Help a noob create a more secure network

I’ve been a long-time follower and have been learning a lot as I go. Hell, Tom’s videos helped me enough to get pfSense running on my network. The problem with my network is that it’s set up as a flat network. With everything in my house I’ve gotten worried about the amount of security issues at hand and need to fix this once and for all.

I’m your typical homelab guy and I only know enough to make myself dangerous. I read a lot and follow a ton of YouTube how-to videos. The only thing I’ve yet to undertake is setting up VLANs. Something I wish I would have learned to do a long time ago.

Setup list as follows

Server Rack-

Dell Switch 6248
Dell R610 (pfSense)
Dell R610 (Domain)
Dell R710 (TrueNAS, Plex)

Desktops/Laptops-

Mine
Sons - Laptop
Daughters

IoT -

Ring Doorbell
SimpliSafe Alarm
Google Nest Thermostat
Google Home Hub

Media Center-

TV
Nvidia Shield
Xbox One
Nintendo Switch

Wifi -

Netgear AC1750 (access point mode)

For a home network it seems fairly secure to me. It is pretty similar to my home network.

The one thing I will say is that by default all VLANs really do is separate broadcast domains. If you set up any/any IP rules on your VLANs, they can get to any of the other VLANs.

So what you want to do is create ACL/firewall rules to prevent certain VLANs from accessing other VLANs. For example, you would want to prevent the IoT network from accessing anything other than the WAN interface.

1 Like

Your first step should be planning on paper. I have a similar setup to yours. The process I followed was to first create a list of all devices, including servers, that need to be on the network. Then divide the devices into groups based on the data they contain/hold. These groups become your VLANs.

For me it was
Core - the core servers and network equipment
Secured - Your machine and other trusted end user machines
Restricted - all other machines like TVs, Media Centre, game boxes, IoT etc.
Guest - For guests who need access to the internet
Kids - I have this only as I still have some controls implemented on their machines. If your kids are old/responsible enough then this is not required
Management - This is the Only VLAN that can be used to access the management/configuration page of the network routers/Switches and servers in the Core VLAN

Once this is done, then comes the painful part: trying to determine what communication is required between the machines sitting in different VLANs. You should prepare this as Source - Destination - Port/Protocol. This will become the basis of your firewall rules. This is tough, as you have to make calls between convenience and security.

Do this all on paper, and things will change when you do the last part of determining the communication required.

Once this is done and finalized, create the VLANs on pfSense and keep it open initially, i.e. allow everything on every VLAN. Then start implementing one rule at a time. Assuming it’s a home network you won’t have many rules, so you should be able to do it one rule at a time.

So implement one rule, test all the machines in the source and target VLANs so the behavior is as expected, and move forward from there.

All the best.

2 Likes

My biggest hurdle is going to be the Dell switch. The GUI sucks and the CLI isn’t for the faint of heart. pfSense-wise I’ve gotten pretty familiar with it and always fall back on the videos Tom has.

I’ll take some time to draw this out before I make any moves. My single biggest problem is time. Being a truck driver doesn’t leave me a ton of time since I’m on the road quite a bit. But I have my laptop to remote into my network, so I can make small changes as I can while I’m out.

Thank you for the help. I’ll use this thread to post questions as I go so as not to flood the forum.

One more: if you WFH, especially if your employer has furnished you with a laptop and other devices. I would also suggest using Quad9 for DNS.

For what it’s worth, here are my thoughts. I too have pfSense running with VLANs.

Firstly, I would document how you set up the VLANs in pfSense; it is pretty easy to forget a rule or setting when you come to set up another VLAN in x months’ time.

With that in mind I would set up the VLANs below. If you set up more than you need today, you won’t have to remember anything for when you need it later. Plus it goes faster the first time, if you forget the second time ;) While you might not use a VPN today, if you were to set it up, you would only have to change the WAN on your rules.

LAN subnet 1
Management subnet 10
ISP 20
VPN 30
Children 40
Guest 50
IoT 60
CAM 70

Personally I have very similar rules for my VLANs; the difference is which WANs they exit and which VLANs they can see. For example, the ISP VLAN can see the Guest VLAN but not vice versa.

I stick all my VLAN subnets in an alias and use this in my rules; it results in needing fewer rules.

I would guess your current subnet is 192.168.1.x. Keep that in place as your LAN, then set up the rest of the VLANs in increments of 10, e.g. 192.168.20.x etc. Then move your devices accordingly once you have sussed it out.

Dude, do not forget to take backups of your pfSense configs; you can never have too many!!! I would also take backups of the switch’s config too.

Once you have networking on the management VLAN and the other devices on their respective VLANs, you can just use the LAN to directly access pfSense in an emergency if your switches go down for some reason. I have a LAN in place but never use it.

Depending on the number of ports you have, you might want to set up a LAGG between pfSense and your switch; LACP, if it’s supported, would be the better type.

Not sure if your access point will support multiple SSIDs/VLANs. If not, you can stick it on a single VLAN for now, then you might want to consider a new AP. If you do, you might want to check that the AP comes with an injector, as they will usually be PoE. If you go down the route of IP cams, a PoE switch will be handy.

1 Like
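The three technical points in this thread (VLANs alone only split broadcast domains, so any/any rules let every VLAN reach every other; plan the rules on paper as Source - Destination - Port/Protocol and test each one; and put every local subnet in one alias so the "block everything local" rule is a single line) can be checked before touching the switch. The script below is an added example and is not code from the thread or from pfSense. It models pfSense's behaviour as rules evaluated on the interface where traffic enters the firewall, first match wins, implicit block at the end, with replies riding the state table. The VLAN names and tags follow the last post's plan; the /24 subnets, the assumption that pfSense is .1 on every VLAN, the rule contents, the `LocalNets` alias and the test addresses are all constructed for the example. It does not model gateway selection (which WAN the ISP/VPN VLANs exit) or NAT.

```python
"""Plan and test inter-VLAN firewall rules on paper (pfSense-style semantics)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnet plan from the thread: LAN stays on 192.168.1.0/24, VLAN tag N -> 192.168.N.0/24
VLAN_TAGS = {"LAN": 1, "Management": 10, "ISP": 20, "VPN": 30,
             "Children": 40, "Guest": 50, "IoT": 60, "CAM": 70}
SUBNETS = {name: ipaddress.ip_network(f"192.168.{tag}.0/24") for name, tag in VLAN_TAGS.items()}
# One alias holding every local subnet: "block -> LocalNets" replaces one rule per VLAN.
ALIASES = {"LocalNets": list(SUBNETS.values())}
INTERNET = "203.0.113.10"  # TEST-NET-3, a constructed stand-in for any public address


def gateway(vlan: str) -> ipaddress.IPv4Network:
    """pfSense's own address on a VLAN (assumed to be .1 in this example)."""
    return ipaddress.ip_network(f"{SUBNETS[vlan].network_address + 1}/32")


def resolve(token: str) -> list:
    """Map a rule endpoint ('any', a VLAN name, '<VLAN> address', an alias) to networks."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if token in ALIASES:
        return ALIASES[token]
    if token.endswith(" address"):
        return [gateway(token[: -len(" address")])]
    return [SUBNETS[token]]


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str
    dst: str
    proto: str = "any"          # "any", "tcp", "udp" or "tcp/udp"
    port: Optional[int] = None  # destination port, None = any
    descr: str = ""


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dport: int = 443


def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    if not any(src in n for n in resolve(rule.src)):
        return False
    if not any(dst in n for n in resolve(rule.dst)):
        return False
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    return rule.port is None or pkt.dport == rule.port


def evaluate(ruleset: dict, vlan: str, pkt: Packet) -> str:
    """Rules live on the ingress interface; first match wins; nothing matched -> block.
    Only the initiating direction is checked: replies are allowed by the state table."""
    for rule in ruleset.get(vlan, []):
        if matches(rule, pkt):
            return rule.action
    return "block"


def untrusted(vlan: str) -> list:
    """IoT/Guest pattern: DNS to the firewall, nothing else local, then the internet."""
    return [
        Rule("pass", vlan, f"{vlan} address", "tcp/udp", 53, "DNS via the pfSense resolver"),
        Rule("block", vlan, "LocalNets", descr="no access to any other VLAN"),
        Rule("pass", vlan, "any", descr="whatever is left is the WAN"),
    ]


# The "allow everything on every VLAN" starting point: broadcast domains split, nothing isolated.
OPEN = {v: [Rule("pass", "any", "any", descr="any/any")] for v in SUBNETS}

# The hardened plan: CAM has no pass rules at all, so cameras never initiate anything;
# the NVR on LAN opens connections to them and the state table carries the replies.
HARDENED = {
    "Management": [Rule("pass", "Management", "any", descr="admin VLAN reaches everything")],
    "LAN": [Rule("block", "LAN", "Management", descr="trusted PCs still don't touch admin pages"),
            Rule("pass", "LAN", "any")],
    "Children": [Rule("block", "Children", "LocalNets"), Rule("pass", "Children", "any")],
    "Guest": untrusted("Guest"),
    "IoT": untrusted("IoT"),
    "CAM": [],
}


def host(vlan: str, n: int = 50) -> str:
    return str(SUBNETS[vlan].network_address + n)


def can_reach(ruleset: dict, src_vlan: str, dst_ip: str, proto: str = "tcp", dport: int = 443) -> bool:
    return evaluate(ruleset, src_vlan, Packet(host(src_vlan), dst_ip, proto, dport)) == "pass"


def reachability(ruleset: dict) -> dict:
    """Source VLAN x destination matrix: the 'test every source and target' step, on paper."""
    targets = {"internet": INTERNET, **{v: host(v) for v in SUBNETS}}
    return {(s, t): can_reach(ruleset, s, ip) for s in ruleset for t, ip in targets.items()}


if __name__ == "__main__":
    for name, rs in (("open", OPEN), ("hardened", HARDENED)):
        print(f"{name}: IoT -> LAN host {can_reach(rs, 'IoT', host('LAN'))}, "
              f"IoT -> internet {can_reach(rs, 'IoT', INTERNET)}")
```

Running it shows the point of the second post directly: with `OPEN`, the IoT VLAN reaches a LAN host just as it would on the flat network; with `HARDENED`, IoT can still resolve names against pfSense and reach the internet but nothing on `LocalNets`. Adding a VLAN later only means adding its subnet to the alias, which is why the alias approach needs fewer rules.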