I want to connect some devices to the internet and have them isolated from the rest of my network. Since I also want to use PiHole, I also don't want the DNS resolution of the "outer" network to be affected.

My setup is the following:

Internet <-- ISP Router <-- Velop internal router
              ^                      ^       ^
              |                      |       |
           untrusted               PiHole    |
            server                           [other devices]

Image with the same representation

How should I configure the IP/subnet mask and default gateway to achieve this isolation?

Nice to have: the internal network to be on the 192.168.0.0/24 space.

1 Answer

Try this:

Not sure what your routers are (specifically the ISP router; sometimes these have very limited options), but these instructions can be modified if needed to suit a specific device.

Topology

Internet <-- ISP Router [ROUTER A] <-- Internal Router [ROUTER B]
              ^                      ^       ^
              |                      |       |
           untrusted               PiHole    |
            server                           [other devices]

IP Addressing / Subnetting

(Only considering IPv4)

You have 3 private IPv4 address spaces to use as per RFC1918:


10.0.0.0        -   10.255.255.255  (10.0.0.0/8, Class A)
172.16.0.0      -   172.31.255.255  (172.16.0.0/12 Class B)
192.168.0.0     -   192.168.255.255 (192.168.0.0/16 Class C)

You state you would like the internal network to use the 192.168.0.0/24 subnet. A possible problem with this is that the 192.168.0.0/16 address space is very popular, the 192.168.0.0/24 and 192.168.1.0/24 subnets even more so. If you ever want to use a VPN in the future, you may run into address conflicts.

To avoid this, I recommend either using a less-popular range within 192.168.0.0/16 such as 192.168.147.0/24, or use a subnet in another network block entirely, such as 10.50.20.0/24. For this example, I will use addresses from the Class A block (10.0.0.0/8), however you can change this if really needed.


Router A - ISP Router: Using 10.50.20.0/24 subnet.

  • LAN IP Range: 10.50.20.0
  • Subnet Mask: 255.255.255.0
  • Router LAN IP: 10.50.20.1
  • WAN interface configured according to ISP connection (Possibly auto-config via, for example, PPPoE)

Devices connected to Router A (Untrusted Server) should have an IP in the 10.50.20.0/24 range, subnet mask of 255.255.255.0 and default gateway of router A (10.50.20.1).

Router B - Internal Router: Using 10.50.30.0/24 subnet.

  • LAN IP Range: 10.50.30.0
  • Subnet Mask: 255.255.255.0
  • Router LAN IP: 10.50.30.1
  • WAN interface with an IP from Router A's LAN range, such as 10.50.20.2, subnet mask of 255.255.255.0, default gateway of router A (10.50.20.1).

Devices connected to Router B (PC, phone, PiHole server, etc.) should have IPs in the 10.50.30.0/24 range, subnet mask of 255.255.255.0 and default gateway of router B (10.50.30.1).

Internal devices can have DNS set to the PiHole server, whereas devices in the untrusted zone can use regular DNS (such as 1.1.1.1 or ISP-provided).

Additionally, you may be able to use a single router which supports multiple segregated networks, however if you have the hardware, the above setup should work well.

M_D
  • 582
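A small check script for the addressing plan in the answer above, added here as an example (it is not the answerer's code). It encodes the two subnets from the answer (10.50.20.0/24 behind router A, 10.50.30.0/24 behind router B), confirms they are RFC 1918 ranges that do not overlap, verifies that router B's WAN side sits on router A's LAN and points at router A, checks each device's IP/mask/gateway for consistency with the zone it lands in, and reports which of the plan's subnets would collide with a VPN range such as 192.168.0.0/24. The host addresses (.50, .10, .20) and all function names are constructed for the example.

```python
import ipaddress

# The three RFC 1918 private ranges listed in the answer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Addressing plan from the answer. The individual host addresses (.50, .10, .20)
# are constructed sample values; everything else matches the answer.
PLAN = {
    "router_a": {"lan": "10.50.20.0/24", "lan_ip": "10.50.20.1"},
    "router_b": {"lan": "10.50.30.0/24", "lan_ip": "10.50.30.1",
                 "wan_ip": "10.50.20.2", "wan_gateway": "10.50.20.1"},
    "hosts": {
        # name: (ip, subnet mask, default gateway)
        "untrusted-server": ("10.50.20.50", "255.255.255.0", "10.50.20.1"),
        "pihole":           ("10.50.30.10", "255.255.255.0", "10.50.30.1"),
        "laptop":           ("10.50.30.20", "255.255.255.0", "10.50.30.1"),
    },
}


def is_rfc1918(cidr):
    """True if the given CIDR lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_host(ip, mask, gateway):
    """Return a list of problems with one device's IP / mask / gateway triple."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net, host, gw = iface.network, iface.ip, ipaddress.ip_address(gateway)
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    if gw == host:
        problems.append(f"{ip} uses itself as gateway")
    return problems


def zone_of(ip, plan):
    """Name the zone an address lands in: router B's LAN is 'internal',
    router A's LAN is 'untrusted', anything else is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(plan["router_b"]["lan"]):
        return "internal"
    if addr in ipaddress.ip_network(plan["router_a"]["lan"]):
        return "untrusted"
    return "unknown"


def check_plan(plan):
    """Validate the whole double-router plan; an empty list means it is consistent."""
    problems = []
    a = ipaddress.ip_network(plan["router_a"]["lan"])
    b = ipaddress.ip_network(plan["router_b"]["lan"])
    for net in (a, b):
        if not is_rfc1918(str(net)):
            problems.append(f"{net} is not an RFC 1918 range")
    # Router B routes between its LAN and router A's LAN; they must be disjoint.
    if a.overlaps(b):
        problems.append(f"{a} and {b} overlap; router B cannot route between them")
    # Router B's WAN interface lives on router A's LAN and uses router A as gateway.
    rb = plan["router_b"]
    problems += [f"router B WAN: {p}"
                 for p in check_host(rb["wan_ip"], a.netmask, rb["wan_gateway"])]
    if ipaddress.ip_address(rb["wan_gateway"]) != ipaddress.ip_address(plan["router_a"]["lan_ip"]):
        problems.append("router B's WAN gateway is not router A's LAN IP")
    # Every device must be self-consistent and point at the router of its own zone.
    for name, (ip, mask, gw) in plan["hosts"].items():
        problems += [f"{name}: {p}" for p in check_host(ip, mask, gw)]
        expected = rb["lan_ip"] if zone_of(ip, plan) == "internal" else plan["router_a"]["lan_ip"]
        if gw != expected:
            problems.append(f"{name}: gateway {gw} should be {expected} for its zone")
    return problems


def conflicts_with(plan, remote_cidr):
    """Subnets of the plan that overlap a remote network, e.g. a VPN's address range."""
    remote = ipaddress.ip_network(remote_cidr)
    return [n for n in (plan["router_a"]["lan"], plan["router_b"]["lan"])
            if ipaddress.ip_network(n).overlaps(remote)]


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN) or "none")
    print("collides with 192.168.0.0/24:", conflicts_with(PLAN, "192.168.0.0/24") or "none")
    print("collides with 10.50.0.0/16:", conflicts_with(PLAN, "10.50.0.0/16"))
```

Running `check_plan` on the plan as written returns no problems; swapping the untrusted server's gateway for router B's LAN IP (10.50.30.1) makes it flag both the gateway being outside 10.50.20.0/24 and the zone mismatch, which is exactly the misconfiguration that would quietly break the isolation the question asks for. The `conflicts_with` check is the concrete form of the answer's VPN warning: 192.168.0.0/24 does not collide with the 10.50.x.0/24 plan, while a VPN handing out 10.50.0.0/16 would collide with both subnets.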