I finally sorted it out properly. Two VLANs — one for wired trusted devices, one for WiFi. Here’s the design and what the subnetting decisions looked like.

The topology

The diagram above shows the full picture. Gateway handles inter-VLAN routing. Managed switch carries the trunk down from the gateway and breaks it out to access ports. Two VLANs, two subnets, one physical network.

Subnetting decisions

This is where most people just default to /24 for everything and move on. I wanted to actually think about it.

VLAN 10 — Wired (192.168.10.0/26)

The wired network has maybe five or six devices on it. A /24 would give me 254 usable addresses for a network that will never have more than ten. That’s wasteful and also lazy. A /26 gives 62 usable addresses — still plenty of headroom, and it forced me to actually calculate it instead of reaching for the default.

Block size for /26 is 64:

The desktop gets a static address near the bottom of the range. Picked deliberately — easy to remember, easy to target in firewall rules.

VLAN 20 — WiFi (192.168.20.0/24)

WiFi is a different story. Phones, laptops, tablets, guests occasionally. A /24 is reasonable here — 254 usable addresses, proper headroom. No strong reason to subnet further.

Why separate VLANs at all

The practical reason: I don’t trust the WiFi devices as much as the wired ones. A laptop connecting over WiFi is probably fine, but it’s also the network my phone is on, and guest devices when people come round. Keeping wired and WiFi separated means a problem on the WiFi side can’t directly reach the wired network without going through the gateway first — which is where the firewall rules live.

The study reason: I’m working through CCNA. Setting this up on real hardware is worth more than reading about it. Every time I check a device’s IP or look at a firewall rule, I’m reinforcing something.

What’s next

The inter-VLAN rules are still too loose — currently I’ve allowed everything between the two VLANs just to get connectivity working. Tightening those up is the next job. Eventually I want a third VLAN for IoT stuff, but one thing at a time.

The basic goal was: stop having everything on one flat network, add some segmentation, and set up a VPN so I can get back in when I’m not at home without relying on some third party service.

The setup

Running a UniFi gateway and a couple of UniFi switches and APs. Started with everything on the default network — every device, same subnet, no separation. Fine for a simple home setup, not great if you’re trying to learn networking.

The plan:

• Wired VLAN for the desktop and anything that lives on the desk
• WiFi VLAN for laptops, phones, everything wireless
• Firewall rules between them
• WireGuard VPN on the gateway for remote access

VLANs

UniFi makes VLAN setup pretty straightforward once you understand what you’re doing. Create the network, assign it to the relevant ports or SSID, done. The harder part is thinking through the addressing.

I didn’t just default to /24 for both. The wired network doesn’t need 254 hosts — there are maybe 5 devices on it. Used a /26 instead, which gives you 62 usable addresses. More than enough, and it made me actually think about the subnetting rather than just chucking a /24 at everything.

Once both VLANs were up I tested routing between them — pinged the wired desktop from the WiFi laptop. Worked. Inter-VLAN routing handled by the gateway.

WireGuard VPN

Wanted remote access without using Tailscale or any similar service. WireGuard is built into the UniFi gateway so this was the obvious choice.

The setup itself isn’t that complicated. You configure the server on the gateway, generate a client config, import it into the WireGuard app on your laptop. What’s less obvious is the DDNS piece.

Home internet connections have dynamic IPs. Your ISP can change your IP at any point. If you hard-code your home IP into the WireGuard client config and your IP changes, the VPN stops working silently — it just won’t connect and you won’t immediately know why.

The fix is DDNS — a hostname that automatically updates to point at your current IP. I set this up using ddclient running as a service, updating a Cloudflare DNS record whenever the IP changes. Now the client config points to a hostname rather than an IP and the whole thing just works even when the address rotates.

Firewall rules

This is where I spent most of the time. The main things I wanted to lock down:

• SSH access to the machines on the wired network — allowed from inside the house only, not from the internet directly, only through the VPN
• Same for remote desktop
• Nothing from the outside world should reach internal services without going through the VPN first

Getting firewall rules right requires you to actually think about source, destination, and port for each rule. “Allow SSH” is not a firewall rule. It’s a starting point for a conversation. You need to specify where it’s coming from and where it’s going.

Also found out the hard way that Windows Firewall is a separate layer from the network firewall and needs its own rules if you’re running services on a Windows machine. Spent a while confused about why things weren’t working before I realised I’d sorted the network rules but Windows was still blocking the traffic at the host level.

What I’d do differently

I’d think through the firewall rules before setting up the VLANs rather than retrofitting them afterwards. It’s easier to build the rules into the design than to add them to something that’s already running.

Also would have set up DDNS from day one rather than realising I needed it when the VPN stopped working after my IP changed.

What’s next

The inter-VLAN rules are still too permissive — anything on WiFi can reach anything on the wired network. That needs tightening up. And I want to add a proper isolated network for IoT stuff at some point, things like smart plugs and such probably shouldn’t be on the same network as everything else.

I avoided it for longer than I should have. Not because I didn’t understand the concept, I kind of got it, but when it came to actually working through questions I was slow and uncertain and kept second guessing myself. I was using subnet calculators to check my work and that was the problem, I wasn’t actually learning anything I was just verifying answers.

Eventually I just sat down with a notebook and worked through it until it stopped being scary. Here’s what actually helped.

Why calculators are the enemy (at first)

When you use a calculator you skip the part where your brain builds the model. You type in an address, get back a bunch of numbers, move on. Does nothing for you in an exam or in a real conversation with someone.

The goal with CCNA is to work through subnetting problems in your head, or at most on rough paper, at a reasonable pace. That means you need the patterns to be automatic.

The thing that made it click

Subnetting is just dividing a block of addresses into equal chunks. The prefix length tells you the chunk size. That’s it.

Once you have this table in your head the rest follows:

Each row the block size halves. Usable hosts is always block size minus 2 (one for the network address, one for broadcast).

Working through an example

Say you get given 192.168.10.0/27 and you need to list the subnets.

Block size for /27 is 32. So you just count up in 32s from .0:

• .0 to .31 — first subnet, network .0, broadcast .31
• .32 to .63 — second subnet
• .64 to .95 — third subnet

Keep going until you hit 256. You end up with 8 subnets total. You can work that out in your head in about 20 seconds once the block sizes are automatic.

Where I’m at now

Can get through most subnetting questions without reaching for anything. Still slow on some of the nastier ones. The next thing I need to get solid is VLSM — that’s where you’re carving up address space into different sized subnets to avoid wasting addresses, which is what actually happens in real networks.

Going to do a separate write-up on that once I’ve got enough reps in to explain it properly.