Noob Networking- How do I split up my home network? Hardware, Software?


Zonte

New Member
Feb 25, 2024
I'm attempting to separate my home network into 4 or 5 individual networks. I watched a series of Network Chuck videos on subnetting, so I think that I understand what is supposed to happen with the IP address and subnet, even though my requirements do NOT specifically warrant subnetting. I simply want to know how to split up my 192.168.1.x into 192.168.x.x or add a 10.x.x.x. I do not need over 250 host addresses per network. In the end I want to have a homelab on one network that I can play around with and not worry about messing up anything critical before deploying it to the other main networks.

I currently have an ISP modem/router with a static route (192.168.1.2) to another router (192.168.50.x) for my TV, consoles and Wi-Fi, and that seems to work... I could just keep doing this, but I feel like there is a better way to do it. I believe I need specific hardware for VLANs, and I didn't see any obvious settings on any of the routers that I have lying around, so I wasn't planning on doing it that way... but maybe THIS IS THE WAY..?

I guess what I really need to know is... Where exactly am I supposed to be assigning IP addresses for those specific networks? Do I do it with routers, or do I need some other hardware or software to achieve this? And where can I go to RTFM on how to do it? Everything I search for gives me some BS that I am not looking for. References and other resources are greatly appreciated.

Thank you for your response in advance.

Cheers,

Justin
 

pricklypunter

Well-Known Member
Nov 10, 2015
Canada
I have no idea how network savvy you are, but if you are, then I apologise now if this seems like I'm trying to teach an old dog new tricks. However, purely based on your post, I'm going with you having some blanks that need filling in as to how network segmentation works, so bear with me.

Imagine for a moment that you have 4 x 5-port dumb TP-Link switches. You connect a bunch of devices into each switch and then you have 4 uplink ports left over. The devices connected to each switch have a manually assigned IP address in the range of 192.168.1.1, .2.1, .3.1, .4.1, /24. In effect, you have created 4 LANs, albeit by using physical devices, i.e. a dumb switch, to segment your network. Each port on a switch is a micro-segment. Continuing on, if you are then planning on allowing devices in one LAN to be able to talk to devices in another LAN, then you need some way to cross that bridge, because at the moment all devices connected to each switch reside in their own broadcast domain.

Enter the Router. Imagine yours has multiple ports for you to play with (no, I don't mean the 4-port switch that is on the back of your ISP box). Each uplink port from the above switches would connect to a port on the Router. Each port on the router has its own IP address allocated, in the same range as the devices on the switch that it's connected to, and each device on that switch will then use that IP address as its gateway IP. So any time one of those devices needs to escape its LAN (broadcast domain) to talk to something outside, the switch will send the traffic to the gateway, which is on the Router. The Router, being the magical box of knowledge that it is, knows how to get to all of the other ports (and the wider world), one of which has the device on it that you want to connect to, and it will route that traffic to the appropriate port. Think of this as inter-LAN routing.

Now VLANs are imaginary things, in that they are virtual devices. Hence the name, Virtual Local Area Networks, and not the purely physical devices I depicted above. If you are going to go down the VLAN road, all of your network infrastructure must be VLAN aware or capable. So your switches must be aware, your Router must be aware, and the devices you choose must have sufficient port density for all of your devices to plug into, plus some extra for adding stuff or making changes.

For a quick VLAN example, say a VLAN aware switch has 24 ports. Well, you can carve up some of those ports and place them in one Virtual LAN (the same broadcast domain), same again for another bunch of ports, etc. These are just your LANs from the example above, but now created virtually inside the same switch instead of using physical switches. Then, using the uplink port, you pass all of those VLANs upstream to a Router; that uplink port, by the magic of not explaining how, becomes a trunk port. This is a special port that allows multiple VLANs to traverse it. This arrangement would then become what is known as a "Router on a stick".

Now, being a Router, it is capable of also running other services. In addition to routing traffic from port to port, one common service is DHCP, another is DNS, whereby the Router can be configured to hand out IP addresses and nameserver addresses to your various devices when asked for them, again by the magic of not explaining how this is achieved. This would generally be the mechanism by which you would automate handing out IP, gateway and nameserver addresses to all of the devices on your network.

I have kept this quick and about as jargon free as I can. I have skipped over the entirety of how all of this is actually accomplished in practice :)

But now that you can imagine how stuff can talk to other stuff on your network, you will see that the Router is where things get their IP address from, unless you manually assign them. There are a myriad of devices and software that can be used to accomplish your goals, but rarely does home-gamer level equipment, or ISP supplied equipment, have the moxie required to successfully implement what you want.

Networking is a huge subject, but for the simpler stuff the interweb is littered with good tutorials on how to build or segment a LAN. I would point you to somewhere like the SmallNetBuilder site; they have some decent worked examples of how to go about this. Also search for "LAN segmentation using VLANs"; there's loads of good stuff that comes up. Once you get into it a bit more and grasp some of the concepts, I promise it gets easier ;)
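To make the reply above concrete, here is an added example (not from the poster) that plans one /24 per VLAN, picks the router's address on each as the gateway, carves out a DHCP pool, refuses overlapping subnets, and emits the Linux iproute2 commands for the "router on a stick" trunk sub-interfaces. The VLAN IDs, names, subnets and the trunk interface name eth0 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VLAN plan for this example: (VLAN id, name, subnet). All assumptions.
VLAN_PLAN = [
    (10, "trusted", "192.168.10.0/24"),
    (20, "guest", "192.168.20.0/24"),
    (30, "iot", "192.168.30.0/24"),
    (40, "homelab", "10.40.0.0/24"),
]

@dataclass(frozen=True)
class Segment:
    vlan_id: int
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address   # the router's address on this VLAN
    dhcp_first: ipaddress.IPv4Address
    dhcp_last: ipaddress.IPv4Address

def plan_segment(vlan_id, name, cidr, reserved=20):
    """Gateway = first usable host (the router's address on this VLAN); the next
    `reserved` addresses are kept for static assignments; the rest is the DHCP pool."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects e.g. 192.168.10.5/24
    hosts = list(net.hosts())
    if len(hosts) < reserved + 2:
        raise ValueError(f"{cidr} is too small for a {reserved}-address static block")
    return Segment(vlan_id, name, net, hosts[0], hosts[reserved + 1], hosts[-1])

def check_no_overlap(segments):
    """Two VLANs sharing address space cannot be routed between; refuse the plan."""
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.network.overlaps(b.network):
                raise ValueError(f"{a.name} and {b.name} overlap")
    return True

def router_on_a_stick(segments, trunk="eth0"):
    """Linux iproute2 commands for one 802.1Q sub-interface per VLAN on the
    trunk port (the 'router on a stick' above). Returns text; runs nothing."""
    lines = []
    for s in segments:
        dev = f"{trunk}.{s.vlan_id}"
        lines.append(f"# VLAN {s.vlan_id} {s.name}: DHCP pool {s.dhcp_first}-{s.dhcp_last}")
        lines.append(f"ip link add link {trunk} name {dev} type vlan id {s.vlan_id}")
        lines.append(f"ip addr add {s.gateway}/{s.network.prefixlen} dev {dev}")
        lines.append(f"ip link set {dev} up")
    return "\n".join(lines)
```

Running `router_on_a_stick([plan_segment(*p) for p in VLAN_PLAN])` prints the commands; the DHCP pool comment is what you would then enter into whatever DHCP server the router runs.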
 

Zonte

New Member
Feb 25, 2024
Thanks for the detailed reply. I figured out that my router is not capable of assigning specific IP ranges to a specific port. Which is why I was so confused.
 

sic0048

Active Member
Dec 24, 2018
Thanks for the detailed reply. I figured out that my router is not capable of assigning specific IP ranges to a specific port. Which is why I was so confused.
That is very common. Most "all-in-one" routers have a true switch in them, which means you cannot assign the network ports out individually.

However you might want to look into building your own firewall/router and using pfSense or OPNsense as the firewall software. Usually the multiport network cards that you put into a computer CAN have their individual ports broken out separately and it is very easy then to assign a unique subnet to each port.
 

louie1961

Active Member
May 15, 2023
Here's what I did, which may fit your needs. I have a cable modem that inputs into the WAN port on my pfSense device (pfSense loaded onto an inexpensive N100-based mini PC with 4 Ethernet ports, not an actual Netgate appliance). pfSense serves several functions: router, firewall, DNS, adblocker (same as Pi-hole essentially), DHCP server, etc. Inside of pfSense I have defined 5 VLANs: one for trusted devices, one for guest devices (including my kids), one for televisions, one for all the Ring cameras, Alexa devices, the Ring alarm, etc., one for WordPress sites I host locally that are exposed to the internet, and one for the management interface of my Proxmox servers.

My pfSense box then outputs to a relatively inexpensive 2.5GbE managed network switch. Everything hangs off of that switch. I use trunked ports to pass all of the VLANs to my Proxmox servers as well as to a VLAN aware wireless access point. I use tagged ports to connect everything else and restrict those physical connections to one VLAN. The Proxmox servers, VMs, Docker containers, etc. all have static IP address reservations in pfSense. I have firewall rules in pfSense that make it so only devices assigned to the trusted VLAN can access any device on any other VLAN. Otherwise, devices assigned to the other VLANs can only talk to devices within the same VLAN, or go out to the internet. My WAP has dedicated SSIDs for each VLAN, with unique passwords. You could put together a pfSense box for around $250-300, the switch was $119, and the wireless access point was $89.
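The inter-VLAN policy described in the post above (trusted reaches everything; every other VLAN may only talk to itself or to the internet) is easy to get subtly wrong, because an "allow to any" rule on an untrusted VLAN also matches the other VLANs. This added example, not the poster's configuration, models the rule order as a small evaluator and audits constructed sample flows against it; the VLAN names, subnets and addresses are assumptions.

```python
import ipaddress
# Constructed layout modelled on the post above; names, IDs and ranges are assumptions.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.40.0/24"),      # cameras, Alexa, alarm
    "dmz": ipaddress.ip_network("192.168.50.0/24"),      # internet-exposed web hosts
    "mgmt": ipaddress.ip_network("192.168.60.0/24"),     # Proxmox management
}

# The 'internet' rule on an untrusted VLAN must be written as 'destination NOT in
# these ranges'; a plain 'allow to any' would also match every other VLAN.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def vlan_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)

def is_internet(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE)

def policy(src, dst):
    """Verdict for a NEW connection src -> dst (stateful firewall, so replies are
    implied). First match wins: trusted -> any; others -> same VLAN or internet; else drop."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:
        return "deny", "source not on a known VLAN"
    if s == "trusted":
        return "allow", "trusted may reach any destination"
    if d == s:
        return "allow", "intra-VLAN traffic (never crosses the router)"
    if d is None and is_internet(dst):
        return "allow", "internet egress (destination outside the private ranges)"
    return "deny", "default deny between VLANs"

# Constructed sample flows to audit the policy against.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.60.2"),   # trusted laptop -> Proxmox management
    ("192.168.40.7", "192.168.10.5"),   # camera -> trusted laptop
    ("192.168.40.7", "8.8.8.8"),        # camera -> its cloud service
    ("192.168.50.3", "192.168.60.2"),   # exposed web host -> management
    ("192.168.50.3", "10.0.0.1"),       # exposed web host -> some other private range
]

def audit(flows=SAMPLE_FLOWS):
    return [(s, d, *policy(s, d)) for s, d in flows]
```

The last sample flow is the one a naive "allow to any" would let through; the private-range alias is what turns it into a deny.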