Networking 101
authored by frederic
Overview
DirkNirkle asked me to write something about networks, kind of a 101 class in a sense. I’ll cover the basics of networking, subnetting and IP addressing, and share my opinion as to why separating your Christmas lighting network from your main network might be a good idea.
Analogy
Picture all of us standing in Dirk’s living room with drinks in hand talking about Christmas lights or football or politics or our kids. Dirk, being an observant host, noticed Jchuchla’s cup is almost empty so from across the room Dirk cups his hands around his mouth and faces Jchuchla, yells “Hey Jon, want a refill?” Jon turns his head towards Dirk and yells back, “Yeah, that would be great!”
The living room is the “network” (local area network).
All of us in the living room are “nodes”.
Dirk cupped his hands and faced Jchuchla, which means he directed his “data” toward a specific node (switched versus hub).
Dirk used Jchuchla’s name, so his “data packet” was addressed to a specific node (IP address).
Jchuchla acknowledged the “data packet” by replying to Dirk.
That is the premise of networking. Let’s go through it with more detail.
Computer networks are categorized by size and region; I’ll keep this simple and only describe the two we use most in our homes: WAN and LAN.
A local area network (LAN) is the network within our house, and a wide area network (WAN) is the network our home network connects to in order to reach the rest of the world.
Addressing & Subnetting
Everything on a network must have an address, and we mostly use an addressing scheme called IPv4, in which each address is made up of four numbers, each in the range 0-255. They’re called octets because each one is 8 bits: if you convert 0 to 8-bit binary it’s 00000000, and if you convert 255 to binary it’s 11111111. This binary conversion is important.
IPv4 networks are also scalable, and that’s what the network mask does. You might notice IP addresses are often shown with a “/” followed by a number. That number is how many bits of the four-octet IP address represent the network. Since there are four octets of 8 bits each (4 octets x 8 bits = 32 bits total), the number following the slash cannot be greater than 32.
Network: 192.168.1.0/24
Convert the IP to binary:
11000000.10101000.00000001.00000000
The “/24” means the first 24 bits of the address identify the network, and the remaining 8 bits are available for nodes. Now convert that back to decimal:
Network: 192.168.1.x, where the x represents nodes 0-255. I can have 255 nodes on this particular network.
Since each octet has 8 bits, and 24 divided by 8 is exactly 3, it might seem obvious that the first three octets are the network and the last octet belongs to the nodes. That worked out in this example, but not all networks are “/24”; they can be other sizes, which is why the conversion to and from binary is so important to do every time. Here is my pay-to-use wifi network:
192.168.240.240/28
Convert to binary:
11000000.10101000.11110000.11110000
The first 28 bits are the network, leaving only the last 4 bits (0000 through 1111) for nodes. So, converting back to decimal, the network is 192.168.240.240 and the nodes can be .240 through .255, giving us room for only 16 nodes.
Now, let’s talk about the number of nodes. On every network, we lose two addresses to network operation: the first one and the last one. So my pay-to-use wifi network only has room for 14 nodes. The first one is reserved out of habit, and the last one must be reserved because it’s the broadcast address.
The networks get even smaller once we take into consideration the network addresses assigned to the various network components:
192.168.240.240 – reserved
192.168.240.241 – router/firewall
192.168.240.242 – east-facing access point
192.168.240.243 – west-facing access point
192.168.240.244-254 – addresses available to connected devices that want to pay for wifi access
192.168.240.255 – reserved broadcast address
The result is that 11 addresses (.244-.254) are available for wifi devices.
Here’s a shorthand chart that may be useful to you (usable counts follow the “lose two” rule above):
/24  255.255.255.0    256 addresses, 254 usable
/25  255.255.255.128  128 addresses, 126 usable
/26  255.255.255.192  64 addresses, 62 usable
/27  255.255.255.224  32 addresses, 30 usable
/28  255.255.255.240  16 addresses, 14 usable
/29  255.255.255.248  8 addresses, 6 usable
/30  255.255.255.252  4 addresses, 2 usable
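If you’d rather not do the binary arithmetic by hand every time, here is an added Python example (mine, not part of the original post) that uses the standard library’s ipaddress module to work through the two networks above, regenerate the shorthand chart, and check whether a given address belongs to a network. The function names (to_binary, describe, shorthand_chart, in_same_network) are my own choices, and the sample networks are the ones from the post.

```python
import ipaddress
from typing import Dict, List, Tuple

# The two example networks from the post.
SAMPLES = ["192.168.1.0/24", "192.168.240.240/28"]


def to_binary(addr: str) -> str:
    """Render a dotted-quad IPv4 address as four 8-bit binary groups."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def describe(cidr: str) -> Dict[str, object]:
    """Compute the network, broadcast, netmask and usable range for a CIDR block.

    strict=False lets you pass a host address such as 192.168.1.40/24 and still
    get the enclosing network back.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    total = net.num_addresses
    # hosts() skips the network and broadcast addresses, i.e. the "two we lose".
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "binary": to_binary(str(net.network_address)),
        "host_bits": host_bits,
        "total": total,
        "usable": len(hosts),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
    }


def shorthand_chart(start: int = 24, end: int = 30) -> List[Tuple[str, str, int, int]]:
    """Rows of (prefix, netmask, total addresses, usable addresses)."""
    rows = []
    for prefix in range(start, end + 1):
        net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
        rows.append((f"/{prefix}", str(net.netmask), net.num_addresses, net.num_addresses - 2))
    return rows


def in_same_network(cidr: str, addr: str) -> bool:
    """True if addr falls inside the network that cidr describes."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for cidr in SAMPLES:
        info = describe(cidr)
        print(f"{cidr}: {info['binary']}  network {info['network']}  "
              f"broadcast {info['broadcast']}  usable {info['first_usable']}-{info['last_usable']} "
              f"({info['usable']} of {info['total']})")
    print()
    for prefix, mask, total, usable in shorthand_chart():
        print(f"{prefix:<5}{mask:<17}{total:>4} addresses, {usable:>3} usable")
```

Running it prints the binary form of each sample network alongside its usable range, then the /24 through /30 chart. The in_same_network helper is what a static-IP plan needs: before hard-coding 192.168.1.40 on a printer, confirm it actually sits inside the network the router serves.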
A note about static and DHCP-assigned IP addresses. Static means the IP address is hard-coded into the network node and is always the same, whereas a DHCP-assigned address is handed out by the router when the device connects and may change. With a static address your printer will always be 192.168.1.40 and your computers can find it easily; it’s always in the same spot. The same goes for Christmas controllers. Hard-coding static addresses makes configuring those controllers in your show computer that much easier. They’re always in the same spot.
Now that we have a basic foundation of networking, let’s look at our home network more specifically in the diagram below.
The IP addresses in the diagram are typical and yours might be different.
With a 192.168.1.0/24 network, losing two (.0 and .255) as reserved addresses, our home network can support up to 253 nodes. There is nothing wrong with assigning one or more of them to your Ethernet-based pixel controllers and bridges and calling that a “Christmas network”. Many of us do it that way. You can see an E1.31 pixel bridge at the bottom of the above diagram.
The green lines represent your local area network (private) and the red line represents the public connection you have to your ISP.
Isolation of Christmas Network
There are two potential problems with doing it as described above, however: bandwidth limitations (data clogs) and security.
Bandwidth
Think of bandwidth as a road or highway. In the middle of the night when there’s no traffic, one can drive very fast without any interruptions. During rush-hour, that highway is a lot like a parking lot. Networks are the same way. The bandwidth (highway) is only so big, and if you plug in too many nodes (cars) the network gets congested (parking lot).
Security
Yeah, we all have a firewall/router appliance connecting our private network to our ISP, which helps protect our privacy. Windows also has a built-in firewall that provides another layer of protection. One thing people often don’t think about is physical security.
In order to connect to our local area network, someone has to plug in, and that is severely hampered by the structure of our home: we lock our doors and windows, we have walls, etc. We defeat that physical security by running a Cat5 cable out the window to our pixel controller. It might not seem like a big deal, but remember back when you installed Windows and it asked you, “Enable File Sharing and Network Discovery?” and you enthusiastically clicked “Yes!”? Well, anyone plugging into the network jack on your front lawn can do the same, and they will see all of your computers and, potentially, all the data that’s on them.
How likely is that to be a problem? Well, back in 2013 I came home from work and found one of my neighbors sitting on my stoop with his laptop, a cup of coffee, and his cell phone. He was making cold-calls trying to set up appointments for the next day. Why was he doing that on my stoop? A truck got caught on his cable TV wire and ripped it off his house, killing his internet and phone service. He didn’t want to use my pay-per-use wifi, so he decided all on his own to help himself and unplug my Christmas lights and plug his laptop into the Ethernet jack on the front of my house.
Are you kidding me? I never imagined that scenario could happen, and thus I paid very little mind to the risk of having my private network on my lawn.
For those two reasons, security and available bandwidth, my Christmas network is now separate from my private network. You can do the very same thing by purchasing another router/firewall appliance to make the connection between the two, as in the diagram below.
This diagram looks a lot like the first one, with the addition of a router/firewall appliance forming another network. As before, the red line is the public connection to your ISP and the green is your private network. The blue lines represent your “Christmas network”.
The key to physical security is to keep the green (private) network inside the house, along with the router/firewall that connects the blue (Christmas) network. The only network that passes through the exterior walls of your home should be the blue network. Your show computer inside would plug into the blue network, probably in one of the LAN jacks typically found on the back.
Setting up that router isn’t tricky at all. On its WAN side, you’d assign an address from your existing private network; I used 192.168.1.2 in this example. Its default gateway would be the router that’s already there and connected to your ISP, which in this example is 192.168.1.1.
On the LAN side of the Christmas router, you would set up another network; in this example I used 192.168.200.0/24, with .1 assigned to the router itself, .0 and .255 reserved, and a netmask of 255.255.255.0, leaving 252 usable IP addresses for pixel controllers, bridges, the show computer, and whatever else you want to plug in on the lawn.
Out of the box, most router/firewall appliances let devices on the LAN side reach everything on the WAN side, but not the reverse. That means at this point we’ve only separated the traffic of our private network from that of our Christmas network. Now Netflix won’t interfere with pixel data, and vice versa.
But it’s not secure yet. If you were to plug your laptop into your Christmas network and type “ping 192.168.1.53”, you would be able to ping the computer at the bottom right of the diagram. That computer can’t ping any of the pixel controllers, because the firewall blocks by default traffic originating on its WAN side, which is connected to your private network.
So you must edit the default firewall rules of the Christmas router/firewall to change that behavior. Since every device you might buy is different, I can’t really give a step-by-step for all of them, so instead I’ll share the concept:
You want to create a firewall rule (or set of rules) that prevents the Christmas network from reaching any node on your private network except 192.168.1.1, the default gateway (the other router) to the public internet. Doing so isolates the networks and protects your private network, while still giving the Christmas network internet access for firmware upgrades.
If you want to take security to the next level, you can use MAC address filtering and put only your Christmas controllers’ (and show computer’s) MAC addresses in the list. That way, anything randomly plugged into your Christmas network will not have access to anything.
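Because every appliance has its own rule syntax, here is an added Python model (mine, not from the original post and not any vendor’s configuration language) of the rule set in the two preceding paragraphs: the Christmas network may reach the upstream gateway 192.168.1.1 and the internet, every other private-network node is hidden, traffic originating on the WAN side is dropped by default, and an optional MAC allow-list shuts out anything unknown plugged into the lawn jack. The Packet type, the evaluate and apply_policy functions, the allow-listed MAC values, the 192.168.200.x hosts and the 203.0.113.7 “firmware server” (a documentation-only address) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Addresses from the post: the private home LAN, the upstream router that is the
# default gateway to the ISP, and the Christmas LAN behind the second router.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
UPSTREAM_GATEWAY = ipaddress.ip_address("192.168.1.1")
CHRISTMAS_NET = ipaddress.ip_network("192.168.200.0/24")

# Constructed placeholder MACs standing in for the pixel controllers and show computer.
ALLOWED_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str


def evaluate(pkt: Packet, mac_filter: bool = True) -> Tuple[bool, str]:
    """Decide whether the Christmas router forwards this packet.

    Returns (accepted, reason). Rules are checked in order and the first match
    wins, which is how a typical appliance walks its rule list.
    """
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)

    # Rule 1: default appliance behaviour. New connections arriving on the WAN
    # side (the private network) are dropped.
    if src not in CHRISTMAS_NET:
        return False, "default deny: traffic originating on the WAN side"

    # Rule 2: optional MAC allow-list. A stray laptop gets a Christmas-network
    # address but still matches nothing below.
    if mac_filter and pkt.src_mac.lower() not in ALLOWED_MACS:
        return False, "MAC filter: source not on the allow-list"

    # Rule 3: the one private address the Christmas network may reach, so that
    # firmware updates can still get out to the internet.
    if dst == UPSTREAM_GATEWAY:
        return True, "allow: upstream default gateway"

    # Rule 4: every other private-network node is hidden.
    if dst in PRIVATE_NET:
        return False, "deny: private network is off-limits"

    # Rule 5: anything else is internet-bound and forwarded via the gateway.
    return True, "allow: forwarded toward the internet"


def apply_policy(packets: List[Packet], mac_filter: bool = True) -> List[Tuple[str, str, bool]]:
    """Run a batch of packets through the policy and return (src, dst, accepted) rows."""
    return [(p.src_ip, p.dst_ip, evaluate(p, mac_filter)[0]) for p in packets]


# Constructed traffic: the "ping 192.168.1.53" test from the post, a firmware check,
# an unknown laptop on the lawn, and a probe in the reverse direction.
SAMPLE_PACKETS = [
    Packet("02:00:00:00:00:01", "192.168.200.10", "192.168.1.53"),  # show PC -> private PC
    Packet("02:00:00:00:00:01", "192.168.200.10", "192.168.1.1"),   # show PC -> upstream gateway
    Packet("02:00:00:00:00:02", "192.168.200.20", "203.0.113.7"),   # controller -> firmware server
    Packet("de:ad:be:ef:00:01", "192.168.200.99", "203.0.113.7"),   # unknown laptop on the lawn
    Packet("02:00:00:00:00:09", "192.168.1.53", "192.168.200.20"),  # private PC -> controller
]

if __name__ == "__main__":
    for src, dst, ok in apply_policy(SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {'ALLOW' if ok else 'DROP'}")
```

The ordering matters: the gateway exception (rule 3) has to sit before the private-network deny (rule 4), because 192.168.1.1 is inside 192.168.1.0/24 and a plain deny would otherwise cut off internet access along with everything else. Whatever appliance you have, check its rule list reads in that same order after you save it.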
Hope that helps you out.