RESET Forums (homeservershow.com)
schoondoggy

Home Network IP Address Scheme Best Practice

ShadowPeo

I use multiple ranges over several VLANs with a layer 3 switch at the core, so I have multiple DHCP addresses.

 

Guest SSID is unauthenticated (although hidden due to businesses being in range of the wireless, I do not want to support their customers) and is on its own VLAN for obvious reasons with only ports 80 and 443 allowed through. Longer term I may end up putting in a (logging?) proxy/blacklist on this part of the network for obvious reasons. Guest network only has a 2 hour lease on addresses, although this is not really an issue anyway.

 

The security VLAN houses the cameras and both recording devices.

 

Main network "Network Devices" consists of the Router, Switches, WAPs and printer.

Main Network "Servers" consists of 2x Synology NAS devices, 3x Dell switches using LACP (so 1 address per server, plus one for the iDRAC) leaving 5 for Server VMs I am working on/running. Temporary VMs are left using DHCP addresses. I only spin up the Dell servers when I need the horsepower as, although they do not use huge amounts of power, I have no need to spend money keeping them running for them only to do nothing.

 

Reserved Hosts are things like the IP links to the Game consoles, TVs etc. These devices ARE statically assigned, but done through DHCP reservations, not directly on the device where possible.

 

Dynamic hosts are the rest of the network devices that are transient on the network; DHCP has scavenging once a week and an 8 hour lease.

Static and System Addresses
Network Address:    172.16.1.0
Broadcast Address:  172.16.1.127
Subnet Mask:        255.255.255.128
CIDR Mask:          25
Router:             172.16.1.1

Address Ranges - Main VLAN (1)

Name               Start          End            Available Addresses
Network Devices    172.16.1.1     172.16.1.10    10
Servers            172.16.1.11    172.16.1.20    10
Reserved Hosts     172.16.1.21    172.16.1.48    28
Dynamic Hosts      172.16.1.49    172.16.1.127   79 (only 32 available on DHCP server at this point)

VLAN Schemes

VLAN 01 - Main Network          172.16.1.0/25
VLAN 02 - Guest Network        172.16.2.0/27
VLAN 03 - Security Network     172.16.3.0/27
VLAN 04 - Voice Network         172.16.4.0/27

 

 

I also set up sites (both residential and business) that I manage for other family members in a similar fashion, which makes it easier for me to remember. Multiple sites are also linked to provide backup (CrashPlan) and synchronisation services (BTSync) between them. Small media files are transferred, large ones such as videos are not, well not without prior arrangement anyway, as this chews bandwidth and transfer allowance. Working on encrypting the Sync with BTSync 2. 1.4 was capable of it, not looked too far into it with 2 yet, but I need to get it done.

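The address plan in the post above can be sanity-checked mechanically. This is an added example, not the poster's own tooling: it takes the 172.16.1.0/25 main VLAN and the four named ranges exactly as listed, and reports any range that leaves the subnet, overlaps another range, or hands out the network or broadcast address (the verifier for a plan like this is exactly the check that catches a DHCP pool whose last address is the subnet's broadcast address).

```python
import ipaddress

# The main VLAN and the four named ranges exactly as listed in the post above
MAIN_VLAN = ipaddress.ip_network("172.16.1.0/25")
RANGES = [
    ("Network Devices", "172.16.1.1", "172.16.1.10"),
    ("Servers", "172.16.1.11", "172.16.1.20"),
    ("Reserved Hosts", "172.16.1.21", "172.16.1.48"),
    ("Dynamic Hosts", "172.16.1.49", "172.16.1.127"),
]


def range_size(first, last):
    """Number of addresses from first to last inclusive."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def usable_hosts(network):
    """Host addresses in the subnet once the network and broadcast address are excluded."""
    return network.num_addresses - 2


def check_plan(network, ranges):
    """Return a list of problems with the plan; an empty list means it is clean."""
    problems = []
    seen = []  # (name, first, last) as integers, for the overlap check
    for name, first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name}: start {first} is after end {last}")
            continue
        if lo not in network or hi not in network:
            problems.append(f"{name}: {first}-{last} is not inside {network}")
        # A range must not hand out the network or the broadcast address
        if lo <= network.network_address <= hi:
            problems.append(f"{name}: includes network address {network.network_address}")
        if lo <= network.broadcast_address <= hi:
            problems.append(f"{name}: includes broadcast address {network.broadcast_address}")
        for other, olo, ohi in seen:
            if int(lo) <= ohi and olo <= int(hi):
                problems.append(f"{name} overlaps {other}")
        seen.append((name, int(lo), int(hi)))
    return problems


if __name__ == "__main__":
    print(f"{MAIN_VLAN}: {usable_hosts(MAIN_VLAN)} usable host addresses")
    for name, first, last in RANGES:
        print(f"{name:16} {first:14} {last:14} {range_size(first, last)}")
    for problem in check_plan(MAIN_VLAN, RANGES):
        print("PROBLEM:", problem)
```

Run against the plan as posted, the only finding is that the Dynamic Hosts range ends on 172.16.1.127, the broadcast address of a /25, so the DHCP pool should stop at .126.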
GotNoTime

Guest SSID is unauthenticated (although hidden due to businesses being in range of the wireless, I do not want to support their customers) and is on its own VLAN for obvious reasons with only ports 80 and 443 allowed through.

Using a normal broadcasted SSID but with just a simple to type password set and WPA2-AES only enabled is a better idea. Guest devices have to actively broadcast your hidden SSID to connect to your guest WiFi. They'll continue to do this even when away from your premises. It is trivial for somebody to grab the hidden SSID details from those probe broadcasts or by monitoring traffic from a connected guest device.

 

Hiding the SSID just makes the WiFi AP not fill in the SSID field inside the beacon frames. Your AP still sends out the beacons and your guests will be broadcasting the SSID as part of the WiFi management traffic.

Edited by GotNoTime

ShadowPeo

Oh I understand that plenty, I went backwards and forwards on this decision but ended up deciding an un-authed hidden network would be better for what I wanted. I am not concerned too much with outside people accessing it, as that is essentially what it is there for, hence the separate VLAN with access being ACL'd down to the barest essentials (as I said above ports 80 and 443, what I didn't say was that DNS, ICMP echo and the like are allowed as well for basic services and troubleshooting). All data from the guest network, bar the DNS to my internal DNS servers, is blocked, the gateway router will loopback to the reverse proxy for any internal web access required from the guest network.

 

The only reason it's even hidden is due to the restaurant next door, and my lack of bandwidth. If I had more bandwidth to play with/share I would not care too much.

LoneWolf

Shadowpeo: One good thing to do with a guest network like that is to set a traffic rule on your firewall (if you have one advanced enough) to limit bandwidth on the guest wireless. That way, even if guests connect to your network (or find your SSID), they can't chew your bandwidth up attempting HD YouTube or Netflix streams.

mnbf9rca

Anyone got any idea how to approach this with IPv6? Realistically you need DNS to access devices with IPv6 addresses.

jmwills

Why would you be using IPv6 on a home network?

mnbf9rca

Why would you be using IPv6 on a home network?

Why not? I have both - my ISP has supported native IPv6 since 2002. Clearly the future is IPv6 :)

Using publicly routable IPv6 IPs makes it easier to access things from outside the network, and of course there's no practical limit on the number of hosts.

 

But it has challenges: how to secure it, manage it, etc.

jmwills

Using IPv6 makes no difference on accessing sites outside your network. They are on two different subnets and the traffic is going back through your router for NAT. But if you're up for headaches, full speed ahead.

GotNoTime

Anyone got any idea how to approach this with IPv6? Realistically you need DNS to access devices with IPv6 addresses.

I have DHCPv4 set to give fixed IPs using my numbering scheme to known devices on my LAN. All other devices just pick up an IP from the dynamic pool. The devices pick up their IPv4 gateway and IPv4/IPv6 DNS servers from DHCP.

 

I don't use DHCPv6 however and just use SLAAC, so everything IPv6 capable generates its own IPv6 address based on its MAC address. Various devices will then generate their own IPv6 privacy addresses as well.

 

I run my own local DNS server which I've got set up to allow forward and reverse lookups for all devices. The IP addresses don't need to be particularly memorable this way since DNS will handle it all for me. I set it to validate DNSSEC signatures as well.

 

My routers are a pair of Mikrotik Routerboards which are set up to be dual stack IPv4/IPv6. The router firewall is set to refuse incoming connections from the internet unless it is to specific IPv4/IPv6 addresses and a specific service I want to allow.

 

In an overly complicated setup, I've set my DHCP servers to be in a failover pair and have a master + slave arrangement for my 2 DNS servers. I have two internet connections and run VRRP on my routers to ensure it doesn't become a single point of failure.

 

Using IPv6 makes no difference on accessing sites outside your network. They are on two different subnets and the traffic is going back through your router for NAT. But if you're up for headaches, full speed ahead.

What headaches? It is simple to set up a dual stack network if you have a good router and it is the way forward. RIPE (EU) ran out of IPv4 blocks ages ago and just recently ARIN (NA) ran out. Refusing to implement IPv6 is the real cause of headaches.

 

If you just want it to work then DHCPv4 + IPv6 SLAAC is enough and nearly all automatic. Minimal configuration is needed. My complicated setup isn't necessary at all.

Edited by GotNoTime

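The SLAAC behaviour GotNoTime describes (an address derived from the MAC, with privacy addresses layered on top) can be reproduced in a few lines. This is an added example, not code from the thread: it builds the modified EUI-64 interface identifier (flip the universal/local bit, insert ff:fe), joins it to the router-advertised /64, and shows why such an address gives the MAC away, which is the reason hosts also generate random privacy addresses. The prefix and MAC used are constructed sample values, not anyone's real network.

```python
import ipaddress

# Constructed sample values: a documentation prefix and a made-up MAC
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_MAC = "00:1b:21:3a:4b:5c"


def eui64_interface_id(mac):
    """Return the 8-byte modified EUI-64 identifier for a 48-bit MAC (RFC 4291)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    # Split the MAC in half, insert ff:fe, then flip bit 1 of the first octet (the U/L bit)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine a /64 prefix from a router advertisement with the EUI-64 identifier for mac."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.ip_address(int(net.network_address) | iid)


def mac_from_slaac(address):
    """Recover the MAC from an EUI-64 address, or None if the identifier is not EUI-64 shaped.

    A privacy address (RFC 4941) has a random identifier, so it returns None here:
    that is exactly what the privacy extension is for.
    """
    iid = ipaddress.ip_address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    addr = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(f"{SAMPLE_MAC} on {SAMPLE_PREFIX} -> {addr}")
    print("MAC recovered from that address:", mac_from_slaac(addr))
```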
mnbf9rca

Using IPv6 makes no difference on accessing sites outside your network. They are on two different subnets and the traffic is going back through your router for NAT. But if you're up for headaches, full speed ahead.

With IPv6 you can give each host on your network a publicly routable address, so no need to even touch NAT, no need to create port mappings, deal with conflicting requirements (e.g. two web servers on 443?). I think that's less hassle  :P

 

I have DHCPv4 set to give fixed IPs using my numbering scheme to known devices on my LAN. All other devices just pick up an IP from the dynamic pool. The devices pick up their IPv4 gateway and IPv4/IPv6 DNS servers from DHCP.

 

I don't use DHCPv6 however and just use SLAAC, so everything IPv6 capable generates its own IPv6 address based on its MAC address. Various devices will then generate their own IPv6 privacy addresses as well.

 

I run my own local DNS server which I've got set up to allow forward and reverse lookups for all devices. The IP addresses don't need to be particularly memorable this way since DNS will handle it all for me. I set it to validate DNSSEC signatures as well.

 

Pretty similar to mine - I use SLAAC and RADVD with a /64 prefix assigned by my ISP. I just haven't got the DNS part figured out yet. I only have a single router (Billion BiPAC 8800AXL running PPPoE for my FTTC connection) and am trying to reduce the amount of stuff I have, not add, or I get in trouble.
