Networking best practices

    I find myself with a first-world problem where I have almost 200 devices on my network. I have cameras, computers, iPads, Sonos, Nests, Global Caches, TVs, Rokus, A/V receivers, Z-Nets (now 3), Wi-Fi nodes, Russound, phones, etc...

    I have several switches - they are constantly flashing, which tells me there are significant broadcasts on this net which rob bandwidth. My switches are "smart" D-Links but I haven't programmed anything - no VLANs. I have a ZyXel 100 router that can have up to 4 internal channels but again, all on one.

    I have every device on a 192.168.1.X address, with 255.255.255.0 subnet mask.

    I get the feeling I can optimize my network better by creating other subnets to keep network broadcasts down - like one for video (my roku's, TV's, Sonos, Plex), one for cameras, one for other computers.

    But, the HS server needs access to other subnets to control them - for example, if I put my Russound on 192.168.3.10, HS would need to control it (and HS would be on 192.168.1.10) - I suppose I can get other EN adapters to communicate to other subnets on the HS server. Right now, my HS server has only 1 EN adapter.

    With that said, I am thinking of changing my subnet mask to 255.255.0.0 and using
    192.168.1.X for iPads, computers, phones
    192.168.2.X for video
    192.168.3.X for audio
    ...

    My thought is that with a subnet mask of 255.255.0.0 everything can talk to each other without needing a bridge. But, I don't know if that would keep the broadcasting down. My goal is to keep things contained so as not to rob bandwidth from others.

    So, any suggestions on best practices on how to optimize my home network? I could be overthinking this and not get any benefit with this change.

    Thanks!

    #2
    Are you getting many collisions? Packets not received.

    In Homeseer Network Setup, you can list subnets...
    Additional Local Subnets, Comma Separated
    Blair

    HomeSeer: HS3 Pro | Blue-Iris 4 on Windows10Pro
    | Devices: 832 | Events: 211 |
    Plug-Ins: Z-Wave | RFXCOM | UltraRachio3 | Sonos
    BLLAN | BLLOCK | NetCAM | Global Cache Pro | Blue-Iris4



      #3
      Increasing your local subnet to a /16 (255.255.0.0 netmask) will simply increase the number of devices you can have on a single subnet. Since you're pushing 200 devices already, I would suggest moving to a /16 at a minimum so you don't run out of address space. This is the simplest change you can make.

      However, increasing the address space will not cut down on broadcast traffic or isolate devices from one another. It just gives you a larger space to work with. On a modern gigabit network with the typical devices that many of us have, I wouldn't really be too concerned with broadcast traffic. Broadcasts are typically a very small percentage of traffic (unlike in years or decades past, when LANs were 10 Mbps or even 1 Mbps as opposed to today's typical 1000 Mbps). The lights on your switches are indicators of activity, but not good indicators of saturation. Consider that the LAN can transmit and receive many thousands of packets per second, and the flashing LED is meant for human eyes, which are much slower.

      If you are still concerned, measure the bandwidth on your most active devices with a tool like Wireshark. If your links really are saturated, which I doubt they are, you can break it out into separate VLANs for broadcast domain separation, or even better onto different switches. But again, it's VERY rare to saturate today's switches with traffic.

      If you create multiple VLANs then you will need to implement routing between them. You can purchase rather expensive layer 3 switches and set up static routing between VLANs, or use your router to handle traffic between VLANs. At that point your router becomes a choke point for all traffic crossing VLANs.

      Long way of saying you probably don't need to go to the trouble and expense of segmenting traffic. Just increase your subnet from the current /24 (255.255.255.0) to /16 (255.255.0.0) to increase the number of available IP addresses and be done with it.
      HS Pro 3.0 | Linux Ubuntu 16.04 x64 virtualized under Proxmox (KVM)
      Hardware: Z-NET - W800 Serial - Digi PortServer TS/8 and TS/16 serial to Ethernet - Insteon PLM - RFXCOM - X10 Wireless
      Plugins: HSTouch iOS and Android, RFXCOM, BlueIris, BLLock, BLDSC, BLRF, Insteon PLM (MNSandler), Device History, Ecobee, BLRing, Kodi, UltraWeatherWU3
      Second home: Zee S2 with Z-Wave, CT101 Z-Wave Thermostat, Aeotec Z-Wave microswitches, HSM200 occupancy sensor, Ecolink Z-Wave door sensors, STI Driveway Monitor interfaced to Zee S2 GPIO pins.
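Added example (my own script, not something posted in this thread or shipped with HomeSeer): the measurement #3 suggests, done on the field output Wireshark/tshark can export instead of reading switch LEDs. The capture lines below are constructed to exercise each case and are not from anyone's network; the tshark field list in the comment is an assumption about how you would export them. The last function shows in code what widening the mask does and does not change for the HS/Russound pair from the first post.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Constructed sample in the shape of
#   tshark -r home.pcapng -T fields -e frame.len -e eth.dst -e ip.dst
# These nine frames are made up to exercise each class; they are not a
# capture from the poster's network.
SAMPLE_CAPTURE = """\
1514 00:11:22:33:44:55 192.168.1.20
1514 00:11:22:33:44:55 192.168.1.20
1514 00:11:22:33:44:55 192.168.1.20
1514 00:11:22:33:44:55 192.168.1.20
342 ff:ff:ff:ff:ff:ff 192.168.1.255
60 ff:ff:ff:ff:ff:ff 255.255.255.255
60 ff:ff:ff:ff:ff:ff
206 01:00:5e:7f:ff:fa 239.255.255.250
1514 a4:5e:60:11:22:33 192.168.1.77
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def classify_frame(dst_mac: str) -> str:
    """Return 'broadcast', 'multicast' or 'unicast' for one frame.

    The switch floods on the layer-2 address alone: ff:ff:ff:ff:ff:ff and
    any group MAC (I/G bit set in the first octet, e.g. 01:00:5e:.. for
    IPv4 multicast, 33:33:.. for IPv6) go to every port in the VLAN no
    matter what IP subnet mask the hosts use.
    """
    mac = dst_mac.lower()
    if mac == BROADCAST_MAC:
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:
        return "multicast"
    return "unicast"


def parse_capture(text: str) -> list:
    """Parse 'len dst_mac [dst_ip]' lines; ARP frames have no IP column."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        dst_ip: Optional[str] = parts[2] if len(parts) > 2 else None
        frames.append((int(parts[0]), parts[1], dst_ip))
    return frames


def summarize(text: str) -> dict:
    """Bytes and frame counts per class, plus the flooded share in percent."""
    bytes_by_class: Counter = Counter()
    frames_by_class: Counter = Counter()
    for length, dst_mac, _dst_ip in parse_capture(text):
        kind = classify_frame(dst_mac)
        bytes_by_class[kind] += length
        frames_by_class[kind] += 1
    total = sum(bytes_by_class.values())
    flooded = bytes_by_class["broadcast"] + bytes_by_class["multicast"]
    return {
        "bytes": dict(bytes_by_class),
        "frames": dict(frames_by_class),
        "flooded_pct": round(100.0 * flooded / total, 1) if total else 0.0,
    }


def same_subnet(host_a: str, host_b: str, prefixlen: int) -> bool:
    """True when both hosts sit in one IP subnet of the given prefix length.

    Changing the mask changes only this answer: with /24 the two hosts
    below need a router, with /16 they ARP for each other directly. In
    both cases they sit in the same VLAN, so every broadcast still reaches
    both; a wider mask adds addresses, it does not split the flood domain.
    """
    net_a = ipaddress.ip_interface(f"{host_a}/{prefixlen}").network
    return ipaddress.ip_address(host_b) in net_a


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
    for plen in (24, 16):
        print(f"/{plen}: HS 192.168.1.10 and Russound 192.168.3.10 same subnet?",
              same_subnet("192.168.1.10", "192.168.3.10", plen))
```

Run it against a real export from a span/mirror port for a few minutes of normal use; the flooded share on a home gigabit LAN is normally in the low single digits, which is the "very small percentage" #3 refers to. If one device's broadcasts dominate the count, that device is the thing to fix, not the mask.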



        #4
        I would not recommend creating multiple subnets. I would not be worried about broadcasts either. If you want to isolate your network-intensive stuff like media players and servers, the easiest way is to place the devices with the heaviest streaming on a single switch, isolating the traffic from the rest of your network (automatically).

        tenholde



          #5
          Great information - I am not going to add this overhead and go for the /16 option as suggested.

          Sorry for the long delay - was offline for a bit longer than I planned.



            #6
            Michael



              #7
              Give me a sec, I will outline my config, it may be helpful.





                #8
                HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



                  #9
                  Drink the Kool-Aid!!!!!
                  HW - i5 4570T @2.9ghz runs @11w | 8gb ram | 128gb ssd OS - Win10 x64

                  HS - HS3 Pro Edition 3.0.0.435

                  Plugins - BLRF 2.0.94.0 | Concord 4 3.1.13.10 | HSBuddy 3.9.605.5 | HSTouch Server 3.0.0.68 | RFXCOM 30.0.0.36 | X10 3.0.0.36 | Z-Wave 3.0.1.190

                  Hardware - EdgePort/4 DB9 Serial | RFXCOM 433MHz USB Transceiver | Superbus 2000 for Concord 4 | TI103 X-10 Interface | WGL Designs W800 RF | Z-Net Z-Wave Interface



                    #10
                    I had an episode last week when watching a movie on Kodi and saw a Roku pop up advertising the movie I was watching.
                    Last edited by Pete; December 6, 2017, 04:04 PM.
                    - Pete

                    Auto mator
                    Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
                    Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
                    HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

                    HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
                    HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

                    X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



                      #11
                      Heck, I'm German and don't even drink beer!

                      Seriously - 200 devices, of which a majority are configured by the manufacturer in an "insecure" manner where admin, full control, or full Internet access is required to operate. Probably riddled with versions of Java (or whatever) that are completely outdated and unpatched.

                      A few years ago I was at a security conference and the speaker went insane about Android devices... Then he stated that all you Apple folks think that you're better off? NOT... Why does iOS trust root certificates from the University of Athens? Just doesn't seem right, does it?

                      Anyways... You know where I am coming from. Welcome to "Internet of Things"... My apologies to anyone I may have offended.

                      For the folks that didn't understand my point above: you want to isolate devices in such a manner that protects your interests the best. Don't trust the vendors that provide you these devices. Use the common-sense risk model based on the level of risk you want to accept. Yes, you, as you're accepting the risk by connecting the devices. Read the terms of agreement.

                      Originally posted by TeleFragger:
                      Drink the Kool-Aid!!!!!
                      Last edited by Krumpy; December 6, 2017, 06:28 PM.



                        #12
                        Well, I want to stand up my own security video monitoring system as well. I don't like cloud products (skybird, Ring, Arlo, etc.) because:
                        1. They save to the cloud where I don't have control over who accesses my recordings.
                        2. This traffic has to span my WAN connection, so the feeds will consume some of my ISP connection.

                        Additionally, my ISP does limit me to 1024 GB of data. I could pay $50 more for the "swindeal" of unlimited usage, or I could take measures to limit my activity. NOTE: I came close to consuming the full 1024 GB back in July and August (966 GB) and have since put in stricter enforcement to stop ad-based traffic, DNS, NTP. I have also taken a more proactive approach to patching in order to reduce WAN-based traffic for patches.

                        Personally, now that I have a good managed PoE switch, I am ok with spending what would be 9 months of unlimited access ($450) if it means I can forgo the "swindeal" charge for unlimited usage of the service I already pay for. Here, I already have a NAS and don't mind adding more drive space and building an NVR server.

                        I too am leery of IoT devices but understand that they are not likely going anywhere. I divide IoT devices by what network access they require. There are IoT devices that need:
                        1. Internet access only
                        a. An example of this would be an Amazon Dot or an irrigation system.
                        2. Local access only
                        a. An IP camera system that has a local LAN for recording video/audio feeds.
                        3. Internet and local access.
                        a. Home automation systems, home alarm systems, smart TVs (if you want to stream to them from your Wi-Fi connected phone or you want DLNA access), and media center systems.

                        I approach access to the public Internet as: grant it only if absolutely necessary. If a device does not need access to the big I, I don't give it access to the big I. Conversely, if a device needs access to the big I but not the internal network, I will give it exactly that. The biggest risk is devices that need both Internet access and local LAN access.

                        Here I have 4 main components of my network infrastructure and run 4 separate VLAN networks:
                        VLAN 1: Network equipment only.
                        VLAN 2: Internal network (all clients and servers).
                        VLAN 192: will be used for IP security cameras.
                        VLAN 172: Internet only access and access to reverse proxy. Commonly known as, Guest Internet access.

                        See the network diagram below.

                        Additionally, each VLAN gets a separate /24 subnet, which allows for some 254 possible nodes per subnet. I allow for dynamic routing between VLAN subnets and use ACL rules to block inbound traffic between my internal secured network and my security camera and guest VLANs (see table below).

                        For security, only the firewall and the management switch port are allowed to have access to all VLANs. All other network equipment only has an IP address on the network infrastructure VLAN subnet but can forward data for the other VLANs. This reduces the risk of attack from my security camera and guest subnets.

                        Here, I also port-isolate downlink switch ports (in my case to the wireless AP), guest network switch ports, and IP camera switch ports (once deployed). I also suppress broadcast and multicast traffic on all my Wi-Fi networks. On my guest network I have guest isolation enabled. Be careful suppressing multicast and broadcast traffic as this will break some network services (ex: Bonjour).

                        Lastly, I deny DNS requests to the public Internet except from the DNS server on my firewall. All DNS requests are then redirected to my internal DNS server. I then set up DNS blacklists on my firewall (using pfBlockerNG) to redirect resolution of DNS requests for known malicious or ad-based sources. Additionally, I have pfBlockerNG completely blocking inbound and outbound traffic to malicious or ad-based sources.
                        Last edited by Kerat; December 6, 2017, 10:57 PM.
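Added example (my own code, not Kerat's configuration or anything from pfSense/pfBlockerNG): a small Python model of the policy #12 describes, so the zone-to-zone rules, the "only the firewall reaches every VLAN" exception, the DNS redirect and the blocklist can be checked against sample connections before they are typed into a real firewall. The post gives the VLAN IDs (1, 2, 192, 172) and says each gets its own /24 but not the prefixes, so the subnets, the firewall and reverse-proxy addresses, the blocklist entry and the test flows below are all invented for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed subnets: the post names VLANs 1, 2, 192 and 172 and says each gets
# its own /24, but not which prefixes, so these are invented for the model.
VLANS = {
    "infra":    ipaddress.ip_network("10.0.1.0/24"),    # VLAN 1: network gear only
    "internal": ipaddress.ip_network("10.0.2.0/24"),    # VLAN 2: clients and servers
    "cameras":  ipaddress.ip_network("10.0.192.0/24"),  # VLAN 192: IP cameras
    "guest":    ipaddress.ip_network("10.0.172.0/24"),  # VLAN 172: Internet + reverse proxy
}
FIREWALL_IP = ipaddress.ip_address("10.0.1.1")        # assumed: pfSense, also the only resolver
REVERSE_PROXY_IP = ipaddress.ip_address("10.0.2.50")  # assumed: the one host guests may reach
# Stand-in for a pfBlockerNG IP feed: one documentation address, not a real feed.
BLOCKLIST = {ipaddress.ip_address("203.0.113.9")}

# First match wins. "*" is a wildcard. Zones are derived from the address, so
# a rule reads as "new connections from zone A to zone B".
RULES = [
    ("firewall", "*",        "*",   "*",  "allow"),  # firewall/management reaches every VLAN
    ("cameras",  "internal", "*",   "*",  "deny"),   # nothing camera-initiated gets inward
    ("cameras",  "internet", "*",   "*",  "deny"),   # cameras are "local access only" devices
    ("guest",    "proxy",    "tcp", 443,  "allow"),  # guests may hit the reverse proxy
    ("guest",    "internet", "*",   "*",  "allow"),
    ("guest",    "*",        "*",   "*",  "deny"),   # no guest access to infra or internal
    ("internal", "*",        "*",   "*",  "allow"),  # trusted side may initiate anywhere
    ("*",        "*",        "*",   "*",  "deny"),   # default deny
]


@dataclass(frozen=True)
class Flow:
    """The first packet of a new connection. Replies ride on firewall state
    and are not evaluated here, which is what lets the NVR on VLAN 2 pull
    RTSP from a camera while the camera still cannot open anything inward."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(addr: ipaddress.IPv4Address) -> str:
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet" if not addr.is_private else "unknown"


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason); action is 'allow', 'deny' or 'redirect'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Reputation check first, both directions, the way an IP blocklist is applied.
    if src in BLOCKLIST or dst in BLOCKLIST:
        return ("deny", "blocklist")
    src_zone = "firewall" if src == FIREWALL_IP else zone_of(src)
    dst_zone = "proxy" if dst == REVERSE_PROXY_IP else zone_of(dst)
    # DNS from anything but the firewall is redirected (a NAT redirect, not a
    # drop) to the internal resolver, so an IoT box with 8.8.8.8 hard-coded
    # still resolves, but only through the filtered resolver.
    if flow.dport == 53 and src_zone != "firewall" and dst != FIREWALL_IP:
        return ("redirect", str(FIREWALL_IP))
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if (r_src in ("*", src_zone) and r_dst in ("*", dst_zone)
                and r_proto in ("*", flow.proto) and r_port in ("*", flow.dport)):
            return (action, f"{r_src}->{r_dst}")
    return ("deny", "no rule")


# Constructed flows to check the policy against; none are real traffic.
EXAMPLE_FLOWS = [
    Flow("10.0.192.10", "10.0.2.20", "tcp", 445),      # camera -> internal: deny
    Flow("10.0.2.20", "10.0.192.10", "tcp", 554),      # NVR pulls RTSP: allow
    Flow("10.0.192.10", "93.184.216.34", "tcp", 443),  # camera phoning home: deny
    Flow("10.0.172.5", "10.0.2.50", "tcp", 443),       # guest -> reverse proxy: allow
    Flow("10.0.172.5", "10.0.1.2", "tcp", 22),         # guest -> switch mgmt: deny
    Flow("10.0.172.5", "8.8.8.8", "udp", 53),          # guest DNS: redirect to firewall
    Flow("10.0.1.1", "8.8.8.8", "udp", 53),            # firewall forwarder: allow
    Flow("10.0.2.20", "203.0.113.9", "tcp", 80),       # listed host: deny
]

if __name__ == "__main__":
    for f in EXAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<16} {f.proto}/{f.dport:<5} {evaluate(f)}")
```

Two things the model makes explicit that are easy to get wrong in the real rule set: the deny on camera-to-internal traffic only holds if the cameras' rule sits above any "allow established" or "allow all" rule, and the DNS redirect has to be a NAT redirect rather than a block, or devices with a hard-coded resolver simply stop resolving instead of using the filtered one.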



                          #13
                          Kerat,

                          I completely agree. While not the exact same, I have a similar configuration.



                            #14
                            Originally posted by Krumpy:
                            Kerat,

                            I completely agree. While not the exact same, I have a similar configuration.
                            I agree with you; improperly secured web services and devices on an internal LAN are what led to the last few major business data breaches. It should be more alarming to consumers than it is. Hell, I am a network guy that ended up giving in and doing what I do at work at home because of how alarming it is to me.

                            On the topic of tin foil hats, the whole Big Brother is watching 1984 thing is already here and now. I finally gave in to Echo Dots (even though they royally freak me out) once I started figuring out everything we as consumers have already freely given up... You would be surprised to see what your phone is logging sitting on your desk and turned "off", or in your hand while you facehole/twitrage/snapporn.



