Improving My Home Network - IOT Segregation/VLAN

Hello,

I currently have a relatively new home wired with Cat6 throughout and need to improve my network design to better implement security and IoT segregation. I am ready to spend some cash on new hardware and thought to ask some questions here prior to purchase.

My home is a ranch style with an unfinished basement, 2150 sq ft up and 2150 sq ft down, with an 1150 sq ft garage. The lot I am on is over two acres. I have a ton of IoT devices, computers, lights, outlets, IP cameras, Sonos, etc., all on 192.168.1.x. I know I need to get those IoT devices that are potential vectors segregated ASAP.

Networking gear:

ARRIS Docsis 3.1 cable modem with Comcast residential Gig service.
TrippLite 24u Cabinet
Netgate SG-2440 (pfBlockerNG and OpenVPN packages only)
2 D-Link DGS-1100-24P managed gigabit PoE switches.
Various 5-8 port managed/unmanaged gigabit switches on the main floor.
Eero Gen2 mesh network access points (going on eBay once I decide on Ubiquiti hardware)

My Goals:

  1. Segregate wired IoT devices to a separate network from my NAS and computers.
  2. Segregate WiFi IoT devices to a separate SSID from my main SSID.
  3. Implement sufficient Unifi access points for home and reasonable yard coverage.
  4. Choose a LAN address that will be more or less unlikely to conflict with the local LAN IP that I remote from into my home.
  5. Have OpenVPN access into both my LAN and IoT devices (IP cameras, etc.)

I have learned that my Eero hardware is not going to support VLAN tagging, thus they are going to eBay to help pay for the new Unifi access points. They also do not allow one to change the WiFi channel, and that always disappointed me.

For the WiFi AP, I am considering the AC Pro or the NanoHD. My thought is to place one on each of two of the farthest corners of my home. They would be mounted horizontally on a plant ledge roughly 8-9 feet up on the main floor and connected to a PoE switch. Since I have never used Unifi, I am hopeful this would be OK for function. I appreciate input on this decision and placement. I can always add more if coverage is an issue.

I have never worked with VLANs or subnets before. My experience has always been a simple 192.168.1.x LAN. Tom's video on VLANs on pfSense and Unifi seems to be exactly what I need to do.

One quick question before I post, though. I have two managed switches in the basement as well as switches on the other end of the wire on my main floor. For an IoT device to connect to the VLAN, the switch at the main-level location would have to support VLAN tagging to a specific physical port.

Thank you very much,

J.
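An added example (not code from the original post or from pfSense): goals 1, 4 and 5 above can be sanity-checked before any hardware is bought. The script below models the addressing plan and the per-interface, first-match, stateful rule semantics pfSense uses, then checks two things: that the chosen subnets do not collide with 192.168.1.0/24 or other ranges a remote site is likely to use, and that the rule set isolates IoT while still letting the LAN and the OpenVPN client reach the cameras. All VLAN IDs, subnets, alias names and rule order are illustrative assumptions, not the poster's configuration.

```python
"""Added example, not code from the original post: a small planner that checks the
poster's goals 1, 4 and 5 before any hardware is bought.
All VLAN IDs, subnets and rule order below are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan. 10.x.y.0/24 with an unusual second octet is far less
# likely to collide with a hotel or office LAN than 192.168.0/1.x or 10.0.0.x.
PLAN = {
    "LAN":     {"vlan": 10,   "subnet": "10.27.10.0/24"},   # NAS, computers
    "IOT":     {"vlan": 20,   "subnet": "10.27.20.0/24"},   # cameras, Sonos, lights
    "OPENVPN": {"vlan": None, "subnet": "10.27.250.0/24"},  # tunnel address pool
}

# Ranges consumer routers hand out by default; a remote LAN on one of these would
# clash with the home network once the VPN tunnel comes up (goal 4).
COMMON_REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24"]

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def conflicts(plan, remote_lans):
    """Return (network_name, remote_cidr) pairs whose ranges overlap."""
    hits = []
    for name, cfg in plan.items():
        net = ipaddress.ip_network(cfg["subnet"])
        for remote in remote_lans:
            if net.overlaps(ipaddress.ip_network(remote)):
                hits.append((name, remote))
    return hits


@dataclass(frozen=True)
class Rule:
    iface: str   # interface the packet arrives on (pfSense evaluates rules per ingress interface)
    action: str  # "pass" or "block"
    src: str     # alias name or "any"
    dst: str     # alias name or "any"


def aliases(plan):
    """Firewall aliases: one per network plus an RFC1918 alias covering all private space."""
    out = {name: [ipaddress.ip_network(cfg["subnet"])] for name, cfg in plan.items()}
    out["RFC1918"] = [ipaddress.ip_network(n) for n in RFC1918]
    out["any"] = [ipaddress.ip_network("0.0.0.0/0")]
    return out


# Assumed rule set: first match wins, implicit block at the end (pfSense semantics).
# Blocking IoT -> RFC1918 rather than IoT -> LAN means a third internal VLAN added
# later is protected without touching this list.
RULES = [
    Rule("IOT", "block", "IOT", "RFC1918"),
    Rule("IOT", "pass", "IOT", "any"),          # internet only
    Rule("LAN", "pass", "LAN", "any"),          # LAN may reach IoT and the internet
    Rule("OPENVPN", "pass", "OPENVPN", "LAN"),  # goal 5: VPN users reach both
    Rule("OPENVPN", "pass", "OPENVPN", "IOT"),
]


def decide(iface, src_ip, dst_ip, rules=RULES, plan=PLAN):
    """Action for a NEW connection entering on iface. The firewall is stateful, so
    replies to a passed connection are allowed automatically and not modelled here."""
    al = aliases(plan)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface:
            continue
        if any(src in n for n in al[r.src]) and any(dst in n for n in al[r.dst]):
            return r.action
    return "block"


def policy_matrix(plan=PLAN, rules=RULES):
    """Which networks can open a connection to which: {(src_name, dst_name): action}."""
    sample = {n: str(list(ipaddress.ip_network(c["subnet"]).hosts())[9]) for n, c in plan.items()}
    sample["INTERNET"] = "203.0.113.10"   # TEST-NET-3 address standing in for the internet
    return {(s, d): decide(s, sample[s], sample[d], rules, plan)
            for s in plan for d in sample if d != s}


if __name__ == "__main__":
    print("conflicts with common remote LANs:", conflicts(PLAN, COMMON_REMOTE_LANS))
    for (s, d), a in sorted(policy_matrix().items()):
        print(f"{s:8} -> {d:8}: {a}")
```

Two things the matrix makes visible that the goal list does not: LAN -> IoT passes while IoT -> LAN blocks only because the firewall is stateful (the camera's replies ride the state the LAN host created), and OpenVPN -> internet is blocked in this rule set, which is fine for a split-tunnel remote-access setup but must be added if the tunnel is meant to carry all traffic.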

If you create two separate networks in pfSense, with one being a VLAN, and you want the WiFi to do the VLAN, you need to send all VLANs to the access points, as they will do the splitting.

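The question at the end of the original post (does the main-floor switch have to put a port in the VLAN?) and the reply above (send all VLANs to the access points) both come down to how a managed switch port handles 802.1Q tags. The following is an added example, not code from the thread or from any vendor: it builds and parses tagged and untagged Ethernet frames and models the two port roles a switch offers, an access port (D-Link calls the port an "untagged" member, UniFi calls it the native VLAN) that assigns untagged frames to its PVID, and a trunk port that carries additional VLANs with the tag left on. Port names, MAC addresses, VLAN IDs and the topology are assumptions.

```python
"""Added example, not code from the thread: how a managed switch port treats
802.1Q tags. This decides whether a wired IoT device lands in the IoT VLAN
(access port, PVID 20) and why the AP uplink must carry every SSID's VLAN
tagged (trunk port). Port names, MACs and VLAN IDs are assumptions."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet frame; when vlan is given, insert a 4-byte 802.1Q tag after the MACs."""
    frame = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)  # PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return a dict with vlan=None for an untagged frame, else the VID from the tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": 0,
            "ethertype": ethertype, "payload": frame[14:]}


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                          # VLAN for untagged frames (D-Link "untagged", UniFi "native")
    tagged: frozenset = frozenset()    # VLANs carried with a tag (trunk); empty = access port


def ingress(port, frame):
    """Classify an arriving frame: return its VLAN, or None if the port drops it."""
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        return port.pvid      # untagged -> PVID; the camera never needs to know its VLAN
    if vid in port.tagged:
        return vid            # tagged and allowed on this trunk
    return None               # tag on an access port, or VLAN not allowed on the trunk: dropped


def egress(port, vlan, frame):
    """Rewrite a frame for the outgoing port: untagged on the PVID, tagged on a trunk."""
    f = parse_frame(frame)
    if vlan == port.pvid:
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
    if vlan in port.tagged:
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan, pcp=f["pcp"])
    return None               # port is not a member of this VLAN


def forward(in_port, out_port, frame):
    """One frame in on one port and out on another, as a VLAN-aware switch does it."""
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, vid, frame)


# Assumed topology: LAN is VLAN 10 (native on the uplinks), IoT is VLAN 20.
PORT_FIREWALL = Port("g1 to pfSense", pvid=10, tagged=frozenset({20}))
PORT_AP = Port("g2 to UniFi AP", pvid=10, tagged=frozenset({20}))   # AP splits SSIDs by tag
PORT_CAMERA = Port("g3 to IP camera", pvid=20)                      # access port in IoT VLAN
PORT_NAS = Port("g4 to NAS", pvid=10)                               # access port in LAN

CAM_MAC = bytes.fromhex("0242ac110020")   # constructed, locally administered addresses
FW_MAC = bytes.fromhex("0242ac110001")
PAYLOAD = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header


def camera_vlan_at_firewall():
    """The camera sends untagged; the frame reaches pfSense tagged with the IoT VLAN."""
    cam_frame = build_frame(FW_MAC, CAM_MAC, ETHERTYPE_IPV4, PAYLOAD)
    to_fw = forward(PORT_CAMERA, PORT_FIREWALL, cam_frame)
    return parse_frame(to_fw)["vlan"]


if __name__ == "__main__":
    print("camera frame arrives at pfSense in VLAN", camera_vlan_at_firewall())
```

Practical consequences for the setup in the thread: a device on an access port cannot move itself into the LAN by sending tagged frames (the tag is dropped on ingress), the AP port needs LAN as its native VLAN so the AP's own management address keeps working plus every SSID VLAN tagged, and an unmanaged switch on the main floor cannot assign VLANs, so everything behind it lands in the PVID of the managed port that feeds it. That is why the poster's main-floor switches need to be managed if wired IoT and LAN devices share one of them.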

I can't comment on all aspects, but I also have eero and also wanted to make my network secure, in particular after connecting all home devices like cameras, Alexa, streaming boxes, etc.

I ended up having two physically separated networks, LAN and WiFi; they connect to different interfaces, and any device connected to WiFi does not have access to the LAN (only via OpenVPN).

And I use eero in bridge mode only, as wireless access points.

Hope it helps.