Internal IPv4 Address Schemes

[Halcyon]

I'm in the process of doing a "network refresh" at home - Retiring some old gear, installing new stuff. At the moment, everything has been lumped into a single Class C address range that has got a bit out of hand. There is no real order to things, servers have static IP's assigned, everything else comes off the DHCP server. At the moment, unless it's an IP I know is static, I have no idea if that device is sitting in the server rack or elsewhere in the house just by looking at the address.

I'm thinking about creating a Class B /23 scheme for the new gear (then migrate the remaining existing stuff over). In other words:

172.16.0.x - For servers, switches, access points, router, firewall etc... (basically all infrastructure/network related stuff)
172.16.1.x - For all other client devices such as computers, printers, cameras, phones, TVs etc...

Of course, I'm never going to actually need 510 IP addresses at home, but for years I've tried to create blocks of IP addresses which serve a certain "category" of device but there are always those devices which could fall into more than one category (or none at all). For example: I have a uRadmonitor which is neither a PC, nor server. It's just a device with an Ethernet port that does "stuff". Shortly I'm getting a solar inverter installed which would also be considered one of these miscellaneous devices.

What does everyone else (with an overly-elaborate IT system at home) do?

[MrSlack]

I did this a couple of years ago. Ended up with a half rack of kit, a HP DL380g7 and a layer 3 switch I skip intercepted from work, a DMZ, an HP MicroServer doing postfix+dovecot on CentOS.

It took a lot of my time away for other things though. I'd rather have my head in a box of transistors at home. Plus the electricity usage went up way too far.

So I had a grand ebay purge, stuck it all back on a single class C with DHCP. I use a RouterBoard RB2011UiAS as the network access point and a RouterBoard hAp upstairs as a repeater and some TP-Link powerline ethernet adapters dotted around for anything else. No idea what the routing arrangement is but it is treated as one flat network. Incoming pipe is an 80Mbit (well 72mbit) FTTC.

I let Google Apps handle all my stuff including printing. I give zero crap about where everything is or what it is now. I think we've got 6 phones, 2 printers, 3 laptops, 2 desktops, 2 smart TVs, a raspberry pi zero, xbox 360, 3 ipads hanging off it and probably about 5 teenagers loitering outside that my daughters have leaked our SSID and password to. Zero problems.

Also the entire network is treated as an insecure public network.

Less is more if you ask me.

[CaptCrash]

Given its a home network, put your static stuff in the low area of the IP range and then create a DHCP scope in the higher address of the range.

eg 172.168.0.1 - 172.168.0.30 for static items, servers, routers/AP's, printers.  Be sparing with this and only static things that need to be static.

Everything else gets DHCP in 172.168.0.100 - 172.168.0.254

Its a home network, don't route and add complexity unless there is something you are trying to solve (DMZ, security zone etc).
Stay with a /24 range unless there is an specific reason requiring you not to.

[Halcyon]

Less is more if you ask me.

I agree. Which is why I'm migrating a few boxes into one machine. My aim is to have just two servers running, one is purely a file server the other will be a domain controller, DHCP server, IAS server (for wireless authentication) and some legacy stuff for my old computers.

Security is very important to me. I use 802.1x on my access point -- More difficult to set up but once it's up and running, no need to stuff around with WPA2 keys. If it's a machine on the domain, it just connects with the logged on user account, no additional passwords needed. If it's a legacy device that doesn't support .1x, it connects to a "guest" network with access to HTTP/HTTPS only to the internet. My friends can have their own accounts which can be disabled/limited if needed without changing passwords on everything else.

Its a home network, don't route and add complexity unless there is something you are trying to solve (DMZ, security zone etc).
Stay with a /24 range unless there is an specific reason requiring you not to.

I do have a DMZ which is used as my "sandbox" network. All my old and vintage computers (if they have NICs) connect to it. They have no access to anything on the inside considering a lot of their operating systems are very old and vulnerable. I also use this for testing and connecting things which have cameras/microphones that can't be manually disabled. I also connect my TV to this so it receives firmware updates but nothing more.

[Maxlor]

What does everyone else (with an overly-elaborate IT system at home) do?

