How To Create Your Home Private Network


It’s finally the weekend, guys! Let’s make some improvements to your home network.

After this post, you will be able to:

  • Understand why you need a more secure local network
  • Configure your router to create one
  • Get your friends mind-blown with IP addresses other than 192.168.X.X

Let’s go!

What is your local IP address?

Type ipconfig in Command Prompt (if you’re using Windows) or ifconfig in Terminal, and it will print out your PC/laptop’s local IP address. Most likely, it’ll start with 192.168. That’s the default local IP address configuration that comes built into almost all the home routers that ISPs (Internet Service Providers) give their customers.

The 192.168.X.X IP range is so common (which is why it was chosen as the default) that we tend to forget that there are two more IP ranges that can be used for private networks as well: 10.0.0.0-10.255.255.255 and 172.16.0.0-172.32.255.255.

Okay, that still doesn’t explain why the default network is not so good. Well, it’s not secure to be exact.

Why your local network is not as good as you think

The world we’re living in is equipped with everything that’s hooked into your home network. You think I’m talking about smartphones, laptops or PCs? No, I’m talking about your CCTV cameras, game consoles, refrigerators, washing machines or even air conditioning systems.

I assume that devices such as smartphones and laptops are somewhat safe and reliable, provided that you apply the patches regularly. As for the others that belong to the IoT boom, I’m not gonna give them much credit when it comes to security. And neither should you!

So, am I telling you to get rid of those devices?

Absolutely not. The fact that they’re not secure doesn’t make them less helpful in our lives.

But here’s the thing. You may have heard something like: your team will only be as fast as the slowest member. The same is true for your home network:

Your home network will only be as secure as the least secure device in your house

The point I’m trying to make is: no matter how careful you are while surfing the Internet with your phone or laptop, hackers can still exploit the weaknesses and break into your network through the smart devices that you’re so proud of (like how Kevin Hart had 9 gun compartments in his house and still got robbed lol).

Can you make all your IoT devices more secure? I think that’s the manufacturer’s call to make. In the meantime, what we can do is wrap devices like laptops, PCs and smartphones in a separate private network.

Create the network topology

It’s time to get our hands dirty.

Let’s do a little bit of recon first. Right now, your home network probably looks something like this:

A typical home network

In order to accomplish what we’re about to do, you will need to have a router that has LAN routing capability. As I mentioned in my previous post, the default home router that the ISP provided just won’t cut it.

While I can’t specifically tell you what model you should use, I’m gonna show you what I use. I’ve got a few old Cisco devices lying around, and for this post, I’m gonna use a Cisco 1841 router. It’s a little old, but it still does the job super well.

The 1841 has two FastEthernet interfaces (FE0/0 & FE0/1) and as you might guess, one of them will be on the default network (created by the home router) and the other one will be attached to the private network that we’re about to create.

Cisco 1841 – Front View
Cisco 1841 – Back View

With the new router in play, the topology will be something like below with two separate areas.

New topology with two separate networks

From the command above, I know that my default network address is 192.168.1.0/24. The FE0/0 interface is linked to the home router’s network so its IP must be on the same subnet. I’ll choose 192.168.1.254/24.

As for the private network on the FE0/1 side, you can choose any network as long as it’s not on the same subnet as 192.168.1.0/24. For instance, 192.168.2.0/24 is clearly a good candidate. But let’s move out of the 192.168.X.X range for once, shall we? Remember 10.X.X.X is a valid IP range for local network? I’m gonna go with 10.10.1.0/24 for the private network and choose the last IP address, which is 10.10.1.254/24 for the FE0/1 interface.

So finally, the new home network topology will look like this:

New topology with IP addresses on 1841

Configuring the router’s interfaces

Alright, it’s time to play.

One great thing about network devices other than the home router is that they come unconfigured, and you have all the rights (and obligations) to make them behave the way you want.

Since I know not everyone is using Cisco devices, I’ll go through the configuration quickly, for the sake of simplicity, so that you understand the methodology and can apply it to your own devices.

First things first, I will connect the 1841’s console port to my PC and start a PuTTY session:

Cisco 1841 console

Then, I’ll enter configuration mode from the terminal:

c1841>enable
c1841#configure terminal
c1841(config)#

Next, I will configure the FE0/0 interface by assigning it the IP address 192.168.1.254/24 and bringing it up.

c1841(config)#interface fastEthernet 0/0
c1841(config-if)#ip address 192.168.1.254 255.255.255.0
c1841(config-if)#no shutdown
c1841(config-if)#exit

Ok, cool. I will then move on to the FE0/1 interface. We will do the same thing; just notice the difference in the IP address:

c1841(config)#interface fastEthernet 0/1
c1841(config-if)#ip address 10.10.1.254 255.255.255.0
c1841(config-if)#no shutdown

Then let’s check if we did something wrong:

show current interface configuration

We got each interface’s IP address right. Let’s move on.

Configuring DHCP servers

The next thing I have to do is configure the DHCP servers. Notice that I’m using the plural form here.

For those who don’t know, for your device to have an IP address, you have to manually assign it (like I did above) or configure a DHCP server so that devices can obtain IP addresses automatically.

In the 192.168.1.0 network, the home router also acts as a DHCP server. The problem is, the default DHCP IP range is from 192.168.1.2 all the way to 192.168.1.254, which means that the FE0/0 interface on 1841 can’t use 192.168.1.254 IP address (you can only assign static IP addresses that are not in the IP range of DHCP server).

The default DHCP IP range

That being said, I need to reserve some addresses so that I can statically assign them to devices. In this case, I will limit the DHCP IP range to 192.168.1.2 through 192.168.1.191. That means the IP addresses from 192.168.1.192 to 192.168.1.254 can be used as static addresses.

Limit the DHCP IP range

That’s it for 192.168.1.0 network.

As for the 10.10.1.0 network, I have to create a new DHCP server on the 1841 router. We will apply the exact same idea: only use IP addresses from 10.10.1.1 to 10.10.1.191 for the DHCP pool. The setup is pretty straightforward:

c1841(config)#ip dhcp excluded-address 10.10.1.192 10.10.1.254
c1841(config)#ip dhcp pool private
c1841(dhcp-config)#network 10.10.1.0 255.255.255.0
c1841(dhcp-config)#default-router 10.10.1.254

And we’re done configuring the DHCP servers.
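The static-versus-DHCP reasoning above can be checked mechanically. The following is an added example, not part of the original post: it uses Python's standard ipaddress module with the addresses from the post, and the function names are this example's own.

```python
import ipaddress as ip

# Address plan from the post; the function names are this example's own.
HOME_NET = ip.ip_network("192.168.1.0/24")
PRIVATE_NET = ip.ip_network("10.10.1.0/24")

def check_static(addr, net, pool_first, pool_last):
    """List the reasons addr is unsafe as a static address on net (empty = OK)."""
    a = ip.ip_address(addr)
    problems = []
    if a not in net:
        problems.append("outside the subnet")
    elif a in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    if ip.ip_address(pool_first) <= a <= ip.ip_address(pool_last):
        problems.append("inside the DHCP range")
    return problems

def dhcp_range(net, excluded_first, excluded_last):
    """First and last address a pool covering net hands out once the
    excluded range (ip dhcp excluded-address) is removed."""
    lo, hi = ip.ip_address(excluded_first), ip.ip_address(excluded_last)
    leased = [h for h in net.hosts() if not lo <= h <= hi]
    return str(leased[0]), str(leased[-1])

if __name__ == "__main__":
    # The two networks must not overlap, or the 1841 cannot route between them.
    print("overlap:", HOME_NET.overlaps(PRIVATE_NET))
    # Home router's default range collides with the FE0/0 address...
    print(check_static("192.168.1.254", HOME_NET, "192.168.1.2", "192.168.1.254"))
    # ...and the limited range does not.
    print(check_static("192.168.1.254", HOME_NET, "192.168.1.2", "192.168.1.191"))
    # The 1841 pool after the exclusion, and the FE0/1 address against it.
    first, last = dhcp_range(PRIVATE_NET, "10.10.1.192", "10.10.1.254")
    print(first, last, check_static("10.10.1.254", PRIVATE_NET, first, last))
```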

Testing the new private network

We’ve gone through a lot, and it’s time to check if the 10.10.1.0 network is working properly. The easiest way to confirm is to test if I can ping a device in the 10.10.1.0 network from a device in the 192.168.1.0 network.

I already have my PC connected to the 192.168.1.0 network. As for the private network, I will plug my old Raspberry Pi 2 into the FE0/1 interface. With the new DHCP setup, I’m pretty sure that the Pi will end up having the 10.10.1.1 IP address.

Test new private network

Alright, let’s find out if my PC can ping the Pi.

At first, PC failed to ping the Pi

The reason is, my PC’s default gateway is 192.168.1.1, which is the home router. And as I mentioned above, the home router doesn’t have LAN routing capability so it doesn’t know where the 10.10.1.0 network is to forward traffic into.

Home router has no idea where to route the traffic

Fortunately, almost all operating systems allow us to add the routing rules. On Windows, we can add the rule as follows:

route ADD 10.10.1.0 MASK 255.255.255.0 192.168.1.254

We can interpret the command above like this: whenever the destination is in 10.10.1.0 (the network on the FE0/1 interface), the gateway is 192.168.1.254 (the FE0/0 interface) instead of 192.168.1.1. We can confirm that the rule was added:

Routing rule was added
Now the PC itself has the routing rule

Now let’s ping the Pi again.

This time, we can ping the Raspberry Pi

We can see the replies coming back from 10.10.1.1.

Note that there are other ways to solve the problem above, all of which would involve adding more configuration to the 1841; otherwise we’ll lose connectivity to the Internet. Let’s save that for another post.

I can even ssh into the Pi.

We can ssh into the Raspberry Pi

That means that the new private network is working properly.

However…

No Internet!

We got no Internet access from the private network. That’s the problem we’ll be solving in the next post.
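The routing behaviour in this section (the failed ping, the fix with the static route, and the missing Internet access) can be traced hop by hop. This is an added example, not part of the original post: the tables model only what the post configures, and the PC address 192.168.1.10, the "ISP" next hop and the destination 203.0.113.10 are constructed for the example.

```python
import ipaddress as ip

# Constructed model of the post's topology. Each table is (prefix, next hop);
# None means directly connected. The PC address 192.168.1.10 and the "ISP"
# next hop are assumptions of this example, not values from the post.
TABLES = {
    "pc":    [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "home":  [("192.168.1.0/24", None), ("0.0.0.0/0", "ISP")],
    "c1841": [("192.168.1.0/24", None), ("10.10.1.0/24", None)],
    "pi":    [("10.10.1.0/24", None), ("0.0.0.0/0", "10.10.1.254")],
}
OWNER = {"192.168.1.10": "pc", "192.168.1.1": "home", "10.10.1.1": "pi",
         "192.168.1.254": "c1841", "10.10.1.254": "c1841"}

def lookup(table, dest):
    """Longest-prefix match: next hop, None if on-link, 'drop' if no route."""
    d = ip.ip_address(dest)
    hits = [(ip.ip_network(p), nh) for p, nh in table if d in ip.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "drop"

def trace(tables, node, dest, max_hops=8):
    """Forward hop by hop; return the nodes visited plus the outcome."""
    path = [node]
    for _ in range(max_hops):
        nh = lookup(tables[node], dest)
        if nh == "drop":
            return path + ["no route"]
        target = dest if nh is None else nh
        node = OWNER.get(target)
        if node is None:
            return path + ["lost at " + target]
        path.append(node)
        if nh is None:
            return path  # delivered on a directly connected network
    return path + ["hop limit"]

def with_static_route(tables):
    """The PC's table after: route ADD 10.10.1.0 MASK 255.255.255.0 192.168.1.254"""
    fixed = dict(tables)
    fixed["pc"] = tables["pc"] + [("10.10.1.0/24", "192.168.1.254")]
    return fixed

if __name__ == "__main__":
    fixed = with_static_route(TABLES)
    print(trace(TABLES, "pc", "10.10.1.1"))      # before the static route
    print(trace(fixed, "pc", "10.10.1.1"))       # after it
    print(trace(fixed, "pi", "192.168.1.10"))    # the reply path
    print(trace(fixed, "pi", "203.0.113.10"))    # constructed Internet address
```

The last trace stops at the 1841 because the configuration shown in the post gives it only its two connected networks and no default route.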

Conclusion

I hope that after today’s blog post, we’re now aware of the need for a private home network and the methodology to create one. Of course, it will take much more work before everything is fully operational, but today we made a great start.

In the next post, we will add the necessary configuration so that we can have Internet access from the private network.

Thank you for your time and I’ll see you in the next post.

Trung Tran is a software developer + AI engineer. He also works on networking & cybersecurity on the side. He loves blogging about new technologies and all posts are from his own experiences and opinions.
