Hi everyone,

I have lost myself in the networking rabbit hole… Read quite a few posts, watched YouTube videos, … So I thought I could share my plan here and get some feedback, if I am over complicating things.

I have pulled the trigger on a UniFi network and am now waiting for delivery of my UDM SE, APs and L2 switches. I wanted to take more control of my network and make it more secure. That being said, most of the security gain will come once I harden my Docker networks (which will be done at a later stage). This is about setting up the basics.

Networks I want to introduce (Subnets and VLANs):

  • Networking (LAN)
    • Router, UDM, APs, …
    • Anything network related should live in this network
  • Servers (LAN)
    • My NAS, Hypervisor, Pi, VMs, …
  • Trusted (LAN/WLAN)
    • Main home network for PCs, Laptops, Tablets, Phones, …
  • Media (LAN/WLAN)
    • TV, PS4, Alexa, Soundbar, …
    • Reason for not putting it on IOT or Trusted: I need the Guest network to be able to reach it, and I don’t want guests to reach my Trusted network. IOT I want to be quite limited.
  • IOT (WLAN)
    • Vacuum, Photovoltaics, …
  • Guests (WLAN)
    • Anyone visiting

In the following diagram you can see my thoughts on how I intend to configure the firewall: who can talk to whom.

Maybe this diagram is a little clearer:

https://preview.redd.it/siftt8ydro2c1.png?width=666&format=png&auto=webp&s=0d2e8fcd57d8ce45bcb0bc62e2bdaf71cd6d2213

Old diagram

https://preview.redd.it/qqfce2ii4o2c1.png?width=770&format=png&auto=webp&s=f99ad2bb5817386c723c3749a3418f0076783ba2

Is this overkill? Am I blind and missing something?

Looking forward to your feedback and criticism.

Edit: Indicated whether each network is LAN only, WLAN only, or both
Edit2: Added a second diagram, which might be a bit clearer

2 points

My advice would be to consider throttling the bandwidth on the guest network and also block ports and use a restricted dns server with that vlan.

You can’t vet everyone’s devices so you want to be proactive.

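The allow matrix described in the post (guest reaches media but not trusted, IOT limited to the internet, trusted manages everything) and the restricted-DNS suggestion in the reply above, modelled as an ordered first-match rule list so the intent can be tested before it is clicked into a controller. This is an added example, not code from the original post or from Ubiquiti; the subnets, the gateway address, the servers-to-networking allow and the exact per-pair decisions are assumptions, since the diagram is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed address plan: the post names the VLANs but gives no subnets,
# so these are assumed purely for illustration.
VLANS = {
    "networking": ipaddress.ip_network("10.0.10.0/24"),
    "servers":    ipaddress.ip_network("10.0.20.0/24"),
    "trusted":    ipaddress.ip_network("10.0.30.0/24"),
    "media":      ipaddress.ip_network("10.0.40.0/24"),
    "iot":        ipaddress.ip_network("10.0.50.0/24"),
    "guest":      ipaddress.ip_network("10.0.60.0/24"),
}
GUEST_GATEWAY = [ipaddress.ip_network("10.0.60.1/32")]  # router's address on the guest VLAN (assumed)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    established: bool = False  # True for return traffic of a connection the other side opened


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "drop"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    established_only: bool = False   # matches only packets of already-established connections

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (
            (not self.established_only or pkt.established)
            and any(s in n for n in self.src)
            and any(d in n for n in self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, the way an ordered inter-VLAN rule list behaves.
    Returns (action, name of the rule that decided)."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return "drop", "implicit-deny"


V = VLANS
RULES = [
    # 1. Return traffic of connections that a permitted side opened.
    Rule("allow-established", "allow", ANY, ANY, established_only=True),
    # 2. Trusted devices may reach every internal network (they manage the rest).
    Rule("trusted-to-all", "allow", [V["trusted"]], RFC1918),
    # 3. Servers may reach the networking gear (assumed: monitoring / controller backups).
    Rule("servers-to-networking", "allow", [V["servers"]], [V["networking"]]),
    # 4. Guests may reach the media VLAN (the post's reason for a separate media network).
    Rule("guest-to-media", "allow", [V["guest"]], [V["media"]]),
    # 5. Guests may only use the gateway's resolver: allow it, then drop DNS to anyone else.
    Rule("guest-dns-gateway", "allow", [V["guest"]], GUEST_GATEWAY, dport=53),
    Rule("guest-dns-other", "drop", [V["guest"]], ANY, dport=53),
    # 6. Catch-all: nothing else crosses between internal networks.
    Rule("block-inter-vlan", "drop", RFC1918, RFC1918),
    # 7. Whatever survived is internet egress.
    Rule("allow-internet", "allow", ANY, ANY),
]

# Constructed test packets stating what the design is supposed to do.
INTENT = {
    "guest cannot reach trusted":  (Packet("10.0.60.23", "10.0.30.10", "tcp", 445), "drop"),
    "guest can reach media":       (Packet("10.0.60.23", "10.0.40.5", "tcp", 8009), "allow"),
    "guest must use gateway dns":  (Packet("10.0.60.23", "8.8.8.8", "udp", 53), "drop"),
    "guest can use gateway dns":   (Packet("10.0.60.23", "10.0.60.1", "udp", 53), "allow"),
    "iot reaches internet":        (Packet("10.0.50.7", "203.0.113.9", "tcp", 443), "allow"),
    "iot cannot reach servers":    (Packet("10.0.50.7", "10.0.20.2", "tcp", 22), "drop"),
    "trusted can reach iot":       (Packet("10.0.30.10", "10.0.50.7", "tcp", 80), "allow"),
    "iot replies to trusted":      (Packet("10.0.50.7", "10.0.30.10", "tcp", 51234, True), "allow"),
    "servers reach networking":    (Packet("10.0.20.2", "10.0.10.1", "tcp", 443), "allow"),
}


def check_policy(rules: List[Rule]) -> Dict[str, bool]:
    """Map each stated intent to whether the rule list actually honours it."""
    return {name: evaluate(rules, pkt)[0] == want for name, (pkt, want) in INTENT.items()}


def misordered(rules: List[Rule]) -> List[Rule]:
    """The classic mistake: the RFC1918 catch-all placed above the specific allows."""
    block = next(r for r in rules if r.name == "block-inter-vlan")
    return [block] + [r for r in rules if r is not block]


if __name__ == "__main__":
    for name, ok in check_policy(RULES).items():
        print(f"{'ok ' if ok else 'FAIL'} {name}")
    print("misordered:", check_policy(misordered(RULES)))
```

`misordered()` shows why the catch-all block has to sit below the specific allows: with the RFC1918 drop at the top, guest-to-media and even the established-connection rule never match, so the media VLAN and every reply packet are cut off. Ordered, first-match evaluation is also how the UDM processes its inter-VLAN rule list, so the same ordering applies there. One caveat on the DNS rules: pinning port 53 to the gateway only catches classic DNS; a guest device that resolves over HTTPS on port 443 bypasses the restricted resolver entirely.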
1 point

Nice thinking 😊

That being said, VLANs are great for network security. Since you plan on using L2 switches, having many VLANs will require going back to the router every time you initiate communication between two VLANs.

Here’s my 2 cents:

  • Guest and IoT are a no-brainer. They need to be secured.
  • I would have an internal VLAN, one for internet/DMZ (depending on your needs), one for IoT, and one for guest.
  • Unless you want to do some serious security firewall rules, a server VLAN is probably overkill.
  • An out-of-band management VLAN is nice, but most consumer network equipment doesn’t have a dedicated port for that. So it’s probably overkill in your scenario.
  • Put as many streaming devices (media, TV) on a physical Ethernet cable to reduce latency.

Happy design!

1 point

A guest VLAN only has access to the internet by definition. If you want your friends to access your media, just create an additional Wi-Fi SSID in your internal network for that purpose. That way, you can have your media in your internal network and avoid app connectivity issues (e.g. a soundbar app requires your phone or tablet to be in the same VLAN to manage it).

😊

