One device on all VLANs; Don't buy an L3 switch!

TL;DR : If you want to grant access to a central resource (e.g. NAS) to multiple devices in a home / small office environment… Do you prefer clumping all the devices together in one subnet, letting the router sort the traffic between different subnets, delegate that job to an L3 switch or put multiple interfaces on the resource and then join it to each of the subnets containing the devices that need it?


I’m pretty sure I’m going to get struck down because I know this is the type of question people hate.

  • It’s predicated somewhat on opinion over fact.
  • It’s a typical home user asking “do I need this expensive enterprise solution” to which the answer is almost always: “of course not”.
  • It references performance which is largely un-guessable, and is the responsibility of the poster to test for.

That said, you don’t ask, you don’t learn, and some of my questions don’t fall into any of those buckets.

Looking at various strategies of network segmentation, especially in enthusiast space (and perhaps enterprise), I think a common scenario is to have some sort of centralized resource, say a NAS, that you basically want most of your devices to be able to access. However your security policy for those devices is wildly different. You trust your computer (mostly), your laptop a little bit, and your smart TV not at all. So each class of device(s) gets put on a different VLAN making the ability for them all to find and access the NAS difficult.

Your actually quite dumb TV and other streaming devices are going to use broadcast for discovery of media sources, as is your computer for network shares, so you have to set up relays or active directories or hardcoded IPs (when the client device supports them). When I saw someone raise this point one response was to suggest that network topology was never really designed with the intent to segment via separation of concerns. If workstation A is supposed to access Resource B, then that’s the logic of how to lay out your layer 3, as opposed to saying this is the services VLAN, this is the workstations VLAN etc. That answer made complete sense to me, but then the implication is now the home user ends up with one monolithic subnet of precious PCs, kids’ tablets and cheap streaming sticks just so they can all use the printer and listen to music. If you however put them back into VLANs and set up all the rules and relays to get them talking then you’re potentially piping a lot of heavy traffic (dare I say needlessly?) through your firewall/router.

An L3 switch seems to address this last point, and the fact that TP-Link sells one for just $20 more than the L2 variety caught my eye. Sadly that was back before chip shortages so the TL-SG2008 now goes for about $70; over double the price of the $30 TL-SG108E.

Questions.

  1. For the average amount of traffic the home user or small business generates, is leaving your home-built, eBay-auction pfsense box as the sole layer 3 device in your network likely to be much of a problem? Imagine what I think is a common use case: 1-2 PCs are sharing large DCC files back and forth from the NAS while maybe one or two users are watching a movie from your video library, and the security camera is backing up a stream of footage… I built my pfsense around a humble AMD 5350 Quad-Core 2.05 GHz and under my current layout almost all of the traffic in the network would be negotiating through it.

  2. I think it’s possible to add interfaces to any central resources like a NAS and just have it join all the subnets that access it? Are there security or performance implications to this that I’m not appreciating?

  3. I thought of mixed segmentation. You could put the NAS in the same subnet as devices needing high bandwidth / critical access (like your PC) and have other devices like smart phones and streaming sticks in their own VLANs access it through the firewall/router. But that means WAN access to the NAS (which you just didn’t allow when it was in its own VLAN) and that the streaming stick is now reaching into the subnet of the PCs. I think you can set up firewall rules to mitigate these problems, because you can specify the NAS IP has no WAN access, the stick can only access the NAS IP etc… But once again, any performance or security implications I’m not appreciating?

  4. You get lucky, grab an L3 switch at a reasonable premium over an L2. What’s the general mechanism they use to connect VLANs? In the manual of the TP-Link model I mentioned they refer to ACLs, which look much like firewall rules, specifying policies that allow particular IPs to reach other IPs via particular ports. Is this similar or synonymous to a firewall rule in something like pfsense? And if the chip in the switch is doing that work, is it really more performant or efficient than your router?
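The ACL-versus-firewall-rule question (4) and the rules sketched in (3), as an added example that is not from the original post or from TP-Link's documentation: a toy first-match ACL evaluator that is stateless (the usual behaviour of switch ACLs) next to a stateful variant (how a router firewall such as pfSense treats reply packets). All addresses and the media port 8200 are constructed for the example; the practical caveat it shows is that a stateless ACL needs an explicit rule for the return direction of every permitted flow.

```python
"""Toy model of a stateless, first-match ACL versus a stateful firewall.
Added example; addresses, VLANs and port 8200 are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """The reply direction of this flow (swap endpoints and ports)."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def stateless_decision(acl: List[Rule], f: Flow) -> str:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for rule in acl:
        if rule.matches(f):
            return rule.action
    return "deny"


def stateful_decision(acl: List[Rule], f: Flow, state: Set[Flow]) -> str:
    """Replies to an already-permitted flow pass without a rule of their own."""
    if f.reverse() in state:
        return "permit"
    verdict = stateless_decision(acl, f)
    if verdict == "permit":
        state.add(f)
    return verdict


# Policy from question 3: the stick may reach only the NAS media port,
# the NAS may initiate only towards its own (PC) VLAN, i.e. no WAN.
NAS, STICK = "192.168.10.5", "192.168.30.20"          # constructed hosts
PC_VLAN, STICK_VLAN = "192.168.10.0/24", "192.168.30.0/24"
ACL = [
    Rule("permit", STICK_VLAN, NAS + "/32", "tcp", 8200),  # stick -> NAS media
    Rule("deny", STICK_VLAN, PC_VLAN),                     # stick -> rest of PC VLAN
    Rule("permit", NAS + "/32", PC_VLAN),                  # NAS -> its own VLAN
    Rule("deny", NAS + "/32", "0.0.0.0/0"),                # NAS -> anything else (WAN)
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),              # everyone else unrestricted
]
```

Evaluating `Flow(STICK, NAS, "tcp", 51000, 8200)` and then its `.reverse()` shows the difference: the request is permitted by both evaluators, but the NAS's reply is dropped by the stateless ACL (it falls through to the NAS deny rule) and allowed by the stateful one.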