Ramblings of an aging IT geek
networking

carving up a flat network without taking the house offline

A staged migration of a flat home network into VLANs, and the mistakes that made the first attempt a near-disaster.

[Image: Network cables running into a rack-mounted switch]

For years everything in the house sat on one flat /24. Laptops, servers, the telly, a worrying number of cheap IoT gadgets I'd rather not name, all on the same broadcast domain, all able to talk to everything else. It worked, in the way that a single fuse for the whole house works right up until it doesn't.

The plan was sensible: split it into VLANs. Trusted, servers, IoT, guest. Firewall between them, IoT walled off from everything except the internet, guests walled off from everything full stop. The plan was sensible. The execution, on the first attempt, was not.

Where it went wrong

My mistake was treating it as one big-bang change. I drew up the lovely diagram, configured all the VLANs and inter-VLAN rules on the firewall, retagged the switch ports, and pushed the lot in one evening.

[Image: A rack of networking equipment in a datacentre]

Within minutes I'd locked myself out of the firewall. The management interface had moved to a VLAN my laptop was no longer on, the laptop had pulled a new address from a DHCP scope that didn't yet route anywhere useful, and the only way back in was a console cable and a torch, on the floor, behind the rack, at half past eleven. My partner's view of "the wifi's down again" was, fairly, not a charitable one.

How I should have done it

Second time around I did it the boring way, one VLAN at a time, in an order that meant I never sawed off the branch I was sitting on.

  1. Create the new VLAN and its subnet on the firewall, with DHCP and firewall rules in place but no clients yet. Nothing changes for anyone.
  2. Verify routing and rules from a single test client moved onto it deliberately. Prove it works before anyone depends on it.
  3. Migrate the management network last, and only after confirming I had a working console path as a fallback.
  4. Move real devices over in small batches, watching for the ones that quietly assumed a flat network. There were a few. The networked printer, predictably, was the worst offender, and one "smart" plug simply refused to discover its hub across a subnet boundary until I relaxed a multicast rule.
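As an added illustration (not the post's own tooling), the two attempts above can be written down as plans and dry-run before touching anything: the checker below flags any step after which the admin has neither a network path nor a console to the firewall's management interface, and confirms the end-state rules keep IoT and guest limited to the internet. VLAN names, steps and the policy are constructed sample data.

```python
"""Dry-run checker for a VLAN migration plan: replays each step and flags
any step after which the admin has no path left to the firewall's
management interface. Constructed sample data, not a real firewall config."""

INTERNET = "internet"

def reachable(policy, src, dst):
    """True if src may initiate traffic to dst; same VLAN always can."""
    return src == dst or (src, dst) in policy

def isolation_violations(policy, restricted=("iot", "guest")):
    """Allowed flows that let a walled-off VLAN reach anything but the internet."""
    return sorted((s, d) for (s, d) in policy if s in restricted and d != INTERNET)

def lockout_steps(plan):
    """Return the descriptions of steps after which the admin is locked out.

    Each step records the state after it is applied: the allowed policy,
    which VLAN the management interface is on, which VLAN the admin's
    laptop is on, and whether a console path has been confirmed. A step is
    safe if the laptop can still reach management, or a console exists.
    """
    return [s["desc"] for s in plan
            if not (s["console"]
                    or reachable(s["policy"], s["admin_vlan"], s["mgmt_vlan"]))]

# Constructed end state: trusted reaches everything, the rest only the internet.
FINAL = {("trusted", v) for v in ("servers", "iot", "guest", "mgmt", INTERNET)}
FINAL |= {("servers", INTERNET), ("iot", INTERNET), ("guest", INTERNET)}

# First attempt: everything pushed at once; the laptop lands on a scope with
# no route to management and the console cable is not yet plugged in.
BIG_BANG = [
    {"desc": "push all VLANs, rules and port tags", "policy": FINAL,
     "mgmt_vlan": "mgmt", "admin_vlan": "guest", "console": False},
]

# Second attempt: build and prove each VLAN, confirm a console path, move
# management last, and only then move the laptop onto the trusted VLAN.
STAGED = [
    {"desc": "create VLANs and rules, no clients moved", "policy": FINAL,
     "mgmt_vlan": "flat", "admin_vlan": "flat", "console": False},
    {"desc": "move one test client onto trusted and verify", "policy": FINAL,
     "mgmt_vlan": "flat", "admin_vlan": "flat", "console": False},
    {"desc": "confirm console path, then move management", "policy": FINAL,
     "mgmt_vlan": "mgmt", "admin_vlan": "flat", "console": True},
    {"desc": "move the laptop and remaining devices in batches", "policy": FINAL,
     "mgmt_vlan": "mgmt", "admin_vlan": "trusted", "console": True},
]
```

Running `lockout_steps(BIG_BANG)` names the single big-bang step as a lockout, while `lockout_steps(STAGED)` comes back empty.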

The thing nobody warns you about is how many consumer devices assume the whole world is reachable on layer 2. Discovery protocols, mDNS, casting, half the IoT tat in the house: it all wants a flat network and sulks when it doesn't get one. mDNS reflection on the firewall sorted most of it, and the rest got a deliberate, narrow hole punched through the rules.

It's running properly now. The IoT VLAN can reach the internet and nothing else, which is exactly where I want a houseful of cheap microcontrollers, and the segmentation has already paid for itself in peace of mind. The lesson, which I clearly needed to relearn in person, is that you migrate a network the way you defuse a bomb. One wire at a time, and never the one you're standing on.