Use a More Sophisticated IP Address Scheme on Your Network

Posted At : August 14, 2019 10:56 PM | Posted By : Josh Adams
Related Categories: Router

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different and that's fine, I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers, you're not constrained to that subnet mask of 255.255.255.0, you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you just change this to 255.255.254.0, now instead of your local network being just 192.168.0.x, you also have 192.168.1.x. What's cool about this is that now you can use 192.168.0.x and 192.168.1.x for different things and be easily able to tell at a glance what is what.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post Use DHCP Reservations Instead of Static IP Addresses, you should use DHCP reservations, not static IP addresses). So then I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x. And then I could set my DHCP server to utilize addresses starting at 192.168.1.1 and ending at 192.168.1.254. And at that point, I can tell at a glance if something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x).

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask and now, using my previous 192.168.0.1 router IP address as the assumption, your local network is 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x. And now you have 2 additional values available to use in the third octet. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, let's say you have a printer on your network that you want to be able to print to so you want to access it locally, but you don't want it exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.

And if you need to be able to use even more than 4 values in the third octet, just change your subnet mask and you can get 8, 16, 32, 64, 128, or even 256 of them.

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even use its own subnet mask so you can do this kind of thing for your guest network too and see at a glance what devices are known and unknown in your guest network (and yes, it can make sense to have known devices in your guest network; see my post Two Security Approaches You Should Be Taking on Your Network for more information on this subject).

Comments (14) | PDF | Send | del.icio.us | Digg It! | Linking Blogs | 1038 Views
Comments
[Add Comment]
Sony Nair's Gravatar Have you been able to do this with your Synology Router?

The SRM GUI won't allow the DHCP range to be on a different subnet to the gateway.
# Posted By Sony Nair | 8/28/19 10:13 AM
Josh Adams's Gravatar Hey, Sony. Thanks for visiting my blog. Good to talk to you here outside of the Synology Community router forum.

If you use 255.255.252.0 as your subnet mask, then if for example you're using 192.168.0.1 for your router's address, your local network subnet spans from 192.168.0.1 (well, I guess technically 192.168.0.0) to 192.168.3.255. If you use 255.255.248.0 as your subnet mask then your subnet would end at 192.168.7.255. And on and on it goes as you modify the subnet mask to include more and more addresses in the subnet.

So I'm not talking about using a DHCP range that's outside of the subnet of your network, I'm talking about expanding the subnet of your network from the typical one value for the 3rd octet you get with 255.255.255.0 so that you can use multiple values in that 3rd octet position.

On the Synology Router, you provide start and end IP addresses for the DHCP server to utilize and those can be anywhere within the subnet. What I'm suggesting is, again with the router IP address of 192.168.0.1 as the example, that you use 255.255.252.0 as the subnet mask and 192.168.3.1 as the start IP address and 192.168.3.255 as the end IP address for the DHCP Server. The SRM GUI accepts it just fine and, more importantly, it works just fine because the 255.255.252.0 subnet mask means that those 192.168.3.x addresses are part of the same subnet as the router on 192.168.0.1.
# Posted By Josh Adams | 8/28/19 2:40 PM
Sony Nair's Gravatar Hi John, a very useful and informative blog site you have.

Thanks for clarifying - I tried again using the mask of 255.255.252.0 and the SRM GUI did accept it now. I must have made a typo previously when I got the error.

All of my known devices are already set to use DHCP reservations, so I just moved my DHCP range to the next range.

Thanks for tip - really useful.
# Posted By Sony Nair | 8/29/19 7:09 PM
Josh Adams's Gravatar Awesome! I'm glad you were able to get it to work, Sony. Yeah, I agree that it's really useful to be able to group your network clients together. I'm looking forward to when Synology implements VLAN capabilities so we can get even more sophisticated at that point!
# Posted By Josh Adams | 8/30/19 4:43 PM
Sony Nair's Gravatar I was thinking of grouping my IoT devices so I could restrict their access to other devices. I don't think Safe Access is suitable for this, and from what I've read the firewall only manages WAN to LAN traffic. I could be wrong - need to to do some reading up on that.

I'm hoping that Synology do implement vLAN capabilities. I'll be attending the London event on the 19th (I've been going to these for a few years now). Quite disappointed that at last event DSM7 was discussed but the beta is still not yet out.

I'm expecting new hardware announcements too. Possibly new router/mesh with Wifi 6 capability?
# Posted By Sony Nair | 8/30/19 7:21 PM
Jeremy Vedder's Gravatar The strategy genre is the ultimate test of wits and smarts. With that said, if you think you have the skills, strategy, and tactics, then, you are more than welcome to prove your prowess in the Arena of Valor. <a href="http://arena-valor.com/">arena of valor</a>
# Posted By Jeremy Vedder | 10/16/19 9:33 PM
AOL gold's Gravatar This post was very helpful for me. keep sharing your thoughts. AOL gold desktop is the best software to protect your computer files from viruses add malware. anyone can use AOL gold. If you have any problem then kindly contact remotesupport.aol.com.
# Posted By AOL gold | 11/1/19 7:05 AM
Assignment help's Gravatar Assignment help is something most students need, regardless of their academic level, eagerly and desperately looking for assignment writing. Students who lack knowledge and skills to construct proper assignment writing fears hearing the word assignment writing. In such circumstances, online assignment help is what you need to relieve your stress. The Assignment writing is exactly what you need at that time.We deliver 100% satisfactory results to clients, including the assignment of expert opinion and services. We provide assignment assistance to students who are looking for a reliable substitute.

Online Assignment Help Australia
Assignment Help Sydney
Assignment Help Melbourne
My CDR Report Writer
Dissertation Writing Services UK
Programming Coding Help

https://onlineassignmenthelpaustralia.com/
https://assignmenthelpsydney.com/
https://assignmenthelpmelbourne.com/
https://mycdrreportwriter.com/
https://dissertationwritingservicesuk.com/
https://programmingcodinghelp.com/
# Posted By Assignment help | 11/1/19 1:51 PM
international freight forwarding in delhi's Gravatar Nice article, thanks for sharing your view.
# Posted By international freight forwarding in delhi | 11/7/19 4:57 AM
Arc Worldwide's Gravatar As one of the leading freight transportation and logistics companies in Delhi, we deals in providing expert freight shipping and transportation services.

https://www.arc-worldwide.com/
# Posted By Arc Worldwide | 11/7/19 4:58 AM
Academic Assignment Help's Gravatar We offer quality custom writing and editing help. Seek our professional assistance and receive remarkable guidance.

https://custompaperswritinghelp.com/SPSS-data-anal...
# Posted By Academic Assignment Help | 11/13/19 12:03 PM
Thesis Writer's Gravatar We offer professional capstone, thesis and dissertation writing services. Our help is quality and reliable.

https://thesis-dissertationwritinghelp.com/profess...
# Posted By Thesis Writer | 11/13/19 12:04 PM
edward tricky's Gravatar quickbooks is a software program that manages your day to day transaction and expenses. you can easily use it on the desktop. if you are having any issue then kindly visit https://24qb.org/quickbooks-customer-service/.
# Posted By edward tricky | 11/16/19 3:38 AM
Lindsey Owens's Gravatar We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work
https://customessaywritershub.com/thesis-editing-s...
https://thesis-capstonewritingservices.com/capston...
# Posted By Lindsey Owens | 11/29/19 2:05 AM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.9.002. Contact Blog Owner