
How to set up network properly...

Hello!

 

Following situation:

 

I have two flats in the same building, each of them with its own subnet.

In the basement are all the servers, which are shared.

 

I have an ISP which is able to provide me dual stack.

As the router I'm planning to use the Ubiquiti Dream Machine Pro.

As layer 3 switches I'm planning to use two Ubiquiti USW-Pro-24.

The modem is a NAT-less one, so the router gets the public IPs on its WAN port.

 

Just review the picture below:

 

[attached image: network diagram]

 

 

So the problem is that I do not have any experience in subnetting or using VLANs.

 

As you can see, the two flat networks should be isolated from each other.

But they have to share the servers in the basement AND the internet connection.

 

What would you recommend as the basic routing settings or logic in such a case?

 

As always your help is greatly appreciated!!! 😁


I hope that... 20.20.20.0/24 and 30.30.30.0/24 are not the actual subnets...

Not English-speaking person, sorry, I'll make mistakes. If you're kind, maybe you'll be able to understand.

If you're really kind, you'll nicely point that out so I will learn more about write in good English.  🙂


1 minute ago, mMontana said:

I hope that... 20.20.20.0/24 and 30.30.30.0/24 are not the actual subnets...

Hello, thank you very much for your answer!

 

No, they are just examples.


3 hours ago, MelvinKlein1000 said:

No, they are just examples.

Are you aware that both subnets should never be used in a private network?


5 minutes ago, mMontana said:

Are you aware that both subnets should never be used in a private network?

As I said, it is just to make it simpler. In reality, instead of 20.20.20.0 and 30.30.30.0, other subnets like 192.168.0.0/24 and 192.168.1.0/24 are used.

 

Thank you for pointing that out but this is not the problem... 


7 minutes ago, mMontana said:

Are you aware that both subnets should never be used in a private network?

Can you explain what you mean by this?  I have never heard of this.

It must be true, I read it on the internet...


3 minutes ago, shoutingsteve said:

Can you explain what you mean by this?  I have never heard of this.

Certain subnets are not for home use.

In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios. This address block should not be used on private networks or on the public Internet.

 

This may or may not help OP: https://www.msp360.com/resources/blog/guide-to-subnets-and-ip-addressing/


12 minutes ago, shoutingsteve said:

Can you explain what you mean by this?

https://www.rfc-editor.org/rfc/rfc1918

RFC 1918 explains it better:

     The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

The whole IPv4 Internet does not use these addresses.

 

14 minutes ago, MelvinKlein1000 said:

Thank you for pointing that out but this is not the problem... 

Yes and no. Your current problem is that you don't know how to translate your project into reality.

But your "example" is not suitable to be translated into reality, due to the subnets for Flat 1 and Flat 2 that should not be used.

"It's not the same" isn't enough... because it will work anyway (sort of)... but at some point a lot of things won't work, like reaching Microsoft or some organization that is part of the United States government.

 

Now.

The UDM Pro and the switches in both flats need to "know" all the VLANs involved, otherwise transport won't work.

For the SFP ports, all VLANs should be tagged.

On the rest of the ports of the switch in Flat 1, only the VLAN for Flat 1 should be untagged on all remaining ports, and the VLAN for Flat 2 needs to be forbidden.

On the rest of the ports of the switch in Flat 2, only the VLAN for Flat 2 should be untagged on all remaining ports, and the VLAN for Flat 1 needs to be forbidden.

Then it's time for some firewall rules... between... subnets. For firewalling, VLAN, WLAN, WAN... it's all the same. Simply subnets, no matter what.

NO ONE can access the switch management or the management server from Flat 1 and Flat 2.

6 minutes ago, MelvinKlein1000 said:

Is it possible to get back to my original question?

Call a network specialist. Can comb networks anytime you need 😉

 

This is all volunteer work. Sometimes being picky is considered... impolite.

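The tagged/untagged/forbidden port layout from the post above, turned into a small checker. This is an added example written for this thread, not a UniFi configuration export and not code from the original post; the VLAN IDs (1 management, 10 servers, 20 Flat 1, 30 Flat 2), the switch names and the port names are assumptions. It also flags the case the "forbidden" rule is really guarding against: a VLAN that is merely tagged on an edge port is still reachable from that port, because a client can send 802.1Q-tagged frames itself.

```python
"""Sanity-check a planned VLAN port layout for the two flats.

Added example for this thread, not a UniFi/UDM Pro export: a plain model of
the "tagged on the uplink, untagged for the flat, forbidden for the other
flat" layout. VLAN IDs, switch and port names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

VLAN_MGMT, VLAN_SERVERS, VLAN_FLAT1, VLAN_FLAT2 = 1, 10, 20, 30
ALL_VLANS: Set[int] = {VLAN_MGMT, VLAN_SERVERS, VLAN_FLAT1, VLAN_FLAT2}


@dataclass
class Port:
    name: str
    untagged: Optional[int]            # native VLAN, None on a pure trunk
    tagged: Set[int] = field(default_factory=set)
    is_uplink: bool = False            # SFP port back to the basement

    def exposed_vlans(self) -> Set[int]:
        """VLANs a device plugged into this port can talk on.

        A host can emit 802.1Q-tagged frames, so a VLAN that is *tagged* on
        an edge port is reachable from that port just as the untagged one is.
        "Forbidden" in the post above means: neither tagged nor untagged.
        """
        vlans = set(self.tagged)
        if self.untagged is not None:
            vlans.add(self.untagged)
        return vlans


def check_switch(switch: str, ports: List[Port], flat_vlan: int) -> List[str]:
    """Return policy violations for one flat's switch (empty list = clean)."""
    problems: List[str] = []
    for p in ports:
        if p.is_uplink:
            # Transport to the basement must carry every VLAN, all tagged.
            if p.untagged is not None or p.tagged != ALL_VLANS:
                problems.append(f"{switch}/{p.name}: uplink must be tagged "
                                f"for {sorted(ALL_VLANS)} with nothing untagged")
            continue
        leak = p.exposed_vlans() - {flat_vlan}
        if leak:
            problems.append(f"{switch}/{p.name}: edge port exposes VLAN(s) {sorted(leak)}")
        if p.untagged != flat_vlan:
            problems.append(f"{switch}/{p.name}: edge port must be untagged VLAN {flat_vlan}")
    return problems


def flat_switch(flat_vlan: int, edge_ports: int = 4) -> List[Port]:
    """Build the intended layout: one tagged uplink, the rest untagged for the flat."""
    ports = [Port("sfp1", None, set(ALL_VLANS), is_uplink=True)]
    ports += [Port(f"eth{i}", flat_vlan) for i in range(1, edge_ports + 1)]
    return ports


# Constructed configurations: Flat 1 as intended, Flat 2 with two mistakes.
FLAT1_SWITCH = flat_switch(VLAN_FLAT1)
FLAT2_SWITCH = flat_switch(VLAN_FLAT2)
FLAT2_SWITCH[1].tagged.add(VLAN_FLAT1)     # eth1 also carries Flat 1 tagged: a leak
FLAT2_SWITCH[2].untagged = VLAN_MGMT        # eth2 lands on the management VLAN


def audit() -> dict:
    """Run the check over both flat switches."""
    return {
        "flat1": check_switch("flat1", FLAT1_SWITCH, VLAN_FLAT1),
        "flat2": check_switch("flat2", FLAT2_SWITCH, VLAN_FLAT2),
    }


if __name__ == "__main__":
    for switch, problems in audit().items():
        print(switch, "OK" if not problems else "\n  ".join([""] + problems))
```

The model deliberately treats "tagged on an edge port" as exposure rather than as harmless extra configuration: the switch will forward a tagged frame from a client on that VLAN, so the only safe state for a flat's edge ports is one untagged VLAN and nothing else.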

I'm going to assume that this is a "house shared between two households of the same family" situation, and not a "renting out both flats to a third party" situation, because in the latter I strongly recommend just pulling in two ISP lines.

 

Within that assumption (and for goodness' sake, stop talking about the exact IP addresses in the example...)

 

I'd have the ISP network come into the server room, where it goes through your router / firewall / whatever to 3 subnets, each separated from the others:

- servers

- flat1

- flat2

 

And to make flat1 and flat2 talk to the servers without talking to each other, my preference remains to just give the servers an IP address in the flat1 and flat2 subnets, on which they only serve the services that are supposed to go there. If you insist on firewalling them off, you can set up firewall rules that allow addresses from the flat1 subnet to access an IP address from the servers subnet on a given port number. But if a lot of traffic is flowing over this (for example, network shares), that's a notable strain on your firewall's processor, which is why I prefer the "leg in every VLAN" approach.

2 minutes ago, mMontana said:

Yes and no. Your current problem is that you don't know how to translate your project into reality.

But your "example" is not suitable to be translated into reality, due to the subnets for Flat 1 and Flat 2 that should not be used.

"It's not the same" isn't enough... because it will work anyway (sort of)... but at some point a lot of things won't work, like reaching Microsoft or some organization that is part of the United States government.

I'm a nitpicking arse, and even to me it's blatantly obvious OP just punched some numbers into his schematic so he doesn't post the actual addresses he's using. If you're falling over this to the point you can't actually answer OP's question, you should go do some introspection instead of flooding this thread with garbage that is so far beside the point you're derailing the entire thing.

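A worked version of the "firewall rules between subnets" approach that the two posts above describe, as an added example (it is not UDM Pro rule syntax and not code from the thread). The subnets, the file and DNS server addresses, the service ports and the expectation table are all assumptions. The point is that the policy is written down as a first-match list and then checked against a table of what must and must not be reachable before anything is typed into the router. The `crosses_firewall` helper covers the "leg in every VLAN" alternative: traffic between two addresses in the same subnet never passes the router at all.

```python
"""Evaluate the inter-VLAN firewall policy before it goes into the router.

Added example for this thread. Not UDM Pro rule syntax: a plain first-match
model of "firewall rules between subnets", so the intended outcome can be
checked as a table. Subnets, server addresses and ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

FLAT1, FLAT2 = Net("192.168.0.0/24"), Net("192.168.1.0/24")
SERVERS, MGMT = Net("192.168.10.0/24"), Net("192.168.99.0/24")
ANY = Net("0.0.0.0/0")
FILE_SERVER, DNS_SERVER = IPv4("192.168.10.5"), IPv4("192.168.10.53")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: Net
    dst: Net
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src: IPv4, dst: IPv4, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def host(addr: IPv4) -> Net:
    return Net(f"{addr}/32")


# Evaluated top to bottom on NEW connections only; first match wins. The
# router's connection tracking lets replies back, so "servers -> flat" never
# needs an allow rule of its own.
POLICY: List[Rule] = [
    Rule("deny", ANY, MGMT),                              # nobody reaches management
    Rule("allow", FLAT1, host(DNS_SERVER), "udp", 53),
    Rule("allow", FLAT2, host(DNS_SERVER), "udp", 53),
    Rule("allow", FLAT1, host(FILE_SERVER), "tcp", 445),
    Rule("allow", FLAT2, host(FILE_SERVER), "tcp", 445),
    Rule("deny", FLAT1, FLAT2),                           # flats stay isolated
    Rule("deny", FLAT2, FLAT1),
    Rule("deny", FLAT1, SERVERS),                         # anything else on the server VLAN
    Rule("deny", FLAT2, SERVERS),
    Rule("deny", SERVERS, FLAT1),                         # servers never initiate into a flat
    Rule("deny", SERVERS, FLAT2),
    Rule("allow", ANY, ANY),                              # what is left is the Internet via WAN
]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    s, d = IPv4(src), IPv4(dst)
    for rule in POLICY:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


def crosses_firewall(src: str, dst: str) -> bool:
    """False when both ends sit in the same subnet: that traffic is switched at
    layer 2 and the router never sees it. This is why the "leg in every VLAN"
    option avoids the firewall's CPU, and also why such a multi-homed server
    must not forward packets between its interfaces (it would bridge the flats)."""
    s, d = IPv4(src), IPv4(dst)
    return not any(s in n and d in n for n in (FLAT1, FLAT2, SERVERS, MGMT))


# Constructed expectations; rerun them whenever the policy changes.
EXPECTATIONS = [
    ("192.168.0.10", "192.168.10.5", "tcp", 445, "allow"),    # flat1 -> SMB share
    ("192.168.1.10", "192.168.10.53", "udp", 53, "allow"),    # flat2 -> private DNS
    ("192.168.0.10", "192.168.1.10", "tcp", 445, "deny"),     # flat1 -> flat2
    ("192.168.1.10", "192.168.0.10", "icmp", 0, "deny"),      # flat2 -> flat1
    ("192.168.0.10", "192.168.99.1", "tcp", 443, "deny"),     # flat1 -> switch management
    ("192.168.0.10", "192.168.10.5", "tcp", 22, "deny"),      # flat1 -> SSH on the server
    ("192.168.10.5", "192.168.0.10", "tcp", 445, "deny"),     # server initiating into flat1
    ("192.168.0.10", "1.1.1.1", "udp", 53, "allow"),          # flat1 -> Internet
]


def verify_policy() -> List[str]:
    """Return a description of every expectation the policy violates."""
    failures = []
    for src, dst, proto, dport, want in EXPECTATIONS:
        got = decide(src, dst, proto, dport)
        if got != want:
            failures.append(f"{src} -> {dst} {proto}/{dport}: want {want}, got {got}")
    return failures


if __name__ == "__main__":
    problems = verify_policy()
    print("policy OK" if not problems else "\n".join(problems))
```

Rule order matters: the management deny sits first so no later allow can be widened into it by accident, and the final catch-all allow is what gives both flats their Internet access once every private-to-private case has been decided above it.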

@manikyath you're so kind...


To act like a sinkhole? Sorry, I don't believe you.


25 minutes ago, mMontana said:

Call a network specialist. Can comb networks anytime you need 😉

This is all volunteer work. Sometimes being picky is considered... impolite.

I'm thankful for all the help. Please don't interpret any arrogance into my comments 🥲 I just tried to push it in the right direction. I love this community and for sure you are all volunteers. Sometimes it is necessary to simply tap a little on the brake.

 

25 minutes ago, mMontana said:

Call a network specialist. Can comb networks anytime you need 😉

This is all volunteer work. Sometimes being picky is considered... impolite.

Ayyy mates! Please calm down! This is a community, not a place where someone should hate on someone else!!!

Please do not interpret arrogance into my or someone else's replies. Questions like the one from @shoutingsteve are not unwanted... he has every right to ask any question he needs in order to understand certain replies.

Furthermore, please don't get me wrong. Sometimes someone has to moderate a little so that someone in the future trying to read this topic is not blown away by slightly off-topic things.

That said, just calm down, respect each other and move on with sharing your experience with the community.


I'm going to split this into two options and then address some misconceptions in here later 🙂

I'm not 100% sure if the UDM Pro can do multiple DHCP servers or not, but I would hope it could.

 

OP, you have a couple options:

1) Put an L2 switch in each flat and run a cable back to the UDM Pro, do subnets there and put an ACL that blocks them from talking to each other. Then you could permit each subnet to access specific hosts (DNS, etc.) if you want, or just have the UDM hand out public DNS to each flat instead and keep private DNS servers for yourself.

2) UDM Pro > a single switch, then splitting to the flats with a VLAN per port going to each flat and an L2 unmanaged switch at each flat (similar to option 1 but more cable mess). Then you would provide a subnet for each SVI (L3 VLAN), do trunking down to the UDM Pro and segment everything there.

The other option is an L3 switch, as you have set up, to each flat, with the SVI/routing done on the L3 switch and pointed back to the UDM Pro for the default gateway.

 

I think option 1, assuming my assumptions are right about the UDM Pro, would be the cleanest and simplest. You would do a few NAT statements on the UDM Pro to allow all the flats to share the single public IP address, no problem. If the UDM Pro cannot do multiple DHCP subnets then you could do option 2 with the multiple switches and run the DHCP server on each for each subnet.

Both of the above options, imo, are solid and, provided you're not doing double NAT at any point, would keep things clean and easy to manage overall while keeping traffic segmented between flats. Just make sure you set up firewall rules properly and ideally test to make 100% sure you can't access hosts between flats.

 

 

Misconceptions:

You 100% can use whatever IP address space you like. HOWEVER, the reason for private address space is to ensure none of it is publicly routable, and therefore you don't pick some public space and then cannot get to it. For example, if you used 8.8.8.0/24 then suddenly you're not able to hit 8.8.8.8 for Google's DNS. However, there is NOTHING stopping you from using whatever address space you want privately, provided you keep this in mind. If we're getting into BGP routing advertisements then yes, you would need to make sure you're not advertising subnets to the ISP you don't own, as that would be big trouble, but beyond that, no: private space is only to make sure you're not using someone else's space.

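The 8.8.8.0/24 example above, shown as an added example of the longest-prefix-match rule that makes it fail (this is not code from the post; the routing table, the interface names and the "bad" LAN prefix are constructed). The `classify` helper also checks a prefix against the RFC 1918 and RFC 6598 blocks discussed earlier in the thread, which is the quick test for whether a made-up subnet is actually safe to use at home.

```python
"""Why "just pick some numbers" for a LAN breaks reachability on the Internet.

Added example for the misconception paragraph above. The routing table is a
constructed one (interface names and the 8.8.8.0/24 LAN are assumptions); it
shows the longest-prefix-match rule every IP stack applies, plus a check of
which blocks RFC 1918 and RFC 6598 actually reserve.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]           # (prefix, next hop or interface)

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
CGNAT = Net("100.64.0.0/10")      # RFC 6598 shared address space, not for LANs


def classify(prefix: str) -> str:
    """Say whether a prefix is safe to use inside a private network."""
    net = Net(prefix, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"           # reserved for ISPs; may clash with your own WAN address
    return "public"              # registered to someone else and routable on the Internet


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


# Constructed tables. The "bad" router carries 8.8.8.0/24 as a local LAN, so
# the /24 beats the /0 default route and Google's resolver is never reached.
ROUTES_GOOD: List[Route] = [
    (Net("0.0.0.0/0"), "wan"),             # default route to the ISP
    (Net("192.168.0.0/24"), "lan-flat1"),
    (Net("192.168.1.0/24"), "lan-flat2"),
]
ROUTES_BAD: List[Route] = ROUTES_GOOD + [(Net("8.8.8.0/24"), "lan-flat1")]


def where_does_google_dns_go(table: List[Route]) -> Optional[str]:
    return lookup(table, "8.8.8.8")


if __name__ == "__main__":
    for p in ("20.20.20.0/24", "30.30.30.0/24", "192.168.0.0/24", "100.64.1.0/24"):
        print(f"{p:16} {classify(p)}")
    print("good router sends 8.8.8.8 via", where_does_google_dns_go(ROUTES_GOOD))
    print("bad router sends 8.8.8.8 via", where_does_google_dns_go(ROUTES_BAD))
```

Run stand-alone it prints the two example subnets from the diagram as "public" and shows the bad router delivering 8.8.8.8 to the Flat 1 LAN instead of the WAN, which is exactly the "some things stop working" failure described in the thread.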

3 minutes ago, Lurick said:

OP, you have a couple options:

1) Put an L2 switch in each flat and run a cable back to the UDM Pro, do subnets there and put an ACL that blocks them from talking to each other. Then you could permit each subnet to access specific hosts (DNS, etc.) if you want, or just have the UDM hand out public DNS to each flat instead and keep private DNS servers for yourself.

2) UDM Pro > a single switch, then splitting to the flats with a VLAN per port going to each flat and an L2 unmanaged switch at each flat (similar to option 1 but more cable mess). Then you would provide a subnet for each SVI (L3 VLAN), do trunking down to the UDM Pro and segment everything there.

The other option is an L3 switch, as you have set up, to each flat, with the SVI/routing done on the L3 switch and pointed back to the UDM Pro for the default gateway.

Hello! Thank you for your reply!

 

The assumptions from manikyath are correct!

Same family, two flats, same building, shared servers...

 

Okay, so:

 

For 1)

As far as I know the UDM is capable of providing multiple DHCP subnets. But the problem is that one of the SFP+ ports needs to stay unused for future FTTH usage. So I only have one SFP+ port that can be used to get to my 2 flats.

 

For 2)

In case I got it right: I have to get another SFP+ L3 switch, "split" the single UDM SFP+ port I have into many, then go to L2 unmanaged switches and from there to my devices inside the flat? The SFP+ ports on the L3 switch are then provided with their own subnet and VLAN tag?

 

Yes, only the UDM is doing NAT. That's the point: keep things as simple and as solid as possible!

 

 

Thank you for pointing out some misconceptions. I'm aware of that. 😁

2 minutes ago, MelvinKlein1000 said:

For 2)

In case I got it right: I have to get another SFP+ L3 switch, "split" the single UDM SFP+ port I have into many, then go to L2 unmanaged switches and from there to my devices inside the flat? The SFP+ ports on the L3 switch are then provided with their own subnet and VLAN tag?

Got it that makes sense.

For point 2, yes, you would tag the packets at the switch connected to the UDM pro going to the L2 unmanaged switches. Basically set the ports as access with a different VLAN tag per flat. Then a trunk port between the switch and UDM pro would work 🙂


14 minutes ago, Lurick said:

Got it that makes sense.

For point 2, yes, you would tag the packets at the switch connected to the UDM pro going to the L2 unmanaged switches. Basically set the ports as access with a different VLAN tag per flat. Then a trunk port between the switch and UDM pro would work 🙂

Okay... just looked for an L3 SFP switch from Ubiquiti... yeah, looks a bit empty... they are selling only an aggregation switch with SFP ports.

 

So then let's assume that I have an L3 switch for each flat and the UDM as the L3 switch for the server network.

 

Is it possible to "pass through" the server network and internet to the first L3 switch and from there to the second L3? I mean, the benefit is that you are able to look at each flat as its own encapsulated network with its own subnet and DHCP server? In that case I would say that the L3 switches use the UDM as their default gateway... okay, so far so good?

 

The point is that all networks should use the same private DNS server for my domain and Cloudflare for all other queries.

 

But in this case I have double NAT, right?


31 minutes ago, Lurick said:

Got it that makes sense.

For point 2, yes, you would tag the packets at the switch connected to the UDM pro going to the L2 unmanaged switches. Basically set the ports as access with a different VLAN tag per flat. Then a trunk port between the switch and UDM pro would work 🙂

Other Idea: 

 

UDM Pro to an aggregation L2 switch, then to two L2 switches, and segmenting it on the UDM? The benefit would be that I could connect my servers via SFP, and when they are hit hard they have 10G connectivity 🤔


28 minutes ago, MelvinKlein1000 said:

Is it possible to "pass through" the server network and internet to the first L3 switch and from there to the second L3? I mean, the benefit is that you are able to look at each flat as its own encapsulated network with its own subnet and DHCP server? In that case I would say that the L3 switches use the UDM as their default gateway... okay, so far so good?

But in this case I have double NAT, right?

You could/should be able to do ACLs on the switch to block traffic, except allowed stuff, to other VLANs in that case, which would still allow you to keep it single NAT.
