Are IP Segments with the same Subnet mask isolated at the basic network layer

fozzie bear

Occasional Visitor
This is a very basic newbie question so please be kind 😊

I am setting up a new router for my home network, and I want to create 4 VLANs:

  • VLAN0 - DEFAULT - 10.0.0.0/24: this will be my main secure network for my PC, laptops and server
  • VLAN1 - GUEST - 10.0.1.0/24: for guest internet access. I know from reading that selecting Guest in the setup means they are isolated from everything but the internet.
  • VLAN2 - IOT - 10.0.2.0/24: for my wireless IoT devices
  • VLAN3 - CCTV - 10.0.3.0/24: for all my CCTV cameras

Q1 Are these all different subnets even though they share the same netmask, and do they provide basic separation?

Q2 On my current ISP gateway I’m running out of IP addresses as I have numerous static IPs for devices I don’t want changing. Does each of the above have 253 separate available IP addresses?

Q3 When configuring VLANs in a router, does the DHCP server serve out IP addresses for each VLAN range as above?

The router is a TP-Link ER7212PC (I know..... but that's what I've purchased because it's got a built-in Omada controller to manage my TP-Link EAP245 access points 😊), and by default all VLANs can communicate with each other rather than being isolated.
I'm talking to TP-Link to see if I can use Gateway ACLs to block traffic from VLANs 2 and 3 to VLAN0 whilst still being able to access devices on VLANs 2 and 3 from VLAN0.

This is a home network and I'm not looking for enterprise security, just something better than my current setup where everything is on the same subnet.

Many thanks
John
 
A1 Yes. VLANs are separate networks. The IP addresses and netmasks used don't really have anything to do with that (provided they don't conflict).
A2 Yes.
A3 Usually, but I'm not familiar with your specific hardware.
 
A2. Actually no. The max number of device addresses is 254, not 253, as only 255 (all ones in binary) and 0 are reserved, and 1 thru 254 can be used.

A3. A DHCP server just dishes out IP addresses, which are best allocated in advance to MAC addresses for most clients, thus simulating fixed IP addresses without having to configure each device individually. This policy uses the DHCP host configuration information for core network documentation as well. But DHCP is like the honey badger: DHCP don't care, it will spew whatever you assign. It is a separate matter to keep VLANs/subnets properly aligned. So, you can have a single DHCP server take care of multiple VLANs/subnets as long as they are reachable to each other. Or you can run multiple DHCP instances, one for each pool of reachable VLANs/subnets (L3 VLANs being the latest, but your equipment likely does not yet support those). Lastly, consider isolating or sharing VLANs/subnets via the routing table rather than firewall rules if simple access is the only concern. Basically that is why local routing exists, and it is much simpler and more efficient than firewall rules.

Why not use 10.0.0.0/16, which I personally treat as 10.0.device_type.device_address, e.g. 10.0.0.1 is the LAN IP and gateway address, 10.0.10.3 is the third mesh router, 10.0.50.6 is the sixth indoor LED. That gives you 254x254 potential network addresses (subnets), EACH with potentially 254x254 device addresses (which I divide as 254 device_types x 254 device_addresses).

Note, as a further elaboration for a smallish network: if device_types map directly to VLAN ids or to subnet qualifiers, or better yet both to keep things in sync, you could move back to 10.0.0.0/24 and know immediately by looking at an IP address the device_type, VLAN, subnet, and the particular device, which I believe is basically what you proposed. Either way the IP addresses would remain globally unique whether you separated them into multiple VLANs or merged them back into one pool of addresses. I stick with 10.0.0.0/16 because I want more than one type on a particular VLAN or subnet, so type and VLAN/subnet are not synonymous. Don't feel that you have to get caught in Class C thinking; it's been deader than a doornail for a long time. There is no more important move in setting up a network than the policy for structuring and tracking IP addresses from the smallest to the largest network (the interplanetary Internet).
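
An added example (not code from this thread or from TP-Link) that checks the kind of plan discussed in the question and in the reply above with Python's standard ipaddress module: whether the four /24 subnets really are distinct networks despite sharing a netmask, how many host addresses each leaves for devices once the gateway address is taken, whether they all sit inside the 10.0.0.0/16 block, and whether a per-VLAN DHCP pool keeps clear of the gateway and of static reservations. The VLAN names, gateway, pool bounds and reserved addresses are constructed for the example.

```python
"""Sanity-check a home VLAN/subnet plan (added example, not the thread's code).

Assumptions: the four /24 networks mirror the original post; gateway, DHCP pool
and static reservation values below are constructed for illustration.
"""
import ipaddress
from itertools import combinations

# Constructed VLAN plan, as laid out in the question: VLAN id -> (name, CIDR)
VLAN_PLAN = {
    0: ("DEFAULT", "10.0.0.0/24"),
    1: ("GUEST", "10.0.1.0/24"),
    2: ("IOT", "10.0.2.0/24"),
    3: ("CCTV", "10.0.3.0/24"),
}


def networks(plan=VLAN_PLAN):
    """Parse the plan into ip_network objects (strict: host bits must be zero)."""
    return {vid: (name, ipaddress.ip_network(cidr, strict=True))
            for vid, (name, cidr) in plan.items()}


def overlapping_pairs(plan=VLAN_PLAN):
    """VLAN id pairs whose subnets overlap. An empty list means the subnets are
    distinct Layer 3 networks, even though every one uses the same /24 mask."""
    nets = networks(plan)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a][1].overlaps(nets[b][1])]


def usable_hosts(cidr, gateway_used=True):
    """Host addresses left for devices. A /24 has 254 host addresses (network
    and broadcast excluded); if the router takes one as gateway, 253 remain."""
    net = ipaddress.ip_network(cidr, strict=True)
    assert net.prefixlen <= 30, "network/broadcast rule does not apply to /31, /32"
    count = net.num_addresses - 2          # drop network and broadcast addresses
    return count - 1 if gateway_used else count


def all_within_supernet(supernet="10.0.0.0/16", plan=VLAN_PLAN):
    """True if every VLAN subnet is carved out of the larger block."""
    big = ipaddress.ip_network(supernet, strict=True)
    return all(net.subnet_of(big) for _, net in networks(plan).values())


def dhcp_pool_check(cidr, gateway, pool_start, pool_end, reservations=()):
    """Validate one VLAN's DHCP scope: pool inside the subnet, gateway and static
    reservations outside the dynamic pool. Returns a list of problems (empty = OK)."""
    net = ipaddress.ip_network(cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} not in {net}")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} not inside {net}")
    if start > end:
        problems.append("pool start after pool end")
    in_pool = lambda a: start <= a <= end  # noqa: E731 (small local predicate)
    if in_pool(gw):
        problems.append(f"gateway {gw} lies inside the dynamic pool")
    for r in reservations:
        ra = ipaddress.ip_address(r)
        if ra not in net:
            problems.append(f"static {ra} not in {net}")
        elif in_pool(ra):
            problems.append(f"static {ra} lies inside the dynamic pool")
    return problems


if __name__ == "__main__":
    print("overlapping VLAN subnets:", overlapping_pairs() or "none")
    for vid, (name, net) in networks().items():
        print(f"VLAN{vid} {name:8} {net}  device addresses: {usable_hosts(str(net))}")
    print("all inside 10.0.0.0/16:", all_within_supernet())
    # Constructed IOT scope: a static camera address accidentally inside the pool
    print(dhcp_pool_check("10.0.2.0/24", "10.0.2.1", "10.0.2.100", "10.0.2.200",
                          reservations=["10.0.2.10", "10.0.2.150"]))
```

The overlap check is what answers Q1 at the addressing level: four /24s with different third octets never overlap, so each is its own subnet; whether traffic may cross between them is then a routing/ACL decision on the router, not something the netmask decides. The DHCP check catches the common cause of "running out of addresses" on a small network, which is a static address landing inside the dynamic pool, so the server either hands out a duplicate or the reservation silently shrinks the pool.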
 
A2. Actually no. The max number of device addresses is 254, not 253, as only 255 (all ones in binary) and 0 are reserved, and 1 thru 254 can be used.
He asked how many addresses would be available for his devices. So it's 253 because one of the addresses would be allocated as the gateway address.

Your A3. TLDR.
 
Point. 253.

Your A3. Too bad ADHD. You know what they say about getting out of the kitchen.
 