Home Network IP Address Scheme Best Practice

[jmwills 284]

Good discussion.  We are all being subnetted from our ISP and I can see new construction in very large neighborhoods being allocated IPV6 addresses but you're still only getting one address, be it 4 or 6 which resolve back to the same address.  We will never run out of v6 addresses, something about there are more v6 addresses than stars in the sky, so as long as it works, it doesn't really matter to me on the exterior, but for simplification I would only ever use v4 on the inside.

[GotNoTime 219]

you're still only getting one address, be it 4 or 6 which resolve back to the same address.

No. You don't get a single IPv6 address. You usually get a /64 IPv6 prefix assigned for your LAN devices. It is specifically a /64 at a minimum because it allows you to generate a static IPv6 address based on the MAC address of your interfaces. If you wish to statically assign addresses using manual configuration then you've got 2^64 address available to use.

[Andne 13]

My ISP provides 6RD (wish they had dual stack, was a pain to set up the tunnel) so I have both IPv6 and IPv4 running inside my network.  I suspect that running IPv4-only on one side of a router and IPv6-only on the other side wouldn't work well at all, since then every client would need to know how to tunnel one protocol into the other.  Long term I hope that IPv4 goes offline entirely and networks become IPv6-only, but given how long it's taking to get dual-stack setups from some ISP's, I don't know that I see that happening anytime remotely soon.

 

After some digging, it looks like the ISPs are expected by ARIN and RIPE to provide a /48 to most home and business subscribers when using IPv6 (found the RIPE guidelines here: http://meetings.ripe.net/ripe-49/presentations/ripe49-ipv6-guidelines.pdf). Inthat case, there should be no reason for the router to perform NAT, instead it can just assign IP's within the provided prefix.  Just because these are publicly routable IP's doesn't mean that they are accessible, I only allow traffic through to the specific addresses that are supposed to be accessible and have the router blocking any other traffic that tries to enter the network.  It does mean that there have to be specific rules for this, but those should be easy for even a consumer-level router to include.  I use pfSense for my router, so I had to actually add the rules but it was easy to do.

 

At work we don't have IPv6 active on the internal network, so maybe it still is something that's more for people to play with for now.  I would be hard pressed to believe that there aren't parts of the internal network that do run IPv6 (dual stack at least if not only) as a test environment so that when things do start to switch they know how to deploy it correctly.  So far it's not active on the client computer network (I'm not in the IT department, work in product design).

[ShadowPeo 66]

Shadowpeo:  One good thing to do with a guest network like that is to set a traffic rule on your firewall (if you have one advanced enough) to limit bandwidth on the guest wireless.  That way, even if guests connect to your network (or find your SSID), they can't chew your bandwidth up attempting HD Youtube or Netflix streams.

 

I would love to, but compared to the rest of the gear in the network, the firewall is a little old and decrepit.

[itGeeks 181]

An old thread but a topic of my own interest, I am building out my daughters network and wanted to share my updated IP scheme.

 

My IP addressing scheme using a private /24 mask:

 

10-19 - Smart Switches

20-29 - Access Points

30-39 - Servers and VM host

40-49 - RACK/iLO/IPMI/KVM/UPS Management Card

50-59 - Printers

60-79 - Phones/Tablets

80-99 - Computer/Laptops

100-109 - Digital Picture Frames

110-119 - Smart TV's

120-129 - Fixed Media Streamers. Example Roku, NVIDIA Shield, Fire Stick.

130-139 - Blu-ray/DVD Players

140-149 - Gaming Consoles

150-169 - IP Cameras (This will be put on a VLAN at some point)

170-189 - Reserved for the unknown

190-229 - Reserved for Home Automation Stuff.

 

230-254 - DHCP range for guests and newly added devices not yet added with static IP 

 

Service providers (CPE) Cable boxes (STB) and router are on its own network, I like to keep it separate on its own Subnet to keep from prying eyes. I hang my router off a DMZ on the service providers router, (This may soon change as I want to make my router first inline and hang the service providers router off a DMZ) Further testing is needed to make sure the TV service does not brake.

 

Schoon tag your it, You ask the question now would you mind telling us what you do?

[Jason 73]

Thanks for sharing this. Incidentally I have no convention to my LAN. Not ideal. Just a range of 192.168.0.10-192.168.0.100. With random consecutive devices in between.

 

Is there any way to create a reservation in Windows DHCP for a specific LAN IP? Without having to right click on a lease and create a reservation (with that device's currently assigned IP address)?

 

 

Sent from my iPhone using Tapatalk

[schoondoggy 745]

Still a work in progress. Home address range 192.168.1.1-255 Lab address range 192.168.2.1-255

Home:

1-20 Networking/Firewall

30-43 PC/Laptop

49-68 Home Automation

100-149 DHCP range

180-185 Printers/Scanners

190-225 Audio/Video/Media/Gaming

235-254 Servers/VM's

[Jason 73]

Wondering whether I should just be using the DHCP server built into my router instead of Windows DHCP server? What do others here do?

 

Instead I create a reservation on Windows DHCP, mirror that IP definition in Sophos UTM, then add to a Sophos UTM https exception list. More steps than I probably need?

 

 

Sent from my iPhone using Tapatalk

[jmwills 284]

Too many points of failure.  I'd just use the DHCP function of the router.

[Jason 73]

Good point. When I move away from Sophos UTM, I'll revert back to router DHCP only. Possibly DNS also.

 

 

Sent from my iPhone using Tapatalk