Use a More Sophisticated IP Address Scheme on Your Network

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different, and that's fine; I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers you're not constrained to that subnet mask of 255.255.255.0; you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you just change this to 255.255.254.0, now instead of your local network being just 192.168.0.x, you also have 192.168.1.x. What's cool about this is that now you can use 192.168.0.x and 192.168.1.x for different things and easily tell at a glance what is what.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post Use DHCP Reservations Instead of Static IP Addresses, you should use DHCP reservations, not static IP addresses). So then I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x. And then I could set my DHCP server to utilize addresses starting at 192.168.1.1 and ending at 192.168.1.254. And at that point, I can tell at a glance if something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x).

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask and now, using my previous 192.168.0.1 router IP address as the assumption, your local network is 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x. And now you have 2 additional values available to use in the third octet. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, let's say you have a printer on your network that you want to be able to print to so you want to access it locally, but you don't want it exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.

And if you need to be able to use even more than 4 values in the third octet, just change your subnet mask and you can get 8, 16, 32, 64, 128, or even 256 of them.
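As an added example (not part of the original post), here is a small Python script that does the arithmetic behind this scheme with the standard library's ipaddress module: it works out which third-octet values a given router address and subnet mask cover, classifies an address "at a glance" by its third octet using the four roles above, and checks that a proposed DHCP pool actually lies inside the expanded subnet and avoids the network, broadcast and router addresses. The router address, mask and role table are the post's own assumptions; the function names and sample addresses are constructed for this example.

```python
import ipaddress

# Constructed to match the post's assumptions: router at 192.168.0.1 with a
# 255.255.252.0 mask, which gives four values in the third octet.
ROUTER_IP = "192.168.0.1"
SUBNET_MASK = "255.255.252.0"

# Role of each third-octet value, as laid out in the post. The labels are the
# post's categories; the table itself is an assumption for this example.
THIRD_OCTET_ROLES = {
    0: "known device (plain DHCP reservation)",
    1: "known device needing firewall exceptions (e.g. WiFi calling, UDP 500/4500)",
    2: "known device with no Internet access",
    3: "dynamic DHCP pool (unknown devices)",
}


def local_network(router_ip, mask):
    """Return the network the router sits in, e.g. 192.168.0.0/22."""
    net = ipaddress.IPv4Interface(f"{router_ip}/{mask}").network
    # The scheme in the post only makes sense inside one 192.168.x.0 /16 block.
    if net.prefixlen < 16:
        raise ValueError("mask must keep the network inside one /16 block")
    return net


def third_octet_values(network):
    """List every third-octet value the network covers (1 for a /24, 4 for a
    /22, 256 for a /16)."""
    first = network.network_address.packed[2]
    last = network.broadcast_address.packed[2]
    return list(range(first, last + 1))


def classify(address, network, roles):
    """Say what an address is, judging only by its third octet, which is the
    whole point of laying the network out this way."""
    addr = ipaddress.IPv4Address(address)
    if addr not in network:
        return "not on the local network"
    return roles.get(addr.packed[2], "unassigned third octet")


def validate_dhcp_pool(start, end, network, router_ip):
    """Check that a DHCP pool is usable: inside the subnet, in order, and not
    covering the network, broadcast or router address. Returns a list of
    problems; an empty list means the pool is fine."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    problems = []
    if s not in network or e not in network:
        problems.append("pool is outside the subnet")
    if s > e:
        problems.append("start address is after end address")
    reserved = [
        network.network_address,
        network.broadcast_address,
        ipaddress.IPv4Address(router_ip),
    ]
    for r in reserved:
        if s <= r <= e:
            problems.append(f"pool includes reserved address {r}")
    return problems


if __name__ == "__main__":
    net = local_network(ROUTER_IP, SUBNET_MASK)
    print(f"local network: {net}  third octets: {third_octet_values(net)}")
    for sample in ("192.168.0.10", "192.168.1.20", "192.168.2.30", "192.168.3.40", "192.168.5.7"):
        print(f"{sample:15} -> {classify(sample, net, THIRD_OCTET_ROLES)}")
    # The same pool that works under /22 is rejected under the default /24,
    # because 192.168.3.x is then outside the router's subnet.
    for mask in (SUBNET_MASK, "255.255.255.0"):
        n = local_network(ROUTER_IP, mask)
        print(mask, validate_dhcp_pool("192.168.3.1", "192.168.3.254", n, ROUTER_IP) or "pool OK")
```

Running it shows the four third-octet values 0 through 3, each sample address labelled by its role, and the 192.168.3.x pool accepted under 255.255.252.0 but flagged as outside the subnet under 255.255.255.0; that last case is the situation where a router's DHCP form rejects a range that is not in the gateway's subnet.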

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even use its own subnet mask so you can do this kind of thing for your guest network too and see at a glance what devices are known and unknown in your guest network (and yes, it can make sense to have known devices in your guest network; see my post Two Security Approaches You Should Be Taking on Your Network for more information on this subject).

Comments
Have you been able to do this with your Synology Router?

The SRM GUI won't allow the DHCP range to be on a different subnet to the gateway.
# Posted By Sony Nair | 8/28/19 10:13 AM
Hey, Sony. Thanks for visiting my blog. Good to talk to you here outside of the Synology Community router forum.

If you use 255.255.252.0 as your subnet mask, then if for example you're using 192.168.0.1 for your router's address, your local network subnet spans from 192.168.0.1 (well, I guess technically 192.168.0.0) to 192.168.3.255. If you use 255.255.248.0 as your subnet mask then your subnet would end at 192.168.7.255. And on and on it goes as you modify the subnet mask to include more and more addresses in the subnet.

So I'm not talking about using a DHCP range that's outside of the subnet of your network, I'm talking about expanding the subnet of your network from the typical one value for the 3rd octet you get with 255.255.255.0 so that you can use multiple values in that 3rd octet position.

On the Synology Router, you provide start and end IP addresses for the DHCP server to utilize and those can be anywhere within the subnet. What I'm suggesting is, again with the router IP address of 192.168.0.1 as the example, that you use 255.255.252.0 as the subnet mask and 192.168.3.1 as the start IP address and 192.168.3.255 as the end IP address for the DHCP Server. The SRM GUI accepts it just fine and, more importantly, it works just fine because the 255.255.252.0 subnet mask means that those 192.168.3.x addresses are part of the same subnet as the router on 192.168.0.1.
# Posted By Josh Adams | 8/28/19 2:40 PM
Hi John, a very useful and informative blog site you have.

Thanks for clarifying - I tried again using the mask of 255.255.252.0 and the SRM GUI did accept it now. I must have made a typo previously when I got the error.

All of my known devices are already set to use DHCP reservations, so I just moved my DHCP range to the next range.

Thanks for tip - really useful.
# Posted By Sony Nair | 8/29/19 7:09 PM
Awesome! I'm glad you were able to get it to work, Sony. Yeah, I agree that it's really useful to be able to group your network clients together. I'm looking forward to when Synology implements VLAN capabilities so we can get even more sophisticated at that point!
# Posted By Josh Adams | 8/30/19 4:43 PM
I was thinking of grouping my IoT devices so I could restrict their access to other devices. I don't think Safe Access is suitable for this, and from what I've read the firewall only manages WAN to LAN traffic. I could be wrong - need to do some reading up on that.

I'm hoping that Synology do implement vLAN capabilities. I'll be attending the London event on the 19th (I've been going to these for a few years now). Quite disappointed that at last event DSM7 was discussed but the beta is still not yet out.

I'm expecting new hardware announcements too. Possibly new router/mesh with Wifi 6 capability?
# Posted By Sony Nair | 8/30/19 7:21 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.002.