User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
router:networking [2024/10/24 06:17] willyrouter:networking [2025/02/06 09:17] (current) – removed willy
Line 1: Line 1:
-====== Network Layout ====== 
- 
-For a general IP networking understandings [[https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking|this]] could be a good starting point. You should be familiar with basic subnetting and routing.to understand the following content. 
- 
-Let's start with the high level organization, you have two macro areas to consider: 
-  * Internal network, or the home network, is the network (or networks) that sits on top of your [[:networking|backbone]] and connects all your home devices (home automation, webcams, server, computers, tablets...) together. You can have one single flat home network or a mix of different subnets for different purposes, like one for home automation devices, one for webcams, one for computers. 
-  * External network, or the internet, which is what's outside the home network and should be considered //unsafe//, but it's also the only way into your home network services when you are not at home. 
- 
-In the middle of the two, you need a firewall / router device and some magic glue to let things speak together safely and effectively. On the //[[selfhost:simple_approach|simple]]// side of things, you can use your home server as firewall/router. On a more advanced approach, you should use a dedicated firewall appliance with [[networking:using_opnsense|opnSense]]. 
- 
- 
-===== Internal Network addressing ===== 
-You need to choose a proper subnet for your home network, and it must be a **private** subnet. The IANA defines  [[https://en.wikipedia.org/wiki/Private_network|ranges]] of private subnets that you can safely use.  
- 
-Of the various available ranges, my suggestion is to use the **10.X.Y.Z** and try to avoid the most obvious combinations like 10.0.0.0/24, because you might stumble on some devices that use those ranges and that might complicate things. You should be creative and create your unique subnet using any logic you want. As for my home network, i picked my ZIP code and house number to combine in a unique subnet starting with 10, and on a /24 (254 hosts) size. 
- 
-For the following, i will assume your home network uses **10.20.30.0/24** as LAN, **10.20.254.0/24** as DMZ (if needed) and **10.20.1.0/24** as VPN (if needed) subnets. 
- 
-You should not use a subnet in the 192.168.x.y range as many of these ranges are already used by ISP routers and devices and in case of a clash you might end up having to replace addresses on all your internal hosts, and this can be a mess. 
- 
-You also need to choose some IP addresses range assignments. I suggest at the least: 
-  * A range for DHCP (10.20.30.100 - 10.20.30.200) since most of your phones/tablets will need those dynamic addresses 
-  * A range for network devices, like WiFi APs (10.20.30..2 - 10.20.30.19) 
-  * A range for home servers/HomeAssistant/etc (10.20.30.20 - 10.20.30.29) 
-  * A range for webcams / IoT devices (10.20.30.30 - 10.20.30.69) 
-  * A range for fixed IPs (10.20.30.70 - 10.20.30.99) 
-  * A fixed IP for your home server (10.20.30.1) 
-  * A fixed IP for your router/gateway, if different from the home server (10.20.30.154) 
- 
-Of course, you might want to add VLANs so separate IoT stuff and/or create more segments as you prefer. 
- 
- 
-===== External Network ===== 
-Upstream fro your home, lies your ISP (Internet Service Provider), or ISPs. They will place in your home one (or more) //gateways//, which are just some networking boxes. These boxes will come preloaded with some specific configuration, often WiFi access, and some ethernet plugs. You should disable the WiFi (you will be using __your__ wifi) when possible, and just plug those into your firewall or home server dedicated ethernet plugs with 1:1 cables. 
- 
-Your ISP gateways will typically have addresses like 192.168.0.1 or 192.168.1.254. 
- 
-You **do not need** to have two ISPs. It's a resilience point tough, if you plan to host critical services you might want to have two. If you have only one, just ignore anything related to the second one in the followings. 
- 
-I will assume that your access to the **external network** is hidden behind  CG-NAT (Carrier Grade NAT) and thus you do not have, and cannot have, a real IP visible from outside in any possible way. This is the common truth for mostly everybody nowadays. 
- 
-(For you lucky from the USA, where sometimes you can, maybe paying or even for free, get a real IP, this might not apply, but since the world is big and 99% of people cannot access IPs anymore...) 
- 
-Note that i am __not__ talking of a **static** IP address.... i am talking of a **public** IP address at all. You will //not// get out of CG-NAT with dyn-dns tricks or any kind of port-forwarding. CG-NAT is a jail you need to evade from, somehow, and you need outside help to do that. 
- 
-The way to go around the CG-NAT limitations that i will show you involve having / renting a server with a static IP address on the internet. This can be the cheapest VPS (Virtual Private Server) out there, or a more powerful real hardware, it doesn't really matter. What you need is one fixed, public IP address to map with your domain and subdomain names. You might want, if you have the opportunity, to get two for resilience and redoundancy purposes. 
- 
- 
-===== Domain Name ===== 
- 
-You **need** a domain name. This is not optional, because SSL certificates can be released only to domain names and not directly to IP addresses, and also because when you are outside home, you need a //name// to reach home.  
- 
-I will assume you own **mydomain.com**. There are plenty of cheapo domains and also some are for free, remember you don't necessarily need a second-level domain, something third level under //.eu.org// for example would work fine. You will need somebody to manage your DNS records because you **cannot** use your home server for this, but this is usually provided by your DNS registrar. You sohuld also be able to create sub-domains, like service.mydomain.com, to host specific services that require a subdomain. 
- 
-So, i assume you have the following sub-domains: 
-  * __mydomain.com__: your main domain 
-  * __home.mydomain.com__: your home server subdomain 
-  * external.mydomain.com: the name for your main external server 
-  * failback.mydomain.com: a name for a second, if available, external server 
- 
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information