Run Multiple IP Ranges on Your HOME Network

Updated: Feb 10, 2021

So you want to run a secondary IP range (subnet) at home. This really shouldn't be hard, right? If you've ever been in IT, you've noticed your work network routes multiple ranges (for your servers vs. your desktops, etc.). But... there is enterprise 'secret sauce' functionality that, for some reason, consumer networking appliances just don't make easy (or even possible) to enable.


There are many ways to ultimately get two separate ranges routing to each other, but it's entirely dependent on your setup. So I'm going to outline some of the main options out there, and go into depth on the option that actually started me down this path.


The flexible way (My Way): With a Layer 3 managed switch coming off your router

Scenario this is best for: You want a function-parity lab setup that imitates a work environment. This was my scenario.


The cost-effective way: With your existing router running custom firmware (tomato/DD-WRT/merlin)

Scenario this is best for: You want a straight-forward, easy setup and happen to have existing compatible hardware (or are willing to invest in a new router)


The manual way with device type limitations: Assigning multiple sub-interface IP's to each of your devices.

Scenario this is best for: You really want a way to keep two separate subnets, but don't have the hardware above capable of routing that traffic though


The jury-rigged way: Assign a larger /23 subnet to a range

Scenario this is best for: You actually just need a bigger IP pool because you're reaching 250+ devices on your network.



The Flexible Way: Get a layer 3 switch and set up VLANs

Get yourself a Cisco SG350 (or similar layer 3 SMB switch) and set all the ports to VLAN mode 'General' (more info on VLAN mode types here). This is a specific kind of 'home' mode that allows VLANs to communicate with each other however you want them to, with none of the restrictions, isolation or specific VLAN tagging and assignments that 'access' and 'trunk' modes bring. This is great for home users because VLANs are really overkill in a household, but the ability of a layer 3 switch to direct and forward traffic between the gateway IP's of each VLAN is exactly what we need, since most home routers can't do this themselves.


Also, for a router to be able to direct traffic to an external router/switch that has those sub-interfaces as gateways on different subnets, you must configure a static route on the primary router to send that traffic outside of itself, over to the router or switch that is aware of and capable of routing to that range. The static route's next hop must be an address on the SAME SUBNET as the primary router's own address (aka the gateway IP, like 192.168.1.1). So say you needed to send traffic to the .2.x network, the .2.x gateway was .2.250, and that same switch's IP on the .1.x side was .1.250: you wouldn't set the static route's next hop to .2.250, because 192.168.1.1 has NO ACCESS to .2.x, and a next hop has to be on the same subnet as the primary router's IP. So the static route on 192.168.1.1 would point the .2.x range at 192.168.1.250. That way it hits the switch, and the switch takes care of the request from there internally, since it knows where both 192.168.1.x and 192.168.2.x traffic belongs.


You DO NOT need to set a static route for the other side though (the switch back to the router). When you originally configure the switch's management IP you have to set 192.168.1.1 as its default gateway, so the switch already forwards ALL traffic it has no more specific route for to 192.168.1.1. So that's it. Here are the steps boiled down:

  1. Create your secondary IP range and gateway IP on a new VLAN on your layer 3 switch.

  2. Assign each port that you want talking to the others, regardless of VLAN assignment, as a 'general' port.

  3. Create a static route on your router that directs traffic to that secondary IP range over to the gateway IP you've assigned on your new VLAN on the layer 3 switch.
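The next-hop rule from step 3 is the part home router UIs let you get wrong, so here is a small forwarding-table model (added here, not from the post) using the post's constructed addressing: router 192.168.1.1/24, switch at 192.168.1.250 on VLAN 1 and 192.168.2.250 on VLAN 2. It shows why the route for the .2.x range must point at .1.250 and not .2.250, and how a directly connected subnet is delivered on-link without any gateway.

```python
import ipaddress

# Constructed addressing that follows the post: home router 192.168.1.1/24, and a
# layer 3 switch with 192.168.1.250 on VLAN 1 that is also the 192.168.2.250
# gateway of the new 192.168.2.0/24 range on VLAN 2.

def next_hop_is_valid(ifaces, next_hop):
    """A static route's next hop must sit on a subnet the device is itself
    attached to; otherwise there is no layer 2 path to hand the packet to."""
    nh = ipaddress.ip_address(next_hop)
    return any(nh in i.network for i in ifaces)

def add_static_route(table, ifaces, prefix, next_hop):
    """Append (network, next_hop), rejecting next hops the device cannot reach."""
    if not next_hop_is_valid(ifaces, next_hop):
        raise ValueError(f"next hop {next_hop} is not on a connected subnet")
    table.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

def lookup(table, ifaces, dst):
    """Forwarding decision: a connected subnet wins (delivered on-link via ARP,
    no gateway involved), otherwise the longest matching static route."""
    d = ipaddress.ip_address(dst)
    for i in ifaces:
        if d in i.network:
            return ("on-link", str(i.ip))
    matches = [(n, nh) for n, nh in table if d in n]
    if not matches:
        return ("unreachable", None)
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return ("via", str(nh))

def demo():
    router_if = [ipaddress.ip_interface("192.168.1.1/24")]
    routes = []
    # Step 3 from the post: send 192.168.2.0/24 to the switch's VLAN 1 address.
    add_static_route(routes, router_if, "192.168.2.0/24", "192.168.1.250")
    # Pointing it at the VLAN 2 gateway itself fails: 192.168.1.1 has no path to .2.x.
    try:
        add_static_route(routes, router_if, "192.168.2.0/24", "192.168.2.250")
        wrong_hop_rejected = False
    except ValueError:
        wrong_hop_rejected = True
    return {
        "to_vlan2_host": lookup(routes, router_if, "192.168.2.40"),
        "to_vlan1_host": lookup(routes, router_if, "192.168.1.40"),
        "wrong_hop_rejected": wrong_hop_rejected,
    }
```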

In summary, a subnet is layer 3 isolation. A VLAN is layer 2 isolation. And since layer 2 is the physical address layer, a physical switch (LAN) can serve as layer 2 isolation too. Hence, VLAN. A virtual LAN, for virtually imposed isolation. Same thing, you just don't need to buy a whole new switch to isolate the traffic. And allowing VLAN access to other VLANS is like connecting a physical cable between 2 physical switches.


The Cost-Effective Way: Set up a second range on your router

Here, I'm going to link you to individual router firmware procedures you may need to do to successfully assign sub-interface IP's to your applicable router. None of these are super straightforward or easy when you compare it to enterprise router built-in functions, but they can get the job done- and you won't need to invest in any new hardware if you happen to have a Tomato or DD-WRT flashable router lying around.


Tomato: http://tomatousb.org/forum/t-567153/multiple-subnets

Summary: You'll need to SSH into your router and run a command to assign your main interface a secondary address. This may be different depending on firmware revision and your device, so this post should at least send you in the right direction.


DD-WRT dual-router: https://www.ikus-soft.com/en/blog/2012-11-24-multiple-subnets-routing-with-dd-wrt/

Summary: This is for a dual router setup... so if you've got 2 DD-WRT compatible routers laying around this could be good.


DD-WRT VLANs: https://blog.flashrouters.com/2015/04/06/what-is-a-vlan-how-to-setup-vlan-ddwrt/

Summary: This is essentially just assigning VLANs (for the multiple IP ranges) through your router instead of a separate layer 3 switch like in the Flexible Way section above.



The manual way with device type limitations: Set secondary IP's per device

So this is actually really really easy if you've got Windows computers in your house.

  1. Go to Control Panel

  2. Go to Network and Sharing Center

  3. Go to Network Connections

  4. Find your NIC that you've got connected and right click>properties

  5. Double-click "Internet Protocol Version 4 (TCP/IPv4)"

  6. Click 'Advanced...' in the new window (this is only available if you've set a static IP, aka the 'Use the following IP address' option)

  7. Click 'Add...' under IP addresses, and assign a new static IP on the secondary IP range

  8. Boom. You don't even need to set a gateway IP for the second address, as the subnet mask marks that whole /24 as local, so the client talks to hosts in the new range directly on the LAN rather than through a gateway. You're done, and now you're talking to a whole new network range.

You should be able to do this on Linux boxes too, and on pretty much any 'smart' device (aka one with a Linux- or Windows-based OS).


There are plenty of limitations here, but for a quick and dirty way to talk to some of the hosts you may have already assigned to a secondary IP range, you can use a Windows PC as a 'jump box' to bridge the gap and talk to all the other machines while you set up your switch or router to be the gateway to that range for all other devices to talk to them too.


The jury-rigged way: Create a larger subnet

Simply reassign your IP pool on your router to use a /23 subnet (255.255.254.0). This allows a maximum of 512 addresses (510 usable hosts), versus the 256 (254 usable) limit of a /24 (255.255.255.0). This is an ugly way to do things, as it can lead to more congestion in your broadcast domain and isn't super easy to keep track of logistically with all those IP's being assigned on your network (especially if they're being randomly assigned by DHCP). But hey, it makes it very easy for anyone who has exhausted their 254 host limit on a /24 subnet. If you already use DHCP to assign all your hosts, you don't have to do anything manual on any device beyond that one simple change on the router.



Below are some scenarios and a mental walkthrough that may help you wrap your head around how VLANs work in practical application (in an example vSphere environment).


Scenario 1: is port mode 'access' a form of access isolation that prevents devices assigned to a specific VLAN from receiving traffic even if someone tries to send it to them?


Scenario 2: or is port mode 'access' about broadcast domains, preventing requests from the same subnet from being broadcast to a port on a different VLAN, i.e. more focused on preventing broadcast-domain packet congestion? If that were the case, then wouldn't a VLAN be the equivalent of just connecting something to a different physical switch anyway (because a switch is its own broadcast domain, but when traffic leaves a switch it enters another)?


Scenario 2 seems more logical, but scenario 1 explains what everyone always says about VLANs.


In scenario 1, if I assign an ESXi host (which has addresses and VMs on both VLAN subnets) to VLAN 2, it should theoretically prevent traffic destined for the 1st VLAN (subnet .1.x) from hitting that physical port, thereby preventing it from getting to any clients behind that port.


In scenario 2, if I assign an ESXi host (which has addresses and VMs on both VLAN subnets) to VLAN 2, it should still allow traffic to pass through to it, but only because there's a route to the gateway IP. Without a gateway, any traffic from VLAN 2 that wanted to talk to another client would be prevented from reaching it, because the switch would isolate that traffic internally even though it's sitting on the same subnet.


NOW scenario 2 seems more like what VLANs are supposed to be: a layer 2 "virtual" LAN, and a LAN is essentially a broadcast domain in itself.


Where does the isolation happen? I know it's layer 2... but in what way?


So ports don't have MAC addresses, but the devices connected to them do. But if a PORT is assigned a VLAN, then that applies to everything connected to that port, right?


Final scenario: if you had a set of switches working as a LAN, physically NOT connected to another set of switches, and both LANs were on the same subnet, you would have complete isolation between the two similar LANs simply because there is no physical connection between them... like 2 people who live in the same apartment complex but are totally unaware of each other.


So a VLAN should act like that logically, allowing you to use the same physical switches with physical connections to each other, but still preventing the two sets of traffic from knowing about each other. And each 'access' port is essentially a logical connection enabled to let those virtual switches talk to each other on that port.


What would this do though to the ESXi host scenario? If it were assigned VLAN 2 within the same VLAN-enabled switch (or set of switches), it WOULD be logically isolated from all VLAN 1 traffic (.1.x) when connected to the same local physical switch. But once traffic leaves the switch and VLANs are no longer honored, you should still have connectivity to all the other devices... making that isolation pretty pointless, but still necessary because VLAN gateway IP's are the only way for some switches to utilize sub-interfaces.


So essentially, if you assign ESXi hosts to VLAN 2, but all the .1 devices are connected through a trunk/general port that doesn't care about or know (or, technically, tag) VLAN traffic, then because VLANs are only LAYER 2, no traffic at all would be prevented from talking to VLAN 2. The only issue (I believe) might be having access to the VLAN 2 gateway IP... but again, devices that don't care about VLANs should be switched through the switch without any issue.
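To make scenario 2 concrete, here is a toy model (added here, not from the post) of a switch with access ports only: frames are tagged internally with the ingress port's VLAN, MAC learning is keyed by VLAN, and broadcasts such as ARP flood only within that VLAN. The hosts and MACs are constructed; two of them share the 192.168.1.x subnet but sit in different VLANs, and the ARP request from one never reaches the other.

```python
FLOOD = "ff:ff:ff:ff:ff:ff"  # broadcast destination, e.g. an ARP "who-has" request

class AccessSwitch:
    """Toy 802.1Q switch with access ports only: a frame entering a port is
    tagged with that port's VLAN, learning is keyed by (vlan, mac), and
    unknown-unicast or broadcast frames flood only ports in the same VLAN."""
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # {port name: vlan id}
        self.mac_table = {}            # {(vlan, mac): port}
        self.log = []                  # (in_port, vlan, dst_mac, out_ports)

    def receive(self, in_port, src_mac, dst_mac):
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port       # learn the source
        known = self.mac_table.get((vlan, dst_mac))
        if known is not None and known != in_port:
            out = [known]                                # unicast to learned port
        else:                                            # flood within the VLAN
            out = [p for p, v in self.port_vlans.items()
                   if v == vlan and p != in_port]
        self.log.append((in_port, vlan, dst_mac, tuple(sorted(out))))
        return out

def arp_reachability():
    """Constructed hosts: g1 = 192.168.1.10 (VLAN 1), g2 = 192.168.1.20 (VLAN 2),
    g3 = 192.168.1.30 (VLAN 1). g1 and g2 share a subnet, yet g1's ARP request
    is only flooded to g3; a shared subnet alone buys no connectivity."""
    sw = AccessSwitch({"g1": 1, "g2": 2, "g3": 1})
    hears_arp = sw.receive("g1", "aa:00:00:00:00:10", FLOOD)
    # g3 replies; the switch already learned g1's MAC in VLAN 1 and unicasts back.
    reply_out = sw.receive("g3", "aa:00:00:00:00:30", "aa:00:00:00:00:10")
    return {
        "arp_flooded_to": sorted(hears_arp),
        "reply_forwarded_to": reply_out,
        "vlan2_port_isolated": "g2" not in hears_arp,
    }
```

Connecting the VLANs again is the layer 3 switch's job from the Flexible Way section: a gateway address in each VLAN routes between them, which is exactly the "route to the gateway IP" scenario 2 describes.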


Helpful links to articles that can explain for different scenarios:

https://community.spiceworks.com/topic/1173360-two-subnet-lan

https://community.spiceworks.com/topic/277423-configure-dd-wrt-as-a-router

https://coertvonk.com/sw/networking/dd-wrt-heading-two-networks-asus-rt-ac68u-11717

https://serverfault.com/questions/696903/how-can-i-create-routes-between-two-separate-lans

https://www.snbforums.com/threads/different-subnets.27045/

So anyway, I hope this has helped in some way. I spent forEVER trying to track down what I thought would be a dead simple task in just introducing a secondary IP range to home networks... but clearly, this is functionality that home hardware just really doesn't do like enterprise gear does.

