Why do I want to overcomplicate my LAN?

SecCon
So I am in no way new to networking: I have built my own Cat6 network, pulled my own cables, connected my own patch panels and all that. My equipment is pretty good, with an EdgeMax 6P router, an EdgeMax switch, and all my fixed devices connected to those via wall sockets I installed myself; everything checks out. The WiFi goes via an AirCube, also Ubiquiti. I have a friend who works as a network installation engineer and does these things for a living, and I got a thumbs up from him while doing it.

That's the physical part.

I have a few servers, one running Ubiquiti UISP for an overall looksie, and other stuff like a couple of workstations. My main file share is on a standalone Windows Server with 14 TB on it, and it's backed up to a NAS at a different location.

Everything runs on 192.168.1.1-255. I have some static mappings for my NAS, the servers and the UISP, but that is about it, oh, and the printer and the IP phone line. Everything runs on the same network segment. All the static mapping is done on the router via entries in the DHCP table. All in all we are talking about some 50 devices: laptops, desktops, tablets, smartphones, a TV and an IP phone. Most run Windows and Android, except for some iPads and iPhones we got from work. One Ubuntu machine runs UISP in Docker.

So why do I post? I seem to have a working network and am happy with that.

Well, I post because I see all these recommendations about creating subnets and VLANs and whatnot. I read up a bit, yet see no real reason why. Sure, in a complex network you may want to do load balancing, sort out segments per location, direct one type of device one way and other types of devices other ways, and of course keep some sensitive stuff off the web. Separating WiFi from LAN, even separating IP telephony and directing it via its own subnet with optimizations for its protocols, and even putting the Aqara smart home sensors on their own VLAN, because they are made in China and you "need to keep them off the internet because otherwise they will hack you and give the Chinese or NSA another botfarm" and stuff like that.

So, summing up the questions: Is my take on this terribly wrong, what should I do instead and, most importantly, why?
 
WHY?

It's fun, it's what we do :)
 
I can't disagree, but that is not enough reason for me to actually get hands-on and do it.

I'd rather know what I am doing and why. Sure, I have dedicated IPs for all my servers' remote management (iBMC, iLO, IPMI), which are even on the tens in the segment, but other than that I have no real reason to make things look "pretty" before functional.
 
what should I do

Perhaps nothing. It's a good small home network and all the devices are yours. You can VLAN any less-trusted IoT devices and a guest network. That's about it. You have the knowledge; it's a matter of personal preference. Your APs have to be VLAN-capable too, if you want to play with VLAN -> SSID.
 
@SecCon

Everyone takes a different approach. I think what spurs some of the overly complicated configurations is someone reads something somewhere and then posts it. There's no need for most of it, and some of it is irrational. There are easier ways to block CN call-home traffic, by blocking it in DNS and FW rules rather than segmenting the LAN / VLAN / subnet / etc.

Now, if you're running hundreds of devices then it makes more sense to segment things to drop the overhead / interrupts from so many devices. The average consumer, though, isn't running over ~20 devices, and it doesn't make that much of an impact on network performance at that number. Multiply that by the number of people in the home and it can grow, but still you're only looking at maybe 50 devices.

I used to want an ER8 Pro before just coming up with my own device to collapse several devices into a single box. Condensing things into a single box makes for ease of management. Fewer bottlenecks to deal with as well when it comes to performance. When your routing / switching happens in the same device, there's virtually no lag to deal with.

Now, there are some instances when you want to complicate things for convenience. Running a VPN for the whole LAN can cause issues with things like streaming from your typical providers and requires some network magic to bypass their VPN filters. I used to just switch to known working endpoints for, say, Amazon, but eventually they would blacklist the IP being used, and it was a real PITA to deal with. Since the VPN software doesn't typically allow for split tunneling, I decided to just bypass the VPN using routing statements that force traffic to the destination to use the WAN instead of the default routing table that would normally push it out the VPN interface.

The average person, though, doesn't do this sort of thing to keep their information private. They might use a per-device VPN or some software to reduce ads. It depends on how knowledgeable they are, and in most cases they should stick to using a Mac.
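The "block it in DNS and FW rules" approach from the post above, as an added example that is not from the thread or from the poster (Python model, not router configuration syntax). It shows the two halves a practitioner needs together: a blocklist that matches a domain and everything beneath it and answers with a sinkhole address, and a check over connection records for devices that send DNS to anything other than the local resolver, which is exactly the traffic a firewall rule has to drop or redirect before the blocklist has any effect. The blocklist entries, the 192.168.1.1 resolver address and the flow records are constructed sample data.

```python
"""Blocklist in DNS plus the firewall-side check that makes it stick.

Added example, not from the forum thread. The blocklist entries, the resolver
address and the flow records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

SINKHOLE = "0.0.0.0"            # answer returned for blocked names
LOCAL_RESOLVER = "192.168.1.1"  # assumption: the router is the LAN's only resolver

# Constructed blocklist; comments, blank lines, case and trailing dots are tolerated.
BLOCKLIST_TEXT = """
# vendor telemetry hosts (made up for the example)
telemetry.example-vendor.com
Cloud.Example-IoT.net.
"""


class DomainBlocklist:
    """Blocks a domain and everything beneath it, matching on whole labels."""

    def __init__(self, text: str) -> None:
        self.blocked: set[str] = set()
        for raw in text.splitlines():
            entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
            if entry:
                self.blocked.add(entry)

    def is_blocked(self, name: str) -> bool:
        labels = name.lower().rstrip(".").split(".")
        # Walk up the tree: a.b.example.com -> b.example.com -> example.com -> com
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def resolve(self, name: str, upstream: dict[str, str]) -> str:
        """Sinkhole blocked names; otherwise hand back the upstream answer."""
        key = name.lower().rstrip(".")
        if self.is_blocked(key):
            return SINKHOLE
        return upstream.get(key, "NXDOMAIN")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# Constructed connection records, as a firewall or flow log might show them.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", LOCAL_RESOLVER, "udp", 53),    # normal: asks the router
    Flow("192.168.1.51", "198.51.100.53", "udp", 53),   # hardcoded public resolver
    Flow("192.168.1.52", "203.0.113.53", "tcp", 853),   # DNS over TLS
    Flow("192.168.1.53", "203.0.113.80", "tcp", 443),   # HTTPS; DoH would hide here
]


def dns_bypass_flows(flows: list[Flow], resolver: str = LOCAL_RESOLVER) -> list[Flow]:
    """Flows carrying DNS (plain 53 or DoT 853) to anything but the local resolver.

    These are what a firewall rule has to drop or redirect; otherwise the device
    never sees the sinkhole answer. DNS over HTTPS rides on 443 and cannot be
    told apart from ordinary web traffic by port alone, so it is not caught here.
    """
    return [f for f in flows if f.dport in (53, 853) and f.dst != resolver]


if __name__ == "__main__":
    bl = DomainBlocklist(BLOCKLIST_TEXT)
    for host in ("api.telemetry.example-vendor.com", "example-vendor.com"):
        print(host, "->", bl.resolve(host, {"example-vendor.com": "203.0.113.10"}))
    for f in dns_bypass_flows(SAMPLE_FLOWS):
        print("DNS bypass:", f.src, "->", f.dst, f.proto, f.dport)
```

Matching is done on whole labels, so blocking `cloud.example-iot.net` does not block `notcloud.example-iot.net`, and blocking a subdomain does not block its parent. The bypass check is the part that is easy to forget: a device with a hardcoded resolver ignores the router's DNS entirely, and a device that uses DNS over HTTPS is invisible to a port-based rule.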
 
I seem to have a working network and happy with that.

Keep it simple. The more complex it is, the more you turn into home sysadmin. Do you need another job?
 
I used to want an ER8 Pro before just coming up with my own device to collapse several devices into a single box. Condensing things into a single box makes for ease of management. Fewer bottlenecks to deal with as well when it comes to performance. When your routing / switching happens in the same device, there's virtually no lag to deal with.
A single box? Sounds interesting. Care to elaborate?

I like to do integrations on hardware to have, well, less hardware to deal with. But in this area I am currently not merging any predefined roles (router/switch/AP/firewall), since I am still learning and I am not yet sure about what bottlenecks I may unwittingly create or their impact. I am aware of the general rule of thumb: do the configuration as close to the devices as possible, which might imply something like doing VLANs on the switch rather than on the router. If you need VLANs, that is.

I appreciate the input and reactions received; seems I am sane after all. I will of course eventually start sorting things up to look "tidy" with dedicated segments and all that; I am just not comfortable doing it yet, and you will see me posting about it. I'd rather have a brainstorm about what I want to do and be told what I do wrong than just do something wrong and not get what the hell just happened.
Guess it's the way I function: talk my way through a dialogue with peers towards the solution, rather than read 4 books and think I know it all. (I do read the books anyway... ;) ) That is what forums are for, and I love traditional forums like this.

Next step is to hook up my firewall machine, and I need to read up a bit more on OPNsense before actually connecting the cables, but I guess that may be a topic for another thread.
 
I like to do integrations on hardware to have, well, less hardware to deal with.

When this hardware fails, all the services running on it fail. Your current setup is better.
 
"Why" depends on your usecase.

For us, we work from home, which means dealing with corporate provided equipment, i.e. 'untrusted' equipment from my perspective. So that equipment goes on a guest network. I don't run IoT equipment, but if I did, again, untrusted, separate guest network.

It's not really any more complex than that (for me ;) ).

YMMV of course.
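The split the post above describes (trusted LAN, untrusted corporate or IoT gear on a separate network), modelled as an added example that is not from the thread or from the poster. It is a Python model of an ordered, first-match firewall ruleset with a default drop, not router configuration syntax. 192.168.1.0/24 is kept as the trusted LAN from the opening post; the IoT and guest subnets, the per-VLAN router addresses, the zone names and the rule names are assumptions chosen to illustrate the point. What it shows that the prose does not is why rule order matters: the established/related rule comes first so the trusted LAN can open connections into the untrusted VLANs (print job, NAS reaching a TV) and get replies back, while nothing on those VLANs can initiate a connection toward the LAN.

```python
"""First-match firewall model for a segmented home network.

Added example, not from the thread. 192.168.1.0/24 is kept as the trusted LAN
from the opening post; the IoT and guest subnets, router addresses, zone and
rule names are assumptions chosen to illustrate the split the post describes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ZONES = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),   # trusted: servers, NAS, workstations
    "IOT":   ipaddress.ip_network("192.168.20.0/24"),  # assumed: printer, TV, sensors
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),  # assumed: work laptops, visitors
}
ROUTER_IPS = {"192.168.1.1", "192.168.20.1", "192.168.30.1"}  # assumed gateway per VLAN


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"  # anything outside the local VLANs is treated as the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int | None
    established: bool = False   # reply belonging to a connection the other side opened


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "accept" or "drop"
    src_zone: str | None = None
    dst_zone: str | None = None
    dports: frozenset[int] | None = None
    to_router: bool = False              # only traffic addressed to the router itself
    established: bool | None = None

    def matches(self, p: Packet) -> bool:
        if self.src_zone is not None and zone_of(p.src) != self.src_zone:
            return False
        if self.dst_zone is not None and zone_of(p.dst) != self.dst_zone:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.to_router and p.dst not in ROUTER_IPS:
            return False
        if self.established is not None and p.established != self.established:
            return False
        return True


# Ordered ruleset, first match wins, default drop. The order is the point:
# replies first, then the trusted LAN, then router services, then internet-only.
RULES = [
    Rule("allow-established", "accept", established=True),
    Rule("lan-anywhere", "accept", src_zone="LAN"),
    Rule("router-dns-ntp", "accept", to_router=True, dports=frozenset({53, 123})),
    Rule("iot-to-internet", "accept", src_zone="IOT", dst_zone="WAN"),
    Rule("guest-to-internet", "accept", src_zone="GUEST", dst_zone="WAN"),
]
DEFAULT_ACTION = "drop"


def decide(p: Packet, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return DEFAULT_ACTION, "default"


if __name__ == "__main__":
    cases = {
        "work laptop -> file server SMB": Packet("192.168.30.10", "192.168.1.20", "tcp", 445),
        "work laptop -> internet HTTPS":  Packet("192.168.30.10", "203.0.113.5", "tcp", 443),
        "workstation -> IoT printer":     Packet("192.168.1.50", "192.168.20.7", "tcp", 9100),
        "printer reply -> workstation":   Packet("192.168.20.7", "192.168.1.50", "tcp", None, True),
        "IoT device -> file server SMB":  Packet("192.168.20.7", "192.168.1.20", "tcp", 445),
        "internet -> file server SSH":    Packet("198.51.100.9", "192.168.1.20", "tcp", 22),
    }
    for label, pkt in cases.items():
        print(f"{label:32} {decide(pkt)}")
```

With this ordering a work laptop on the guest VLAN reaches the internet but is dropped when it tries SMB to the file server, and an IoT device can only talk to the router's DNS/NTP and to the internet. Swapping the two internet rules above the established rule would not change the outcome here, but putting a broad accept above the default drop for the wrong zone would; that is why a ruleset like this is worth walking through packet by packet before it goes on the router.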
 
"Why" depends on your usecase.

For us, we work from home, which means dealing with corporate provided equipment, i.e. 'untrusted' equipment from my perspective. So that equipment goes on a guest network. I don't run IoT equipment, but if I did, again, untrusted, separate guest network.
That is of course very relevant. One might think work computers have more security resources in a large organisation (we are 35,000, and maybe a few dozen within my IT speciality), but the protection is probably rather diluted, and as an example I get a lot more spam and phishing mail via work than via private sources.

WiFi VLAN coming up, I think... "unsafe w@rk sloths"...
 
Everybody on here probably has different things they have to be wary of. For me it's being a bit of a technophile while living with a technophobe. So I can't really take the network down very often, and any smarts just have to work, and work reliably and unobtrusively.
 
Well, I have Asperger's, and sometimes I just, well, talk about servers and tech, unaware that the person I am talking to is glazing over and doesn't have a clue what I'm on about as they stand there like a nodding dog. I have started to realise I do it, though, and try to cut off and talk about stuff they like.

Nice weather today isn't it?
 