in that vlan.. So for example

    in the first network 10.1.1.0/24 pfsense might be 10.1.1.1
    2nd network 10.1.2.0/24 pfsense vlan IP might be 10.1.2.1
    3rd network 10.1.3.0/24 pfsense vlan IP might be 10.1.3.1

    Whatever pfsense IP you put in that vlan/network segment would be the Default gateway for that segment.  It is common to use 1st or last host in the network as the gateway device, etc..

    Hope that helps.  But keep in mind once you segment anything that uses broadcast or multicast to find other devices like chromecast is going to have problems working.. Printers for example if you use airprint - that will stop working from devices on other segments.



  • Okay, duly noted.

    Thank for the feedback. But if the segmentations will break devices on my network. What would be your recommendations for possibly making it work. Would just creating one network work for the configurations

    Setting the pfSense IP to 10.1.1.0 and the DG to 10.1.1.1 for all devices on the network.
    Subnet mask being 255.255.255.0 for all devices on the network.

    and having DHCP set IPS for all connected devices. I know this may simplify the configurations.



  • pfSense LAN IP and the client default gateway will be the same, like 10.1.1.1/24. (pfSense LAN IP cannot be the bottom or top address of the subnet.
    Typically you would put devices with different security needs/trust levels onto separate subnets. Lots of people would have a separate guest WiFi subnet so their friends can visit and get internet access without being able to access their home server, NAS… You might like to do that, and it will let you play with blocking and allowing various things between the subnets.
    So you could have:
    10.1.1.0/24 - home devices
    10.1.2.0/24 - guest devices

    and let pfSense give out DHCP to everything, and static-map the IP address for servers, NAS... that you would prefer to always have the same IP address.


  • LAYER 8 Global Moderator

    well you list a nat in your drawing before pfsense?  But you also list a cable modem, which normally don't nat - did you mean a cable gateway?  What IP does pfsense get on its WAN interface?

    If the device that connects you to internet does nat, then you will want to use a network behind pfsense that is different..  Or turn nat off on this device so pfsense wan gets a public IP from your ISP.  But for home use normally you only see 1 network segment, having multiple has many security enhancements.  For example isolation of your wireless network from your wired network, this way if your wireless is compromised they don't have access to say your workstation or "server" based upon your firewall rules.

    But it can bring its own set of issues like broadcast and multicast not working across segments.

    if your wan on pfsense is not 10.1.1.0/24 or a network that includes that like 10.0.0.0/8 for example then sure that is a good choice to use on your lan behind pfsense.  You can setup specific devices with dhcp reservations so they always get the same IP, and even use ranges so that say your wireless are alway 10.1.1.20 - 39, and wired are always .10 to .19, etc.. so you know from an IP what device it is.

    I have my wireless on its own segment, and also have a dmz segment that is only for vms.  But then again I have been in IT for 25+ years.  And do networking for a living ;)

    Don't get me wrong – I would encourage exploration and experimentation and learning to be sure.. Just be forewarned that with security and isolation can come pain ;)  Unless you have a good security reason to isolate devices with the few devices you have it really serves little purpose in segmenting your network.

    The default pfsense lan network of 192.168.1.0/24 should also work for you - unless your wan is getting an address in that network?

    And remember -- Have fun!!



  • IDK Usually working with computers are fun, but this branch of computing is much more annoying than fun.

    The diagram that I have has the NAT not being a separate device, but being the location where NAT occurs. I am receiving a public IP through the modem and on my pfSense box, which is controlling NAT.

    I will go ahead and use your recommendations, as my home network isn't really going to be accessed by many people. The reason for segmenting it would be that I want to host my media server, so I can access it while its at work, also my file server (freenas box). Would a DMZ be a more feasible option? If so how is this setup, I only have 2 Ethernet ports on my pfsense box. I've seen people use a pfsense w/ 3, 1 - WAN, 2 LAN, and 3rd being the DMZ, where they place their webservers.

    WAN gets an IP like 67.86.xxx.xxx from OOL, which changes every time I reload my pfSense (more or less).

    So let me get this straight:

    When setting up pfSense, I will set the IP to 10.1.1.1 with a SM of 255.255.255.0 (/24)
    What will it's range be?

    I haven't installed a WIFI card, but when I do, I want those devices to have its own range. And with that range I will split it home and guest as phil.davis described.
    What should the IP address be and SM?
    How is this range setup?



  • When setting up pfSense, I will set the IP to 10.1.1.1 with a SM of 255.255.255.0 (/24)
    What will it's range be?

    Every "/24" spans 0-255 in the bottom number - so 10.1.1.0 to 10.1.1.255 - but you cannot use the first (0) and last (255) number for real devices.

    I haven't installed a WIFI card, but when I do, I want those devices to have its own range. And with that range I will split it home and guest as phil.davis described.
    What should the IP address be and SM?
    How is this range setup?

    Pick another piece of address space starting with "10." - e.g. 10.1.2.0/24 - Then make the pfSense interface IP for that 10.1.2.1/24
    I don't know what hardware you have, but it is generally much easier to have a 2nd ethernet NIC in your pfSense box, then connect an ordinary WiFi access point to that with a cable. Not all WiFi cards work with FreeBSD, so it can be pain installing a WiFi card directly in your pfSense box. Use "Interfaces-assign" to add the extra NIC on the webGUI, then Interfaces->OPT1 and enable it, give it static IP address…
    If you use an external WiFi AP, make sure to turn off its DHCP. Set its IP address to something in the pfSense "WiFi LAN" - e.g. 10.1.2.2/24 - so you can reach it to manage it.


  • LAYER 8 Global Moderator

    ^ exactly, I also would suggest using a external AP vs a wifi card inside pfsense.. Its just easier, faster (pfsense is not going to support N or AC, etc) and allows you for better placement of the AP vs where pfsense sits.



  • @johnpoz:

    ^ exactly, I also would suggest using a external AP vs a wifi card inside pfsense.. Its just easier, faster (pfsense is not going to support N or AC, etc) and allows you for better placement of the AP vs where pfsense sits.

    Suppose I decided to use an external AP, I have a netgear wireless N router, would it be possible to bridge those two connections?


  • LAYER 8 Global Moderator

    Bridge what connections? What do you think you need to bridge?


Log in to reply