DHCP range
Hello, your default router IP range is standard. Switching to something like 172.10.6.1 for the router would likely use a start IP of 172.10.6.10 and a subnet count of 200. You probably don’t need to adjust the subnet mask unless you want more flexibility. Setting up VLANs—VLAN 1 at 172.10.7.10, VLAN 2 at 172.10.8.10, and VLAN 3 at 172.10.9.10—all with a pool size of 200 seems correct.
This is unlikely to boost security. You're welcome to adjust the range to better fit your needs, but keep in mind the example you provided falls outside standard private IP ranges and might lead to problems.
- Class A: 10.0.0.0 to 10.255.255.255 – a single network with a large /8 mask (often used by big companies)
- Class B: 172.16.0.0 to 172.31.255.255 – a 172.16.0.0 network with a 255.240.0.0 or /12 mask (commonly for businesses/education)
- Class C: 192.168.0.0 to 192.168.255.255 – a 255.255.255.0 or /24 mask, typical for homes, small businesses, and offices
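An added example (not from anyone in this thread) that turns the three ranges above into a quick sanity check for a router/DHCP-pool plan. The check uses only the RFC 1918 blocks listed in the reply, not Python's broader `is_private`, and the addresses and pool sizes fed to it below are constructed from the figures quoted earlier in the thread.

```python
import ipaddress

# The three RFC 1918 private blocks listed in the reply above
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_dhcp_plan(router_cidr, pool_start, pool_size):
    """Return a list of problems with a router/DHCP-pool plan; an empty list means OK.

    router_cidr: router address with prefix, e.g. "192.168.6.1/24"
    pool_start:  first address the DHCP server hands out, e.g. "192.168.6.10"
    pool_size:   number of leases in the pool
    """
    iface = ipaddress.ip_interface(router_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    problems = []

    # Addresses outside RFC 1918 are routable on the public internet and
    # will collide with real hosts if they are used on a LAN.
    if not is_rfc1918(iface.ip):
        problems.append(f"{iface.ip} is not in an RFC 1918 private range")

    if start not in net:
        problems.append(f"pool start {start} is outside {net}")
        return problems

    # Last usable host in the subnet is one below the broadcast address.
    usable_last = net.broadcast_address - 1
    last = start + (pool_size - 1)
    if last > usable_last:
        problems.append(
            f"pool of {pool_size} ends at {last}, beyond last usable host {usable_last}"
        )
    if start <= iface.ip <= last:
        problems.append(f"router address {iface.ip} falls inside the pool")
    return problems


if __name__ == "__main__":
    # Constructed plans: the one from the first post, and a 192.168.x equivalent
    for plan in [("172.10.6.1/24", "172.10.6.10", 200),
                 ("192.168.6.1/24", "192.168.6.10", 200),
                 ("192.168.6.1/24", "192.168.6.10", 250)]:
        print(plan, "->", check_dhcp_plan(*plan) or "OK")
```

The first plan reports exactly the point made above: 172.10.x.x is a public range, since 172.16.0.0/12 only covers 172.16 through 172.31. The third plan shows why a /24 with a 250-lease pool starting at .10 does not fit.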
Adjusting your IP range doesn't enhance security. Everything on your network can be detected by an Nmap scan when someone gains access. What purpose do VLANs serve? Do you have enough devices? Are you trying to isolate broadcast traffic for a specific reason? Each subnet should ideally be a /24 to handle the expected number of hosts.
When dealing with high-bandwidth traffic, it's a serious risk as it can overload router CPU on VLAN-to-VLAN traffic, leaving no capacity for internet routing. It seems you're questioning whether VLAN-to-VLAN routing is necessary at all. Some users prefer isolating IoT devices in their own VLAN and sending only essential traffic to the main LAN. However, this approach contradicts the original design of those devices. One incorrect rule can merge networks entirely, rendering the purpose of separate LANs irrelevant.
With a Guest VLAN, you can keep your main network secure while letting friends or family join under specific conditions. This setup allows client-based isolation, which enhances security. To implement it, configure the following firewall settings:
- Default Action for GuestVLAN_LOCAL: Drop
- Allow DHCP: Accept port 67 UDP
- Allow DNS: Accept port 53 TCP & UDP to your router or DNS provider for that VLAN
- Default Action for GuestVLAN_In: Accept
- Allow established/related: Accept all protocols where State is Established or Related
- Drop Private Networks: Block all protocols to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
- Drop Invalid traffic: Block all protocols with an invalid state
These rules are based on Ubiquiti's EdgeRouter firewall configuration.
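An added example (not from the poster above and not EdgeOS itself) that models the two chains just listed as first-match rule lists, so you can check what each kind of guest packet would do before committing the rules to a router. The router address, resolver address and sample packets are constructed; which chain a packet hits is simplified to "addressed to the router or broadcast goes to LOCAL, everything else goes to IN", which is how EdgeRouter applies `local` and `in` chains.

```python
import ipaddress

# The three blocks named in the "Drop Private Networks" rule
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses for the model
ROUTER_IP = "192.168.30.1"        # router's address on the guest VLAN
RESOLVERS = ("198.51.100.53",)    # external resolver allowed for the guest VLAN


def build_chains(router_ip, resolvers):
    """Return (GuestVLAN_LOCAL, GuestVLAN_In) as first-match rule lists.

    Each rule is (name, action, predicate); a predicate takes a packet dict with
    keys src, dst, proto, dport, state. The chain default applies if nothing matches.
    """
    allowed_dns = set(resolvers) | {router_ip}

    def is_dhcp(p):
        return p["proto"] == "udp" and p["dport"] == 67

    def is_dns(p):
        return p["proto"] in ("tcp", "udp") and p["dport"] == 53 and p["dst"] in allowed_dns

    def is_established(p):
        return p["state"] in ("established", "related")

    def to_private(p):
        dst = ipaddress.ip_address(p["dst"])
        return any(dst in net for net in PRIVATE_NETS)

    def is_invalid(p):
        return p["state"] == "invalid"

    guest_local = {"default": "drop", "rules": [
        ("Allow DHCP", "accept", is_dhcp),
        ("Allow DNS", "accept", is_dns),
    ]}
    guest_in = {"default": "accept", "rules": [
        ("Allow established/related", "accept", is_established),
        ("Drop Private Networks", "drop", to_private),
        ("Drop Invalid traffic", "drop", is_invalid),
    ]}
    return guest_local, guest_in


def run_chain(chain, pkt):
    """First matching rule wins; otherwise the chain's default action applies."""
    for name, action, pred in chain["rules"]:
        if pred(pkt):
            return action, name
    return chain["default"], "default"


def decide(router_ip, resolvers, pkt):
    """Traffic to the router itself (or broadcast, e.g. DHCP discover) hits LOCAL;
    traffic the router would forward hits IN."""
    guest_local, guest_in = build_chains(router_ip, resolvers)
    if pkt["dst"] in (router_ip, "255.255.255.255"):
        return run_chain(guest_local, pkt)
    return run_chain(guest_in, pkt)


def pkt(dst, proto, dport, state="new", src="192.168.30.50"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


# Constructed sample traffic from a guest client at 192.168.30.50
SAMPLES = [
    ("DHCP discover", pkt("255.255.255.255", "udp", 67)),
    ("DNS to router", pkt(ROUTER_IP, "udp", 53)),
    ("SSH to router", pkt(ROUTER_IP, "tcp", 22)),
    ("SMB to a main-LAN host", pkt("192.168.1.20", "tcp", 445)),
    ("HTTPS to the internet", pkt("203.0.113.10", "tcp", 443)),
    ("reply to a flow the main LAN opened", pkt("192.168.1.20", "tcp", 51000, state="established")),
    ("invalid-state packet", pkt("203.0.113.10", "tcp", 443, state="invalid")),
]

if __name__ == "__main__":
    for label, p in SAMPLES:
        action, rule = decide(ROUTER_IP, RESOLVERS, p)
        print(f"{label:38s} -> {action:6s} ({rule})")
```

Two things the run makes visible: a guest can reach the internet and the router's DHCP/DNS but nothing else on the router or on the private ranges, and the established/related rule has to sit before the drop-private rule, otherwise replies to a connection the main LAN itself opened to a guest device would be dropped.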
Corporate Enterprise reveals their systems to untrained network staff who hold outdated Cisco credentials, reconfigure VLANs haphazardly, and then sell their services to Russian youths who understand that strict network segmentation isn't a solid security measure. If someone brings you something on their phone so risky it could compromise SMB accounts just by sharing the same Wi-Fi network, you should bring in your own security experts. I'm more worried about the quiet neighbor who dresses in black and carries a camouflage laptop with a "Jacking Tool" stenciled on it. That person poses the greatest danger. While I support caution, with Android devices now vulnerable to malware that bypasses two-factor authentication like it's nothing, we should prioritize securing our layer 3 and focus on layer 7. Of course, using firewall groups to restrict unnecessary internet access would help. The rest is a disaster waiting to happen.
It looks like you're feeling frustrated about something related to VLANs. Maybe learning more about network design from companies like Juniper, Arista, Broadcom, Nvidia, Extreme, Aruba, Fortinet could help. They all use VLANs and typically handle them with ACLs, firewalls, or other security measures. VLANs are versatile and most people use them for segmentation, reducing broadcast traffic, or organizing networks logically. Just be careful not to overcomplicate things—most folks don’t treat subnets smaller than a /24 or assume L2 segments are secure.
You aim to divide your network into three distinct sections: primary network, testing environment, and guest network using VLANs.
Oh man, getting crypto’d is like being locked in a digital cage with no key! It usually happens when you accidentally share your private key or click the wrong link. Once it’s all locked up, you’ll need a new one—like swapping out a broken phone for a fresh one. It’s not easy, but hey, at least you’ll have a new password to remember!