Recommendations for best private IP range to use for home network and VLAN configuration. - eviltoast

I know many people have asked this question before and the answer is subjective and a lot of the time down to personal preference. I have reviewed numerous posts and watched videos from Lawrence Systems, Willie Howe, Techno Tim etc. for advice but am still unsure as to how to lay out my network.

I have had some issues using the 192.168 range with VPN clashing, and from watching videos it is advised to move from the default configuration 192.168.1.0 to something less commonly used within the RFC 1918 ranges.

I have Unifi network devices with a UDM Pro SE as my router and am potentially looking at a pfSense or other firewall device to sit between the router and ONT modem, although that is a later project at the moment.

This is my initial design, but I am looking to move to one of the other ranges, 10.0.0.0/8 or 172.16.0.0/12.

https://preview.redd.it/jy9bche2t92c1.png?width=974&format=png&auto=webp&s=60646f546aa0885d624b7efb126ecbbf55ce31d1

Mgmt - This is the default network for my UDM Pro SE, Unifi Flex XG, Unifi PoE 16 switch and U6 Mesh AP. Only network infra runs on this network, and I believe it is recommended for Unifi to leave it on VLAN 1.

Public Network (DMZ) - I have just added this and will be building a couple of Pi-holes as well as using either SWAG or Traefik as a reverse proxy. Thinking a couple of Zimaboards and using Docker containers (Internet access inbound/outbound)

Main Network - This is where I run my laptops/desktop/QNAP NAS (dedicated network card)
(Internet access outbound)

Guest Network - Completely isolated from my other networks, for when visitors come
(Internet access outbound)

Camera Network - Unifi Protect Cameras and Floodlight (No Internet access)

IoT Network - All IoT devices/SONOS/Nest etc. (Internet access) *
I may separate this into two subnets: NIoT (no internet access - smart plugs etc.) and IoT (internet access - Alexa, Sonos etc.)

Kids Network - Just for my children and heavily content censored/blocked. No access to social media/YouTube (YouTube Kids is allowed), WhatsApp etc. My boys are 4 and 5 (Internet access outbound)

Lab Network - ESXi server, mainly for testing. Isolated from the other networks but can connect to the QNAP NAS (on its own dedicated 10G network card) for storage services, NFS/iSCSI for ESXi VM storage (Internet access outbound)

I was thinking initially of moving to 172.16.0.0/12 as this seems to be the least used of the RFC 1918 ranges.

E.g. 172.30.0.0/16, with 172.30.1.0, 172.30.10.0, 172.30.20.0 etc. as the per-VLAN subnets.

Perhaps have the Guest network remain on 192.168.X.X, as it won't be making VPN connections, and to differentiate it from the other networks. Maybe the DMZ on another range such as 172.20.X.X so it is different from the others also. Lab can remain as is, as it won't be making VPN connections.

Firstly, what do you guys think of the VLAN layout? I think I have covered everything I need but am open to recommendations/advice.

Secondly, what do you guys recommend I change my private IP ranges to, to stop any further clashes? Thankfully I am still in the process of building this out and have not yet created firewall rules etc., so I can make changes now to improve and get things right.

  • Supergrunged@alien.top · 1 year ago

    I don't think it's more clashes here, but more how much of this is wireless? Especially if cameras are wireless, it can bog down bandwidth as a whole... Everything else looks as it should, whereas an IP address conflict would pop up as an error in the router.

    • PaulRobinson1978@alien.top (OP) · 1 year ago

      With the exception of IoT devices (Alexa/SONOS/Nest/Ring) and mobile phones, everything is hard wired with Cat6, including the cameras, using PoE. The issue I had was making a VPN connection to a business client which used the same ranges (192.168.10.X).

      My company also uses 192.168.X.X for guest networks and 10.X ranges for numerous clients, which is why I was considering moving to 172.16.
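The range choice discussed in the original post and the VPN clash described in this reply can be checked mechanically before any firewall rules are written. The following is an added example and not part of the thread: a standard-library Python script that carves one /24 per VLAN out of a chosen supernet (VLAN id reused as the third octet, a convention assumed here) and reports which home subnets overlap the networks reached over VPN. The VLAN ids, the 172.30.0.0/16 supernet and the remote networks (a client on 192.168.10.0/24 and clients anywhere in 10.0.0.0/8) are constructed assumptions based on the thread, not the poster's real configuration.

```python
import ipaddress

# Constructed VLAN plan following the post's layout. The VLAN id doubles as the
# third octet of each subnet; this is a naming convention, not a requirement.
VLAN_PLAN = {
    1: "Mgmt",
    10: "DMZ",
    20: "Main",
    30: "Guest",
    40: "Cameras",
    50: "IoT",
    60: "Kids",
    70: "Lab",
}

# Networks this home will reach over VPN. Constructed from the clashes the
# reply describes: one client on 192.168.10.x and many clients on 10.x.
REMOTE_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.0.0.0/8")]


def vlan_subnet(vlan_id, supernet="172.30.0.0/16"):
    """Return the /24 for a VLAN inside supernet, using the VLAN id as the third octet."""
    supernet = ipaddress.ip_network(supernet)
    if supernet.prefixlen > 16:
        raise ValueError("supernet must be /16 or larger to hold a /24 per VLAN id")
    if not 0 <= vlan_id <= 255:
        raise ValueError("VLAN id must fit in one octet for this convention")
    addr = ipaddress.ip_address(int(supernet.network_address) + (vlan_id << 8))
    net = ipaddress.ip_network(f"{addr}/24")
    if not net.subnet_of(supernet):
        raise ValueError(f"{net} falls outside {supernet}")
    return net


def build_plan(supernet):
    """Map VLAN name -> /24 network for every VLAN in VLAN_PLAN."""
    return {name: vlan_subnet(vid, supernet) for vid, name in VLAN_PLAN.items()}


def find_overlaps(home_nets, remote_nets):
    """Return (vlan_name, home_net, remote_net) for every home VLAN that overlaps
    a remote network. Any such pair breaks VPN routing: packets for the remote
    side match the directly connected local route instead of the tunnel."""
    return [
        (name, home, remote)
        for name, home in home_nets.items()
        for remote in remote_nets
        if home.overlaps(remote)
    ]


def all_rfc1918(nets):
    """True when every planned network sits in private (RFC 1918) address space."""
    return all(n.is_private for n in nets.values())


if __name__ == "__main__":
    candidates = (
        ("current 192.168", "192.168.0.0/16"),
        ("alternative 10.0", "10.0.0.0/16"),
        ("proposed 172.30", "172.30.0.0/16"),
    )
    for label, supernet in candidates:
        plan = build_plan(supernet)
        clashes = find_overlaps(plan, REMOTE_NETS)
        print(f"{label}: {len(clashes)} clash(es), rfc1918={all_rfc1918(plan)}")
        for name, home, remote in clashes:
            print(f"  {name:8s} {home}  overlaps  {remote}")
```

Run as-is, the 192.168 plan reports the single DMZ clash with the client's 192.168.10.0/24, the 10.0.x plan clashes on every VLAN because the whole of 10.0.0.0/8 is treated as in use by clients, and the 172.30 plan is clean. Re-running the script with a new entry in REMOTE_NETS each time a VPN profile is added is a cheap way to catch the next clash before it is debugged in production.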