How many networks / where to draw the line

I think it’s time to create separate networks at my house.
I have UniFi gear… USG, Cloud Key Gen2 Plus, Switch, and AP.

This is prompted by several things.

  • We’re having more and more neighbors over for get-togethers in our driveway. I’ve given my password to more people than I’d like to admit.
  • I just got another streaming device in the mail today (the new Google Chromecast)

It is recommended to have a separate network for your streaming devices, isn't it? Same for guests?
I know that for IoT it is recommended to have separate networks (I don't currently have any IoT devices), but is it recommended for streaming?
Could those be the same network, or should I have 3 networks (main, streaming, guests)?

What if I want to control the streaming devices from my phone? Does my phone need to be on that same network?

Our network currently has:

  • Unraid server (file server, Plex, Nextcloud, etc)
  • 3 personal laptops
  • 2 work laptops
  • 1 printer
  • 3 phones
  • 3 tablets
  • 5 Google Home speakers
  • 2 Chromecasts
  • 1 Fire Stick
  • 1 Apple TV
  • 1 Nintendo Switch
  • 2 UniFi Protect cameras

Which devices belong where?

I don't know the answer, but I can give you a view of my network running pfSense with VLANs.

vlan10 - Management - router, switches and access point go on this. It can see all VLANs.
vlan20 - ISP - basically some of my devices go out on this, with traffic leaving via my ISP. Used mainly for banking and email access. It can see all other VLANs.
vlan30 - VPN - most other devices go out via the VPN WAN where they are not blocked like banking etc. It can see other VLANs.
vlan40 - CAMs - my IP cams are on this; no traffic leaves the VLAN or goes out the WAN. I have a QNAP with an Ethernet port on the same VLAN so I can record.
vlan50 - Guest - users need a generic password to log in over, say, a phone, then need to enter a unique time-limited code. This VLAN cannot see the other VLANs and goes out via the ISP using a different DNS.
vlan60 - IoT - for my dodgy Android TV boxes, TVs and Blu-rays; goes out via my VPN WAN. It cannot see other VLANs.

Once you set up your devices, the rules you need to see the devices from the various VLANs become clear.

I've also set up 802.1X for my cameras, as they are both out of support and there are external cables.

If your AP supports multiple SSIDs, then just mirror your VLANs on them.
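The six-VLAN layout in the post above translates almost line for line into a pfSense ruleset, and the detail that bites first-timers is rule order: the "can/cannot see other VLANs" rule has to sit in front of the "go out via this gateway" rule, or inter-VLAN traffic gets policy-routed out of the VPN. The following is an added example, not the poster's configuration: the VLAN ids and the policy come from the post, while the subnets (10.0.X.0/24), interface names, the gateway placeholders `ISP_GW`/`VPN_GW` and the rendered pf text are assumptions. It builds the ruleset from the policy, renders it in pf syntax, and walks sample flows through it with pfSense's `quick` (first match wins) semantics so the isolation can be checked offline before touching the firewall.

```python
"""pf-style rules from the six-VLAN policy described in the post above.

Added example, not the poster's pfSense configuration. The VLAN ids and the
prose policy come from the post; the subnets, interface names, gateway names
and rule text are assumptions. pfSense emits `quick` rules (first match
wins), and evaluate() simulates that so the policy can be checked offline.
"""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# vlan -> (pf interface, subnet, egress gateway or None,
#          may reach other VLANs, may reach the WAN)
# Subnets and gateway names are assumed; the two policy flags restate the post.
VLANS = {
    "mgmt":  ("vlan10", "10.0.10.0/24", "ISP_GW", True,  True),
    "isp":   ("vlan20", "10.0.20.0/24", "ISP_GW", True,  True),
    "vpn":   ("vlan30", "10.0.30.0/24", "VPN_GW", True,  True),
    "cams":  ("vlan40", "10.0.40.0/24", None,     False, False),  # nothing leaves
    "guest": ("vlan50", "10.0.50.0/24", "ISP_GW", False, True),
    "iot":   ("vlan60", "10.0.60.0/24", "VPN_GW", False, True),
}


def build_rules():
    """Return ordered (action, iface, src_net, dst, gateway) tuples.

    Order matters under first-match semantics: the rule for RFC 1918
    destinations must come before the route-to rule, otherwise inter-VLAN
    traffic on mgmt/isp/vpn would be policy-routed out of the gateway
    instead of being forwarded locally.
    """
    rules = []
    for iface, subnet, gw, see_vlans, see_wan in VLANS.values():
        src = ipaddress.ip_network(subnet)
        # 1. other VLANs: pass for the trusted ones, block for guest/iot/cams
        rules.append(("pass" if see_vlans else "block", iface, src, "<private>", None))
        # 2. everything else leaves via the chosen gateway, if WAN is allowed
        if see_wan:
            rules.append(("pass", iface, src, "any", gw))
        # 3. no rule at all means the implicit default block; cams end here.
        #    Cam -> QNAP traffic on vlan40 never crosses the firewall, so
        #    recording keeps working.
    return rules


def render(rules):
    """Render the tuples as pf.conf text. 'route-to GW' stands in for the
    '( interface address )' pair pfSense would emit for a named gateway."""
    lines = ["table <private> { " + " ".join(map(str, PRIVATE)) + " }"]
    for action, iface, src, dst, gw in rules:
        route = f" route-to {gw}" if gw else ""
        lines.append(f"{action} in quick on {iface}{route} from {src} to {dst}")
    lines.append("block in all  # pfSense default deny")
    return "\n".join(lines)


def evaluate(rules, src_ip, dst_ip):
    """Fate of a packet entering the firewall from src_ip towards dst_ip.

    Returns (action, gateway). gateway is the policy-routing target of the
    matching pass rule, or None for locally forwarded or blocked traffic.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    dst_private = any(dst in net for net in PRIVATE)
    for action, _iface, net, target, gw in rules:
        if src not in net:
            continue
        if target == "any" or (target == "<private>" and dst_private):
            return (action, gw) if action == "pass" else ("block", None)
    return ("block", None)


if __name__ == "__main__":
    ruleset = build_rules()
    print(render(ruleset))
    # Constructed sample flows, one per line of the policy in the post.
    for s, d in [("10.0.50.7", "10.0.10.1"), ("10.0.50.7", "93.184.216.34"),
                 ("10.0.60.5", "1.1.1.1"), ("10.0.40.9", "8.8.8.8"),
                 ("10.0.10.2", "10.0.40.9")]:
        print(s, "->", d, evaluate(ruleset, s, d))
```

Swap the `<private>` block for a narrower one (say, DNS only to a chosen resolver) if the guest VLAN is meant to reach a local resolver, and keep the cams VLAN with no pass rule at all; the evaluator is there to confirm that the address you think is isolated really hits the default deny.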

What is this vlan30 - VPN? It’s a transparent VPN where any device on it automagically is using a VPN of some sort? How is that set up?

I use AirVPN; it's set up on an interface in pfSense, then any device that connects to vlan30 exits via the VPN. Most providers will have a guide on how to set up their VPN service on various routers.

If you also set up OpenVPN, then you can exit via your VPN from your phone when you dial home from the pub :) It circumvents the connection limit most providers have.

BTW, it's much easier to set up more VLANs than you need the first time round unless you document your steps very well; it took me a while to fully remember how to do it when I later added the IoT VLAN.

I feel like a Luddite! My home network just goes out the consumer router to the ISP. My home lab does go through a pfSense box (still connected to the home ISP), which also has the site-to-site to my work pfSense box. For normal stuff I'm on the regular home Wi-Fi; for work-at-home stuff I'm on my lab network (cable or Wi-Fi).

My excuse is that I need to keep things simple for the other user in the house.

There’s a lot to be said for keeping things simple. Every time I think about doing something ‘clever’ on the home network I think about the trouble it would cause for my non-techie More Significant Other. I have a life-threatening condition (low but non-zero risk) and I wouldn’t want her to have to deal with my quirky networking ideas just to get on the Internet. So I’m making sure there’s a simple, direct way on to the net (albeit via a NAT router) and the rest of the stuff is separate and can be just unplugged if, erm, I’m unplugged.

Apparently we are in the Information Age! Evidently it will leave a lot of the population behind. Personally I'm not one for keeping it simple; it is almost never the best solution, just the lowest common denominator. Though I can understand that most just want to do things as easily as possible; when it goes wrong, well, they will be stranded.
However, Apple have cracked the code: their stuff just works and people want it!

Pays your money, takes your pick :)

Until you sneeze on the keyboard and get liquid damage and the whole thing fails. But that’s another youtube channel.