Please help me re-do my DHCP entries and prepare for VLANs

Started by MannyLNJ, June 27, 2025, 05:43:52 AM

Good <fill in your time of day here>

I need advice and guidance on how to re-configure my IP address layout without destroying the network and incurring the wrath of my wife.

Currently I am running OPNsense 25.1.9_2-amd64 on physical hardware with two internet connections

Primary is Optimum Fiber [wan], and if it goes down OPNsense should switch to the T-Mobile internet gateway [opt1] until Optimum comes back.

Optimum is giving me a 173.3.X.X address and T-Mobile is assigning 192.168.12.X, so while neither is using CGNAT, I think the 192.168 network should not be used for my internal devices.

I currently have ISC DHCPv4 setup with a Subnet of 10.1.0.0 and using a mask of 255.255.0.0 and a single pool of 10.1.1.10 to 10.1.1.245

Right now I am mapping each known MAC to a static IP in the following ranges:

10.1.1.10 - 10.1.1.254 assigned to physical network hardware
10.1.2.1  - 10.1.2.254 assigned to wired computers
10.1.3.1  - 10.1.3.254 assigned to the wireless interfaces of the same computers; for example, if my Dell Laptop 1 is 10.1.2.5 when connected over Ethernet, it is 10.1.3.5 when connected to Wi-Fi
10.1.4.1  - 10.1.4.254 printers
10.1.5.1  - 10.1.5.254 my IoT devices


I know that my range is too messy and too large and I want to pare it back. I have upgraded all my switches to managed ones so I can implement VLANs.

I am going to want to have the following VLANs unless there are better ideas. I am going to use letters to identify each VLAN, although I know they are assigned by numbers.

VLAN A is for my personal computers that I have full management over; they can access any of my personal devices, including printers and my NAS.
VLAN B is for the printers; they should only be accessible from devices on my local network.
VLAN C is for my smart devices, which should not talk to any of the systems in VLAN A.
VLAN D is for identified guests; they should only have access to the internet and printing.
VLAN E is for systems connected to my network that I have not identified and assigned to A-D.

If more information is needed, please ask.

VLANs will be better than what you have, or creating physical networks. If you have spare ports on your OPN device that you can plug a switch (not even a managed one required) into, that is a new network, separate from the others.
Going the VLAN route, if you only need up to 250 IPs in the range (leaving aside technicalities of network IP, broadcast, etc.), then a class C is good, i.e.:
VLAN A - 192.168.10.0/24
VLAN B - 192.168.20.0/24
etc.
All I would do, to avoid future VPN troubles, is avoid the usual ranges 192.168.0.0/24 and 192.168.1.0/24 and use 10 or another unusual value for that third number.

Let me give some more background

The OPNsense system is upstairs and it has 4 Ethernet ports
ETH 0 goes to the ONT
ETH 1 goes to a managed switch
ETH 2 goes to the T-Mobile home internet
ETH 3 is unconnected

The managed switch it is plugged into feeds into my basement switch which is also managed.

That switch feeds a few computers and the solar inverter monitor. That switch also branches out to a managed switch in my wife's office and the living room, where my AP is located.

There are 4 managed switches in all

Thanks for the help

If I understand it correctly, then ETH0 is your WAN. But ETH2 is also a WAN? I don't know what "T-Mobile home internet" is, but from the sound of it, I imagine it is an ISP router/modem combo-type thing. If yes, then you are on a multi-WAN setup. That's fine, but it is an important part of the setup.
That out of the way then you could lay another cable from ETH3 but you can also use VLANs on ETH1 as you are thinking. Makes sense.
 

This seems like a pretty standard setup that you are proposing. If you ask 10 different network engineers, you'll probably get slightly different nuances between them. For me, I like having a dedicated network management vlan. This would be your default or native vlan between switches and firewall. This would be the address range to assign your managed switches and Opnsense. I threw my Aruba cluster APs on the network management scope also, since I didn't feel a need to have them on their own AP management vlan. I would also suggest a server vlan since you mentioned having a NAS. I run a couple of other servers (like Plex), so I created a vlan for just servers. My old Dell R210 (this runs my Opnsense) only has 2 ethernet ports, so I had to build all vlans under 1 port, but for home use and even small/medium office use 1Gb is plenty of bandwidth. You can get fancy and create a link aggregate (lagg) in Opnsense with eth1 and eth3 using LACP and then create a port-channel (or linkagg, depending on what vendor terminology you prefer) on the switch. That will give you 2Gb bandwidth for all vlans to route between one another if you feel like getting fancy. Again, 1Gb would be plenty, but since you have an unused port I threw that out there.

As for address space, your proposed 10.1.x.x as a /24 should suffice, unless you have more than 254 devices going into that vlan. In which case, I would suggest a 10 number like cookiemonster proposed, so that if you need to extend a vlan's address range you can easily do so without running into the next one. For example:
vlan 1 = 10.1.1.0/24
vlan 2 = 10.1.2.0/24

If you ever needed to extend vlan 1 to a /23, that address space would interfere with vlan 2. If you did this:
10.1.10.0/24
10.1.20.0/24

You would be able to extend your vlan's subnet without interference. Just thoughts for future proofing.

Also remember that when creating your policies, think of the vlan just like an interface. Traffic coming in on vlan 1 is just like traffic coming in on a physical eth 1 interface.

I set mine up like this:
vlan 10 = network management 10.4.10.0/24
vlan 20 = servers 10.4.20.0/24
vlan 30 = hard wired PCs 10.4.30.0/24
vlan 40 = printers 10.4.40.0/24
vlan 50 = private wifi 10.4.50.0/24
vlan 60 = guest wifi 10.4.60.0/24

I didn't have to create vlan 10 on Opnsense since this is my native/default vlan - I just assigned IP 10.4.10.1 to my LAN-facing port. I then created all vlans on the switches and used vlan 10 as the default/native on the uplink to the Opnsense server and on each switch-to-switch uplink.

Good luck with your new build out!
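As an added example (not code from this thread or from OPNsense), here is the overlap-and-headroom check that both addressing suggestions above argue for: cookiemonster's stepped third octet and the 10.1.1.0/24-versus-10.1.10.0/24 comparison. It uses Python's ipaddress module, models "growing" a /24 as absorbing the /24 directly above it and rounding up to an aligned prefix, and the RESERVED list is constructed from ranges the thread mentions (the T-Mobile gateway's 192.168.12.x and the two ranges to avoid for VPN use).

```python
from ipaddress import IPv4Network, ip_network

# Ranges the plan must stay clear of (constructed from the thread: the
# T-Mobile gateway's LAN and the two "usual" ranges to avoid for VPN use).
RESERVED = [ip_network(n) for n in
            ("192.168.12.0/24", "192.168.0.0/24", "192.168.1.0/24")]


def grown_block(net: IPv4Network) -> IPv4Network:
    """Smallest aligned prefix holding `net` plus the block right above it.

    Models "this /24 ran out of addresses": take the neighbouring /24 too,
    then round up to a prefix that can actually be routed.
    """
    next_addr = net.broadcast_address + 1
    grown = net
    while next_addr not in grown:
        grown = grown.supernet()
    return grown


def check_plan(vlans: dict, reserved=RESERVED) -> list:
    """Return human-readable problems; an empty list means the plan is clean."""
    nets = {name: ip_network(cidr) for name, cidr in vlans.items()}  # strict: rejects host bits
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for r in reserved:
            if nets[a].overlaps(r):
                problems.append(f"{a} {nets[a]} overlaps reserved {r}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
        bigger = grown_block(nets[a])
        for b in names:
            if b != a and bigger.overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} cannot grow to {bigger} without hitting {b} {nets[b]}")
    return problems


# Adjacent /24s, the "vlan 1 = 10.1.1.0/24, vlan 2 = 10.1.2.0/24" layout.
TIGHT = {"vlan1": "10.1.1.0/24", "vlan2": "10.1.2.0/24"}
# Third octet stepped by ten, as both replies suggest.
SPACED = {"vlan10": "10.1.10.0/24", "vlan20": "10.1.20.0/24"}

if __name__ == "__main__":
    for label, plan in (("tight", TIGHT), ("spaced", SPACED)):
        print(label + ":", check_plan(plan) or "ok")
```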