Kea + Subnets: Seeking help from the network experts if possible

Started by hakuna, February 08, 2026, 09:29:56 AM

TL;DR: Multiple Subnets with one LAN interface

My current homelab/home network is all under 192.168.1.0/24, I know, a mess :)

I did update OPNsense; the new firewall rule is in place, and so is Kea over ISC.
I created a few subnets to organise things like: 10.19.4.0/24 for IoTs

OpenWrt is just a dumb WiFi 6 wireless router: no DHCP, no DNS, nothing, only radio.
OPNSense does everything.

I reserved my tablet under 10.19.4.0/24 but still getting 192.168.1.0/24 IP
I expected it to receive 10.19.4.0/24 and have no internet access because there are no firewall rules yet.

I don't need the complexity of VLANs.

Some reading suggests that I need to create Virtual Interfaces.
I remember creating virtual interfaces via CLI years ago when I tried VLAN for the first time.

I found some old posts that mention using the CLI to get multiple subnets, but that breaks my backup.
I have the config backup and a hardware backup: if the current box dies, plug the other one in, import the backup and voila.

So it looks like the only way to have multiple subnets with a single LAN interface is via ........ VLAN.
Other readings make me believe that the subnet should just work.

Thank you


While the underlying FreeBSD OS supports 'aliases' on network interfaces in a similar way to Linux, I'm not sure that all of the plumbing through OPNsense and Kea DHCP is in place to support it.

It would be a much better idea to use VLANs, and perhaps declare your site as 10.19.0.0/16 since you used that IP range already, and then subnet into VLANs like:

vlan0.1   [DEFAULT] 10.19.1.0/24
vlan0.2   [MGMT]    10.19.2.0/24
vlan0.10  [LAB]     10.19.10.0/25
vlan0.254 [IOT]     10.19.254.0/24
vlan0.255 [GUEST]   10.19.255.0/24

then everything will fit together nicely ;-)

Mike

Keep in mind that you need a managed switch to configure VLANs. And if wireless clients are involved, also an AP that supports multiple SSIDs.

You cannot have multiple networks on a single interface with DHCP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: miketubby on February 08, 2026, 12:08:18 PM
It would be a much better idea to use VLANs

then everything will fit together nicely ;-)



Quote from: Patrick M. Hausen on February 08, 2026, 12:16:55 PM
Keep in mind that you need a managed switch to configure VLANs.

Thank you Mike/Patrick :)

I won't try to reinvent the wheel and follow the VLAN gang as you suggested.

I was already planning to replace my unmanaged Netgear with an SFP+ one (I am building a NAS; I don't need a 10G network, but with everything going so sideways in price and HDDs already showing signs, I had better do it now before network gear gets bitten by the AI bug also :-) )


Cheers guys

Quote from: hakuna on February 08, 2026, 12:37:53 PM
I was already planning to replace my unmanaged Netgear with an SFP+ one (I am building a NAS; I don't need a 10G network, but with everything going so sideways in price and HDDs already showing signs, I had better do it now before network gear gets bitten by the AI bug also :-) )

I have a MikroTik CRS317 as my 10G core switch, which has 2 x Netgear GS728TXP, 2 x GS110TP and a GS316EP hanging off it, along with my NAS (10G interface) and my main Linux R&D box (10G interface).

I did as I suggested and use 10.xx.vv.0/24 subnets, where 'xx' is my site ID, and I keep the third octet of the IP address the same as the VLAN tag, so if 'vv' is 20 then it's on VLAN 20 - it just makes it easy to remember.

If you're dual stack and are running IPv6 with a /48, then I partition at the /49 boundary: the bottom half is outside the firewall and the top half is inside, e.g. 2001:DB8:1234:8000::/49 is inside. Then I do the same trick and use the VLAN tag in the IPv6 /64s, so 2001:DB8:1234:8020::/64 is on VLAN 20.

Keeps everything memorable.

I also look after five sites so we use different site codes and use WireGuard to link various VLANs over IPv4 or route over IPv6.

Mike
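To make the scheme from the two posts above concrete (10.<site>.<vlan>.0/24 for IPv4, and a /64 whose fourth hextet spells the VLAN tag, with the top bit set for the inside /49), here is a small Python script that derives the plan and sanity-checks it. It is an added example written for this thread, not Mike's code and not anything shipped with OPNsense or Kea. The site ID 19, the VLAN names and tags, the uniform /24 (Mike's table uses a /25 for LAB) and the 2001:db8:1234::/48 documentation prefix are assumptions chosen to mirror the posts. Note that the IPv4 half of the scheme only works for VLAN tags up to 255, since the tag has to fit in one octet; the IPv6 half works for the full 802.1Q range.

```python
"""Derive and sanity-check a VLAN-keyed addressing plan.

Added example: the site ID, VLAN tags and prefixes below are assumed values
chosen to mirror the scheme described in the thread, not a real network.
"""
import ipaddress
from itertools import combinations

SITE_ID = 19                                             # assumed: from the OP's 10.19.x.0/24 choice
IPV6_SITE = ipaddress.IPv6Network("2001:db8:1234::/48")  # documentation prefix, as in the thread

# VLAN name -> 802.1Q tag (assumed values, loosely following the suggested layout)
VLANS = {"DEFAULT": 1, "MGMT": 2, "LAB": 10, "IOT": 254, "GUEST": 255}


def ipv4_subnet(site_id: int, vlan_tag: int) -> ipaddress.IPv4Network:
    """10.<site>.<vlan>.0/24: the third octet is the VLAN tag."""
    if not 0 <= site_id <= 255:
        raise ValueError(f"site id {site_id} must fit in one octet")
    # The v4 scheme only works for tags that fit in an octet; 802.1Q allows up to 4094.
    if not 1 <= vlan_tag <= 255:
        raise ValueError(f"VLAN tag {vlan_tag} does not fit the third octet")
    return ipaddress.IPv4Network(f"10.{site_id}.{vlan_tag}.0/24")


def ipv6_subnet(site: ipaddress.IPv6Network, vlan_tag: int,
                inside: bool = True) -> ipaddress.IPv6Network:
    """/64 whose fourth hextet spells the VLAN tag's decimal digits as hex digits.

    VLAN 20 -> ...:8020::/64 on the inside half (top bit of the hextet set,
    i.e. the upper /49), ...:0020::/64 on the outside half.
    """
    if site.prefixlen != 48:
        raise ValueError("expects a /48 site prefix")
    if not 1 <= vlan_tag <= 4094:
        raise ValueError(f"VLAN tag {vlan_tag} out of 802.1Q range")
    hextet = int(str(vlan_tag), 16)          # "20" read as hex digits -> 0x0020
    if inside:
        hextet |= 0x8000                     # 2001:db8:1234:8000::/49 is the inside half
    # The fourth hextet sits at bits 79..64 of the 128-bit address.
    return ipaddress.IPv6Network((int(site.network_address) | (hextet << 64), 64))


def build_plan(site_id: int, vlans: dict,
               site_v6: ipaddress.IPv6Network = IPV6_SITE) -> dict:
    """name -> (tag, IPv4 network, inside IPv6 network)."""
    return {name: (tag, ipv4_subnet(site_id, tag), ipv6_subnet(site_v6, tag))
            for name, tag in vlans.items()}


def check_plan(plan: dict, site_id: int = SITE_ID,
               site_v6: ipaddress.IPv6Network = IPV6_SITE) -> list:
    """Return a list of problems; empty when every prefix is inside the site
    ranges and no two VLANs overlap."""
    problems = []
    site_v4 = ipaddress.IPv4Network(f"10.{site_id}.0.0/16")
    inside_v6 = list(site_v6.subnets(prefixlen_diff=1))[1]   # upper /49
    for name, (tag, v4, v6) in plan.items():
        if not v4.subnet_of(site_v4):
            problems.append(f"{name}: {v4} outside {site_v4}")
        if not v6.subnet_of(inside_v6):
            problems.append(f"{name}: {v6} outside inside half {inside_v6}")
    for (a, (_, a4, a6)), (b, (_, b4, b6)) in combinations(plan.items(), 2):
        if a4.overlaps(b4) or a6.overlaps(b6):
            problems.append(f"{a} and {b} overlap")
    return problems


if __name__ == "__main__":
    plan = build_plan(SITE_ID, VLANS)
    for name, (tag, v4, v6) in plan.items():
        print(f"vlan0.{tag:<4} [{name:<7}] {v4!s:<18} {v6}")
    print("problems:", check_plan(plan) or "none")
```

Running it prints one line per VLAN in the same shape as the table earlier in the thread, plus the inside /64 for each; the check catches the two mistakes that are easy to make by hand, a subnet that drifted outside the site's /16 or /49 and two VLANs that share a prefix. The VLAN tag itself still has to be configured on the managed switch and the AP's SSIDs, as Patrick noted; this script only derives the addressing.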

Quote from: miketubby on February 08, 2026, 02:49:57 PM
... so if 'vv' is 20 then it's on VLAN 20 - it just makes it easy to remember.... Keeps everything memorable.


I am so keeping things easy.
At a high level, this is my humble home network, but remember, as you might have noticed, I am a newbie when it comes to networking haha:

  • Sophos SG210v3: OPNSense latest, WireGuard for my GrapheneOS phone when out, all the traffic goes via the VPN
  • Lenovo miniPC01: Proxmox: Pi-Hole + Unbound recursive DNS01
  • Lenovo miniPC02: Proxmox: Pi-Hole + Unbound recursive DNS02
  • Netgear SG110: Dumb 16-port switch: Working on its replacement
  • ASUS RT-AX53U: Dumb OpenWRT AccessPoint, it provides radio only, OPNSense does everything, enforces everything with firewall

I haven't looked into IPv6 yet; for what I am running, IPv4 + mDNS is working fine.
Will look into it once I have a proper network in place; mine as it stands is a mess (1 subnet with everything).

Thanks a lot :)