Network Layout

For a general understanding of IP networking, this could be a good starting point. You should be familiar with basic subnetting and routing to understand the following content.

Let's start with the high-level organization. You have two macro areas to consider:

  • The internal network, or home network, is the network (or networks) that sits on top of your backbone and connects all your home devices (home automation, webcams, server, computers, tablets…) together. You can have one single flat home network or a mix of different subnets for different purposes, like one for home automation devices, one for webcams, one for computers.
  • The external network, or the internet, is what's outside the home network. It should be considered unsafe, but it's also the only way into your home network services when you are not at home.

In the middle of the two you need a firewall / router device and some magic glue to let things speak together safely and effectively. On the simple side of things, you can use your home server as firewall/router. For a more advanced approach, you should use a dedicated firewall appliance running OPNsense.

Internal Network Addressing

You need to choose a proper subnet for your home network, and it must be a private subnet. IANA defines ranges of private subnets that you can safely use.

Of the various available ranges, my suggestion is to use 10.X.Y.Z and try to avoid the most obvious combinations like 10.0.0.0/24, because you might stumble on some devices that use those ranges, and that might complicate things. You should be creative and build your own unique subnet using any logic you want. For my home network, I picked my ZIP code and house number and combined them into a unique subnet starting with 10, with a /24 (254 hosts) size.

For the following, I will assume your home network uses 10.20.30.0/24 as the LAN subnet, 10.20.254.0/24 as the DMZ (if needed) and 10.20.1.0/24 as the VPN (if needed).

You should not use a subnet in the 192.168.x.y range, as many of these ranges are already used by ISP routers and devices, and in case of a clash you might end up having to replace addresses on all your internal hosts, which can be a mess.

You also need to choose some IP address range assignments. I suggest at least:

  • A range for DHCP (10.20.30.100 - 10.20.30.200), since most of your phones/tablets will need dynamic addresses
  • A range for network devices, like WiFi APs (10.20.30.2 - 10.20.30.19)
  • A range for home servers/HomeAssistant/etc. (10.20.30.20 - 10.20.30.29)
  • A range for webcams / IoT devices (10.20.30.30 - 10.20.30.69)
  • A range for fixed IPs (10.20.30.70 - 10.20.30.99)
  • A fixed IP for your home server (10.20.30.1)
  • A fixed IP for your router/gateway, if different from the home server (10.20.30.154)

Of course, you might want to add VLANs to separate IoT stuff and/or create more segments as you prefer.
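Added example (not part of the original page): the subnet choice and the range assignments above, encoded as a small plan and checked for the mistakes that are easy to make on paper: a LAN that is not private or collides with the common default subnets, ranges that leave the subnet or overlap each other, and fixed addresses that fall inside the DHCP pool. The range names and the `COMMON_DEFAULTS` list are this example's own.

```python
import ipaddress

# Address plan taken from the list above (the range names are our own).
LAN = ipaddress.ip_network("10.20.30.0/24")
RANGES = {
    "network devices": ("10.20.30.2", "10.20.30.19"),
    "servers": ("10.20.30.20", "10.20.30.29"),
    "iot": ("10.20.30.30", "10.20.30.69"),
    "fixed": ("10.20.30.70", "10.20.30.99"),
    "dhcp": ("10.20.30.100", "10.20.30.200"),
}
FIXED_HOSTS = {"home server": "10.20.30.1", "router/gateway": "10.20.30.154"}

# Subnets commonly preconfigured on ISP boxes and consumer gear (assumption:
# the ones the text warns about); a LAN overlapping these invites clashes.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/24", "192.168.0.0/24", "192.168.1.0/24")]


def check_plan(lan, ranges, fixed_hosts):
    """Return a list of problems found in the plan; an empty list means clean."""
    problems = []
    if not lan.is_private:
        problems.append(f"{lan} is not private address space")
    for d in COMMON_DEFAULTS:
        if lan.overlaps(d):
            problems.append(f"{lan} overlaps common default {d}")
    spans = {}
    for name, (lo, hi) in ranges.items():
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo > hi:
            problems.append(f"{name}: start {lo} is after end {hi}")
        if lo not in lan or hi not in lan:
            problems.append(f"{name}: {lo}-{hi} leaves subnet {lan}")
        spans[name] = (lo, hi)
    names = list(spans)
    for i, a in enumerate(names):  # pairwise overlap check between ranges
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                problems.append(f"{a} and {b} overlap")
    dhcp_lo, dhcp_hi = spans["dhcp"]
    for name, addr in fixed_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            problems.append(f"{name}: {ip} is outside {lan}")
        elif dhcp_lo <= ip <= dhcp_hi:  # DHCP could hand this address out twice
            problems.append(f"{name}: {ip} sits inside the DHCP pool {dhcp_lo}-{dhcp_hi}")
    return problems


if __name__ == "__main__":
    for p in check_plan(LAN, RANGES, FIXED_HOSTS) or ["plan is clean"]:
        print(p)
```

Run as-is, it reports that the router address in the list above lands inside the DHCP pool; move either the pool or the router, or reserve the address in the DHCP server.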

External Network

Upstream from your home lies your ISP (Internet Service Provider), or ISPs. They will place in your home one (or more) gateways, which are just some networking boxes. These boxes come preloaded with some specific configuration, often WiFi access, and some ethernet ports. You should disable their WiFi (you will be using your own WiFi) when possible, and just plug them into dedicated ethernet ports on your firewall or home server with 1:1 cables.

Your ISP gateways will typically have addresses like 192.168.0.1 or 192.168.1.254.

You do not need to have two ISPs. It's a resilience point though: if you plan to host critical services, you might want to have two. If you have only one, just ignore anything related to the second one in the following.

I will assume that your access to the external network is hidden behind CG-NAT (Carrier Grade NAT) and thus you do not have, and cannot have, a real IP visible from outside in any possible way. This is the common situation for almost everybody nowadays.

(For those of you lucky enough to be in the USA, where sometimes you can get a real IP, paying or even for free, this might not apply; but since the world is big and 99% of people cannot get public IPs anymore…)

Note that I am not talking about a static IP address… I am talking about a public IP address at all. You will not get out of CG-NAT with dyn-dns tricks or any kind of port-forwarding. CG-NAT is a jail you need to escape from, somehow, and you need outside help to do that.

The way around the CG-NAT limitations that I will show you involves having / renting a server with a static IP address on the internet. This can be the cheapest VPS (Virtual Private Server) out there, or more powerful real hardware, it doesn't really matter. What you need is one fixed, public IP address to map to your domain and subdomain names. You might want, if you have the opportunity, to get two for resilience and redundancy purposes.

Domain Name

You need a domain name. This is not optional, because SSL certificates can be issued only to domain names and not directly to IP addresses, and also because when you are away from home you need a name to reach home.

I will assume you own mydomain.com. There are plenty of cheap domains and some are even free; remember you don't necessarily need a second-level domain, something third-level under .eu.org for example would work fine. You will need somebody to manage your DNS records, because you cannot use your home server for this, but this is usually provided by your domain registrar. You should also be able to create sub-domains, like service.mydomain.com, to host specific services that require a subdomain.

So, I assume you have the following sub-domains:

  • mydomain.com: your main domain
  • home.mydomain.com: your home server subdomain
  • external.mydomain.com: the name for your main external server
  • failback.mydomain.com: a name for a second external server, if available
