Certainly could do that. Would make my config slightly messier, but I think you could have a NATed sub-subnet like that; I’d have to ask.
At the moment, though, I’m not even remotely short of IPv4s. Old kit will hopefully be retiring and be made IPv6-only if possible. Already several old devices have just been retired, freeing up a lot of IPv4 addresses too.
One reason I don’t like to do that at all is that it would make it far more difficult for me to spy on these devices and any other guest devices. I want to know what they’re getting up to if they use my network. We don’t offer ‘accommodation guests’ internet access now, and if we ever do, I would require any such future users to indicate that they understand that we will only ever spy on them for the purposes of network admin, and even then only with their prior agreement.
But as for spying on kit:
- need to find out if it’s phoning home, and if so, to where,
- is using too much network capacity, especially upstream; suspicious ports or IP protocol numbers, and where to,
- is broken - e.g. the horrid NetAtmo weather station that my wife spent good money on, which kept disappearing from the WLAN and then reappearing and doing a new DHCP request all the time in some crazy fashion.
Say we have a ‘client/user’ category of ‘personal guests - untrusted’, like friends who come to stay and bring kit that I don’t trust, because it could be crawling with nasties. Within this category we have something like ‘long-term resident personal guests untrusted’, and this TV goes into this new sub-sub-category of untrusted long-term personal guests. I had part of this design successfully implemented for years until Apple blew the whole thing apart with source MAC address faking, as my design had relied on the insecure, and highly non-maintenance-friendly (i.e. not sysadmin-scalable), strategy of using certain firewall rules based on whitelisted source MAC addresses.
I need to find out what people do here who know what they’re doing. I’m also thinking about looking into whether or not I can make use of VLANs in my old ZyXEL WAPs, which appear to have a feature that looks like it might be useful, but who knows what it does, because the documentation is a disaster. Written by people who have no idea what it all meant and were too deferential to the gods that are the devs to ask, and wouldn’t understand the replies anyway. (From my personal experience of working inside a software company.)
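As an added example that is not part of the original post: the four things the "spying on kit" list above says the poster wants to catch (a device phoning home, heavy upstream use, odd ports or IP protocol numbers, and a client that keeps dropping off and re-requesting DHCP) expressed as checks over a flow log and a DHCP server log. The record shape, the thresholds, the expected-port list and the LAN prefixes are assumptions for illustration, and all the sample flows and DHCP events are constructed, not real traffic from anyone's network.

```python
"""Flow-log triage for the checks in the post: phoning home, heavy upstream use,
odd ports or protocol numbers, and a DHCP-flapping client. Added example, not code
from the original post; record format, thresholds, expected ports and LAN prefixes
are assumptions, and every sample record below is constructed, not real traffic."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed local prefixes: flows to these are LAN chatter, not "phoning home".
LAN_NETS = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
UPSTREAM_BYTES_LIMIT = 50_000_000   # bytes one device may send outside per window
UPSTREAM_RATIO_LIMIT = 5.0          # bytes_out / bytes_in above this: uploads dominate
BEACON_MIN_FLOWS = 5                # repeated flows to a single outside host
EXPECTED_PROTOS = {1, 6, 17}        # ICMP, TCP, UDP
EXPECTED_PORTS = {53, 80, 123, 443, 853, 8883}  # DNS, HTTP, NTP, HTTPS, DoT, MQTT/TLS
DHCP_WINDOW_S, DHCP_MAX_REQUESTS = 3600, 6      # more requests per window = flapping


def flow(mac, dst, proto, dport, bytes_out, bytes_in):
    """One flow record as a router export might give it (shape is an assumption)."""
    return {"mac": mac, "dst": dst, "proto": proto, "dport": dport,
            "bytes_out": bytes_out, "bytes_in": bytes_in}


FLOWS = [
    # Smart TV: six identical small flows to one outside host, a beacon pattern
    *[flow("aa:bb:cc:00:00:01", "203.0.113.10", 6, 8883, 2_000, 600) for _ in range(6)],
    # Guest laptop: one huge upload to an outside host on 443
    flow("aa:bb:cc:00:00:02", "198.51.100.7", 6, 443, 80_000_000, 900_000),
    # Unknown gadget: a GRE tunnel (protocol 47) and cleartext telnet to the outside
    flow("aa:bb:cc:00:00:03", "192.0.2.9", 47, 0, 40_000, 40_000),
    flow("aa:bb:cc:00:00:03", "192.0.2.9", 6, 23, 3_000, 9_000),
    # Camera: ordinary HTTPS, plus a big transfer to the NAS that is local and ignored
    flow("aa:bb:cc:00:00:04", "198.51.100.20", 6, 443, 120_000, 3_000_000),
    flow("aa:bb:cc:00:00:04", "192.168.1.50", 6, 445, 9_000_000, 100_000),
]
# Constructed DHCP server events (mac, unix time): the camera renews twice an hour,
# the weather station asks for a lease every five minutes.
DHCP_EVENTS = [("aa:bb:cc:00:00:05", 1_700_000_000 + 300 * i) for i in range(10)] + [
    ("aa:bb:cc:00:00:04", 1_700_000_000), ("aa:bb:cc:00:00:04", 1_700_001_800)]


def is_lan(dst):
    addr = ip_address(dst)
    return any(addr in net for net in LAN_NETS)


def upstream_hogs(flows):
    """Devices whose outbound traffic is too large in total or is mostly upload."""
    out, inn = Counter(), Counter()
    for f in flows:
        if not is_lan(f["dst"]):
            out[f["mac"]] += f["bytes_out"]
            inn[f["mac"]] += f["bytes_in"]
    hogs = {}
    for mac in out:
        ratio = out[mac] / max(inn[mac], 1)
        if out[mac] > UPSTREAM_BYTES_LIMIT or ratio > UPSTREAM_RATIO_LIMIT:
            hogs[mac] = {"bytes_out": out[mac], "ratio": round(ratio, 1)}
    return hogs


def beacons(flows):
    """(mac, dst) pairs with many repeated flows to one outside host: phoning home."""
    counts = Counter((f["mac"], f["dst"]) for f in flows if not is_lan(f["dst"]))
    return {pair: n for pair, n in counts.items() if n >= BEACON_MIN_FLOWS}


def odd_protocols(flows):
    """Outside flows on a protocol number or destination port you did not expect."""
    odd = defaultdict(list)
    for f in flows:
        if is_lan(f["dst"]):
            continue
        if f["proto"] not in EXPECTED_PROTOS:
            odd[f["mac"]].append(f"proto {f['proto']} to {f['dst']}")
        elif f["proto"] in (6, 17) and f["dport"] not in EXPECTED_PORTS:
            l4 = "tcp" if f["proto"] == 6 else "udp"
            odd[f["mac"]].append(f"port {f['dport']}/{l4} to {f['dst']}")
    return dict(odd)


def dhcp_flappers(events):
    """MACs with more lease requests than DHCP_MAX_REQUESTS inside one window."""
    by_mac = defaultdict(list)
    for mac, ts in events:
        by_mac[mac].append(ts)
    flapping = {}
    for mac, times in by_mac.items():
        # busiest window: for each event, count the events in the window starting there
        worst = max(sum(1 for t in times if 0 <= t - t0 <= DHCP_WINDOW_S) for t0 in times)
        if worst > DHCP_MAX_REQUESTS:
            flapping[mac] = worst
    return flapping


def triage(flows=FLOWS, dhcp_events=DHCP_EVENTS):
    """All findings grouped per MAC, so each device can be reviewed in one place."""
    findings = defaultdict(list)
    for mac, info in upstream_hogs(flows).items():
        findings[mac].append(f"upstream hog: {info['bytes_out']} bytes out, out/in {info['ratio']}")
    for (mac, dst), n in beacons(flows).items():
        findings[mac].append(f"beaconing: {n} flows to {dst}")
    for mac, items in odd_protocols(flows).items():
        findings[mac].extend("unexpected " + item for item in items)
    for mac, n in dhcp_flappers(dhcp_events).items():
        findings[mac].append(f"DHCP flapping: {n} requests within {DHCP_WINDOW_S}s")
    return dict(findings)
```

Calling `triage()` on the constructed data flags the TV for beaconing, the laptop as an upstream hog, the gadget for GRE and telnet, and the weather station for DHCP flapping, while the camera's large LAN transfer to the NAS is ignored because it never crosses the uplink. Keying everything by source MAC is deliberate: it is the one field a flow export, a firewall accounting rule and a DHCP log all share, and it is also the field the post says randomised source MACs make unreliable, so on a network with such clients the same grouping would have to be done per VLAN or per authenticated identity instead.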