Topic: General Networking advice for the home (Read 1124 times)
toxic (Jr. Member, Posts: 72, Karma: 4)
« on: January 21, 2021, 01:29:04 am »
Hello,
Starting with an advanced question, because I might be able to solve my question alone if it works: would it work if I set up my LAN to be a 10.0.0.0/16 and then apply firewall rules to 10.0.0.0/24 or 10.0.1.0/24? I mean, would they apply to all my devices having an IP in 10.0.1.x even if their subnet mask is /16 and not /24? (And not apply to all devices in 10.0.0.x.)
Is there another simpler way to have all devices in the /16 and apply FW rules to a wide range of addresses in a CIDR-like notation or some IP ranges?
(I've been using aliases for that as of today, in which I've put all individual IPs from 10.0.0.10 to 10.0.0.29 for example, and I know this way works, but I did that for 10 or 20 IPs; for 254 repeated 254 times... it'll be unreasonable I think...)
My issue is that I moved from no firewall, just using my ISP router, to opnSense, trying to have no any-to-any rule, using VLANs, ... And now I'm already at about 80 FW rules and still having to consider mDNS proxies and things like that... In essence, just doing a lot of work to bring back features that are designed to "simply work" on unmanaged networks...
In essence: I've been trying to be more paranoid than necessary and it's now too much of a hassle for little to no gain...
So I'm revamping all of my LAN to greatly simplify it, acknowledging that I'm putting more trust into the devices/users, but hey, I'm at home... I mostly trust myself and will focus more on monitoring now that I've set up something to crunch the logs.
Plus Suricata is up and has the ET Pro rules, not as good as not needing it, but hey...
What I intend to have:
1 VLAN for my CCTV
1 VLAN for all the rest:
1 subnet for just my piHole DNS (to enforce its usage and avoid NAT from client to resolver)
A big subnet for everything else.
This last big subnet, in fact, I would like to keep organized, so one flat network with mostly all the same rules (*to* will be fine this time).
But still I'd like to keep all my "server-like" devices with a similar IP, my wireless devices, media, and smart-home devices, somehow all on the same network so broadcast and such things work seamlessly, but still more or less organized so I can have simple rules like "all servers can access the internet only through this VPN" or "No access to the outside world for the smart-home devices"...
My intended categories:
Networking stuff (managed switches, wireless APs, Logstash ...) similar to OOB but on the same network because home...
Servers (NAS, docker, downloaders, Raspberry Pis, ...)
Laptops and computers using wires
All wireless devices (smartphones, laptops, ...)
Media (TV, Xbox, tvheadend, Kodi, ...)
SmartHome gadgets (light fixtures, ...)
I have quite a few devices but I will still keep my current way of doing this: all devices are using DHCP and all of them have a static lease based on their MAC, so 1 big subnet and I organize my devices by giving them the proper IP, that I know how to do, and some IP range for devices yet unknown, for me to later set up a static lease in the proper IP range.
(Even if the GUI is a bit painful for that, and even the unbound config file format is not as concise as it could be to mass-import/export/edit such static leases... The pihole config file for DHCP leases was way more friendly, but hey, no pihole on this subnet, will deal with dnsmasq.)
What I'm not sure about is how to simply assign FW rules to a big chunk of an even bigger subnet...
If you have better ideas for a simple home/lab network like this, I'm all ears.
Trying to find the right balance between fine-grained control and minimizing admin effort...
Thank you in advance for all your kind help or advice!
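Added example, not part of the original post: a packet filter matches a rule against the addresses in the packet, not against the netmask configured on the sending host, so a rule on 10.0.1.0/24 applies to a host at 10.0.1.42/16 and not to one at 10.0.0.10/16. The script below models that with an ordered, first-match rule table, and also shows how an inclusive range such as 10.0.0.10 to 10.0.0.29 collapses into a handful of CIDR blocks that an alias could hold instead of one entry per address. The rule table, host list and addresses are constructed sample values, not the poster's real network.

```python
"""Added example (not from the forum post): rule matching by packet address,
independent of the host's own subnet mask, plus range-to-CIDR conversion.
All hosts, rules and addresses are constructed sample values."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed rule table: (action, source network, description).
# First match wins, the way an ordered packet-filter rule list is evaluated.
RULES: List[Tuple[str, str, str]] = [
    ("block", "10.0.1.0/24", "smart-home: no access to the outside world"),
    ("pass", "10.0.0.0/24", "servers: allowed out (via VPN in practice)"),
    ("pass", "10.0.0.0/16", "everything else on the big flat subnet"),
]

# Constructed hosts, all configured with the /16 mask the poster proposes.
HOSTS = {
    "nas": ipaddress.ip_interface("10.0.0.10/16"),
    "lightbulb": ipaddress.ip_interface("10.0.1.42/16"),
    "laptop": ipaddress.ip_interface("10.0.3.7/16"),
}


def first_match(src: str) -> Optional[Tuple[str, str]]:
    """Return (action, description) of the first rule whose source network
    contains the packet's source address, or None if nothing matches.
    Only the address is consulted; the sender's netmask plays no part."""
    addr = ipaddress.ip_address(src)
    for action, net, desc in RULES:
        if addr in ipaddress.ip_network(net):
            return action, desc
    return None


def decide(host: str) -> str:
    """Evaluate the rule table for a packet sent by a named constructed host.
    Falls back to default-deny when no rule matches."""
    iface = HOSTS[host]
    # Every host really does sit in the /16 as far as its own mask goes.
    assert iface.network == ipaddress.ip_network("10.0.0.0/16")
    match = first_match(str(iface.ip))
    return match[0] if match else "default-deny"


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Express an inclusive IP range as the minimal list of CIDR blocks,
    which is what an alias can carry instead of one entry per address."""
    return [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(f"{name:10} {iface} -> {decide(name)}")
    print(range_to_cidrs("10.0.0.10", "10.0.0.29"))
```

The one thing to watch is rule order: because the /16 "pass" rule contains both /24 ranges, it must sit after them or it will shadow them, exactly as it would in a real rule list.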