Home network help wanted

Hello there

I am looking for help with upgrading and increased control over my home network. I have a little, but not very much, experience with configuration and administration of networks, but have tried to learn a lot via e.g. Lawrencesystems’ YouTube channel. I have, among other things, a desire to master the setup and maintenance of division into multiple VLANs.

I have the following setup now:

Synology AC2600 router with 2 wifi networks, which is properly divided into VLANs, managed by a built-in function in the router. I have some Tado heating system, a Synology NAS and 2 old Netgear GS110TP switches, where the switches are simply used to extend the wired network and create space for more wired devices.
I have a few different computers, a wireless printer, some wireless security cameras from Reolink, and various mobile phones and tablets, as well as some specific devices that I eventually want to switch from wifi to wired connections.

Some time ago I bought a Netgate 2100 which I want to set up first in my network instead of my ISP’s router.
In addition, I am considering replacing the switches (possibly with equipment from UniFi), but I am not clear which equipment and models I should choose. And I’m not sure if I should add access points from UniFi as well, or if it’s fine enough to use my existing router, my provider’s router or possibly both.

I would like to learn how to set up the network myself and have an overview, but in the past I have had challenges configuring my NAS to be accessed remotely, and I have also not succeeded in getting external access to my printer. So any help on concepts and configurations I should focus on will be appreciated.

Therefore, I would like to hear from you about the following:

  1. Which devices should be isolated in separate VLANs and how do I best ensure this?
    For example, would it be possible to have a guest network that has access to my Chromecasts, printer and Sonos system, but not to my server and my cameras?
    Can a mobile device, based on the MAC address, be set up to be able to access, e.g., all devices in VLAN 1 and at the same time a specific device in VLAN 2, without the device having access to all devices in VLAN 2?

  2. I understand that UniFi devices are easy to set up, but is it okay to have a specific device from which the network can be managed remotely? I don’t usually need that with my Synology server.
    What equipment can you recommend?

  3. What should I be aware of in order to gain secure access to my various devices from external computers, without exposing and risking unwanted intrusion on my network in general?

I hope you can and will help me on my way and look forward to hearing from you!

With best regards

Allan

Like most things it all depends then once you know what is possible you’ll realise there are other things you want to add.

If you are running ethernet cable, I would run two lines to each location, might sound like a waste but you can always put these lines into a LAGG between switches which gives you some redundancy if they fail. This is a task you only really want to do once.

Definitely buy an AP for your wifi, I have TP-Link EAP 245, this can be powered over PoE with your 110TP (mine are). The main benefit is that you can better place this in your house, somewhere high and central works best. This model has a 2nd ethernet port, meaning I can daisy-chain another AP or switch if I need to, I haven’t but could!

Vlans are the way to go, I’ve used the following:

MGMT - put networking kit on
ISP - for traffic leaving via the ISP
VPN - for traffic leaving via the VPN
CAM - IP cams with no traffic leaving anywhere
GUEST - Guest wifi without traffic shaping and adblocking
Print - for my printer which Guests can also access

Personally I think it’s better to think of roles for networks, then build rules for them in pfSense, then just add devices to them without thinking about it.

You also need to add OpenVPN, this allows you to dial home and view your cameras. You can have a rule that your OpenVPN dials into your ISP vlan and can also access the CAM vlan. However the CAM vlan cannot access the ISP vlan and does not exit the WAN.

If your NAS has more than one NIC put one on the CAM vlan and the other on the ISP vlan, it will make life a bit easier, if not you can add an exception rule, so all your cameras record to the NAS on the ISP vlan.

I generally don’t use the LAN for anything except for accessing the pfSense box directly if something were to go wrong.

Before I would have said Netgear switches do the job and are cheap, however prices are all over the place and supply is erratic, so you might be stuck with what you can get your hands on.

The NAS is probably a bit crappy to run virtual machines from, but you might want to consider buying a cheap box and running something like Proxmox for say an always on controller for your wifi, though you don’t need it on all the time.

I personally wouldn’t spend a lot until I know what I need, sounds like you need a managed switch (non-PoE) and an AP for now, when counting ports keep in mind that if you connect to other switches downstream that would be two if you use a LAGG.

There’s loads to consider but that should give you a few hints.

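The role-based VLAN layout in the reply above (MGMT, ISP, VPN, CAM, GUEST, Print, plus the exception letting cameras record to a NAS on the ISP VLAN) can be tried out as a small model before touching a real pfSense box. The following is an added example, not code from the forum participants or from Netgate; the subnets, the NAS address and the flow addresses are constructed assumptions. It evaluates rules first-match-wins with an implicit default deny, the way rules on a pfSense interface tab behave, and it also shows why a one-way "pass" rule is enough for two-way traffic: the firewall is stateful, so replies to a flow it already allowed are passed by the state table, not by a second rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets for the roles named in the reply; the addressing is an assumption.
VLANS = {
    "MGMT":  ip_network("10.0.10.0/24"),
    "ISP":   ip_network("10.0.20.0/24"),
    "VPN":   ip_network("10.0.30.0/24"),   # OpenVPN tunnel network
    "CAM":   ip_network("10.0.40.0/24"),
    "GUEST": ip_network("10.0.50.0/24"),
    "PRINT": ip_network("10.0.60.0/24"),
}
NAS_ON_ISP = ip_address("10.0.20.5")       # constructed: the NAS the cameras record to


def role_of(ip: str) -> str:
    """Map an address to its VLAN role; anything not in a local VLAN counts as WAN."""
    addr = ip_address(ip)
    for role, net in VLANS.items():
        if addr in net:
            return role
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst: str          # a role name, "ANY", or a single host address
    action: str       # "pass" or "block"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if role_of(src_ip) != self.src_role:
            return False
        if self.dst == "ANY":
            return True
        if self.dst in VLANS or self.dst == "WAN":
            return role_of(dst_ip) == self.dst
        return ip_address(dst_ip) == ip_address(self.dst)   # single-host exception


# First match wins (as on a pfSense interface tab); no match at all means block.
RULES = [
    Rule("MGMT",  "ANY",            "pass"),   # networking kit may reach everything
    Rule("VPN",   "CAM",            "pass"),   # dial home and view the cameras
    Rule("VPN",   "ISP",            "pass"),
    Rule("VPN",   "WAN",            "pass"),
    Rule("ISP",   "WAN",            "pass"),
    Rule("CAM",   str(NAS_ON_ISP),  "pass"),   # exception: cameras record to the NAS only
    Rule("CAM",   "ANY",            "block"),  # otherwise CAM traffic goes nowhere
    Rule("GUEST", "PRINT",          "pass"),   # guests may print
    Rule("GUEST", "WAN",            "pass"),
]


class StatefulFirewall:
    """Rules decide the first packet of a flow; the state table passes the replies."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # entries of (src_ip, src_port, dst_ip, dst_port)

    def packet(self, src_ip, src_port, dst_ip, dst_port) -> str:
        # A reply to an established flow is passed without needing a reverse rule.
        if (dst_ip, dst_port, src_ip, src_port) in self.states:
            return "pass (reply to established flow)"
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                if rule.action == "pass":
                    self.states.add((src_ip, src_port, dst_ip, dst_port))
                    return "pass"
                return "block"
        return "block (default deny)"


def demo() -> dict:
    """Run a handful of constructed flows through the policy and return the verdicts."""
    fw = StatefulFirewall(RULES)
    return {
        "vpn->cam":       fw.packet("10.0.30.10", 50000, "10.0.40.2", 554),
        "cam reply":      fw.packet("10.0.40.2", 554, "10.0.30.10", 50000),
        "cam->internet":  fw.packet("10.0.40.2", 40000, "203.0.113.9", 443),
        "cam->nas":       fw.packet("10.0.40.2", 40001, "10.0.20.5", 445),
        "cam->other isp": fw.packet("10.0.40.2", 40002, "10.0.20.7", 445),
        "guest->printer": fw.packet("10.0.50.3", 40003, "10.0.60.2", 9100),
        "guest->cam":     fw.packet("10.0.50.3", 40004, "10.0.40.2", 554),
        "isp->cam":       fw.packet("10.0.20.7", 40005, "10.0.40.2", 554),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:16} {verdict}")
```

The "cam reply" flow is the important line: the camera never gets a rule towards the VPN network, yet its RTSP answer to a VPN client is passed because the client's outbound packet created a state. Real pfSense state entries also carry the protocol and TCP state and time out; the model keeps only the address and port tuple.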

I have a video for setting up rules for home on a pfSense here that might help and as far as using UniFi switches, all of them support VLANs as do their access points so it comes down to what you need for your network in terms of the number of ports and range.


Thank you very much for your detailed answer.
Your reasoning for adding APs instead of using wireless routers makes a lot of sense. So does your recommendation about VLANs, although there is still something technical I need to get my head around…

For example, I was absolutely convinced that for each vlan you made a whitelist/blacklist of the MAC addresses you wanted to include/exclude, to ensure that no matter where in the network you connect a device, it will access that particular vlan. Is this approach not used?

I have just got a new ISP. I can choose to use their provided router or my own equipment. I just need to tag the internet port (which I assume is WAN) to VLAN 101. I’m trying out the setup off-premises, as I’m not at home for the next few days, but wouldn’t it be correct to put a VLAN tag 101 on the mvneta0 interface and just an ‘Internet’ description, and then under interface assignments change the network port for WAN to be ‘VLAN 101 on mvneta0 (Internet)’? Or should I add this association as a new interface, by

In the setup of the WAN interface, it puzzles me that I can select ‘IPv4 Configuration Type’ and ‘IPv6 Configuration Type’, which by default are set to DHCP and DHCP6. I can not understand the purpose of this, it is incoming traffic that is not assigned IP addresses. I can understand it for LAN which is the network I am building, but why should this also be defined for WAN? And should the item ‘Alias IPv4 address’ be filled with a range of IP addresses, and if so, for what purpose?

When I set up the individual DHCP servers for each of my vlans, should I set ‘Allow all clients’?

My thought is that after the line into the house from my ISP, I should be:

1. Netgate with firewall
	a. NAS
	b. Switch A with multiple VLANs
		i. Wifi A with access for guests, mobile devices, IoT (for sharing), Chromecasts, Sonos, and printer
		ii. Wifi B without access for guests, only access from my and a few others' phones, private IoT devices
		iii. Own computer and admin access to network, NAS etc.
		iv. Cameras that I would like to be able to access from the outside
		v. Wifi C for testing, but which must not have access to the other networks
		vi. Work computer for working from home, which should only have internet access and not access to other networks

Guests must have access to printers, Chromecasts, etc. but I have some devices I only want to be able to access from my own phone, hence my idea of Wifi B. Should the access for my own phone be set up with port Aliases?

Would it be better to have my Wifi C directly in the Netgate, in a dedicated port?
Or will VLAN rules be able to shield just as well as in my proposal under point 1.b.v?

The next area I want to look at is OpenVPN, which is also completely new to me.
I have tried to read about the subject, and understand the principle of it, but have doubts about the following:

I can see in my Synology NAS this can be set up.
Should I set up OpenVPN on both the Netgate and, for example, my PC, mobile and NAS?
Or is it set up as a server on the Netgate and clients on the above mentioned devices?
And will this VPN replace the access to my NAS, which so far has been running over Synology’s QuickConnect function, or does it just provide an extra layer of security?

Thanks, it’s great videos you make 👍👍👍👍

In the 3rd Network ‘Cams’ it says that you have access to the Synology interface. But is it complete access to the NAS, or only to a part around cameras you open up on that network?
And where else on the network do you place the NAS on the network?

And I have a hard time understanding something about firewalls.

If, for example, vlan 10 needs access to something on vlan 20, you only open one way. But most communication is two-way. Wouldn’t that mean that you don’t get answers to your queries? Or does the firewall take care of that part?

Sounds like you might be conflating a couple of things. You just need to configure the port on the switch to be on a particular vlan, whatever you connect to that port will be on that vlan. You can either use DHCP or fixed IP on the device. This would be the easiest approach for a home network.

Not sure about your tag 101.

Don’t use IPv6 myself.

I have. It looks like the other choices allow finer controls.

Not totally sure what you mean, however, you can control this type of activity by rules.

If you only have one wifi AP I would plug this into a Trunk port on the switch, this will then pass all your vlans which you just map to your individual SSIDs. I’d guess you could plug into the router however that might take some additional effort to configure. Vlans block all access by default, you need to configure the rules to do what you need.

Yeah you could use that, personally I have a QNAP which also has an OpenVPN solution, while I have set this up, it’s just a backup to the 6 OpenVPN instances I have running on pfSense.

You can setup the OpenVPN Remote Access Server on pfSense and issue certificates to clients to access the RAS. You need to have some kind of OpenVPN client on your devices.

Personally I use OpenVPN on pfSense as there are better options, I believe the password access will be phased out in future releases of pfSense so it would make sense to understand how the Certificate option works now while you are getting the hang of it. Besides it’s just much easier, if you lose your phone, you can just revoke the cert on the phone without affecting any other clients.