VLAN Setup Smarthome, Security vs. Convenience

Dears!

I am planning a setup for my smart home. I am looking for a “secure” but still practical VLAN setup.
How would you setup the VLANs?

HW Infrastructure:

  • FW: Netgate 6100
  • Switch: Unify 48 Port POE, Gen3
  • Homeserver: Truenas Core with several docker containers and a few VMs

General Classes of Clients

  • Network infrastructure clients
  • Smart Home Server (Loxone)
  • several office devices such as Windows and Android clients
  • IOT devices, such as: Inverter for PV, TVs, vacuum cleaner
  • Cameras and NVRs
  • several docker containers and VMs such as: Portainer, Pi-Hole, Grafana, Syncthing, …

Requirements:

  • i want to minimize damage if a device is being compromised
  • I want to minimize “phoning home”-traffic
  • still I want to be able to admin the network with reasonable effort

Questions

  • Do you have any suggestions of “VLAN-Classes” ?
  • Is Tom’s layout as in his YT video "Basic Setup and Configuring pfsense Firewall Rules For Home" applicable here as well? Maybe a more sophisticated approach would make sense?
  • How should docker container and VMs being treated generally? Just put them into one VLAN and open ports to other VLANs accordingly?
  • Is it reasonable to be totally restrictive with FW rules and just punch holes in the FW in opening specific ports to other VLANs, or create as few VLANs as possible with more devices in each of those?

tnx for your input & greetings from Austria!

Welcome to the forums and I am fine with my “Basic Setup and Configuring pfsense Firewall Rules For Home” :slight_smile:

1 Like

hi!
How do you treat docker applications? would you put them into the “NSFW LAN”?
br
Stefan

Well for what it’s worth my setup is the following:
Screenshot from 2022-09-18 11-43-24

Management - stick all my switches and APs on, it can see ALL.
ISP - my “main” network with ad blockers, traffic shaping, it can see ALL.
VPN - all traffic exits via VPN, if their server goes down, no traffic can exit the WAN, it can see ALL.
CAM - no traffic can leave the WAN, it cannot access other vlans.
GUEST - all traffic exits the ISP, no ad blocker, no traffic shaping, cannot see other vlans, cannot see pfSense GUI - also use this for testing if a web page doesn’t render properly.
IOT - traffic exits via VPN, it cannot see other vlans.
DEUS - a work VPN, it cannot see anything and exits via the ISP without any ad blockers, traffic shaping.
PRINT - where my printer sits, that can be accessed by Guests and ISP vlans.

It took me a while to get to grips with pfSense, so I thought it was better to have the vlans in place and if I didn’t use them then no harm done.

My advice is to have at least one vlan where you haven’t modified the line to internet, I block so much stuff that sometimes pages don’t render properly, so I pop onto the GUEST vlan and quickly check if it might be blocker stopping something.

I don’t think the vlans are the issue per se, but you need to test your rules to make sure the vlans work as intended. I do have multiple network devices with quad nics which allow me to access more than one vlan so to speak.

1 Like