RESET Forums (homeservershow.com)
schoondoggy

Home Network IP Address Scheme Best Practice


jmwills

Good discussion. We are all being subnetted from our ISP and I can see new construction in very large neighborhoods being allocated IPv6 addresses, but you're still only getting one address, be it v4 or v6, which resolves back to the same address. We will never run out of v6 addresses; something about there being more v6 addresses than stars in the sky. So as long as it works, it doesn't really matter to me on the exterior, but for simplification I would only ever use v4 on the inside.

GotNoTime

you're still only getting one address, be it 4 or 6 which resolve back to the same address.

No. You don't get a single IPv6 address. You usually get a /64 IPv6 prefix assigned for your LAN devices. It is specifically a /64 at a minimum because it allows you to generate a static IPv6 address based on the MAC address of your interfaces. If you wish to statically assign addresses using manual configuration, then you've got 2^64 addresses available to use.

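An added example (my own, not code from the post) of the MAC-based derivation GotNoTime describes: the modified EUI-64 transform that turns a /64 prefix plus an interface's MAC into its IPv6 address, and the reverse lookup that recovers the MAC; the 2001:db8::/32 documentation prefix and the MAC used below are constructed sample values.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): split the
    48-bit MAC in half, insert 0xFFFE between the halves, and flip the
    universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the MAC-derived interface ID. Only a /64 leaves
    exactly 64 bits for the identifier, which is why a /64 is the smallest
    delegation that still supports MAC-based autoconfiguration."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Reverse the transform. If the interface ID carries 0xFFFE in the middle
    the MAC is recoverable, which is why an EUI-64 address reveals the hardware
    behind it (the motivation for RFC 4941 privacy extensions)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # Constructed sample: documentation prefix and a made-up MAC.
    a = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print(a, "->", mac_from_slaac(str(a)))
```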
Andne

My ISP provides 6RD (wish they had dual stack; it was a pain to set up the tunnel), so I have both IPv6 and IPv4 running inside my network. I suspect that running IPv4-only on one side of a router and IPv6-only on the other side wouldn't work well at all, since then every client would need to know how to tunnel one protocol into the other. Long term I hope that IPv4 goes offline entirely and networks become IPv6-only, but given how long it's taking to get dual-stack setups from some ISPs, I don't know that I see that happening anytime remotely soon.

After some digging, it looks like the ISPs are expected by ARIN and RIPE to provide a /48 to most home and business subscribers when using IPv6 (found the RIPE guidelines here: http://meetings.ripe.net/ripe-49/presentations/ripe49-ipv6-guidelines.pdf). In that case, there should be no reason for the router to perform NAT; instead it can just assign IPs within the provided prefix. Just because these are publicly routable IPs doesn't mean that they are accessible: I only allow traffic through to the specific addresses that are supposed to be accessible and have the router block any other traffic that tries to enter the network. It does mean that there have to be specific rules for this, but those should be easy for even a consumer-level router to include. I use pfSense for my router, so I had to actually add the rules, but it was easy to do.

At work we don't have IPv6 active on the internal network, so maybe it still is something that's more for people to play with for now. I would be hard pressed to believe that there aren't parts of the internal network that do run IPv6 (dual stack at least, if not only) as a test environment, so that when things do start to switch they know how to deploy it correctly. So far it's not active on the client computer network (I'm not in the IT department; I work in product design).

ShadowPeo

Shadowpeo: One good thing to do with a guest network like that is to set a traffic rule on your firewall (if you have one advanced enough) to limit bandwidth on the guest wireless. That way, even if guests connect to your network (or find your SSID), they can't chew your bandwidth up attempting HD YouTube or Netflix streams.

I would love to, but compared to the rest of the gear in the network, the firewall is a little old and decrepit.

itGeeks

An old thread, but a topic of my own interest: I am building out my daughter's network and wanted to share my updated IP scheme.

My IP addressing scheme using a private /24 mask:

10-19 - Smart Switches
20-29 - Access Points
30-39 - Servers and VM host
40-49 - Rack/iLO/IPMI/KVM/UPS Management Card
50-59 - Printers
60-79 - Phones/Tablets
80-99 - Computers/Laptops
100-109 - Digital Picture Frames
110-119 - Smart TVs
120-129 - Fixed Media Streamers, e.g. Roku, NVIDIA Shield, Fire Stick
130-139 - Blu-ray/DVD Players
140-149 - Gaming Consoles
150-169 - IP Cameras (this will be put on a VLAN at some point)
170-189 - Reserved for the unknown
190-229 - Reserved for home automation stuff
230-254 - DHCP range for guests and newly added devices not yet given a static IP

The service provider's equipment (CPE), cable boxes (STB) and router are on their own network; I like to keep it separate on its own subnet, away from prying eyes. I hang my router off a DMZ on the service provider's router (this may soon change, as I want to make my router first inline and hang the service provider's router off a DMZ). Further testing is needed to make sure the TV service does not break.

Schoon, tag, you're it. You asked the question; now would you mind telling us what you do?

Jason

Thanks for sharing this. Incidentally, I have no convention for my LAN. Not ideal. Just a range of 192.168.0.10-192.168.0.100, with random consecutive devices in between.

Is there any way to create a reservation in Windows DHCP for a specific LAN IP, without having to right click on a lease and create a reservation (with that device's currently assigned IP address)?

Sent from my iPhone using Tapatalk

schoondoggy

Still a work in progress. Home address range 192.168.1.1-255; lab address range 192.168.2.1-255.

Home:

1-20 Networking/Firewall
30-43 PC/Laptop
49-68 Home Automation
100-149 DHCP range
180-185 Printers/Scanners
190-225 Audio/Video/Media/Gaming
235-254 Servers/VMs

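As an added example serving both itGeeks' /24 plan above and schoondoggy's home plan in this post (my own code, not either poster's), a small checker that flags overlapping blocks, such as a DHCP pool colliding with a static range, lists the host numbers no block claims, and maps an address to its block; the 10.0.0.0/24 network used for itGeeks' plan is an assumption, since the post only says "private /24".

```python
import ipaddress

# Both /24 plans transcribed from the posts above: {label: (first_host, last_host)}
ITGEEKS_PLAN = {
    "Smart Switches": (10, 19), "Access Points": (20, 29),
    "Servers and VM host": (30, 39), "Rack/iLO/IPMI/KVM/UPS mgmt": (40, 49),
    "Printers": (50, 59), "Phones/Tablets": (60, 79), "Computers/Laptops": (80, 99),
    "Digital Picture Frames": (100, 109), "Smart TVs": (110, 119),
    "Fixed Media Streamers": (120, 129), "Blu-ray/DVD Players": (130, 139),
    "Gaming Consoles": (140, 149), "IP Cameras": (150, 169),
    "Reserved (unknown)": (170, 189), "Home Automation": (190, 229),
    "DHCP (guests/new devices)": (230, 254),
}
SCHOONDOGGY_HOME_PLAN = {
    "Networking/Firewall": (1, 20), "PC/Laptop": (30, 43), "Home Automation": (49, 68),
    "DHCP range": (100, 149), "Printers/Scanners": (180, 185),
    "Audio/Video/Media/Gaming": (190, 225), "Servers/VMs": (235, 254),
}


def check_plan(plan):
    """Return (overlaps, unallocated). overlaps lists (label_a, label_b) pairs
    whose host ranges collide (a DHCP pool spilling into a static block is the
    classic mistake); unallocated lists usable host numbers 1-254 that no
    block claims. Ranges are swept in order, tracking the furthest end seen,
    so a block nested inside a wider one is caught too."""
    items = sorted(plan.items(), key=lambda kv: kv[1])
    overlaps, reach, reach_label = [], 0, None
    for label, (lo, hi) in items:
        if lo <= reach:
            overlaps.append((reach_label, label))
        if hi > reach:
            reach, reach_label = hi, label
    claimed = {h for _, (lo, hi) in items for h in range(lo, hi + 1)}
    return overlaps, sorted(set(range(1, 255)) - claimed)


def classify(plan, network, host):
    """Map a host address to its block label (e.g. 192.168.1.42 -> 'PC/Laptop').
    None means the address sits in an unallocated gap, which is worth a look
    when it turns up in a DHCP lease table or a firewall log."""
    net = ipaddress.IPv4Network(network)
    addr = ipaddress.IPv4Address(host)
    if addr not in net:
        raise ValueError(f"{host} is not inside {network}")
    offset = int(addr) - int(net.network_address)
    for label, (lo, hi) in plan.items():
        if lo <= offset <= hi:
            return label
    return None
```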
Jason

Wondering whether I should just be using the DHCP server built into my router instead of Windows DHCP server? What do others here do?

Instead I create a reservation on Windows DHCP, mirror that IP definition in Sophos UTM, then add it to a Sophos UTM HTTPS exception list. More steps than I probably need?

Sent from my iPhone using Tapatalk

jmwills

Too many points of failure. I'd just use the DHCP function of the router.

Jason

Good point. When I move away from Sophos UTM, I'll revert back to router DHCP only. Possibly DNS also.

Sent from my iPhone using Tapatalk
