What's bad about this setup?

The following setup is for a home network. It's just a theoretical one, a case study I created myself for my (near) future home network upgrade. I'm a noob in terms of networking, but I have some amount of knowledge in this field due to my background in software engineering.
For now, I will not go into detail about my goals and reasons for the setup, but in general, I want it to be as secure/private as possible, and devices/clients must be accessible to each other, with some exceptions mentioned in the picture.
I intentionally give vague information to ask the following question. In your view, even without knowing the details of the network and just by looking at the diagram, what can make you scream something like "God, please don't, just don't" right away? To me, it's the single point of failure and that it's somewhat flat, which are generally acceptable for a home network, I think.

I did not google the model numbers, but make sure all the switches you are using support VLANs.


Thanks for the response, Tom. They all support VLANs. Do you have any other comments on this conceptual design?

Not that it is wrong necessarily, but why 3 switches? Unless there are logistical reasons, such as not all your wired connections terminating at the same spot.

Technically we can reduce back to only 1 switch, but for my location, the best I can get is a 16-port PoE+ switch, so I need 2 L2 "smart" switches as in the picture (16+16). The original idea was to connect both of them directly to pfSense. However, I want the devices on the 2 switches to be able to connect to each other. I'm not sure if pfSense can perform that kind of routing, so I put another L3 switch there (with a question mark). If possible, I want to take out that L3 switch to reduce the cost.

If your IPTV is multicast-based, make sure you have IGMP support on your switches. Enable snooping for your IPTV VLAN and disable immediate leave.

I'm assuming in your house you're not running a vBrick or other actual IPTV system. So just making sure: when you say IPTV, are you really just talking about a smart television connected to the internet?

I am personally a fan of isolating IoT devices from personal devices, and some even further isolated from other IoT devices.

For example, my IP security cameras are in their own VLAN with no internet and inaccessible from any device outside that VLAN except where I've specifically made a rule to allow specific devices to reach them. Other IoT devices like smart TVs, Alexa devices, smart home devices, etc. are in a VLAN with internet access but still isolated from my personal devices.

So basically my IoT devices can talk to each other and can talk to the internet. But my IoT devices have no access to my personal devices. And since the cameras are in yet another VLAN, my IoT devices cannot reach my security cameras and start sending live video of my house back to China. And the cameras have no access to the internet and no access to anything anywhere. The cameras can talk to each other and basically do nothing else, again much to the dismay of the Chinese government.

It was obviously more work setting up the VLANs and the firewall rules to make everything work happily the way I wanted. But I feel I am better off security-wise.
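The three-VLAN policy described in the post above (personal, IoT, cameras) can be written down and checked before it goes into a firewall. The Python below is an added example, not the poster's configuration or a pfSense export: the subnets, host addresses and rule list are all constructed assumptions, and the evaluator models pfSense-style first-match rules with an implicit default deny. The `find_violations` function encodes the intent ("IoT never reaches personal or cameras, cameras reach nothing outside their VLAN") and reports any rule that would contradict it, which is the kind of self-check worth running after every rule change.

```python
"""Policy-as-code model of a three-VLAN home network (personal / IoT / cameras)
with first-match, default-deny firewall rules. Every subnet, address and rule
here is constructed for this example, not taken from a real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical VLAN subnets (assumption, not from the original post).
VLANS = {
    "personal": ip_network("192.168.10.0/24"),
    "iot":      ip_network("192.168.20.0/24"),
    "cameras":  ip_network("192.168.30.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its VLAN name; anything outside the VLANs is 'internet'."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str       # a zone name or a single host address
    dst: str
    action: str    # "allow" or "deny"
    note: str = ""


# Ordered the way a firewall evaluates them: first match wins, implicit deny last.
RULES = [
    Rule("192.168.10.5", "cameras", "allow", "the one viewer host allowed to reach cameras"),
    Rule("iot", "personal", "deny", "IoT never initiates to personal devices"),
    Rule("iot", "cameras", "deny", "IoT never initiates to cameras"),
    Rule("iot", "internet", "allow", "IoT still gets internet"),
    Rule("personal", "internet", "allow"),
    Rule("personal", "iot", "allow", "assumption: people may control their own IoT gear"),
    # No rule lets the cameras VLAN initiate anything: it falls to the implicit deny.
]


def _matches(pattern: str, ip: str, zone: str) -> bool:
    return pattern == zone or pattern == ip


def decide(src_ip: str, dst_ip: str, rules=RULES) -> str:
    """Decision for a NEW connection from src_ip to dst_ip (initiating direction only;
    reply packets are permitted by the firewall's state table, not by these rules)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone in VLANS:
        # Same-VLAN traffic is switched at layer 2 and never reaches the firewall,
        # so no rule can block it: the VLAN boundary itself is the isolation.
        return "allow"
    for rule in rules:
        if _matches(rule.src, src_ip, src_zone) and _matches(rule.dst, dst_ip, dst_zone):
            return rule.action
    return "deny"  # implicit default deny


# Intent the rules must enforce: (src_zone, dst_zone) pairs that may never be allowed.
FORBIDDEN = {
    ("iot", "personal"), ("iot", "cameras"),
    ("cameras", "internet"), ("cameras", "personal"), ("cameras", "iot"),
}

SAMPLE_HOSTS = [                       # constructed sample hosts, one or two per zone
    "192.168.10.5", "192.168.10.6",    # personal (10.5 is the camera viewer host)
    "192.168.20.7",                    # IoT (a smart TV)
    "192.168.30.2", "192.168.30.3",    # cameras
    "203.0.113.10",                    # an internet address (documentation range)
]


def find_violations(hosts=SAMPLE_HOSTS, rules=RULES):
    """Return every (src, dst) pair that the intent forbids but the rules would allow."""
    bad = []
    for src in hosts:
        for dst in hosts:
            if src == dst:
                continue
            if (zone_of(src), zone_of(dst)) in FORBIDDEN and decide(src, dst, rules) == "allow":
                bad.append((src, dst))
    return bad


if __name__ == "__main__":
    for src, dst in [("192.168.20.7", "203.0.113.10"), ("192.168.20.7", "192.168.30.2"),
                     ("192.168.30.2", "203.0.113.10"), ("192.168.10.5", "192.168.30.2")]:
        print(f"{src} ({zone_of(src)}) -> {dst} ({zone_of(dst)}): {decide(src, dst)}")
    print("violations:", find_violations())
```

Two caveats the model makes explicit: traffic between two hosts in the same VLAN never touches the firewall, so "cameras can talk to each other" is a property of the VLAN layout rather than of any rule; and the rules only govern the initiating direction, so a camera can still answer the viewer host because the state table, not a camera-side allow rule, lets the replies through.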