this post was submitted on 20 Aug 2023
67 points (92.4% liked)


I’m setting up DHCP reservations on my home network and came up with a simple schema to identify devices: .100 is for desktops, .200 for mobiles, .010 for my devices, .020 for my wife’s, and so on. Does anyone else use schemas like this? I’ve also got .local DNS names for each device, but having a consistent schema feels nice to be able to quickly identify devices by their IPs.

[–] [email protected] 34 points 1 year ago (1 children)

TL;DR: don’t reserve IPs.

We all did back in the 90s. But this is kinda counter to the idea of dynamic leasing of IP addresses.
The only reason I see for reserving IPs would be to do some based on cidr ranges (bad practice) or because you need some shitty software that only handles IPs and not hostnames.

Just liberate yourself and get used to not having control over IP. It will prepare you for ipv6 where dynamic addresses are part of the spec.

Your local dns server should be set up to register devices on ip lease - something all dns servers I’ve worked with in the last 20 years can manage. With properly set ip search domains this means that you can reach your devices by hostname, or by fqdn if you’d want that.

Also note that .local is a special tld reserved for mdns/zeroconf. Do not set up your dns server to serve this. You’d be better off using something like .LAN - this means that mdns/zeroconf can co-exist nicely on your lan.

Regarding vlans: this is something completely different as this is level 2 in osi. Each vlan is like a separate network - there needs to be routing to reach one from the other. I would agree that vlans are nice when used properly - to section and separate devices. One vlan for IoT devices - to keep them out of your safe home network - is a fairly common thing. A separate vlan for servers, one for management perhaps, one for guest-network and one for your normal home devices.

I use 4 vlans at home each with a /16 network from the 10/8 range. And the only static (not reserved dhcp) that I use are for dns and gateway. At work I still set up some sites where infrastructure like switches/routers etc are on static - and take this into account when I set up the ip pool(s). In those cases I’ll exclude the top end of the network and put the rest in the pool. Some like to do the opposite end, and some don’t care and just use all as pool and count on arp/ping to avoid conflicting leases (bad practice).

[–] dream_weasel 8 points 1 year ago (3 children)

I like your funny words magic man.

As a total novice for networking (setting up 4 hat rules for my pihole was... tough), how bad are vlans to set up?

[–] [email protected] 4 points 1 year ago

Not bad. Hugely depends on what software, hardware, and firmware you use though.

I used a guide by HomeNetworkingGuy to fully set my network up in OPNSense, my software, running on a Protectli Vault, my hardware, using FreeBSD, my firmware/bios. It took me a full day start to finish. VLANs were maybe 30-60mins of that time tops.

[–] [email protected] 4 points 1 year ago

Look at them like this: VLANs are like running several cables between two spots that you can configure independently. In the very end it comes down to this: what virtual LAN number you have on the cable.

Your backbone devices (router and switches) can be configured to accept tagged traffic (your switch will send a packet prefixed with a VLAN index and your router will trust that the packet actually came from that VLAN on the switch port), or to tag traffic (like when you have some port on your switch where your PC is plugged in and the switch will tag those packets with some VLAN when it forwards them to the router).

Once you grasp that, everything else pretty much boils down to managing several isolated networks and how they cross-talk. You run a dhcp server over each network, its own set of other services and whatnot.

Oftentimes the “home” hardware will expect a single network and use some means of packets broadcast to reach each other. That's how your phone can find all google homes on the network and apple homekit knows where your smart lights are. For that traffic to cross VLANs you’ll have to use some special software like mdns repeaters, but you can still isolate them.

Wrapping up, VLANs basically allow you the physical level isolation over a single cable. Mind that there are, of course, some bugs, e.g. I once found an issue with Unifi access points that allowed a well crafted packet to escape into VLAN 1 no matter what it was supposed to be tagged with. So don’t treat them as physically separate links.

[–] [email protected] 3 points 1 year ago

They are not hard once you grasp the idea. They are like separate networks on layer 2 (link) - layer 1 (physical) can be shared.
So you get several separate networks for the price (and equipment) of one. If you want to reach a device on one vlan from another it needs to be forwarded by something.

It gets a bit complicated here - as your idea of the network is on layer 4 where tcp and udp and other protocols live. As you don’t want to connect one vlan to the other - you want something that has access to both vlans to forward your layer 3 data (IP) between the links. This is your router. It will have a virtual network card on each vlan. You can tell your router to send data from one network card to the other to forward the data.

I suck at explaining, so you’re probably better off doing a Udemy network primer or reading up a little bit. Good things to understand are the first 4 layers of the osi model and routing.

It’s not hard and you can learn how to use it by poking stuff and googling a bit. Just imagine each vlan as a “copy” of your equipment (layer 1) cables and all. Your switch will have to support it, and if you want to trunk (run several vlans through one link) you need support on the other end as well.

/endwalloftext

[–] [email protected] 33 points 1 year ago* (last edited 1 year ago)

We all go down this hole at the start. The truth is, you should only reserve IPs if you actually need it to stay the same. You don't need to check IPs as often as you think, I promise. The only segmentation and planning you should do for a home network is for subnets/vlans; LAN, Guest, IOT, Server, etc.

Instead of managing the IP addresses, just manage hostnames. Make sure every device with a customizable hostname is easily identifiable. This will help you so much more in the long run.

[–] [email protected] 15 points 1 year ago (1 children)

10.0.0.0/8; so much room for activity.

I currently use 10.0.0.0/24 as infrastructure; 10.10.0.0/24 for hard wired devices; 10.20.0.0/24 for wireless devices; and 10.42.0.0/16 for docker containers provisioned by Rancher.

[–] [email protected] 7 points 1 year ago (3 children)

Can you tell me what the values after / denote? Like /8, /24.

I have seen them in many places. I even use /8 in my Wireguard config. But I do not know what it is. I do not even know its name to look it up online.

[–] [email protected] 6 points 1 year ago

The term you are looking for is CIDR notation. The / is showing what the subnet mask is. So the subnet mask for a /8 is 255.0.0.0, which would be an extremely large network (over 16 million addresses, this was traditionally known as a Class A).

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation

[–] chepdamona 2 points 1 year ago

It's called CIDR notation, the number represents how many bits of the whole address represent the "network" part of the address. /8 is equivalent to a subnet mask of 255.0.0.0
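A worked version of the two answers above, added here as an example (not any poster's code): the prefix length after the slash is turned into a dotted mask by plain bit arithmetic, then the network, broadcast and usable-host count are derived for the ranges mentioned in this thread and cross-checked against Python's `ipaddress` module.

```python
"""CIDR notation worked through with integer arithmetic.

/N means the top N bits of the 32-bit address are the network part;
the mask is N one-bits followed by (32 - N) zero-bits.
Sample prefixes are the ones posters in this thread mention.
"""
import ipaddress


def ip_to_int(dotted: str) -> int:
    """'10.42.3.7' -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/8 -> 255.0.0.0, /24 -> 255.255.255.0, /25 -> 255.255.255.128."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask)


def describe(cidr: str) -> dict:
    """Network address, broadcast address and host counts for a CIDR block."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(addr) & mask          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    total = 1 << (32 - prefix)
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021)
    usable = total - 2 if prefix <= 30 else total
    return {"mask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast), "total": total, "usable": usable}


def contains(cidr: str, ip: str) -> bool:
    """True when `ip` falls inside the block: same bits under the mask."""
    addr, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    return ip_to_int(ip) & mask == ip_to_int(addr) & mask


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.10.0.0/24", "10.42.0.0/16", "192.168.1.0/25"):
        d = describe(cidr)
        ref = ipaddress.ip_network(cidr, strict=False)   # standard-library cross-check
        assert d["mask"] == str(ref.netmask) and d["total"] == ref.num_addresses
        print(f"{cidr:16} mask {d['mask']:15} {d['network']} - {d['broadcast']}"
              f"  {d['usable']} usable hosts")
    print(contains("10.42.0.0/16", "10.42.7.9"), contains("10.10.0.0/24", "10.20.0.5"))
```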

[–] [email protected] 11 points 1 year ago

I don't.

I currently use 192.168.6.0/24, set DHCP to 100-199, and statically assign a few servers outside that range. Anything else can use DNS via DHCP because I use Windows for AD/DNS/DHCP.

[–] [email protected] 10 points 1 year ago (1 children)

I don't see the need, everything gets IDed by its hostname.

The only thing with static DHCP is IoT stuff that needs a consistent IP for HA to connect to it, and servers.

[–] [email protected] 4 points 1 year ago (1 children)

It can be useful to assign a static IP address for your kids' devices so you can set parental control on pihole/adguard.

[–] [email protected] 3 points 1 year ago (1 children)

Pi-hole can separate devices by MAC, so it's not really needed to group them.

[–] [email protected] 1 points 1 year ago (1 children)

Wouldn't that require you to use pihole as DHCP though? Afaik DNS packets don't contain the MAC address, right?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I think it will just identify the device by MAC and use whatever IP that MAC has assigned to block queries. I just noticed the other day that I can select devices by MAC and assign to groups, and my pihole isn't the DHCP.

[–] [email protected] 7 points 1 year ago

I use it for enterprise scale infrastructure deployments. But for a home network, it seems like unnecessary work.

[–] dream_weasel 6 points 1 year ago

I reserve everything below .100 for static IP devices like switches/access points and my work devices, the rest is all dynamic lease DHCP.

I could just set up a dashboard or figure out how to use hostnames, but I'm a caveman and I remember the IPs of the devices I want to ssh or browse to in my network.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

I live alone. So I just have reserved IPs for each of my devices. Any new device gets assigned >200 so that I can easily identify new stuff, or rogue devices - which hasn't happened lol. The only special IP is my pihole that gets 192.168.1.2 next to my router since I consider it infrastructure basically. Plus pihole is my dhcp server and dns obviously.

[–] [email protected] 3 points 1 year ago (1 children)

I like the range for new devices; hadn’t thought of that!

[–] [email protected] 4 points 1 year ago

Yeah makes it easier to identify new stuff. Like I recently added a new NAS into my network, and I didn't have to try and figure out which device it was identified as. Just sitting at 200.1 so I could give it a name and assign a static IP.
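The "new devices land above .200" idea from the last few comments, turned into a small lease-file check as an added example (not any poster's code): leases are classified against a numbering schema and anything that is not in a reserved range is flagged for a look. It assumes a Pi-hole/dnsmasq-style lease file (`expiry mac ip hostname client-id` per line); the schema and the lease lines are constructed for the example.

```python
"""Classify DHCP leases by last octet and flag unreserved devices."""
from __future__ import annotations
from dataclasses import dataclass

# Illustrative schema loosely based on this thread (assumed, not any poster's
# real layout): infrastructure low, reserved devices in the middle, and the
# dynamic pool at .200 and above so new or unknown devices stand out.
SCHEMA = [
    (1, 9, "infrastructure"),
    (10, 19, "my devices"),
    (20, 29, "wife's devices"),
    (100, 109, "desktops"),
    (110, 119, "mobiles"),
    (200, 254, "dynamic pool (new/unknown)"),
]

# Constructed sample in dnsmasq lease format; '*' means unknown hostname/client-id.
SAMPLE_LEASES = """\
1692561900 aa:bb:cc:00:00:01 192.168.1.2 pihole 01:aa:bb:cc:00:00:01
1692561900 aa:bb:cc:00:00:10 192.168.1.10 laptop *
1692561900 aa:bb:cc:00:00:21 192.168.1.21 wife-phone *
1692561900 aa:bb:cc:00:00:c8 192.168.1.200 * *
1692561900 aa:bb:cc:00:00:c9 192.168.1.201 new-nas *
"""


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str
    category: str
    needs_review: bool


def classify(ip: str) -> str:
    """Map the last octet onto a schema range, or 'outside schema'."""
    last = int(ip.rsplit(".", 1)[1])
    for lo, hi, name in SCHEMA:
        if lo <= last <= hi:
            return name
    return "outside schema"


def parse_leases(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _expiry, mac, ip, hostname = fields[:4]
        cat = classify(ip)
        # Dynamic-pool or out-of-schema addresses were never reserved by the
        # owner, so those are the ones worth looking at after a lease refresh.
        review = cat.startswith("dynamic") or cat == "outside schema"
        leases.append(Lease(mac, ip, hostname, cat, review))
    return leases


def review_list(text: str) -> list[str]:
    """IPs of leases that are not in a reserved range."""
    return [l.ip for l in parse_leases(text) if l.needs_review]


if __name__ == "__main__":
    for l in parse_leases(SAMPLE_LEASES):
        flag = "  <-- check" if l.needs_review else ""
        print(f"{l.ip:15} {l.mac}  {l.hostname:12} {l.category}{flag}")
```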

[–] [email protected] 5 points 1 year ago (2 children)

For work we have standards, ideally we separate VLANs by device type and firewall off their communication, but on a home network, I'd generally group by category. .1-9 network gear like switches and firewalls. .10-19 IOT. .20-29 servers & NAS. So on and so forth.

[–] [email protected] 4 points 1 year ago

I’m paranoid so I have created a physically separate network for the IoT stuff. Everything gets its IP from the same server from a /25. The lower is the trusted network, high IPs are not. IoT network devices cannot open connections to the other network. A bit awkward, but works fine.

[–] [email protected] 4 points 1 year ago (1 children)

I see no reason to put iot devices on the same lan as my servers/home network, and I never suggest that to friends.

[–] dream_weasel 2 points 1 year ago (2 children)

So a separate WiFi name (or probably router/AP) for a separate vlan?

[–] [email protected] 1 points 1 year ago

Vlans are virtual lans. So no extra equipment, but your router (as minimum) must support them. If your AP also supports them, you send two vlans through one cable (trunking), and attach each vlan to its own SSID on the AP. There will be no connection between devices on SSID1/Vlan1 and devices on SSID2/vlan2. It’s like you have two cables. To make a connection between those devices you must tell your router to forward the packets between the virtual lans.

That’s the whole trick - you see one cable, but inside it’s like 4000 cables. It’s the same inside your switch/router with vlan support - you see one physical port, but it’s 4000 inside - one for each of the 4000 cables. Each one works and behaves like a physical one. You get data in from one, and can forward it upstream to internet or into one of the other NICs/cables, as that’s what a router does.
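What the "tagged traffic" from the earlier VLAN explanation and the "4000 cables in one" above look like on the wire, as an added example (not any poster's code): it builds Ethernet frames with and without an IEEE 802.1Q tag and decodes the VLAN ID back out, including stacked (QinQ) tags. The MAC addresses and payloads are constructed for the example.

```python
"""Build and decode 802.1Q-tagged Ethernet frames.

Tagged frame layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) |
TCI (2: 3-bit priority, 1-bit DEI, 12-bit VLAN ID) | real EtherType (2) | payload.
An untagged frame simply has the real EtherType where the TPID would be.
"""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100     # single tag
TPID_8021AD = 0x88A8    # outer tag when stacking (QinQ)
ETHERTYPE_IPV4 = 0x0800
MAX_VID = 4094          # VID 0 and 4095 are reserved, hence "about 4000 cables"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes, vid: int | None = None,
                prio: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Untagged when vid is None; otherwise insert one 802.1Q tag."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= MAX_VID:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((prio & 0x7) << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src, VLAN tags outermost first, the payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vlans = []
    # Walk any stacked tags: each is 4 bytes sitting in front of the real EtherType.
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 6 > len(frame):
            raise ValueError("tag header truncated")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append({"vid": tci & 0x0FFF, "prio": tci >> 13, "dei": (tci >> 12) & 1})
        offset += 4
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": fmt(dst), "src": fmt(src), "vlans": vlans,
            "ethertype": etype, "payload": frame[offset + 2:]}


if __name__ == "__main__":
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"hello")
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"hello", vid=20, prio=5)
    for f in (untagged, tagged):
        p = parse_frame(f)
        print([v["vid"] for v in p["vlans"]] or "untagged", hex(p["ethertype"]), p["payload"])
```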

[–] [email protected] 1 points 1 year ago

That's what I do. All my IOT stuff that I can't get wired or via Zigbee/Z-Wave goes on a separate VLAN along with my Home Assistant server. I have an mDNS repeater for ease of access to TV stuff via apps (might spin TVs off into its own VLAN, just haven't gotten around to it) but a 1-way firewall rule that only allows the main network to initiate connections. Certain devices which don't need internet at all get static IPs and completely firewalled.

[–] [email protected] 3 points 1 year ago* (last edited 10 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters: More Letters
AP: WiFi Access Point
DNS: Domain Name Service/System
HA: Home Assistant automation software
HA: High Availability
IP: Internet Protocol
IoT: Internet of Things for device controllers
NAS: Network-Attached Storage
Unifi: Ubiquiti WiFi hardware brand
Zigbee: Wireless mesh network for low-power devices

8 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #71 for this sub, first seen 20th Aug 2023, 22:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Sounds like fun but watch out for man in the middle... home tech support!

Remember upper executive mgmt (wife) will have priority demands and expect to bypass all support/ticketing processes c/o direct access/shoulder tap, 24x7.

Tip - create high priority user stories for your upper exec mgmt needs and your rest activities (sports, call of duty, tinkering in garage/shop/man cave, etc etc etc et al) so your impl supports your key stakeholders while also aligning with your favorite best practices.

.local is the important part imo—actually, tbh I am not a super fan of the .local dns method and how it punks networks (basically like entering a crowded bar and yelling YO BRAH!) BUT it is simple and low effort (see high pri user stories).

Good luck with your PI plan, could you include us in PI retrospective so we can learn from you? Godspeed.

:]

[–] [email protected] 2 points 10 months ago

The only one I set static is the servers and that's for port forwarding. So I set it to what it was using at the time. Unifi IDs the devices for me otherwise.

[–] [email protected] 2 points 1 year ago (1 children)

Son, I think it's time you learn about vlans.

[–] [email protected] 3 points 1 year ago (3 children)

I know they exist and vaguely what they do, but I don’t know how to set them up. What’s their advantage over simple DHCP reservations for a small client list?

[–] [email protected] 9 points 1 year ago

Based on what you described I really don’t think you need a vlan.

[–] [email protected] 3 points 1 year ago (1 children)

VLANs are a way of separating your network into logical networks without physically separating them. They are useful, but generally require your networking equipment to support them. Most cheap home switches don't really support VLANs, nor do most consumer routers.

[–] [email protected] 2 points 1 year ago (1 children)

I do believe vlans have a place in a home network - to separate guests from the home network. Several of the home routers that provide a guest SSID will use vlans. It’s a basic part of openWRT and most home routers. One vlan for upstream and one or two (guest) for inside.

[–] [email protected] 1 points 1 year ago (1 children)

The guest wifi may use VLANs on the backend, but it is in no way surfaced to the person managing it. I run Unifi equipment at home, which gives me the power to do all of that however I want, but it doesn't sound like the OP is there yet.

[–] [email protected] 1 points 1 year ago (1 children)

I have a dream machine myself and I’m so sorry I got it. It can do quite a bit, but I can’t have more than one vlan upstream - and it can’t handle igmp forwarding…. It’s shiny though with a nice gui and apps

[–] [email protected] 1 points 1 year ago (1 children)

They certainly have their limitations. I think the same limits are on the gateway I have (I run my own controller, so a dream machine is overkill). Can't say I've encountered a situation where I need WAN VLANs on a home system, though.

[–] [email protected] 1 points 1 year ago

The “normal” use-case would be that some IPTV providers will have iptv and “internet” on separate vlans

[–] [email protected] 1 points 1 year ago (1 children)

How small a client list are we talking? If it's that small, then that would beg the question, why would you need dedicated ranges in the first place?

[–] [email protected] 2 points 1 year ago (2 children)

A couple dozen devices maybe. I don’t really need dedicated ranges, but it’s nice to know exactly which device I’m looking at just by the IP when reading logs.

[–] [email protected] 1 points 1 year ago

Checking logs is perhaps the only real reason I can see for reserved IPs. But then again you can do reverse lookups - and like I said in another reply ipv6 is dynamic by nature, so any device will only stay on the same ip for the configured amount of time.
You might not know, but several of your devices might already be communicating using ipv6 on your home network. Both windows and iOS will use link-local (osi layer 2) IPv6 and mdns for discovery and communication. This is not true if your switch denies IPv6, but you’d need a level 2 switch or some way to block IPv6 multicast for that.

[–] [email protected] 1 points 1 year ago (1 children)

I'm not saying in any way that what you're doing is in any way wrong. It's good that you're thinking the way you are. Just saying, if you're in this frame of mind now, it's a good time to look at vlans. Think dedicated ranges with the benefit of reduced traffic saturation.

[–] [email protected] 3 points 1 year ago (1 children)

I don’t see how VLANs would help OP.

[–] [email protected] 0 points 1 year ago

I didn't say they would. I said it's a good time to learn.

[–] [email protected] 2 points 1 year ago

I put them into groups, servers, consoles, computers, phones, smart devices, media. Between 10 to 20 per range.

Everything else the dhcp server gives out ip over x.x.x.150 so easy to see new stuff.

[–] [email protected] 2 points 1 year ago

Many, many, many subnets, so many subnets, different subnets for vms, for jailed services, for guest wifi, 'secure' wifi, 'normal' wifi (ie phones and shit), my workstation has a routed subnet for its lxc containers, I have remote subnets for my wifi routers over vpn when I travel (with restrictions similar to home access and the same 3 ssids), an unrouted subnet for stuff like bmcs, switches and infrastructure, a subnet in my dmz with statics, the backside of that subnet, the subnet that subnet uses for upstream access.

I have a lot of subnets.

[–] [email protected] 1 points 1 year ago

I do the same for desktop machines, just to identify immediately without hostnames.

[–] [email protected] 1 points 1 year ago

I have a few vlan subnets, one for IOT devices (smart junk, automation, media players etc), one for general LAN devices (mostly computers, NAS etc), one for VMs and other services and one for guest access. All with their own fairly simple firewall rules to each other and to the web. There are also matching Wifi networks for IOT, Main and Guest that are on those Vlans.

As for DHCP, I tend to set the DHCP ranges for xxx.100 - xxx.254 and anything below 100 is for static allocations. All in standard 192.168.x.x ranges, no need to go bigger than that. I only have IPv6 for the VMs for testing because I'm still learning how to use that properly and safely.