IP Plan

Avoid the most common default, 192.168.1.0/24, when you expect to use VPNs. It often conflicts with hotels, offices, and ISP routers.

Example small homelab plan:

192.168.10.0/24  trusted clients
192.168.20.0/24  IoT and media devices
192.168.30.0/24  servers and NAS
192.168.40.0/24  guest Wi-Fi
192.168.99.0/24  network management

Gateway convention: .1
Infrastructure reservations: .2 through .49
Dynamic DHCP pool: .50 through .240
Spare room: .241 through .254

Use home.arpa for local names. It is reserved for home networks and avoids the leakage/conflict problems of ad hoc names like home.lan.

nas.home.arpa
pihole.home.arpa
gateway.home.arpa
switch-01.home.arpa

DHCP And DNS

• Use DHCP reservations for anything you SSH into, bookmark, monitor, or expose as a service.
• Hand out the gateway as DNS until a local resolver is intentionally deployed.
• If using Pi-hole or another DNS filter, give it a reservation first, then point DHCP DNS options at that address.
• Keep a small static/reserved range per subnet so replacements do not collide with dynamic leases.

Cabling And Wi-Fi

• Prefer wired AP backhaul over mesh when you can run Ethernet.
• Use a PoE switch for APs and cameras if the budget allows it.
• Label both ends of each cable and keep a simple port map.
• Put the gateway, switch, DNS server, and NAS on UPS power if outages are common.

Examples

Beginner Upgrade

Goal: Keep the ISP router but stabilize a small lab.

1. Set DHCP reservations for NAS, Pi, and any SSH hosts.
2. Move local names to home.arpa.
3. Disable duplicate DHCP servers on secondary routers or APs.
4. Wire the main AP instead of relying on wireless backhaul.

VLAN-Ready Plan

Goal: Prepare for future segmentation without enabling it immediately.

1. Choose non-overlapping /24 ranges for trusted, IoT, servers, guest, and management.
2. Reserve .1 for the gateway and .2-.49 for infrastructure on every subnet.
3. Buy a gateway and switch that support VLANs and inter-VLAN firewall rules.
4. Document which SSIDs and switch ports will eventually map to each network.

Anti-Patterns

• Double NAT without a reason or documentation.
• Using 192.168.1.0/24 when VPN access is planned.
• Dynamic addresses for NAS, Pi-hole, Home Assistant, or other service hosts.
• Consumer routers repurposed as APs while their DHCP servers are still enabled.
• Flat networks with cameras, smart plugs, laptops, and servers all sharing the same trust boundary.

…

santa-method

通过双评审智能体对结果进行对抗式校验，提升输出发布前的可靠性