I assign DNS names to things, so I don't have to care about IP addresses. I assign numbers sequentially, since I don't see the point in trying to make device classes in IP space.

If you have so many devices that the name alone isn't enough to help you remember what and where a given host is, you can always add grouping in DNS, eg. have a CNAME for "hostA.example.org" that points to "hostA.roomB.rackC.example.org". Or maybe add a TXT record with a small note that explains what/where a host is.

I do run DHCP with partially fixed IPs; i.e. well-known hosts always get the same IP by means of a MAC->IP mapping on the DHCP server side; if a new device connects for the first time, it gets a dynamic address.

[Stupid Beard]

I favour the 10/8 subnet, because there's lots of room to spread out in and 10.0.0.x is quicker and less typo prone to type than any of the other ranges. Every time I try and type 192.168.x I typo something. Usually the 168.

[rrinker]

 Don't overcomplicate it. Even in my heyday of running stuff at home, I didn't use anything beyond a 192.168/24 subnet. Low addresses for statics like the server and router, high addresses DHCP for workstations.
 I long ago gave up running my own mail server and all that. I have but one server now, with 13TB of storage in it, that holds my music and videos and backs up all my other computers. Everything is stored on at least two physical drives, no RAID BS to worry about, so the server is made up of a mix of drive sizes. I do this stuff all day long at work - I don't want to manage stuff when I get home, as well. So now I keep it simple.
 Even if I end up using my design for model railroad control, interfacing the individual modules via Ethernet - I STILL won't fill up an entire Class C subnet, though the model railroad stuff you actually get its own, not use the same one as the rest of the house. I envision that on its own switch even.

[PlainName]

The one contribution I can make is to say: don't use an obvious address prefix. That is, 10.0 or 192.168 or 176.16 etc. Why? Because someone else will have chosen obvious ones too, and one time when you're out and about trying to VPN in you can't because of an address clash. Actually, if you're unluck (and choose 192.168) it will be most times...

So think about something you really wouldn't pick, and use that.

Edit: also don't worry about how easy it is to type in or remember. Use a local DNS server to provide meaningful names you use instead. Hell, that's the only reason DNS exists, you know, so silly not to take advantage.

[AlxDroidDev]

Unless you have >254 devices on your home, I see no need to have a class B network at home. Like others have said, you are overcomplicating things. Be more practical.

You can segment your network w/ having to resort to a class B. For example:

192.168.0.1 ~ 10   : network devices (switches, router, access points)
192.168.0.11 ~20  : servers and NAS
192.168.0.21 ~ 30 : printers
192.168.0.31 ~ 40 : multimedia devices (TVs, home theaters, DLNA players, etc)
192.168.0.41 ~50 : computers w/ fixed address
192.168.0.51 ~ 60 :  virtual machines
192.168.0.61 ~ 150 :  DHCP for local users
192.168.0.151 ~ 200 : DHCP for guest network

and that still leaves you with 54 addresses on that subnet to allocate as you want or resize the segmentation above.

The above is just a suggestion. Feel free to use any address range reserved for private use, which are: 10.x.x.x , 172.16.x.x - 172.31.x.x, 192.168.x.x.

[tooki]

The one contribution I can make is to say: don't use an obvious address prefix. That is, 10.0 or 192.168 or 176.16 etc. Why? Because someone else will have chosen obvious ones too, and one time when you're out and about trying to VPN in you can't because of an address clash. Actually, if you're unluck (and choose 192.168) it will be most times...

Ummmmmmmm… uhhh… am I misunderstanding you? Are you suggesting randomly choosing any range of IP addresses, with the idea being that that will let you easily VPN in from outside?

You must use the 10.x.x.x, 172.16.x.x–172.31.x.x, or 192.168.x.x address ranges for private networks, because all other addresses are assigned to the public Internet or otherwise reserved. That's why you see them all the time, because they are mandatory for private IPv4 networks.

[suicidaleggroll]

The one contribution I can make is to say: don't use an obvious address prefix. That is, 10.0 or 192.168 or 176.16 etc.

You just listed the only three IP ranges reserved for private use (192.168.x.x, 172.[16-31].x.x, and 10.x.x.x).  If you deviate from those ranges, you'll run into conflicts with public servers...that's a terrible suggestion.

