Hi There,

Here is the default IP range of my router:

[screenshot of the router's default DHCP settings]

Should I change the range for increased security, as 192.168.1.1 is very common? If I changed it to something like 172.10.6.1 for the router, then a start IP of 172.10.6.10 and a pool count of 200, would I need to change anything at all about the subnet mask?

I would also be setting up VLANs:

VLAN 1: 172.10.7.10
VLAN 2: 172.10.8.10
VLAN 3: 172.10.9.10

All with pool counts of 200.

3 minutes ago, aaronf15 said:

[quotes the original post above in full]

This is unlikely to increase security, but you're free to change to a range that suits your preference. However, please take note of the below, as your example range is outside of the private IP ranges and could cause issues.

Class A: 10.0.0.0 to 10.255.255.255 - a 10.0.0.0 network with a 255.0.0.0 or /8 (an 8-bit) mask (typically used by large businesses)

Class B: 172.16.0.0 to 172.31.255.255 - a 172.16.0.0 network with a 255.240.0.0 or /12 mask (typically used by businesses / education)

Class C: 192.168.0.0 to 192.168.255.255 - a 192.168.0.0 network with a 255.255.0.0 or /16 mask; however, for home use this is typically 255.255.255.0 or /24 (primarily used by homes, small businesses and offices).

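The point made in the reply above (the proposed 172.10.x.x addresses are not in the three RFC 1918 blocks, and a 200-address pool needs at least a /24) can be checked mechanically. The following is an added example written for this page, not code from the thread or from any router vendor; it assumes the router takes the first host address, the DHCP pool starts 10 addresses above the network address, and each VLAN gets its own /24. The VLAN names and the 172.16.x.x replacement addresses used in the usage note are illustrative.

```python
"""
Added example: validate a home LAN / VLAN addressing plan.

Checks (a) whether each subnet lies inside RFC 1918 private space,
(b) whether the DHCP pool fits inside the subnet, (c) whether the gateway
collides with the pool, and (d) whether any two VLAN subnets overlap
(overlapping subnets cannot be routed between).
"""
import ipaddress

# The three private blocks listed in the reply above (RFC 1918).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the entire subnet sits inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def plan_subnet(router_ip: str, prefix_len: int, pool_start_offset: int, pool_count: int) -> dict:
    """Describe one VLAN: its subnet, mask, gateway, DHCP pool and any problems.

    router_ip is the gateway address, prefix_len the mask length
    (24 == 255.255.255.0). The pool begins pool_start_offset addresses above
    the network address and holds pool_count addresses.
    """
    net = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    gateway = ipaddress.ip_address(router_ip)
    pool_start = net.network_address + pool_start_offset
    pool_end = pool_start + pool_count - 1
    problems = []
    if not is_rfc1918(net):
        problems.append(f"{net} is not RFC 1918 private space; it is someone else's public range")
    if pool_end >= net.broadcast_address:
        problems.append(f"pool {pool_start}-{pool_end} overflows {net} "
                        f"(last usable host is {net.broadcast_address - 1})")
    if pool_start <= gateway <= pool_end:
        problems.append(f"gateway {gateway} sits inside the DHCP pool")
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "gateway": str(gateway),
        "pool": f"{pool_start}-{pool_end}",
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
        "problems": problems,
    }


def check_plan(vlans: dict, prefix_len: int = 24, pool_start_offset: int = 10, pool_count: int = 200) -> dict:
    """Plan every VLAN in {name: gateway_ip} and flag subnets that overlap."""
    plans = {name: plan_subnet(ip, prefix_len, pool_start_offset, pool_count) for name, ip in vlans.items()}
    nets = {name: ipaddress.ip_network(p["network"]) for name, p in plans.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                plans[a]["problems"].append(f"overlaps with {b} ({nets[b]})")
    return plans


if __name__ == "__main__":
    # The addressing proposed in the original post, as written.
    proposed = {"router": "172.10.6.1", "VLAN 1": "172.10.7.1",
                "VLAN 2": "172.10.8.1", "VLAN 3": "172.10.9.1"}
    # The same layout moved into the 172.16.0.0/12 private block (illustrative).
    fixed = {"router": "172.16.6.1", "VLAN 1": "172.16.7.1",
             "VLAN 2": "172.16.8.1", "VLAN 3": "172.16.9.1"}
    for label, vlans in (("proposed", proposed), ("fixed", fixed)):
        print(f"== {label} ==")
        for name, p in check_plan(vlans).items():
            print(f"{name:8s} {p['network']:18s} mask {p['netmask']:16s} pool {p['pool']:32s} "
                  f"{'OK' if not p['problems'] else '; '.join(p['problems'])}")
```

Running it shows every 172.10.x.0/24 subnet flagged as non-private while the 172.16.x.0/24 versions pass with a 200-address pool (.10 to .209) and the gateway at .1 outside it. Passing `prefix_len=16` instead demonstrates the other failure: all three VLANs collapse into the same 172.16.0.0/16 and are reported as overlapping.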

Changing your IP range is not a security measure. A list of everything on your network is only an nmap scan away once someone gets in.

What do you need VLANs for? Do you have that many devices? Are you trying to separate broadcast traffic for some reason? Each of those subnets will need to be a /24 to accommodate that many (potential) hosts anyway.

I sold my soul for ProSupport.


I assume you'll want to set up 3 VLANs and 3 DHCP ranges, each with an address pool of 200 and subnet mask of /24?

If your packets travel across VLANs, this makes routing necessary, your LAN side is no longer just an L2 switch, but a L3 one.


29 minutes ago, TomChaai said:

If your packets travel across VLANs, this makes routing necessary, your LAN side is no longer just an L2 switch, but a L3 one.

Which if you do that for anything high-bandwidth is a very bad idea, as you could easily max out the router's CPU on VLAN-to-VLAN traffic alone, leaving nothing for Internet routing.

Then again, I kinda feel if you need to do VLAN-to-VLAN routing, then you probably didn't want those devices on different LANs to begin with. I realise some people prefer to keep their IoT devices on their own VLAN and then route the traffic necessary onto the main LAN, but honestly you're going against how the device was designed to work, so you're just asking for problems. Plus one wrong mistake in the VLAN-to-VLAN rules and you've basically combined the networks, making the whole point of having different LANs pointless.

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


1 hour ago, Alex Atkin UK said:

Which if you do that for anything high-bandwidth is a very bad idea, as you could easily max out the router's CPU on VLAN-to-VLAN traffic alone, leaving nothing for Internet routing.

Then again, I kinda feel if you need to do VLAN-to-VLAN routing, then you probably didn't want those devices on different LANs to begin with. I realise some people prefer to keep their IoT devices on their own VLAN and then route the traffic necessary onto the main LAN, but honestly you're going against how the device was designed to work, so you're just asking for problems. Plus one wrong mistake in the VLAN-to-VLAN rules and you've basically combined the networks, making the whole point of having different LANs pointless.

However, having a Guest VLAN so that when friends / family come over you don't have to expose your main network to them, and can enable client-based isolation in the right circumstances, is a nice thing to have from a security perspective.

To achieve that you would want the following firewall rules:

GuestVLAN_LOCAL
  Default Action: Drop
  Allow DHCP: Accept port 67 udp
  Allow DNS: Accept port 53 tcp & udp to your router / DNS service provider for that VLAN.

GuestVLAN_In
  Default Action: Accept
  Allow Established / Related: Accept all protocols where State is Established or Related
  Drop Private Networks: Drop all protocols to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
  Drop Invalid traffic: Drop all protocols where State is Invalid

The above are based on Ubiquiti's EdgeRouter firewall rules.

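The two rule sets in the post above rely on order: the established/related accept must come before the private-network drop, and the LOCAL set must default to drop so that only DHCP and DNS reach the router from the guest side. The following is an added example for this page, not code from the thread or from Ubiquiti: a first-match-wins model of those rule sets, applied the way an EdgeRouter applies them (a "local" set to packets addressed to the router itself, an "in" set to packets the router forwards), run over constructed sample flows. The guest VLAN 192.168.30.0/24, the router address 192.168.30.1 and the main LAN 192.168.1.0/24 are assumptions for illustration.

```python
"""
Added example: first-match-wins evaluation of the GuestVLAN_LOCAL and
GuestVLAN_In rule sets described above, over constructed sample flows.
Addresses are assumed for illustration, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ROUTER = ipaddress.ip_address("192.168.30.1")                 # assumed guest-VLAN gateway / DNS forwarder
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")   # where a DHCP DISCOVER is sent
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "new"    # conntrack state: new, established, related or invalid


@dataclass
class Rule:
    action: str                                   # "accept" or "drop"
    description: str
    protos: tuple = ()                            # () = any protocol
    dport: Optional[int] = None                   # None = any destination port
    dst_nets: list = field(default_factory=list)  # [] = any destination
    states: tuple = ()                            # () = any state

    def matches(self, f: Flow) -> bool:
        if self.protos and f.proto not in self.protos:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        if self.states and f.state not in self.states:
            return False
        if self.dst_nets and not any(ipaddress.ip_address(f.dst) in n for n in self.dst_nets):
            return False
        return True


@dataclass
class RuleSet:
    name: str
    default_action: str
    rules: list

    def decide(self, f: Flow) -> tuple:
        """Rules are checked in order; the first match decides (EdgeOS / iptables semantics)."""
        for r in self.rules:
            if r.matches(f):
                return r.action, r.description
        return self.default_action, "default"


# Applied to packets from the guest VLAN addressed to the router itself.
GUEST_LOCAL = RuleSet("GuestVLAN_LOCAL", "drop", [
    Rule("accept", "Allow DHCP", protos=("udp",), dport=67),
    Rule("accept", "Allow DNS", protos=("tcp", "udp"), dport=53),
])

# Applied to packets from the guest VLAN that the router forwards elsewhere.
GUEST_IN = RuleSet("GuestVLAN_In", "accept", [
    Rule("accept", "Allow Established/Related", states=("established", "related")),
    Rule("drop", "Drop Private Networks", dst_nets=PRIVATE_NETS),
    Rule("drop", "Drop Invalid", states=("invalid",)),
])


def evaluate(f: Flow) -> tuple:
    """Pick the rule set as the router would: LOCAL for packets to the router's
    own address or the limited broadcast, IN for everything else it forwards."""
    dst = ipaddress.ip_address(f.dst)
    chain = GUEST_LOCAL if dst in (ROUTER, LIMITED_BROADCAST) else GUEST_IN
    action, why = chain.decide(f)
    return chain.name, action, why


# Constructed sample flows from a guest device at 192.168.30.50.
SAMPLES = {
    "dhcp_discover":       Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    "dns_to_router":       Flow("192.168.30.50", "192.168.30.1", "udp", 53),
    "ssh_to_router":       Flow("192.168.30.50", "192.168.30.1", "tcp", 22),
    "smb_to_main_lan":     Flow("192.168.30.50", "192.168.1.20", "tcp", 445),
    "https_to_internet":   Flow("192.168.30.50", "203.0.113.10", "tcp", 443),
    "reply_to_main_lan":   Flow("192.168.30.50", "192.168.1.20", "tcp", 52000, state="established"),
    "invalid_to_internet": Flow("192.168.30.50", "203.0.113.10", "tcp", 80, state="invalid"),
}


def run_samples() -> dict:
    """Map each sample name to (rule set, action, matched rule description)."""
    return {name: evaluate(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (chain, action, why) in run_samples().items():
        print(f"{name:20s} {chain:16s} {action:6s} ({why})")
```

The sample results show what the rule order buys: DHCP and DNS to the router are accepted by name, SSH to the router falls through to the LOCAL default drop, SMB from guest to the main LAN is dropped by the private-network rule, Internet traffic falls through to the IN default accept, and a guest host can still answer a connection that a main-LAN host opened to it because the established/related rule sits first. On an actual EdgeRouter the same sets are built with `set firewall name <NAME> ...` and bound to the guest VLAN interface with `firewall local name` and `firewall in name`.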

2 hours ago, MrMase said:

However, having a Guest VLAN so that when friends / family come over you don't have to expose your main network to them, and can enable client-based isolation in the right circumstances, is a nice thing to have from a security perspective.

Corporate enterprises *expose* their infrastructure to incompetent network admins with worthless Cisco certs who VLAN everything in sight, turn switches into Swiss cheese, and then get crypto'd by Russian teenagers who know that vertical network segmentation is not a proper security mitigation practice.

If you have a friend pop over with something on his smartphone so dangerous it can bust SMB shares by simply being on the same SSID, you need to hire your friends as security consultants. 😃 I'm WAY more concerned about the reclusive teen next door who dresses in black and carries a camo spray-painted laptop with "Jacking Tool" stenciled on the front. He's your real threat.

I'm all for being cautious, but with Android devices now being nailed by malware that walks through 2FA like it was peanut butter, we really, really, really need to get out of 2006 and layer 3 and focus on layer 7. IMO of course.

Use firewall groups to block off gadgets that don't need to be on the Internet. The rest is PEBKAC....


2 hours ago, wseaton said:

Corporate enterprises *expose* their infrastructure to incompetent network admins with worthless Cisco certs who VLAN everything in sight, turn switches into Swiss cheese, and then get crypto'd by Russian teenagers who know that vertical network segmentation is not a proper security mitigation practice.

Lol, you seem upset bro, did the naughty VLAN touch your management network? Maybe take some basic network design courses from Juniper, Arista, Broadcom, Nvidia, Extreme, Aruba, Fortinet, etc.? They ALL use VLANs, and just about everyone who uses VLANs does it with (V/R/P)ACLs, firewalls, and/or some other security and segmentation methods in the mix, except when they're just trying to cut down on broadcast traffic or keep a network logically segmented. VLANs can serve a lot of different purposes in a network, and almost nobody "throws them around left, right and center" as you seem to allude to, aside from people who have no clue what they're doing and couldn't subnet anything smaller than a /24 and think L2 segments mean secure.


8 hours ago, Needfuldoer said:

Changing your IP range is not a security measure. A list of everything on your network is only an nmap scan away once someone gets in.

What do you need VLANs for? Do you have that many devices? Are you trying to separate broadcast traffic for some reason? Each of those subnets will need to be a /24 to accommodate that many (potential) hosts anyway.

I'm wanting to use VLANs to separate my main network, test environment and guest network.


22 hours ago, wseaton said:

Corporate enterprises *expose* their infrastructure to incompetent network admins with worthless Cisco certs who VLAN everything in sight, turn switches into Swiss cheese, and then get crypto'd by Russian teenagers who know that vertical network segmentation is not a proper security mitigation practice.

You are one funny person. How does someone get crypto'd? Go on, explain to me how. 🤣

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 32 GB (4x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitor: 24" Acer S240HLBID | OS: Win 11 Pro.

 

Home Lab:  Lenovo ThinkCenter M82 Hyper-V Server 2022 | Dell OptiPlex 9020 Hyper-V Server 2022 | TP-LINK TL-SG108E | Cisco Catalyst C2960CG 8 Port Switch | HP MicroServer G8 SCCM Server | 2x Dell PowerEdge R630 Hyper-V Server 2022

 

 
