Subnet Config Question

I would like to split my network and subnet it so that my IoT devices are on a separate subnet from my home network for security reasons. I have provided a list of hardware and where I’m currently at below. My question is at the bottom.

Hardware

  • Netgate 4100 Max Firewall (multiple interfaces)
  • TP-Link TL-SG3428X 24-Port Layer 3 Switch
  • Windows 2019 Server (DNS, DHCP, NTP, etc.)
  • 2 Wireless Access Points connected to the TP-Link switch

Configuration

  • Subnet 1: 192.168.0.0/24 - Main LAN subnet (everything right now)
  • Subnet 2: 192.168.1.0/24 - New IoT subnet

Question
I have the new interface set up in the pfSense (Netgate) firewall (192.168.1.1). That port is connected to the switch (port 24). The firewall is configured to do DHCP relay to the Windows DHCP server. I have a 192.168.1.1-254 zone set up on the DHCP server.

How do I get all of the IoT devices to request DHCP from the 192.168.1.x zone when they’re all on the same network? I’m imagining I’ll need a separate WAP that is on the 192.168.1.x network, relaying to that DHCP zone or I’ll have to statically assign them, correct?
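An added example (not from the thread) that shows why the question above answers itself: a DHCP server picks the scope from the relay's giaddr, or from the subnet the broadcast arrived on, never from anything the client says. The scope addresses are the thread's own (192.168.0.0/24 LAN, 192.168.1.0/24 IoT, relay at 192.168.1.1); the packet bytes, the exclusion ranges and the server address 192.168.0.10 are constructed for illustration.

```python
import ipaddress
import struct

# Constructed scope table in the style of the Windows DHCP zones in the thread:
# the whole /24 is the scope, with an exclusion range carved out for static gear.
SCOPES = {
    ipaddress.ip_network("192.168.0.0/24"): {"pool": (1, 254), "exclude": (1, 99)},
    ipaddress.ip_network("192.168.1.0/24"): {"pool": (1, 254), "exclude": (1, 19)},
}

def build_discover(mac: bytes, xid: int = 0x1234) -> bytes:
    """Minimal BOOTP/DHCP DISCOVER header as a client broadcasts it (giaddr = 0.0.0.0)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast,
    # then ciaddr, yiaddr, siaddr, giaddr all zero.
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    # chaddr(16) + sname(64) + file(128) + DHCP magic cookie
    return hdr + mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + b"\x63\x82\x53\x63"

def relay(packet: bytes, relay_ip: str) -> bytes:
    """What pfSense's DHCP relay does on the IoT interface: bump hops, stamp giaddr."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:                      # only the first relay sets giaddr
        giaddr = ipaddress.ip_address(relay_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]

def select_scope(packet: bytes, server_iface_ip: str) -> ipaddress.IPv4Network:
    """Server-side scope choice (RFC 2131 s.4.3.1): giaddr if relayed, otherwise the
    subnet of the interface the broadcast arrived on. The client has no say."""
    giaddr = ipaddress.ip_address(packet[24:28])
    key = giaddr if int(giaddr) else ipaddress.ip_address(server_iface_ip)
    for net in SCOPES:
        if key in net:
            return net
    raise LookupError(f"no scope matches {key}")

def first_free_ip(net: ipaddress.IPv4Network, leased: set):
    """Lowest pool address that is neither excluded (static gear) nor already leased."""
    scope = SCOPES[net]
    lo, hi = scope["pool"]
    ex_lo, ex_hi = scope["exclude"]
    for host in range(lo, hi + 1):
        if ex_lo <= host <= ex_hi:
            continue
        candidate = net.network_address + host
        if candidate not in leased:
            return candidate
    return None

if __name__ == "__main__":
    pkt = build_discover(b"\xde\xad\xbe\xef\x00\x01")
    print("on LAN wire  :", select_scope(pkt, "192.168.0.10"))
    print("via IoT relay:", select_scope(relay(pkt, "192.168.1.1"), "192.168.0.10"))
```

The same DISCOVER lands in the 192.168.0.x zone when it is heard on the LAN segment and in the 192.168.1.x zone only when it arrives through the relay on the IoT interface, which is why the devices have to sit on a separate L2 segment (VLAN or separate SSID) rather than being "told" to use the other zone.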

I use VLANs and static assignments (MAC address = IP address; assigned by pfSense). Just curious: why use the Windows 2019 server for DNS, DHCP, NTP, etc. (and static assignments) when pfSense does this very well (without the overhead of Windows)?

Good morning, MaxK. It’s just preference. I run all of my IP assignments from Windows DHCP. I prefer to run a DHCP zone with an exclusion range. This allows me to statically assign all of my network gear and still allow everything else to be regular DHCP, but have it all in one place. I know the router would do the same, but I prefer AD, DNS, DHCP, iSCSI, etc. to all be in one place. I wouldn’t “put all my eggs in one basket” for an enterprise, but for home it’s fine.

One of the issues I have is that I have over 100 IP devices and I’m really trying to avoid going to static IP assignments.

For others who stumble across this post, I just contacted a networking friend of mine. I can possibly use the guest interface of my existing WAP and assign it as the wireless radio for my 192.168.1.0 subnet. I’ll give it a try and let everyone know.

What WAPs do you have? You will likely need to do some snooping to see what VLAN tag they use for the guest network if that’s your only option.

I have 2 TP-Link AX11000 WAPs currently. I’m working at the moment, so I haven’t had the chance to see if they have the option to do what I need them to do yet.

The manual says they have a guest network option, but I’d be curious if you could use it without having those running DHCP for the network.

Using a full consumer router as a WAP is usually limiting unless you can throw something like DD-WRT on them. Doesn’t look like those have that option though.

All this to say…what you really want is a full network VLAN to isolate the layer 2 traffic. That will make handling L3 stuff (like DHCP which is really more like 2.5) a lot simpler.

I was wondering if I’d have to resort to flashing OpenWRT (or similar) on them to do this.

That’s ideal, but doesn’t look like it’s an option:

https://dd-wrt.com/support/router-database/

https://openwrt.org/toh/start?dataflt[Brand*~]=tp-link

I just looked at both and the TP-Link Archer AX11000 isn’t supported for DD-WRT or OpenWRT. Bummer.

To have an effective subnet setup with two networks, you want to make sure you are using a managed switch so that you can assign VLANs to the ports you will be using to connect your access points and Ethernet-based devices through.

I.e., I have a 24-port HPE switch that has 3 VLANs: 1 is for unmanaged traffic, 2 is for the internal network traffic and 3 is for guest device network traffic. This is all managed through a MikroTik RouterBoard that has the SFP port set up as the internal management port, lan1 as the WAN for the guest network, and lan2 for guest devices (also linked to the Wi-Fi on it for guest devices to use).

In your case your IoT network would sit on VLAN 3; the VLAN ID will be assigned to the device when it’s connected to the AP and port that is being used through the switch and the DHCP host of the network.

Using a basic guest-only SSID on a router will only isolate the connected devices from the internal network and each other, as you would also want to have either a firewall forwarding rule for your Home Assistant server to see and control the devices on the second network, or at least have a dual network interface so that you can assign one port to the internal VLAN and the other port to the IoT VLAN.
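An added example (not from the thread) of the firewall half of the post above: pfSense-style per-interface, first-match, stateful rule evaluation for the LAN/IoT split discussed in this thread. The networks are the thread's own; the Home Assistant address 192.168.0.50 and the DNS server 192.168.0.10 are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.0.0/24")
IOT = ipaddress.ip_network("192.168.1.0/24")
HA = ipaddress.ip_network("192.168.0.50/32")    # constructed Home Assistant host
DNS = ipaddress.ip_network("192.168.0.10/32")   # constructed Windows DNS server

# Rules are evaluated on the interface where a flow first enters the firewall,
# top-down, first match wins, with an implicit block at the end (pfSense default).
# pfSense is stateful, so reply traffic of a passed flow needs no rule of its own.
# Entry: (action, src net, dst net, proto or "any", dst port or None).
RULES = {
    "IOT": [
        ("pass", IOT, ANY, "udp", 67),        # DHCP broadcast, picked up by the relay
        ("pass", IOT, DNS, "udp", 53),        # name resolution on the LAN DNS server
        ("block", IOT, LAN, "any", None),     # IoT may not initiate anything else to LAN
        ("pass", IOT, ANY, "any", None),      # internet access
    ],
    "LAN": [
        ("pass", HA, IOT, "any", None),       # Home Assistant may reach IoT devices
        ("block", LAN, IOT, "any", None),     # the rest of the LAN may not
        ("pass", LAN, ANY, "any", None),
    ],
}

def ingress_interface(src: ipaddress.IPv4Address) -> str:
    """Which pfSense interface sees the first packet of this flow."""
    return "IOT" if src in IOT else "LAN"

def evaluate(flow: Flow) -> str:
    """Return 'pass' or 'block' for the first packet of a new connection."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, s, d, proto, port in RULES[ingress_interface(src)]:
        if (src in s and dst in d
                and proto in ("any", flow.proto)
                and port in (None, flow.dport)):
            return action
    return "block"  # nothing matched: default deny

if __name__ == "__main__":
    for f in (Flow("192.168.1.77", "192.168.0.50", "tcp", 8123),
              Flow("192.168.0.50", "192.168.1.77", "tcp", 80)):
        print(f, "->", evaluate(f))
```

Only the LAN-side rule for the Home Assistant host opens a path into the IoT VLAN; the IoT devices themselves can reach DHCP, DNS and the internet but cannot start a connection into the LAN.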

Robert, it’s a managed switch. So realistically I’m looking at VLAN tagging an additional WAP (or likely 2 in my case to cover square footage) with the interface from the Netgate on the switch to do this properly it sounds like?

I wasn’t trying to cheap out… just hopefully avoid 4 WAPs in my home. It’ll definitely be easier that way though.

That is an option.

For cheaper than those, you could just upgrade your existing AX11000s to something like the Ubiquiti U6 Professional or U6 Enterprise (for about the same cost).

I’ve been hearing my colleagues talk about those. Any subscription costs associated or is it only the equipment cost?

Just the one time equipment cost.

Not sure if those consumer routers will give you the option to assign VLANs to the ports being used and to route Wi-Fi traffic based on the SSID being used, as it depends on the firmware and the specific model options. You would need to do a test fit-out to see if you can get it working once you plan it out based on the options you have to work with.

The general idea with setups using Ubiquiti or other similar brands is that you have a single point of management for multiple APs to push settings to, and it is easier to control what VLANs are assigned to each. It’s one reason I am using a MikroTik at the moment, since I got two of them free from a client that went into liquidation a few months back.

I’m using an RT-AX88U for my main Wi-Fi as the MikroTik only supports 2.4 GHz. The Pro model of the main router I have does support VLANs, but I would be upgrading it to one with 10GbE ports at that point when I need to upgrade it.

Also for ref, I have the following VLAN port setup on my switch:

I’m slowly re-configuring to a dedicated IoT VLAN through the MikroTik Wi-Fi once I have things working properly as I need it to, but it should give you a visual to help guide you.

Robert, I believe you’re correct. I’ve given up and have ordered 2x Ubiquiti U6 Professionals. Thank you all for your amazing assistance!


Yeah, I switched to Ubiquiti so that I could facilitate this same thing. It was worth the money IMO; working with the Ubiquiti hardware has been so much easier, in addition to the fact that Ubiquiti will give support if you need it.


You can still keep those devices that you have; just keep them patched up and use them for other parts of the network if you need to, or put them to use elsewhere. I.e., I would hand down my networking gear to my parents as I upgraded my gear.

Exactly. Our whole family benefits from our upgrades. Moms/dads, brothers/sisters, neighbors, etc. Nothing gets scrapped since we tend to buy high end gear. Thank you all SO much! I’ve enjoyed this conversation a lot. Have a great day!

Oh, and BTW… patching the routers as we speak. :)
