Dynamic or static IP addresses

Penny Whistle

Original Poster:

6,512 posts

192 months

Yesterday (21:00)
Are there advantages in having home devices on static IP addresses rather than dynamic? I have read that they can be more vulnerable.

Mr E

22,685 posts

281 months

Yesterday (21:48)
Which side of the router are we talking?
What problem are you trying to solve?

megaphone

11,440 posts

273 months

It can be an advantage to use static IP addresses within the local network (LAN) for some devices that you need local access to, e.g. CCTV, NAS, servers and other devices you need to access through the IP. Your router has a static IP, e.g. 192.168.0.1

As for them being more vulnerable, well I suppose they could be but only if you open them up via the firewall, or allow unknowns to use your LAN or WAN

RizzoTheRat

27,870 posts

214 months

From the outside, many ISPs will let you pay extra to get a static IP address, which you might want to make external access easier, e.g. if you're running a VPN or mail server.

Static IP addresses on your internal network can make it easier if you have things that talk to each other. For example my NAS and Home Assistant server are on static IP addresses because other things on the network refer to them by the IP address.

Griffith4ever

6,232 posts

57 months

Never heard of it being a security risk. If you want to find a device on your lan you can search with other tools - look how your printer utility can find your printer when its IP has changed.

Static IPs make management easier on LANs with lots of devices that you need access to without having to go to the router each time to look them up - and that's IF your router will assign names (or let you assign them) to IPs.

For example, I use static IPs on any network devices: Router, Mesh nodes (Orbi), extra access points, printers (saves a WHOLE lot of aggro), that kind of stuff. I do it all at router level - so I set the DHCP reservation using the MAC address in the main router - not on the devices themselves (apart from other routers/LAN kit) - that way saves a lot of head scratching years down the line when you change other things, or, it means you don't have to physically go through a horrible menu to change the IP on devices that have very limited interfaces (like printers, or devices with no physical interface at all).

It also means everything is centrally managed.

For external IP I use free dynamic DNS - Asus free one on the router, and DynuDNS on Home Assistant.

RizzoTheRat

27,870 posts

214 months

Griffith4ever said:
look how your printer utility can find your printer when its IP has changed.
I'm not convinced that's the best example, I don't know why but printers seem to be the least reliable networked device ever

eein

1,543 posts

287 months

The only real reason for a fixed external IP in your home is if you want to be able to connect back to the house using only the IP, i.e. not relying on a DDNS entry. There's no significant additional risk, just a very long term small risk.

However, note that most of the major UK telcos rarely change the IP you are allocated, so you'll find that you tend to keep the same external IP for a long time. Virgin Media are the most 'sticky' for IPs and if you don't reboot the router you'll likely see the same IP for >5 years. The other main brands might see a change once a year or so.

Regardless of fixed IP or not, you should be careful to ensure anything 'facing' the external internet connection is secured and you don't have services running that someone can get on to. If you've not poked around with the router settings you probably won't, however if you've done things like put a NAS on your network and made a forwarding rule on your router to be able to get to that from outside, then you should be careful about the configuration. All IPs will get scanned by threat actors periodically looking for common services running they can connect to. These days it's less about stealing your data or ransomware (there's still plenty of that about), but it's more about trying to get your router or NAS to be part of a threat actor's covert network of proxies they use to hack other places - you'd likely never know you are part of that.

.:ian:.

2,749 posts

225 months

Some providers are now using CGNAT if you don't have a static IP, this can cause a problem with online games as UPnP won't work as the router cannot forward ports into your network.
A lot of people won't notice so it's not an issue.

Penny Whistle

Original Poster:

6,512 posts

192 months

Thanks all. This is for my internal network - NAS, APs, several IP Cameras, etc and an ever-increasing number of IoT devices. All with a view to getting it all into HA one day. Prompted by the pain of having to change subnet recently from 192.168.1 to 192.168.0 and finding stuff not connecting without manual assistance.

megaphone

11,440 posts

273 months

If your router allows, you should be putting any IoT stuff, and CCTV stuff on separate isolated VLANs.

Changing subnets or routers etc is a good reason NOT to use static IPs on devices. If I do want a 'static' IP I tend to reserve the IP in the router, that way if you change routers or ISP, devices will default to DHCP.

Edited by megaphone on Monday 9th February 12:15

camel_landy

5,364 posts

205 months

As said previously... Stick the IoT type stuff on a different subnet and keep it away from everything else.

As for static addresses, the way I'd manage it is to have static assignments in DHCP. That way the address will still be dynamically assigned but you can manage from a central location.

M
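
Added example, not part of any poster's reply: a small planner for the subnet change described in the thread (192.168.1.x to 192.168.0.x). It renumbers router-side DHCP reservations in one pass and lists the devices with an address set on the device itself, which are the ones that stop connecting until someone touches them by hand. The inventory, device names and MAC addresses are constructed sample data.

```python
import ipaddress

# Constructed inventory: (name, MAC, current IP, how the address is set)
INVENTORY = [
    ("nas",      "02:00:00:00:00:10", "192.168.1.10", "reservation"),
    ("printer",  "02:00:00:00:00:20", "192.168.1.20", "reservation"),
    ("camera-1", "02:00:00:00:00:30", "192.168.1.30", "on-device"),
    ("ap-loft",  "02:00:00:00:00:40", "192.168.1.40", "on-device"),
    ("laptop",   "02:00:00:00:00:50", None,           "dhcp"),
]

def renumber(ip, old_net, new_net):
    """Move ip from old_net to new_net, keeping the host part."""
    old_net = ipaddress.ip_network(old_net)
    new_net = ipaddress.ip_network(new_net)
    addr = ipaddress.ip_address(ip)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new subnets must be the same size")
    if addr not in old_net:
        raise ValueError(f"{ip} is not in {old_net}")
    offset = int(addr) - int(old_net.network_address)
    return str(new_net.network_address + offset)

def plan_subnet_change(inventory, old_net, new_net):
    """Return (new reservation table, devices needing a manual change)."""
    reservations = {}  # MAC -> new IP, to load into the router
    stranded = []      # (name, old IP, new IP) configured on the device
    for name, mac, ip, mode in inventory:
        if mode == "dhcp":
            continue   # plain DHCP clients follow the router automatically
        new_ip = renumber(ip, old_net, new_net)
        if mode == "reservation":
            reservations[mac] = new_ip
        else:
            stranded.append((name, ip, new_ip))
    return reservations, stranded

if __name__ == "__main__":
    res, stranded = plan_subnet_change(INVENTORY, "192.168.1.0/24", "192.168.0.0/24")
    for mac, ip in res.items():
        print(f"reserve {mac} -> {ip}")
    for name, old, new in stranded:
        print(f"MANUAL: {name} is hard-set to {old}, change it to {new}")
```
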