Colonel Panic wrote: Is there a disadvantage to changing the subnet mask to 255.255.0.0 and then having "normal" stuff on 192.168.2.xyz and IoT stuff on, say, 192.168.3.xyz? I have yet to get my head around VLANs - and know I should - so this is possibly an alternative...
You're starting to conflate two separate issues.
Re: changing the subnet to 255.255.0.0 - not really the thing to do. Sometimes in an office environment we might do 255.255.252.0 (i.e. 1024 addresses) but generally having more than a few hundred devices on the same subnet is not a good idea.
Having separate logical networks for different types of devices however may be rational. I've currently got 5: -
normal
guest - can only access the internet, nothing else
IoT - can only access the internet, nothing else
kids - like the normal network, but via a content filter - can also access the normal network
teenagers - same as 'kids' but different ruleset
If you did something like this, you might take a strategy of
normal = 10.10.0.0/24
guest = 10.10.4.0/24
IoT = 10.10.8.0/24
kids = 10.10.12.0/24
i.e. each is still a 255.255.255.0 mask, with 254 available addresses
Implicitly you're choosing 10.10.0.0/16 (e.g. mask 255.255.0.0) as the range you'll use for your internal networks. So if you were ever routing with another network, you could summarise your network as 10.10.0.0 mask 255.255.0.0. Unlikely in practice to happen in a domestic context.
For vlan think about these as logically separate wires and switches.
Each port will usually have 1 untagged VLAN associated with it, and 0 or more tagged VLANs associated with it.
Untagged simply means 'normal', i.e. the network that a normal device plugged into that port will connect to. Usually people use VLAN = 0 as the general default network, so if all your ports are configured as VLAN = 0, untagged, you've just got a 'normal' network.
But then say you want to route 3 logically separate networks over one wire to an outbuilding, you may also add two 'tagged' VLANs onto that port. e.g. VLAN = 1 and VLAN = 2.
At the other end of the wire you have another switch with the same config on it, and you've joined the two switches together for three logically separate networks.
For individual ports on both switches you can then choose which are untagged as VLAN 0, 1, or 2 and it's as if you've got 3 logically separate networks joined by one wire.
Similarly, for wireless you make an association between an SSID and a VLAN, and can have multiple logically separate SSIDs on the same hardware linking to logically separate networks.
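A worked version of the subnet point above, as an added example that is not part of the original reply: it shows why widening the mask to 255.255.0.0 puts 192.168.2.x and 192.168.3.x in one broadcast domain (no isolation at all), and computes the tightest summary route for the four /24 networks in the reply's plan (the 10.10.0.0/16 it reserves covers that summary). The network names and addresses are the ones from the reply; the function names are this example's own.

```python
"""Added example: contrast one wide 255.255.0.0 subnet with the reply's
plan of separate /24 networks under a reserved 10.10.0.0/16."""
import ipaddress

# The reply's plan: four /24 networks, 4 blocks apart (values from the post).
PLAN = {
    "normal": "10.10.0.0/24",
    "guest": "10.10.4.0/24",
    "IoT": "10.10.8.0/24",
    "kids": "10.10.12.0/24",
}


def same_broadcast_domain(host_a, mask_len, host_b):
    """True if both hosts sit in one subnet of the given mask length,
    i.e. they reach each other directly with no router or firewall in between.
    This is the isolation the quoted 255.255.0.0 idea would NOT give you."""
    net = ipaddress.ip_network(f"{host_a}/{mask_len}", strict=False)
    return ipaddress.ip_address(host_b) in net


def usable_hosts(network):
    """Usable host addresses in a subnet (network and broadcast excluded)."""
    return ipaddress.ip_network(network).num_addresses - 2


def non_overlapping(networks):
    """Sanity check for a plan: no two subnets may overlap."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def summary_route(networks):
    """Smallest single prefix that covers every network in the plan:
    what you would advertise if you ever routed with a neighbouring network.
    Shorten the prefix of the first network until all the others fit inside it."""
    nets = [ipaddress.ip_network(n) for n in networks]
    prefix = min(n.prefixlen for n in nets)
    while prefix > 0:
        candidate = nets[0].supernet(new_prefix=prefix)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
        prefix -= 1
    return ipaddress.ip_network("0.0.0.0/0")


if __name__ == "__main__":
    # Quoted idea: one /16 merges the "normal" and IoT ranges into one domain.
    print(same_broadcast_domain("192.168.2.10", 16, "192.168.3.20"))  # True
    print(same_broadcast_domain("192.168.2.10", 24, "192.168.3.20"))  # False
    print(non_overlapping(PLAN.values()), usable_hosts(PLAN["IoT"]))   # True 254
    print(summary_route(PLAN.values()))                                 # 10.10.0.0/20
```

The /20 summary is the tightest fit for the four networks listed; the reply's choice of 10.10.0.0/16 simply leaves room to add more /24s later.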