VLAN Setup Smarthome, Security vs. Convenience

Dears!

I am planning a setup for my smart home. I am looking for a “secure” but still practical VLAN setup.
How would you set up the VLANs?

HW Infrastructure:

  • FW: Netgate 6100
  • Switch: UniFi 48 Port PoE, Gen3
  • Homeserver: TrueNAS Core with several Docker containers and a few VMs

General Classes of Clients

  • Network infrastructure clients
  • Smart Home Server (Loxone)
  • several office devices such as Windows and Android clients
  • IoT devices, such as: inverter for PV, TVs, vacuum cleaner
  • Cameras and NVRs
  • several docker containers and VMs such as: Portainer, Pi-Hole, Grafana, Syncthing, …

Requirements:

  • I want to minimize damage if a device is compromised
  • I want to minimize “phoning home”-traffic
  • still I want to be able to admin the network with reasonable effort

Questions

  • Do you have any suggestions of “VLAN-Classes” ?
  • Is Tom’s layout as in his YT video "Basic Setup and Configuring pfsense Firewall Rules For Home" applicable here as well? Maybe a more sophisticated approach would make sense?
  • How should Docker containers and VMs be treated generally? Just put them into one VLAN and open ports to other VLANs accordingly?
  • Is it reasonable to be totally restrictive with FW rules and just punch holes in the FW by opening specific ports to other VLANs, or to create as few VLANs as possible with more devices in each of them?

Thanks for your input & greetings from Austria!

Welcome to the forums and I am fine with my “Basic Setup and Configuring pfsense Firewall Rules For Home” :slight_smile:

1 Like

Hi!
How do you treat Docker applications? Would you put them into the “NSFW LAN”?
br
Stefan

Well for what it’s worth my setup is the following:
Screenshot from 2022-09-18 11-43-24

Management - stick all my switches and APs on, it can see ALL.
ISP - my “main” network with ad blockers, traffic shaping, it can see ALL.
VPN - all traffic exits via VPN, if their server goes down, no traffic can exit the WAN, it can see ALL.
CAM - no traffic can leave the WAN, it cannot access other vlans.
GUEST - all traffic exits the ISP, no ad blocker, no traffic shaping, cannot see other vlans, cannot see pfSense GUI - also use this for testing if a web page doesn’t render properly.
IOT - traffic exits via VPN, it cannot see other vlans.
DEUS - a work VPN, it cannot see anything and exits via the ISP without any ad blockers or traffic shaping.
PRINT - where my printer sits, that can be accessed by Guests and ISP vlans.

It took me a while to get to grips with pfSense, so I thought it was better to have the vlans in place and if I didn’t use them then no harm done.

My advice is to have at least one vlan where you haven’t modified the line to internet, I block so much stuff that sometimes pages don’t render properly, so I pop onto the GUEST vlan and quickly check if it might be blocker stopping something.

I don’t think the vlans are the issue per se, but you need to test your rules to make sure the vlans work as intended. I do have multiple network devices with quad nics which allow me to access more than one vlan so to speak.

2 Likes

This is pretty helpful IMO

Thanks. Funnily enough I recently needed to completely rebuild pfsense and my main network switch. The rules and vlans were essentially unchanged, so I think they have stood the test of some time. What was super handy was having Proxmox running with vms running on each vlan so I could troubleshoot on the fly.

What I have omitted to say above is that I also block all ports by default, then use an alias to allow that traffic to exit either the vlan or WAN, was painful at the beginning but has settled down, now.

The thing that came in handy was keeping the LAN port on the router free (I don’t use it), the other ports are in a LAGG to pfsense passing all the vlan traffic. When things failed just plugging into the LAN port with my laptop was handy to troubleshoot.
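The two replies above describe the same design from two angles: a per-VLAN layout (Management and ISP see everything, CAM sees nothing, GUEST reaches only the printer and the internet) and, underneath it, a block-all default with aliases that punch the holes. The following is an added example, written here and not code from the posts or from pfSense, that models that design as an ordered, first-match rule list per source VLAN with an implicit deny, so the rules can be checked for the "does this VLAN really see that VLAN" questions before touching the firewall. Everything in it is assumed for illustration: the VLAN names are taken from the reply, destinations are symbolic (a VLAN name, "WAN" for the internet, "FIREWALL" for the pfSense GUI), and the printer and GUI ports are assumed, not taken from the thread.

```python
"""Toy model of a default-deny inter-VLAN policy (added example, not pfSense code).

pfSense evaluates rules on the interface where traffic enters, first match
wins, and traffic that matches no pass rule is dropped. This model copies those
semantics with symbolic destinations so a rule set can be audited offline.
"""
from typing import Optional

# VLAN names from the layout described in the thread (subnets omitted: symbolic model).
VLANS = ["MGMT", "ISP", "VPN", "CAM", "GUEST", "IOT", "DEUS", "PRINT"]
# Pseudo-destinations: the internet and the firewall's own management GUI.
WAN, FIREWALL, ANY = "WAN", "FIREWALL", "ANY"
ALL_DESTS = set(VLANS) | {WAN, FIREWALL}

# Stand-ins for pfSense aliases (named groups of networks or ports).
ALIASES = {
    "ALL_VLANS": set(VLANS),
    "PRINT_PORTS": {631, 9100},   # assumed printer ports (IPP, raw JetDirect)
    "GUI_PORTS": {443},           # assumed HTTPS port of the firewall GUI
}

# Per-source-VLAN rules: (action, destination, ports); ports=None means any port.
# Order matters. A VLAN with an empty list passes nothing at all.
RULES = {
    "MGMT":  [("pass", ANY, None)],           # can see ALL
    "ISP":   [("pass", ANY, None)],           # can see ALL
    "VPN":   [("pass", ANY, None)],           # gateway selection (VPN vs ISP) is out of scope
    "CAM":   [],                              # no WAN, no other VLANs: implicit block only
    "GUEST": [("pass", "PRINT", "PRINT_PORTS"),
              ("block", FIREWALL, None),
              ("block", "ALL_VLANS", None),
              ("pass", WAN, None)],
    "IOT":   [("block", "ALL_VLANS", None),
              ("block", FIREWALL, None),
              ("pass", WAN, None)],
    "DEUS":  [("block", "ALL_VLANS", None),
              ("block", FIREWALL, None),
              ("pass", WAN, None)],
    "PRINT": [],                              # assumed: the printer initiates nothing
}


def _dests(target: str) -> set:
    """Expand a destination (VLAN name, alias, WAN, FIREWALL or ANY) to concrete names."""
    return set(ALL_DESTS) if target == ANY else set(ALIASES.get(target, {target}))


def _ports(ports) -> Optional[set]:
    """Expand a port spec (None, an alias name, or an iterable of ints) to a set or None."""
    if ports is None:
        return None
    return set(ALIASES[ports]) if isinstance(ports, str) else set(ports)


def evaluate(src: str, dst: str, port: Optional[int] = None) -> str:
    """Verdict ('pass' or 'block') for a new connection from VLAN src to dst:port."""
    for action, target, ports in RULES.get(src, []):
        allowed_ports = _ports(ports)
        if dst in _dests(target) and (allowed_ports is None or port in allowed_ports):
            return action
    return "block"   # implicit default deny: no matching rule on the ingress interface


def shadowed_rules(rules) -> list:
    """Indices of rules that can never match because an earlier rule already covers
    every destination and port they name (the classic 'block before pass' mistake)."""
    shadowed = []
    for i, (_, tgt, ports) in enumerate(rules):
        d, p = _dests(tgt), _ports(ports)
        for _, etgt, eports in rules[:i]:
            ed, ep = _dests(etgt), _ports(eports)
            if d <= ed and (ep is None or (p is not None and p <= ep)):
                shadowed.append(i)
                break
    return shadowed


# Behaviours stated in the reply, as (src, dst, port, expected verdict). Constructed cases.
EXPECTED = [
    ("MGMT", "CAM", 554, "pass"),
    ("CAM", "WAN", 443, "block"),
    ("CAM", "ISP", 445, "block"),
    ("GUEST", "PRINT", 9100, "pass"),
    ("GUEST", "PRINT", 22, "block"),
    ("GUEST", "ISP", 445, "block"),
    ("GUEST", "FIREWALL", 443, "block"),
    ("GUEST", "WAN", 443, "pass"),
    ("IOT", "WAN", 443, "pass"),
    ("IOT", "MGMT", 22, "block"),
    ("DEUS", "ISP", 80, "block"),
    ("ISP", "PRINT", 631, "pass"),
]


def audit(expected=EXPECTED) -> list:
    """Return the cases whose verdict disagrees with what the design promises."""
    return [(s, d, p, want, evaluate(s, d, p))
            for s, d, p, want in expected if evaluate(s, d, p) != want]


if __name__ == "__main__":
    print("policy mismatches:", audit())
    # A GUEST list with the block placed before the printer hole: rule 1 is dead.
    print("shadowed:", shadowed_rules([("block", "ALL_VLANS", None),
                                       ("pass", "PRINT", "PRINT_PORTS")]))
```

The `audit()` list is the part worth keeping around: every sentence of the kind "GUEST cannot see other VLANs" becomes one expected verdict, and a rebuild like the one described above can be checked against it before any client is plugged in. `shadowed_rules()` catches the ordering mistake that a first-match engine makes easy, where a broad block placed ahead of a narrow pass silently kills the printer hole.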