Suggestion needed on subnet/VLAN granularity

So I have a broken foot and have two months to spend at my desk. Lots of time to improve my home network.

Here is a picture of the actual situation.

I have only one subnet as the smart switch (16 ports) was acquired this week.

  • The grayed boxes show equipment that is physically in the same room.
  • There is only 1 CAT6 from the ground floor to the locker downstairs (damn).
  • There are 2 CAT6 from the locker room to the garage.
  • The garage is 20m from the locker room.

My main concern is to protect the Server, running:

  • TrueNAS
  • Emby (video server) in a jail
  • Asset (music server) in a Debian VM

The main threat seems to be the WAP on the same unmanaged switch as the server.

Here are some questions on how this should be subdivided:

  1. I guess I should put another smart switch in the locker in order to put the server and the WAP on two different subnets?
  2. Is the Kid’s PC more at risk than adult’s PC, hence requiring a subnet for the kid?
  3. What are the risks of the VoIP AT?
  4. What are the risks of the Lutron (smart light switch)?

Any insights on how to subdivide this would be greatly appreciated.

Thanks

  1. I would recommend putting a smart switch where there is an unmanaged switch

  2. If you don’t want your kids reaching the admin portals of your servers then I would separate them out, but I would put the adult and kids’ PCs in the same VLAN and create block rules specifically for the kids.

  3. I would put the voip in its own VLAN and lock it down. Even though it’s probably a small network it’s always good from a security standpoint that the right devices are able to access only what they need.

  4. I put all IoT devices on their own VLAN for security reasons and have granular control over what devices connect to what. Also I don’t want them going rogue and phoning home.

On a side note, I personally like to put all server and management devices on their own VLAN. And please put the guest network on its own VLAN if it isn’t already lol. Also this configuration might be overkill to some, but I’m all about security especially when it comes to my own network :slightly_smiling_face:

1 Like

It sounds like you believe vlans can do more than they can! It will just segment your network, not make it more secure, but it can help make it more secure.

Agree with @xMAXIMUSx mostly. Though I would put in place a children’s vlan for more control not security.

I’d have the cams on a vlan with access to the Internet blocked, won’t be long before they are unsupported. Do not forward those cam ports or you’ll be found on shodan.

802.1x will ensure that username / password / certificate are needed for WiFi access instead of the same password. Handy if your AP supports multiple ssids.

The printer I’d put on a vlan which can be accessed by all other vlans, so guests, children and adults can print but still be isolated.

The vlans are easy to set up once you know how, but if you want more security you need to harden pfsense… Set up openvpn to access cams etc…

As you say you have time… Your network can easily suck all that up.

1 Like

Oh the other thing is you need to set up rules accordingly between vlans depending on how you want traffic to flow, or you’ll end up with basically the same setup but with vlans now.

Personally I blocked all ports then added them as I needed them to an alias. Took a while but eventually got there.

I have the odd instance where a Web page won’t work because so many things are locked down. In that case I’ll jump on the guest vlan which is completely open.

If it helps my vlans consist of:

1 - MGMT for switches, AP, routers
2 - ISP for traffic leaving via my ISP
3 - VPN for traffic leaving via my VPN
4 - CAM for IP cams
5 - GUEST for guests
6 - IoT for tablets and phones that go out via my VPN
7 - PRINT for my printer

2 Likes
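The two posts above describe the approach of blocking everything between vlans first and then adding only the flows that are needed, by alias, and warn that without such rules you end up with "the same setup but with vlans now". The following is an added example, not code from the thread or from pfSense: a small Python model of first-match inter-VLAN rules with an implicit default block. The VLAN names are the ones listed in the post; the port numbers, aliases and the specific flows (printing from every VLAN, the ISP vlan reaching the MGMT vlan, cameras blocked from the Internet) are my own assumptions chosen to mirror the thread.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Aliases: named groups of networks or ports, so rules refer to a group
# rather than to individual IP addresses (constructed for this example).
VLANS = frozenset({"MGMT", "ISP", "VPN", "CAM", "GUEST", "IOT", "PRINT"})
INTERNET = frozenset({"WAN"})
PRINT_PORTS = frozenset({631, 9100})   # IPP and raw printing, assumed
MGMT_PORTS = frozenset({22, 443})      # switch/AP web GUI and SSH, assumed


def alias(*names: str) -> FrozenSet[str]:
    return frozenset(names)


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]               # source networks
    dst: FrozenSet[str]               # destination networks
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]]   # None means any destination port
    action: str                       # "pass" or "block"
    note: str


# Built the way the post describes: start from "block all", then add only
# the flows that are needed, each one referring to an alias.
RULES: List[Rule] = [
    Rule(VLANS, alias("PRINT"), "tcp", PRINT_PORTS, "pass",
         "every VLAN may print"),
    Rule(alias("ISP"), alias("MGMT"), "tcp", MGMT_PORTS, "pass",
         "admin PCs reach switch/AP GUIs"),
    Rule(alias("CAM"), INTERNET, "any", None, "block",
         "cameras never talk to the Internet"),
    Rule(alias("ISP", "GUEST", "IOT", "VPN"), INTERNET, "any", None, "pass",
         "client VLANs get out"),
]

# A ruleset that only looks segmented: one pass-any rule between everything.
FLAT_RULES: List[Rule] = [
    Rule(VLANS, VLANS | INTERNET, "any", None, "pass", "allow everything"),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             port: Optional[int]) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the default block."""
    for r in rules:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r.action, r.note
    return "block", "default deny (no rule matched)"


def is_effectively_flat(rules: List[Rule], vlans: FrozenSet[str] = VLANS) -> bool:
    """True when every VLAN reaches every other VLAN on any protocol and port:
    the VLANs exist on the switch, but the policy behaves like one flat network."""
    return all(evaluate(rules, s, d, "any", None)[0] == "pass"
               for s in vlans for d in vlans if s != d)


if __name__ == "__main__":
    probes = [("GUEST", "PRINT", "tcp", 9100), ("GUEST", "MGMT", "tcp", 443),
              ("ISP", "MGMT", "tcp", 443), ("CAM", "WAN", "tcp", 443),
              ("IOT", "ISP", "tcp", 445)]
    for src, dst, proto, port in probes:
        print(f"{src:>5} -> {dst:<5} {proto}/{port}: {evaluate(RULES, src, dst, proto, port)}")
    print("segmented policy is flat:", is_effectively_flat(RULES))
    print("allow-all policy is flat:", is_effectively_flat(FLAT_RULES))
```

Real pfSense rules are attached per interface and evaluated top-down in the same first-match way, so the order of a block rule relative to a broader pass rule matters exactly as it does in this model; the `is_effectively_flat` check is the question to ask of any finished ruleset.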

I am not sure I understand what you say here…

I understand that VLANs are not safe as is.

But once iptables exists in an unmanaged switch on a single network, nothing prevents a compromised device from accessing any other host on the same network. Higher security arises when firewall rules block traffic between subnets.

Also,

In my actual setup, I already have as much control over the kid as I think is possible within a single network.

  • All the kid’s devices are on static IPs
  • Schedules to manage WAN access
  • DNS at 1.1.1.3

I understand that since even I can click a compromised attachment through email, my desktop PC is to be considered at the same risk level as the kid’s PC, so no need to segregate me and the kid in different subnets.

Also, cameras are already blocked from WAN access except through my openVPN.

The thing is, like for VPN marketing picturing it as absolutely necessary, subnetting a home network by router physical NIC (if any) or VLANs does not have consensus.

Some say that with solid firewall rules, chances of being hacked are dim. But ransomware does exist and I can appreciate how subnets can increase protection.

But honestly, like for VPN again, I am not convinced this is necessary. But since I have much time to spend for 2 months, I am willing to fiddle with pfSense and smart switches.

That said, if any of you want to list pros and cons of going all that way, I am all ears.

And thanks for your input.

@neogrid @xMAXIMUSx

What I mean is that while vlans will segment traffic, you will still have a need to have cross vlan traffic, it depends on the rules.

If somehow access is gained to your vlan, then access to your router is possible, and then vlans won’t matter. Putting in rules on your IoT / kids’ vlan to prevent access to the pfsense GUI is an easy solution, for example.

IMHO it’s more efficient to apply rules to a network than an IP address. Just add the new machine to the vlan, nothing else to do.

You’re probably much more secure running pfsense rather than something else; it took me, at least, a while to come up with a small suite of rules that worked but I could also easily follow. If you have too many rules, it can be difficult to troubleshoot.

As for ransomware, the best thing is not to allow it access to the internet and vice versa, if possible.

Best to take constant snapshots while you are tweaking pfsense, it will come in handy later.

Here is an updated network scheme of what I understand you are proposing. That would be 9 VLANs.

What do you think of that?
Is it not a bit overkill? Be honest; I have already ordered an additional 5 port smart switch and have plenty of time.

How do you think the QoS wizard in pfSense will deal with that ?

Thanks again

Looks fine.

Though I would have a management vlan and place switches / APs on that.

I would match the vlan numbering with subnets; I’ve used 10s as it’s easier to remember.

Vlan 1 tends to be a default, I wouldn’t use it, instead start from 10 onwards.

LOL 5 port switch, too few! If you can run more cable I would put 2 in an LACP lagg when connecting 2 switches.

I think you will have fun with the rules :slight_smile:

1 Like
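The post above recommends numbering vlans in steps of 10, keeping VLAN IDs aligned with subnets, and staying off VLAN 1. The following is an added example, not the poster's or pfSense's own tooling: a Python script that derives each VLAN's /24 from its ID (so that an address such as 10.0.40.23 tells you it sits in VLAN 40) and checks the plan for the usual mistakes. The VLAN names, IDs, base prefix and DHCP range convention are my own assumptions.

```python
import ipaddress
from typing import Any, Dict, List

# VLAN names from the thread; IDs in steps of 10 as the post suggests (assumed).
VLAN_IDS = {"MGMT": 10, "ISP": 20, "VPN": 30, "CAM": 40,
            "GUEST": 50, "IOT": 60, "PRINT": 70}


def subnet_for(vlan_id: int, base: str = "10.0.0.0/16") -> ipaddress.IPv4Network:
    """Pick the vlan_id-th /24 inside base, e.g. VLAN 40 -> 10.0.40.0/24,
    so the third octet of every address equals its VLAN ID."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    if not 0 <= vlan_id < len(subnets):
        raise ValueError(f"VLAN {vlan_id} does not fit in one octet of {base}")
    return subnets[vlan_id]


def build_plan(vlan_ids: Dict[str, int],
               base: str = "10.0.0.0/16") -> Dict[str, Dict[str, Any]]:
    """Per VLAN: subnet, gateway (the pfSense interface address, first host)
    and a DHCP pool from .100 to .254 (a constructed convention)."""
    plan: Dict[str, Dict[str, Any]] = {}
    for name, vid in vlan_ids.items():
        net = subnet_for(vid, base)
        hosts = list(net.hosts())
        plan[name] = {
            "vlan": vid,
            "subnet": net,
            "gateway": str(hosts[0]),
            "dhcp_range": (str(hosts[99]), str(hosts[-1])),
        }
    return plan


def validate_plan(plan: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return human-readable problems: VLAN 1 in use, IDs outside the valid
    802.1Q range, duplicate IDs, and overlapping subnets."""
    issues: List[str] = []
    names = list(plan)
    for name in names:
        vid = plan[name]["vlan"]
        if vid == 1:
            issues.append(f"{name}: VLAN 1 is the switch default VLAN; use another ID")
        elif not 2 <= vid <= 4094:
            issues.append(f"{name}: VLAN ID {vid} is outside 2-4094")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a]["vlan"] == plan[b]["vlan"]:
                issues.append(f"{a}/{b}: duplicate VLAN ID {plan[a]['vlan']}")
            if plan[a]["subnet"].overlaps(plan[b]["subnet"]):
                issues.append(f"{a}/{b}: subnets {plan[a]['subnet']} and "
                              f"{plan[b]['subnet']} overlap")
    return issues


if __name__ == "__main__":
    plan = build_plan(VLAN_IDS)
    for name, entry in plan.items():
        print(f"VLAN {entry['vlan']:>3} {name:<6} {entry['subnet']}  "
              f"gw {entry['gateway']}  dhcp {entry['dhcp_range'][0]}-{entry['dhcp_range'][1]}")
    print("issues:", validate_plan(plan) or "none")
```

The overlap check is the one that matters once you start hand-editing subnets: two VLANs with overlapping prefixes give pfSense ambiguous routes, and the symptom looks like a firewall rule problem rather than an addressing one.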

Seems weird with the extent of the network but it’s in the locker room downstairs. For now, I don’t see it would need more.

Unless I had gotten an 8 POE managed…, not the same price.

  • Uplink
  • Locker cam
  • Server
  • AP in the garage
  • Switch in the garage

Not sure as I haven’t used it. Instead I’ve used Limiters to address bufferbloat. There are many options for traffic shaping, some really pressing the skull, I’m only familiar with Limiters.

1 Like

If I replace the number for VLAN1 to VLAN5, would it not be the management VLAN with only pfSense and the 2 smart switches ?

What PC would be safe enough to be on this VLAN ?

IMHO ordinarily PCs wouldn’t need access to the GUI of switches, APs etc.

However, in my home network I allow my ISP vlan access to the MGMT vlan, mainly because I can’t be bothered to switch cables.

Personally I prefer to keep the vlans and modify rules.

You SSH them?

Mine are just low cost smart switches, not fully managed. No SSH or console port. The only way to configure the VLAN ports is through the GUI.

I just access them via the GUI. I have a rule that allows my ISP-VLAN to access the MGMT-VLAN, from a networking point of view I can see why you wouldn’t in an organisation.

So either put everything on the same network or have rules dictating what you allow across vlans. Six of one half a dozen of the other, so to speak.

1 Like

@neogrid @xMAXIMUSx

The physical server T610 has 3 physical LAN ports.

  • iDRAC
  • LAN0
  • LAN1

As of now, only the iDRAC and LAN0 are used but in a single subnet.

The T610 is running TrueNAS which itself has:
A few data repositories

  • camera recording
    • connected to my PC through iSCSI (maybe I should try to run the NVR in a VM on TrueNAS ?)
  • Media
    • accessed from either Emby server or my PC through SMB
  • Docs
    • accessed from my PC through SMB

A few jails and a VM

  • Emby server, accessed from the Android TV box (Kodi)
  • Seafile server, accessed from my PC only (for now)
  • Asset server, accessed from my music streamer AND cellphone as a control point

Q1 - As I am segmenting through VLAN subnets, should I make any use of the LAN1 on the T610?

Q2 - Should the TrueNAS file hosting be in different vlans than the VM and jails that are servers and mainly accessed from IOT?

Q3 - Should I start another thread named TrueNAS VMs and subnets ? :grin:

I don’t think it’s that complicated.

Some devices will need access to services on a different network. So those services could be hosted on a machine capable of accessing multiple vlans or one vlan. So either you create rules to allow access for say your phone or you move your phone to that network.

If you want to put your phone in an IOT vlan isolated from the rest of the network, you have to decide if you then want to use that device to access your secure network.

It’s easier to create rules for the networks and then move devices between them, say like your phone.

Either way, after a few iterations you will find what works for you and then just stick with it.

As I’m using vlans, I just have the LAN configured directly on pfSense in case I need to access pfsense directly for some reason.

1 Like

One thing I am implementing during my time off work in November is to move all traffic to a VLAN. This allows the default VLAN to be isolated from the rest of my network, so unless a port has been given access to a VLAN it will go nowhere.

Here are the VLANs I have for my new setup:

  • Core Network
  • Server IPMI
  • Physical Servers
  • Virtual Servers
  • LAB
  • Security Cameras & Smart Home
  • Entertainment, Printers & Scanners
  • Family
  • Guests

I always try to think of VLANs as if I had to add physical hardware and cabling; otherwise I found I got VLAN crazy and at one point in one of my previous designs had over 25 VLANs.

1 Like

VLANs can become a rabbit hole and an administrative burden. If somebody gets onto your network, they will pivot from VLAN to VLAN without much friction. It’s safe to assume your “adult pc” will have access to everything, since that will be from where you touch all the things. Somebody breaks that glass door and all those VLANs become a moot point.

For a home network, you would simply segment the things you trust from the things you do not trust. Personal computers and servers are both “trusted” and with or without VLANs will be able to talk to each other regardless. What’s the point of sticking the servers on a separate VLAN only to create firewall rules opening all the ports lol. You don’t run a service you don’t intend to use right?

Really you only “need” 2 segments: One for IOT (which you have little to no control over, and no insight) and one for the devices you do control and have insight (personal computers / servers).

You could establish a third segment for Cameras, plop a VPN server onto that segment and require a VPN connection (from both internal and external) for access - this is a way to add authentication before accessing the Camera VLAN - just depends on the sensitivity of what those cameras see.

The best modern defense is update your junk, put encryption + authentication in front of sensitive information, and have some type of backups + snapshots to help protect against ransomware. Always assume you’re compromised and adjust accordingly.

That’s exactly why I started this post and why, while I have time to invest in trying this, I am skeptical on the usefulness of the whole operation.

In one of his videos on YT, @LTS_Tom is showing how to use mDNS to isolate the IOT from one vlan to the other. This is the only thing, from what I gathered from different vlan segmenting videos, that may convince me that it’s worth the effort to do segmentation.

Otherwise, if I put let’s say, my Android TV box in a VLAN for unsecure IOT, only for it to pull movies or music from the NAS; my limited knowledge of network security keeps me skeptical.

I am still awaiting the delivery of the second smart switch so there is still time to make my mind from all the different comments I get here.

Not to say either is right or wrong; more like different schools. I am just too much of a noob to have a straight opinion. I just have the will to learn and time to spend…
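The post above mentions mDNS as the piece that makes an isolated IoT vlan usable: mDNS is sent to the link-local multicast group 224.0.0.251, which routers do not forward, so a device on another vlan never sees a Chromecast or AirPlay announcement unless something reflects it across. The following is an added example, not code from the thread, from the video mentioned, or from the pfSense Avahi package: a Python parser for mDNS messages together with a filter that decides which packets a reflector should repeat, so that only chosen service types become discoverable across vlans while everything else (file shares, admin interfaces) stays on its own segment. The allowed service list, the packet builders and the test packets are constructed for this example; it does not include the multicast socket loop that a real reflector wraps around such a filter.

```python
import struct
from typing import List, Set, Tuple

MDNS_GROUP = "224.0.0.251"   # link-local multicast: stops at the VLAN boundary
MDNS_PORT = 5353
PTR = 12                     # DNS record type used for service discovery

# Service types we are willing to expose across the boundary (assumed list).
ALLOWED_SERVICES: Set[str] = {"_googlecast._tcp.local", "_airplay._tcp.local"}


def _encode_name(name: str) -> bytes:
    """Plain (uncompressed) DNS name encoding: length-prefixed labels + 0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset just after the name as it appears in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_records(packet: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, rrtype, section) for every question and resource record;
    for PTR records the target instance name is reported as well."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    offset, out = 12, []
    for _ in range(qd):
        name, offset = _read_name(packet, offset)
        rrtype = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4                                # type + class
        out.append((name, rrtype, "question"))
    for _ in range(an + ns + ar):
        name, offset = _read_name(packet, offset)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        out.append((name, rrtype, "answer"))
        if rrtype == PTR:
            target, _ = _read_name(packet, offset + 10)
            out.append((target, rrtype, "ptr-target"))
        offset += 10 + rdlen
    return out


def service_of(name: str) -> str:
    """'Living Room._googlecast._tcp.local' -> '_googlecast._tcp.local'."""
    parts = name.split(".")
    for i, part in enumerate(parts):
        if part.startswith("_"):
            return ".".join(parts[i:])
    return name


def should_reflect(packet: bytes, allowed: Set[str] = ALLOWED_SERVICES) -> bool:
    """Repeat a packet across the VLAN boundary only if every name in it belongs
    to an allowed service type. The '_services._dns-sd._udp.local' meta-query
    and plain host A records (e.g. 'tv.local') are not matched and stay put."""
    records = parse_records(packet)
    return bool(records) and all(service_of(n) in allowed for n, _, _ in records)


def build_query(service: str) -> bytes:
    """Constructed mDNS PTR query for one service type, no compression."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + _encode_name(service) + struct.pack("!HH", PTR, 1)


def build_ptr_response(service: str, instance: str) -> bytes:
    """Constructed authoritative answer whose PTR target uses a pointer (0xC00C)
    back to the owner name at offset 12, as real responders do."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rdata = bytes([len(instance)]) + instance.encode("ascii") + b"\xC0\x0C"
    rr = struct.pack("!HHIH", PTR, 0x8001, 4500, len(rdata)) + rdata
    return header + _encode_name(service) + rr


if __name__ == "__main__":
    for pkt in (build_query("_googlecast._tcp.local"), build_query("_smb._tcp.local"),
                build_ptr_response("_googlecast._tcp.local", "Living Room")):
        print(parse_records(pkt), "->", "reflect" if should_reflect(pkt) else "drop")
```

A reflector such as the Avahi package on pfSense repeats everything it hears; the point of a filter like `should_reflect` is that the IoT vlan then only learns about the media services you chose, and the NAS's SMB or web interface announcements never cross over. The usual caveat applies: once discovered, the actual media stream still needs a firewall rule between the two vlans, and that rule, not the reflector, is what bounds the exposure.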

So for movies / NAS working with IOT is tricky business. Some form of compromise has to be made when you only have the 1 silo.

Ideally the bastion server will be your Media server (in my case Plex) that ultimately has access to both networks and is ultimately the weak point. But at least it becomes a single port of entry which you can attempt to protect (hardening etc…) it to limit the attack surface. I would limit its amount of access to the NAS (no web GUI, no management access) and limit what shares it has access to. Again most of the “security” being in how you configure your storage and media server than the segment / firewall.

1 Like