I agree with the other suggestions to stay with a standard /24 network, use dedicated ranges for classes of devices, and run a local DNS for name resolution.  AlxDroidDev's suggested ranges are actually very close to what I use at home.  There's no reason to get more complicated than that in a home environment.

[PlainName]

am I misunderstanding you? Are you suggesting randomly choosing any range of IP addresses

I think you are slightly misunderstanding. Yes, you should (although you may not if you so wish) the private address ranges, but just look at this thread:

You can segment your network w/ having to resort to a class B. For example:

192.168.0.1 ~ 10   : network devices (switches, router, access points)
192.168.0.11 ~20  : servers and NAS

Yes, mine is 192.168.0.x too. What I am saying is don't use that sub-range because every other bugger has also use it. Use something you wouldn't otherwise use, like 192.168.75.x. Or 172.27.34.x. Those are much less likely to be encountered on your travels, so VPNing back to home shouldn't trouble you in the way it does me.

[AlxDroidDev]

and that still leaves you with 54 addresses on that subnet to allocate as you want or resize the segmentation above.

Actually, another use for those 54 address remaining just came to mind: IoT and development boards.

[PlainName]

You just listed the only three IP ranges reserved for private use (192.168.x.x, 172.[16-31].x.x, and 10.x.x.x).

Gosh, I thought y'all were supposed to be clever and perceptive chaps. You perhaps missed that I specified only the first two octets, leaving a VAST number in the private ranges. For instance, I note '172.16' which leaves free '172.17.x.x' and '172.18.x.x' and .172.19.x.x' and ... well, surely you get the idea and I don't need to specifically mention everyone?

Tip: trying thinking about what you're reading before your knee jerks.

[Monkeh]

You just listed the only three IP ranges reserved for private use (192.168.x.x, 172.[16-31].x.x, and 10.x.x.x).

Gosh, I thought y'all were supposed to be clever and perceptive chaps. You perhaps missed that I specified only the first two octets, leaving a VAST number in the private ranges. For instance, I note '172.16' which leaves free '172.17.x.x' and '172.18.x.x' and .172.19.x.x' and ... well, surely you get the idea and I don't need to specifically mention everyone?

Tip: trying thinking about what you're reading before your knee jerks.

Try thinking about what you're saying. You just ruled out three /16s (and 192.168.0.0/16 is the whole private allocation!), when you meant to say avoid the common /24s.

[PlainName]

when you meant to say

I thought the gist of the principle would be recognised, so having to be forensically specific (and check twice before posting once) wouldn't be necessary. Still, it is a Friday and well after beer o'clock   

[tooki]

Yes, mine is 192.168.0.x too. What I am saying is don't use that sub-range because every other bugger has also use it. Use something you wouldn't otherwise use, like 192.168.75.x.

But your post ruled out the entire 192.168/16, which is why all of us assumed you were ruling out all of the private address spaces, not just subnets of them.

Gosh, I thought y'all were supposed to be clever and perceptive chaps.
[…]
Tip: trying thinking about what you're reading before your knee jerks.

I'm thinking you need to check your tone, since the fact that everyone who replied to you understood your post exactly the same way. That tends to support the idea that your post was unclear, not our cognitive abilities. Additionally, you used nonstandard terminology, from which it follows that readers must guess what you mean, as opposed to seeing it written clearly using the correct terms.

[Halcyon]

Yes, mine is 192.168.0.x too. What I am saying is don't use that sub-range because every other bugger has also use it. Use something you wouldn't otherwise use, like 192.168.75.x. Or 172.27.34.x. Those are much less likely to be encountered on your travels, so VPNing back to home shouldn't trouble you in the way it does me.

I think you're getting a little muddled up. Private address space (192.168.x.x, 10.x.x.x or 176.16.x.x etc...) is just that, it's private. It doesn't matter if a billion other people in the world use the same IP address as I do. It won't matter even if I take my laptop or phone to another network as I'll be using DHCP to initially get one of their IP addresses. Once the VPN tunnel is established, everything gets routed out the VPN tunnel, not out to their LAN. You can set up matrixes as well so one connection has priority over others. No problems at all with doing this. I've done it many, many times before and haven't run into issues.


