Use a More Sophisticated IP Address Scheme on Your Network

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different and that's fine; I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers, you're not constrained to that subnet mask of 255.255.255.0; you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you just change this to 255.255.254.0, your local network is no longer just 192.168.0.x; it also includes 192.168.1.x. What's cool about this is that you can now use 192.168.0.x and 192.168.1.x for different things and easily tell at a glance what is what.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post "Use DHCP Reservations Instead of Static IP Addresses", you should use DHCP reservations, not static IP addresses). So I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x, and then set my DHCP server to hand out addresses starting at 192.168.1.1 and ending at 192.168.1.254. At that point, I can tell at a glance if something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x).

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask. Using my previous assumption of 192.168.0.1 for the router IP address, your local network is now 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x, which gives you 2 additional ranges (values of the third octet) to work with. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, a printer that you want to reach locally so you can print to it, but that you don't want exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.
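
As an added example (not from the original post), this Python script encodes the four-range plan above and audits a list of observed addresses against it. The role labels, device names, and sample addresses are constructed for illustration; it also flags a device sitting in a "known" range without a reservation, since a device with a manually configured address can land there.

```python
import ipaddress

# The plan from the list above: one /24 slice of 192.168.0.0/22 per purpose.
# Role labels are names chosen for this example.
LAN = ipaddress.ip_network("192.168.0.0/22")  # subnet mask 255.255.252.0
ROLES = ["known", "known-firewall-exception", "known-no-internet", "dhcp-pool"]
PLAN = dict(zip(LAN.subnets(new_prefix=24), ROLES))


def classify(addr):
    """Return the role of an address under the plan, or 'outside-lan'."""
    ip = ipaddress.ip_address(addr)
    for subnet, role in PLAN.items():
        if ip in subnet:
            return role
    return "outside-lan"


def audit(reservations, seen):
    """Return (ip, finding) tuples for reservations and observed addresses."""
    findings = []
    # A reservation must never sit in the dynamic pool or outside the LAN.
    for ip, name in reservations.items():
        if classify(ip) in ("dhcp-pool", "outside-lan"):
            findings.append((ip, f"reservation for {name} is outside the reserved ranges"))
    # 'seen' would come from the router's lease table or an ARP scan.
    for ip in seen:
        role = classify(ip)
        if role == "dhcp-pool":
            findings.append((ip, "unknown device (address from the dynamic pool)"))
        elif role == "outside-lan":
            findings.append((ip, "address is not in the LAN at all"))
        elif ip not in reservations:
            findings.append((ip, f"in the '{role}' range but has no reservation"))
    return findings


# Constructed sample data, for illustration only.
RESERVATIONS = {
    "192.168.0.10": "laptop",
    "192.168.1.20": "phone (WiFi calling)",
    "192.168.2.30": "printer",
}
SEEN = ["192.168.0.10", "192.168.1.20", "192.168.2.30",
        "192.168.3.57", "192.168.2.99", "192.168.4.5"]

if __name__ == "__main__":
    for ip, finding in audit(RESERVATIONS, SEEN):
        print(f"{ip:15} {finding}")
```
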

And if you need even more of these 192.168.x ranges than 4, just change your subnet mask and you can get 8, 16, 32, 64, 128, or even 255 of them.

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even with its own subnet mask, so you can do this kind of thing for your guest network too and see at a glance which devices there are known and unknown. (And yes, it can make sense to have known devices in your guest network; see my post "Two Security Approaches You Should Be Taking on Your Network" for more information on this subject.)
