Home Network Segmentation Advice

I have a burgeoning home network infrastructure, including multiple UniFi switches, CKG2, APs, Protect cameras, a Proxmox compute server (Plex, HA), a Synology (media shares for Plex, VM for Proxmox Backup Server), Sonos, a robot vac, multiple IoT home devices, etc., but I just installed pfSense and I'm dipping my toe into network segmentation for the first time with trepidation. I've set up a default LAN 10.52.10.1 and successfully deployed a gated Guest VLAN (199) 10.52.199.1 and a corresponding SSID.

One additional complexity is that I have a single UniFi Flex-XG switch currently switching my desktop, Synology and Proxmox machine, and I want to keep that 10G connection open if possible to avoid running traffic back through the 1G router.

My main question is where do I put everything else?

My current thought is to:

  1. 10.52.10.1 - leave the UniFi devices on the default LAN (possibly move the cams later)
  2. 10.52.20.1 - a trusted VLAN for the Synology, PVE, and desktop
  3. 10.52.30.1 - an IoT VLAN for most other stuff (including phones)

My concerns are:

  1. The desktop talks to the Sonos as a controller and hosts media on the Synology; given the posted Sonos issues, this could kill the ability to control the Sonos from the desktop or to use local media.
  2. The Plex VM on PVE needs to talk to all the Rokus around the house; if it's on trusted, is that an issue?
  3. HA (I'm new to HA) needs to talk to the IoT devices.

If I put the PVE VMs (Plex, HA) on the IoT network, won't I lose the ability to use the 10G connection back to the Synology server? Would a storage VLAN work somehow that could connect my Synology SMB and NFS network shares? Is it possible to use dual NICs on my desktop for both the IoT and trusted VLANs to allow communication with the Sonos?

I apologize for the long-winded post, but any help would be appreciated.

You can set up firewall rules so only the devices that need to have access to a specific device/IP/port are allowed to talk across the two VLANs.

You could use a dual NIC on the desktop, but that would break the model of keeping trusted devices on the trusted VLAN.

Tom has some great videos on this. I have 6 VLANs and it may be overkill. My network is simpler than yours. My cable modem feeds the pfSense device (Qotom), the pfSense box feeds a managed 2.5GbE switch, and the switch feeds everything else, including my Synology, my Proxmox server, my Raspberry Pi NAS, my Pi-Star DMR hotspot (ham radio stuff) and a WAP. My VLANs are: trusted, internet facing, IoT, televisions, guest, and management. Trusted is limited to my wife's PC, my PC, printer, Pi-Star, Synology, second NAS, and VMs & containers that are not exposed to the internet at all. Internet facing includes the VMs & containers that face the internet like WordPress, Nextcloud, and Grocy. They are all exposed via Cloudflare tunnels, so the connector containers are also in that VLAN. Television is as you would expect, the smart TVs. IoT is the container I have running Home Assistant as well as all the Ring cameras, Alexas, etc. Guest is for my children and any actual guests. Management is for the web interface of my Proxmox server and my switch, WAP, etc.

I have firewall rules such that anything on the trusted network can see and fully manage everything else. All the other networks cannot reach each other at all. Television is broken out from IoT so I can use a VPN when I need to in order to see stuff on Netflix not offered locally, if I choose. I also use firewall rules to limit access to management interfaces to two specific IP addresses, my PC and my wife's.

Long story short, I have no problem controlling anything from the trusted VLAN.
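The rule model both replies describe (trusted may initiate to everything, the other VLANs get only the specific holes the original post needs, internal networks otherwise off limits) can be checked before it is typed into pfSense. The script below is an added example, not code from the thread or from pfSense: it models pfSense's per-interface, first-match, stateful evaluation for the OP's proposed VLANs and tests the flows the post worries about (Rokus to Plex, Sonos to the Synology share, desktop to Sonos, HA to IoT). Host addresses, the Plex port 32400 and the Sonos control port 1400 are assumptions; the names `RULES`, `FLOWS`, `evaluate` and `check_policy` are this example's own.

```python
"""Model of pfSense-style inter-VLAN filtering for the layout in the post.

pfSense evaluates rules on the interface a packet arrives on, first match
wins, and the firewall is stateful: only the initiating direction needs a
rule, replies to a passed connection are allowed automatically. Host
addresses and service ports below are assumptions, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple

Nets = Sequence[IPv4Network]

ANY: Nets = (ip_network("0.0.0.0/0"),)
RFC1918: Nets = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16"))

# VLANs from the post (pfSense holds .1 on each /24).
LAN: Nets = (ip_network("10.52.10.0/24"),)      # UniFi gear, i.e. management
TRUSTED: Nets = (ip_network("10.52.20.0/24"),)  # desktop, Synology, Proxmox + its VMs
IOT: Nets = (ip_network("10.52.30.0/24"),)      # Sonos, Rokus, phones, other IoT
GUEST: Nets = (ip_network("10.52.199.0/24"),)   # gated guest VLAN 199

# Assumed host addresses (the thread gives none).
DESKTOP: Nets = (ip_network("10.52.20.10/32"),)
SYNOLOGY: Nets = (ip_network("10.52.20.20/32"),)
PLEX_VM: Nets = (ip_network("10.52.20.30/32"),)
IOT_GW: Nets = (ip_network("10.52.30.1/32"),)   # pfSense's own address on the IoT VLAN


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the packet arrives on
    proto: str             # "tcp", "udp" or "any"
    src: Nets
    dst: Nets
    dport: Optional[int]   # None = any port
    note: str


def _in(nets: Nets, addr) -> bool:
    return any(addr in n for n in nets)


def evaluate(rules: Sequence[Rule], iface: str, proto: str,
             src: str, dst: str, dport: Optional[int]) -> Tuple[str, str]:
    """First matching rule decides; no match is pfSense's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if not (_in(r.src, s) and _in(r.dst, d)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    return "block", "implicit default deny"


# Order matters: the narrow passes and the RFC1918 block must come before
# the catch-all internet pass, or the catch-all swallows everything.
RULES = [
    # TRUSTED may initiate anywhere (covers desktop->Sonos control and HA->IoT).
    Rule("pass", "TRUSTED", "any", TRUSTED, ANY, None, "trusted initiates anywhere"),
    # IOT: DNS from pfSense itself, the specific needs from the post, then nothing internal.
    Rule("pass", "IOT", "udp", IOT, IOT_GW, 53, "DNS from pfSense on this VLAN"),
    Rule("pass", "IOT", "tcp", IOT, PLEX_VM, 32400, "Rokus stream from Plex (port assumed)"),
    Rule("pass", "IOT", "tcp", IOT, SYNOLOGY, 445, "Sonos reads the library over SMB"),
    Rule("block", "IOT", "any", IOT, RFC1918, None, "no other access to internal networks"),
    Rule("pass", "IOT", "any", IOT, ANY, None, "internet only"),
    # GUEST: internet only.
    Rule("block", "GUEST", "any", GUEST, RFC1918, None, "guest stays off internal networks"),
    Rule("pass", "GUEST", "any", GUEST, ANY, None, "internet only"),
]

# The same rules with the IoT catch-all mistakenly placed first.
MISORDERED = [RULES[0], RULES[5]] + RULES[1:5] + RULES[6:]

# Flows the post cares about: (iface, proto, src, dst, dport) -> expected action.
FLOWS = {
    "roku_to_plex":       (("IOT", "tcp", "10.52.30.50", "10.52.20.30", 32400), "pass"),
    "sonos_smb_synology": (("IOT", "tcp", "10.52.30.60", "10.52.20.20", 445), "pass"),
    "iot_dns_to_pfsense": (("IOT", "udp", "10.52.30.60", "10.52.30.1", 53), "pass"),
    "iot_to_internet":    (("IOT", "tcp", "10.52.30.50", "203.0.113.7", 443), "pass"),
    "iot_to_desktop_ssh": (("IOT", "tcp", "10.52.30.50", "10.52.20.10", 22), "block"),
    "iot_to_unifi_mgmt":  (("IOT", "tcp", "10.52.30.50", "10.52.10.5", 443), "block"),
    "desktop_sonos_ctrl": (("TRUSTED", "tcp", "10.52.20.10", "10.52.30.60", 1400), "pass"),
    "ha_to_iot_device":   (("TRUSTED", "tcp", "10.52.20.31", "10.52.30.70", 80), "pass"),
    "guest_to_synology":  (("GUEST", "tcp", "10.52.199.9", "10.52.20.20", 445), "block"),
}


def check_policy(rules: Sequence[Rule]) -> dict:
    """Map each named flow to True when the rule set yields the expected action."""
    return {name: evaluate(rules, *flow)[0] == want
            for name, (flow, want) in FLOWS.items()}


if __name__ == "__main__":
    for name, ok in check_policy(RULES).items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
    print("misordered set leaks:",
          [n for n, ok in check_policy(MISORDERED).items() if not ok])
```

Two caveats the model makes visible. First, the `MISORDERED` set shows why the "block RFC1918" rule has to sit above the internet catch-all: with the order flipped, IoT reaches the desktop and the UniFi management interface. Second, these are unicast rules; Sonos, Roku and Plex discovery runs over link-local multicast (SSDP/mDNS), which no firewall rule carries across VLANs, so devices on the IoT VLAN will stream once they know where to go but will not find the server on their own without an mDNS/SSDP repeater such as pfSense's Avahi package. Traffic between hosts on the same VLAN on the same switch never touches pfSense, so keeping the desktop, Synology and Proxmox together in the trusted VLAN preserves the 10G path regardless of these rules.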