I appreciate everyone's suggestions about breaking up a 192/24 range (this seems to be a very popular approach), however I've done it to death and it doesn't work for me. Having to keep track of what goes into 192.168.0.50-192.168.0.70 just means more record keeping. It also means a lot of reserving addresses so that the right device ends up in the "right range" is something I'd rather avoid. I'd just keep everything "below" .100 as network/infrastructure/stuff in the rack and everything .101 and above as stuff outside the rack/everything else.

I favour the 10/8 subnet, because there's lots of room to spread out in and 10.0.0.x is quicker and less typo prone to type than any of the other ranges. Every time I try and type 192.168.x I typo something. Usually the 168.

I do like this idea though! I do it all the time. These days I use about 5-6 different keyboards between work and home. Muscle memory is a bitch and I often find myself hitting the wrong key.

[MrSlack]

It does matter if two people use the same private space if you use VPN between them and this is a very common scenario. This is a regular problem for us. We have a 10.0.0.0/8 net and so do all our clients!

Eventually when IPv6 appears globally the notion of NAT and a private address space will hopefully bugger off.

[Halcyon]

It does matter if two people use the same private space if you use VPN between them and this is a very common scenario. This is a regular problem for us. We have a 10.0.0.0/8 net and so do all our clients!

Eventually when IPv6 appears globally the notion of NAT and a private address space will hopefully bugger off.

It becomes messy if you're trying to connect two sites via a VPN that have the same address space so that Site A can talk to machines in Site B and vice versa. It's possible to solve the issue with NATing but it's messy and not best practice. If you're just taking a laptop out to a site and VPN into home, it won't matter. Your laptop will be going out a different gateway to the one on their local LAN. If you want to access both the remote VPN network and the local network, then you have problems -- This can only be solved by changing one of the ranges or fiddling with NAT.

[nfmax]

I find these days that, if ever I bother to look, a large part of my local LAN traffic is in fact IPv6. I think I have only two devices left which don't natively support v6, one of them, unfortunately being the Internet router. Which is OK, because my ISP doesn't either. Both need to be replaced soon!

[jhalar]

I just use more 192.168 /24 subnets , the router takes care of forwarding traffic between them. I keep lab devices separate, I might generate broadcasts on my net gear that the clients do not need to see. IPv6 is subnetted the same way from my ISP allocation (/56).

192.168.1.0/24 Normal clients inlcuding wireless
192.168.2.0/24 Servers
192.168.3.0/24 Network Lab
192.168.4.0/24 Electronics Lab
192.168.10.0/24 VPN client addresses

[Brumby]

when you meant to say

I thought the gist of the principle would be recognised, so having to be forensically specific (and check twice before posting once) wouldn't be necessary. Still, it is a Friday and well after beer o'clock   

You don't have to be forensically specific - just clear on what you are saying with the words you have typed.  I, too, read it the same as others have commented.

Specifically:

The one contribution I can make is to say: don't use an obvious address prefix. That is, 10.0 or 192.168 or 176.16 etc.

That seems pretty clear to me.  It may not be what you meant to say, but that's what you typed.

... and none of what follows indicates any different:

Why? Because someone else will have chosen obvious ones too, and one time when you're out and about trying to VPN in you can't because of an address clash. Actually, if you're unluck (and choose 192.168) it will be most times...

So think about something you really wouldn't pick, and use that.

Edit: also don't worry about how easy it is to type in or remember. Use a local DNS server to provide meaningful names you use instead. Hell, that's the only reason DNS exists, you know, so silly not to take advantage.

Please don't take offense if people here challenge what is said if they believe it to be wrong.

[PlainName]

Please don't take offense if people here challenge

Since you ask so nicely, I'll just have a half hour sulk instead.

[jwm_]

The other day I was pleasantly surprised to find time-warner has given my house a whole publicly routable /64 ipv6 subnet. Yay. 18 quintillion addresses all my own. It is nice that i can directly ssh or connect to anything on my local network now from anywhere. I directly print to my home printer from the office or ssh into my laptop sitting on my desk without having to set up any special forwarding. handy.

 (I do whitelist boxes on my router though for public access, so much crappy IoT stuff just assumes it isn't connected to the public internet as its only half assed security measure)

   John