[Solved] Simple network segmentation. Why is it soooo hard for newcomers?

I have 3 axes to segment: function, elevation and orientation.
Hence the abc seemed to make sense to me.

If I need to go the octet route I need math skills, which I still don't have :frowning:

You have calculators available online that allow you to break down your IPv4 subnet into smaller subnets, based on the number of devices. Look up variable-length subnet masking, or VLSM. You can start with something smaller than a /16, and break that down into smaller subnets.

Here is something that might be useful to you:


Best approach is to plan your subnets in advance (take into account that the number of devices will probably increase over time), document it and then start implementing your network based around that documentation. If you're ever in doubt, look at the documentation.
1 Like
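As an added illustration of the VLSM advice above (example code written for this page, not from the poster or from the OpenWrt project): the script carves one private block into right-sized subnets from a list of segment names and host counts, largest first so every block stays aligned, and renders the usable range of each so it can be pasted into the documentation the post recommends keeping. The segment names are borrowed from the interface names that appear later in the thread, the host counts are made up for the example, and the 10.0.0.0/16 base mirrors the thread's 10.x preference.

```python
"""VLSM planner: carve one IPv4 block into right-sized subnets by host count.

Added example for the thread above; it is not the poster's or OpenWrt's code.
"""
import ipaddress

# Constructed requirements: segment names borrowed from the thread's interface
# list, host counts made up for the example.
REQUIREMENTS = [
    ("Servers", 120),
    ("Switch_APs", 30),
    ("Trusted", 500),
    ("Guests", 60),
    ("Peripherals", 20),
    ("IOT", 200),
]


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block offers `hosts` usable addresses.

    Network and broadcast addresses are unusable, so hosts + 2 slots are needed;
    (n - 1).bit_length() is ceil(log2(n)) without floating point.
    """
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    bits = max(2, (hosts + 2 - 1).bit_length())   # /30 is the smallest usable block
    return 32 - bits


def plan_vlsm(base, requirements):
    """Allocate one subnet per (name, hosts) pair inside `base`.

    Largest requirement first: every block then starts on a multiple of its own
    size with no gaps. Returns [(name, IPv4Network)] in address order and raises
    ValueError once `base` is exhausted.
    """
    base = ipaddress.IPv4Network(base)
    cursor = int(base.network_address)
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        cursor = (cursor + size - 1) // size * size      # align to the block size
        net = ipaddress.IPv4Network((cursor, plen))
        if net.broadcast_address > base.broadcast_address:
            raise ValueError(f"{base} is exhausted while placing {name} (/{plen})")
        plan.append((name, net))
        cursor = int(net.broadcast_address) + 1
    return sorted(plan, key=lambda p: p[1])


def plan_fits(base, requirements):
    """True when every requirement can be placed inside `base`."""
    try:
        plan_vlsm(base, requirements)
        return True
    except ValueError:
        return False


def document(plan):
    """Render the plan as the table the post says to keep: name, network, usable range, size."""
    rows = []
    for name, net in plan:
        hosts = list(net.hosts())
        rows.append(f"{name:<12} {str(net):<18} {hosts[0]} - {hosts[-1]}  ({len(hosts)} hosts)")
    return rows


if __name__ == "__main__":
    for row in document(plan_vlsm("10.0.0.0/16", REQUIREMENTS)):
        print(row)
```

With the sample numbers the /16 yields Trusted 10.0.0.0/23, IOT 10.0.2.0/24, Servers 10.0.3.0/25, Guests 10.0.3.128/26, Switch_APs 10.0.3.192/27 and Peripherals 10.0.3.224/27, leaving the rest of the /16 free for growth; `plan_fits` tells you up front whether a smaller base would still hold everything.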

Thank you so much for your help. I am still confused, and this is not out of disrespect. I still am not sure why 10.a.b.c is less good than 10.0.b.c.

I am, very much so

Well, I tried to think up a counter-argument to that logic, but I couldn't come up with anything good.

I'll just say this: if your current subnet scheme allows you to split a single server room into separate subnets (for, say, prod, dev, DMZ, etc.) on a single floor, or allows two server rooms on different floors to co-exist in a single subnet in a way you can document and understand, go for it.

Just try not to lump thousands of hosts in a single subnet for performance reasons if you can help it, if your network ever gets that big.

One mistake is that you have added the gateway on every interface. Remove it.
Also, I would advise removing port 2 from VLAN 1, since it is untagged.
After you do these things, run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

```
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
```
2 Likes

Just click the image upload function in the menu bar

content removed due to considerations

If only I knew about Linux :frowning:
I am having the hardest time in the world getting the output of these statements into my clipboard.
xterm or uxterm assume prior knowledge.

Please hold on, I will plow through.

Which OS are you using?
Normally you just mark the text with your mouse and that puts it in the clipboard.

Is the problem related to your homework / assignment?
(The diagram looks professional (?) to me.)

Debian 10 with xfce4 as desktop. I am running Proxmox 6.2 (fully updated).

Using the (U)xterm terminal I have no way of copying multiline output to the clipboard.
Try as I might, I can only get the first selected line.

This is my own personal assignment to get my office in order. Long gone are the days I had homework assigned by a tutor :wink:

I see.

Use a better terminal emulator like xfce4-terminal, gnome-terminal, etc. These modern terminal emulators will allow you to copy multiple lines easily using the mouse cursor (not to mention that they are fancy and easy to use).

Or if you are hardcore and want to use the old-fashioned (U)xterm terminal, you can redirect the output to a file (or use tools like xclip).

2 Likes

thx, awesome

```
root@OpenWrt:~# ubus call system board
{
	"kernel": "4.19.79",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,rango",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r11266-34939711a5",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt SNAPSHOT r11266-34939711a5"
	}
}
```

I'll do the rest in a short while

```
root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1' # this should be 10.0.0.1 but to get things barely usable I have no option now

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3 2 1 0'
	option vid '1'

config interface 'if_Switch_APs'
	option proto 'static'
	option ifname 'eth0.10'
	option netmask '255.255.0.0'
	content removed due to considerations

config interface 'if_Servers'
	option proto 'static'
	option ifname 'eth0.20'
	option netmask '255.255.0.0'
	content removed due to considerations

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option netmask '255.255.0.0'
	content removed due to considerations
	option ifname 'eth0.30'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '30'
	option ports '5t 2t'

config interface 'if_Guests'
	option ifname 'eth0.40'
	option proto 'static'
	content removed due to considerations
	option netmask '255.255.0.0'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '40'
	option ports '5t 2t'

config interface 'if_Peripherals'
	option ifname 'eth0.50'
	option proto 'static'
	option netmask '255.255.0.0'
	content removed due to considerations

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '50'
	option ports '5t 2t'

config interface 'if_IOT'
	option ifname 'eth0.60'
	option proto 'static'
	option netmask '255.255.0.0'
	content removed due to considerations

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '60'
	option ports '5t 2t'
```

Is there any way to avoid outputting MAC addresses? The list is huge for a newcomer.

```
uci export dhcp; uci export firewall;
```

It will take me like 1 to 2 hours removing all MACs (not effectively, but I keep getting distracted by a toddler. Ohh, these corona times at play again).
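To make the two mistakes named earlier in the thread (a gateway on every interface, and port 2 sitting untagged in VLAN 1 while it is tagged in the other VLANs) checkable rather than eyeballed, here is an added example, not code from the poster or from OpenWrt, that parses a `uci export network` dump and reports them. It also flags an interface bound to `eth0.N` when no `switch_vlan` stanza carries vid N, a purely structural check; in the config above `eth0.10` and `eth0.20` would trip it. The untagged-plus-tagged port finding is a review item rather than a hard error, in line with the post that recommends removing the port from VLAN 1. The sample dump is a constructed, cut-down copy of the config above; the redacted address and gateway lines are filled with made-up values so the gateway check has something to find.

```python
"""Lint an OpenWrt `uci export network` dump for the mistakes flagged in the thread.

Added example; not the poster's configuration tooling and not part of OpenWrt.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config. The ipaddr/gateway lines
# were redacted in the thread, so the values here are made up.
SAMPLE = """
package network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3 2 1 0'
	option vid '1'

config interface 'if_Servers'
	option proto 'static'
	option ifname 'eth0.20'
	option ipaddr '10.20.0.1'
	option netmask '255.255.0.0'
	option gateway '10.20.0.1'

config interface 'if_Trusted'
	option proto 'static'
	option ifname 'eth0.30'
	option ipaddr '10.30.0.1'
	option netmask '255.255.0.0'
	option gateway '10.30.0.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '30'
	option ports '5t 2t'
"""


def parse_uci(text):
    """Turn a uci export into a list of (type, name, {key: value}) sections."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            current = (m.group(1), m.group(2), {})
            sections.append(current)
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and current is not None:
            key, value = m.group(2), m.group(3)
            if m.group(1) == "list":
                current[2].setdefault(key, []).append(value)
            else:
                current[2][key] = value
    return sections


def lint_network(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_uci(text)
    findings = []
    ifaces = [(n, o) for t, n, o in sections if t == "interface"]
    vlans = [o for t, _, o in sections if t == "switch_vlan"]

    # 1. A gateway on more than one interface: only the upstream link should carry one.
    with_gw = [n for n, o in ifaces if "gateway" in o]
    if len(with_gw) > 1:
        findings.append(f"gateway set on {len(with_gw)} interfaces: {', '.join(with_gw)}")

    # 2. Port membership: untagged in several VLANs, or untagged in one and tagged in another.
    membership = defaultdict(set)          # port -> {(vid, "t" | "u")}
    for o in vlans:
        for tok in o.get("ports", "").split():
            port, mode = tok.rstrip("t"), ("t" if tok.endswith("t") else "u")
            membership[port].add((o.get("vid"), mode))
    for port, entries in sorted(membership.items()):
        untagged = sorted(vid for vid, mode in entries if mode == "u")
        tagged = sorted(vid for vid, mode in entries if mode == "t")
        if len(untagged) > 1:
            findings.append(f"port {port} untagged in several VLANs: {', '.join(untagged)}")
        elif untagged and tagged:
            findings.append(f"port {port} untagged in VLAN {untagged[0]} but tagged in {', '.join(tagged)}")

    # 3. Interface bound to eth0.N where no switch_vlan carries vid N.
    defined = {o.get("vid") for o in vlans}
    for n, o in ifaces:
        m = re.match(r"eth0\.(\d+)$", o.get("ifname", ""))
        if m and m.group(1) not in defined:
            findings.append(f"interface {n} uses eth0.{m.group(1)} but no switch_vlan has vid {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in lint_network(SAMPLE):
        print(finding)
```

Run it against your own dump with `ssh root@router 'uci export network' | python3 lint.py` after swapping `SAMPLE` for `sys.stdin.read()`; on the constructed sample it reports the double gateway, port 2 in VLAN 1 and the undefined vid 20.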

Thanks to a search engine, I found this answer which may be helpful to you.

  1. Save the output to a file, e.g. `output.txt`
  2. Run the command `sed -E -i "s/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/AA:22:CC:44:DD:66/" output.txt`
  3. All MAC addresses in `output.txt` will then be changed to `AA:22:CC:44:DD:66`.
3 Likes
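The same substitution done in Python, as an added example and not the poster's sed command: it mirrors the regular expression above but replaces every MAC on a line, whereas `sed` without the `g` flag only rewrites the first match on each line, which matters for lines that carry more than one address. Each distinct MAC gets its own stable placeholder so the people helping can still tell two hosts apart, and globally routable IPv4 addresses are swapped for an RFC 5737 documentation address as well, since the earlier post asked for public IPs to be redacted too. The sample text is constructed and the placeholder values are arbitrary.

```python
"""Redact MAC addresses and public IPv4 addresses from a uci/dhcp dump before posting it.

Added example for the thread; not the poster's command and not an OpenWrt tool.
"""
import ipaddress
import re

# Same shape as the sed pattern above (1-2 hex digits, five colons), with word
# boundaries so IPv6 groups such as fd68:74a7 are not touched.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: two hosts, one of them appearing twice, a ULA prefix and
# one made-up public address.
SAMPLE = """\
config host
	option name 'printer'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.10'
lease 192.168.1.20 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff
	option ula_prefix 'fd68:74a7:6e62::/48'
	option wan_ip '93.184.216.34'
"""


def redact(text, placeholder="AA:22:CC:44:DD:66", keep_identity=True):
    """Replace every MAC on every line.

    keep_identity=True gives each distinct MAC its own stable placeholder
    (AA:22:CC:44:00:01, :02, ...) so hosts stay distinguishable; False maps
    all of them to `placeholder`, exactly like the sed one-liner.
    """
    seen = {}

    def sub(match):
        mac = match.group(0).lower()
        if not keep_identity:
            return placeholder
        if mac not in seen:
            n = len(seen) + 1
            seen[mac] = f"AA:22:CC:44:{n >> 8:02X}:{n & 0xFF:02X}"
        return seen[mac]

    return MAC_RE.sub(sub, text)


def redact_public_ipv4(text, placeholder="203.0.113.X"):
    """Replace globally routable IPv4 addresses; RFC 1918, loopback and link-local stay."""
    def sub(match):
        try:
            ip = ipaddress.IPv4Address(match.group(0))
        except ValueError:
            return match.group(0)          # e.g. 999.1.1.1 is not an address
        return placeholder if ip.is_global else match.group(0)

    return IPV4_RE.sub(sub, text)


def redact_all(text):
    """Apply both redactions; what comes out is safe to paste into a thread."""
    return redact_public_ipv4(redact(text))


if __name__ == "__main__":
    import sys
    sys.stdout.write(redact_all(sys.stdin.read()))
```

Usage from the desktop: `ssh root@router 'uci export dhcp; uci export firewall' | python3 redact.py > output.txt`, then paste `output.txt`. Private addresses such as 192.168.1.x are left alone on purpose, because the helpers need them to follow the subnet layout.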

```
root@OpenWrt:~# uci export firewall
package firewall
#//-- all default settings by my openwrt distro for this particular device (linksys WRT3200ACM)
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT' # not default, i changed that to accept
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

config forwarding
	option dest 'wan'
	option src 'Guest'

config forwarding
	option dest 'wan'
	option src 'GuestZone'

config forwarding # i dont remember doing this. I actually dont think I did. Is this a default of some kind?
	option dest 'wan'
	option src 'GuestFWZone'
```

Thx for this option. When thinking longer about it:

Do we really need a `uci export dhcp` output?

What in there is useful, so I can extract that?