VLAN and IP address naming conventions in pfSense

I’m rebuilding my homelab network and wondering if anyone has naming and numbering suggestions. I’m not asking about what IP ranges can be used. I know about the private IP address ranges: 192.168.x.x, 10.x.x.x, and 173.whatever. But given those ranges, are there better choices to make that will make things easier when dealing with devices on the network in pfSense, such as on the DHCP Leases screen or anywhere else in pfSense?

For example, is there a particular reason to put all wifi devices specifically on a 10.x.x.x VLAN rather than a 192.168.x.x VLAN? Or save 10.x.x.x for the guest network? Or any other reason you number your VLANs the way you do? Or is it good to assign IP address reservations based on device type, like x.x.x.20 to x.x.x.39 for servers and x.x.x.40 to x.x.x.99 for desktops and laptops?

I’m not asking about technical reasons, although I’m happy to hear about them if there are any, but purely practical reasons to make life easier when managing pfSense. The sort of thing where you go “if only I had thought of this when I started” kind of advice.

And any other aspect of naming and numbering that makes life easier running pfSense in a homelab network.

I’m planning to have IP address reservations for everything that I can.

For reference, I’m running the following:

  • pfSense on an HP T620 Plus with a four port Intel Ethernet card
  • Unifi 8 port switch
  • Unifi 5 port switch
  • Unifi access point
  • Unifi controller on a Raspberry
  • TP-Link managed switch

All suggestions welcomed.

Edit: forgot to mention all subnets will be /24.

I think for home networks, many people (myself included) will make every subnet a /24 and put the VLAN number in the third decimal block, like

  • etc.

And you’re not likely to run out of addresses, as most home networks will probably not even come close to 254 hosts per subnet. The advantage I see in that schema is that by looking at an IP address, e.g. in a log, you can immediately deduce the subnet (“VLAN”) it is from.

One other interesting thing I’ve run into is network collisions with site-to-site VPNs. I’ve connected two sites which weren’t originally intended to be connected and which function more like peers rather than one being the main site and the other a branch. I’ve had to change IP ranges on one site so that all networks were unique across both sites combined.
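The site-to-site collision problem above is easy to check for before the tunnel goes up. The following is an added example, not code from anyone in this thread: it takes each site's list of prefixes and reports every pair that overlaps, including the case where one site uses a smaller prefix carved out of the other site's /24. The two site tables are constructed for the example.

```python
# Added example (not from the thread): find overlapping subnets between two sites
# before joining them with a site-to-site VPN. Both site tables are constructed.
import ipaddress
from itertools import product

SITE_A = {"VLAN10": "10.0.10.0/24", "VLAN20": "10.0.20.0/24", "VLAN50": "10.0.50.0/24"}
SITE_B = {"VLAN10": "10.0.10.0/24", "GUEST": "192.168.150.0/24", "LAB": "10.0.20.128/25"}


def find_overlaps(site_a, site_b):
    """Return [(name_a, net_a, name_b, net_b)] for every pair of prefixes that overlap.

    ip_network.overlaps() is symmetric and also true when one prefix contains the
    other, so a /25 inside the other site's /24 is reported as well.
    strict=True rejects entries whose host bits are set (typo guard for the table).
    """
    conflicts = []
    for (name_a, a), (name_b, b) in product(site_a.items(), site_b.items()):
        net_a = ipaddress.ip_network(a, strict=True)
        net_b = ipaddress.ip_network(b, strict=True)
        if net_a.overlaps(net_b):
            conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


def prefixes_are_unique(*sites):
    """True when no prefix from any site overlaps any other prefix across all sites."""
    nets = [ipaddress.ip_network(p, strict=True) for s in sites for p in s.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for name_a, a, name_b, b in find_overlaps(SITE_A, SITE_B):
        print(f"conflict: site A {name_a} {a} <-> site B {name_b} {b}")
    print("all prefixes unique:", prefixes_are_unique(SITE_A, SITE_B))
```

Run it once per site pair before building the tunnel; any line it prints is a subnet that has to be renumbered on one side, which is exactly the rework described above.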

I had intended to include in my original post that they would all be /24 subnets. Thanks for mentioning that. :man_facepalming:

I like the idea of encoding the VLAN # into the network address. Up until now, I’ve done the same sort of thing by grouping IP address reservations to make devices easier to find:

10-19 network devices (switches, APs, etc)
20-39 Management
50-79 Servers
80-99 Desktops
100-149 Wild West (everything else)
150-199 Guest
200-220 Lab Network

I was thinking of combining the two ideas by using the starting IP address of each group as its VLAN ID, which is then encoded into the subnet address:

10-19 Network devices - VLAN 10
20-39 Management - VLAN 20
50-79 Servers - VLAN 50
80-99 Desktops - VLAN 80
100-149 Wild West - VLAN 100
150-199 Guest - VLAN 150
200-220 Lab Network - VLAN 200

I’m aware that this sort of numbering approach would have issues if used at any scale.
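The payoff of the combined scheme is that an address seen in a log can be read without looking anything up. As an added example, not code from the poster, here is a small decoder for exactly the scheme laid out above: the third octet is taken as the VLAN ID, and the last octet is matched against the reservation groups from the post. The 10.0.x.0/24 site prefix and the log lines it annotates are constructed for the example.

```python
# Added example (not from the thread): decode the combined scheme from the post.
# Third octet = VLAN ID; last octet falls into one of the reservation groups.
# The group table copies the post; the sample log lines are constructed.
import ipaddress
import re

# (first host, last host, role); the VLAN ID of each group is its first host number
GROUPS = [
    (10, 19, "network device"),
    (20, 39, "management"),
    (50, 79, "server"),
    (80, 99, "desktop"),
    (100, 149, "wild west"),
    (150, 199, "guest"),
    (200, 220, "lab"),
]
VLAN_IDS = {first for first, _, _ in GROUPS}


def describe(ip_text):
    """Return {'vlan': int or None, 'role': str} for an IPv4 address under this scheme.

    vlan is None when the third octet is not one of the scheme's VLAN IDs, and
    role is 'unassigned' when the last octet falls outside every reservation group.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        return {"vlan": None, "role": "unknown (not IPv4)"}
    _, _, third, last = ip.packed          # iterating bytes yields ints
    vlan = third if third in VLAN_IDS else None
    role = next((r for lo, hi, r in GROUPS if lo <= last <= hi), "unassigned")
    return {"vlan": vlan, "role": role}


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def annotate(line):
    """Append a [VLANnn/role] tag after every IPv4 address in a log line."""
    def tag(match):
        text = match.group(0)
        try:
            info = describe(text)
        except ValueError:               # regex also matches e.g. 300.1.1.1
            return text
        vlan = f"VLAN{info['vlan']}" if info["vlan"] is not None else "VLAN?"
        return f"{text}[{vlan}/{info['role']}]"
    return IPV4_RE.sub(tag, line)


if __name__ == "__main__":
    # constructed sample lines, not real pfSense output
    for line in ("constructed: block src 10.0.150.180 dst 10.0.50.55",
                 "constructed: pass src 10.0.30.12 dst 10.0.80.81"):
        print(annotate(line))
```

Note that the groups apply inside every /24, so 10.0.50.15 reads as a network device on the server VLAN. That is consistent with the scheme (switches and APs keep the same low addresses on every VLAN), but it is worth deciding up front whether the group ranges describe the whole VLAN or only the host part, because the decoder, and anyone reading the log, will assume the latter.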

I would suggest something different for you…

You might consider using the VLAN for the network - like 11 for admin, 12 for IoT, 13 for security, etc and then in each network use IP addresses for those functions. Every VLAN x.y.11/12/13.1-20 is network, 21-30 is printers, 31-40 NAS, 101-199 DHCP range, 200-225 - device static IPs.

This way would be a network device on the IoT VLAN, while would be a network device on the admin VLAN…