Hi everyone,
I have lost myself in the networking rabbit hole… Read quite a few posts, watched YouTube videos, … So I thought I could share my plan here and get some feedback, if I am over complicating things.
I have pulled the trigger on a Unifi network and am waiting now on my delivery of my UDM SE, APs and L2 Switches. I wanted to take more control of my network and make it more secure. That being said, the most security will be reached, once I am enhancing my docker networks (which will be done at a later stage). This is setting up the basics.
Networks I want to introduce (Subnets and VLANs):
- Networking (LAN)
  - Router, UDM, APs, …
  - Anything network related should live in this network
- Servers (LAN)
  - My NAS, Hypervisor, Pi, VMs, …
- Trusted (LAN/WLAN)
  - Main home network for PCs, Laptops, Tablets, Phones, …
- Media (LAN/WLAN)
  - TV, PS4, Alexa, Soundbar, …
  - Reason for not putting it on IOT or Trusted: I need the Guest network to be able to reach it and don't want them to reach my Trusted network. IOT I want to be quite limited.
- IOT (WLAN)
  - Vacuum, Photovoltaics, …
- Guests (WLAN)
  - Anyone visiting
In the following diagram you can see my thoughts on how I intend to configure the Firewall: who can talk to whom…
Maybe this diagram is a little clearer:
Old diagram
Is this overkill? Am I blind and missing something?
Looking forward to your feedback and criticism.
Edit: Indication if just LAN, WLAN or both
Edit2: Second diagram, which might be a bit clearer
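One way to sanity-check the intended isolation before building the rules in the UDM, as an added example that is not part of the original post: a first-match, default-deny model of the flows described above (Guests reach Media and the internet but not Trusted; IOT gets internet only; Trusted manages everything). The rule set, the VLAN names and the `Internet` pseudo-destination are assumptions, not the OP's diagram.

```python
# Added example, not the OP's configuration: models an ordered inter-VLAN rule list
# (first match wins, unmatched traffic denied) and checks the post's isolation goals.
# Only new connections are modelled; return traffic is assumed allowed as established/related.
from typing import NamedTuple

VLANS = ["Networking", "Servers", "Trusted", "Media", "IOT", "Guests"]
INTERNET = "Internet"  # assumed pseudo-destination standing in for WAN traffic


class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    src: str     # VLAN name or "*"
    dst: str     # VLAN name, "Internet" or "*"


# Assumed rule order; the same rules in a different order give a different policy.
RULES = [
    Rule("allow", "*", INTERNET),       # every VLAN may reach the internet
    Rule("allow", "Trusted", "*"),      # trusted devices may reach and manage everything
    Rule("allow", "Servers", "Servers"),
    Rule("allow", "Servers", "Networking"),
    Rule("allow", "Guests", "Media"),    # guests may cast to the TV / soundbar
    Rule("allow", "Media", "Media"),
    # IOT has no inter-VLAN allow rule, so it falls through to the default deny
]


def evaluate(src: str, dst: str, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a new connection from VLAN src to dst (VLAN or Internet)."""
    for rule in rules:
        if rule.src in ("*", src) and rule.dst in ("*", dst):
            return rule.action
    return "deny"  # default deny for unmatched inter-VLAN traffic


# Isolation requirements from the post, as (src, dst) pairs that must never be allowed.
MUST_DENY = [
    ("Guests", "Trusted"), ("Guests", "Servers"), ("Guests", "Networking"), ("Guests", "IOT"),
    ("IOT", "Trusted"), ("IOT", "Servers"), ("IOT", "Networking"), ("Media", "Trusted"),
]


def violations(rules=RULES) -> list:
    """Return the MUST_DENY pairs that the given rule list would actually allow."""
    return [(s, d) for s, d in MUST_DENY if evaluate(s, d, rules) == "allow"]


def allow_matrix(rules=RULES) -> dict:
    """Full who-can-talk-to-whom matrix, keyed by (src, dst)."""
    return {(s, d): evaluate(s, d, rules) for s in VLANS for d in VLANS + [INTERNET]}
```

Re-running `violations()` after every rule change catches the classic mistake of a broad allow placed above the isolation rules.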
My advice would be to consider throttling the bandwidth on the guest network, and also blocking ports and using a restricted DNS server with that VLAN.
You can’t vet everyone’s devices so you want to be proactive.
Nice thinking 😊
That being said, VLANs are great for network security. Since you plan on using L2 switches, having many VLANs will require going back to the router every time you initiate communication between 2 VLANs.
Here’s my 2 cents:
- guest and IOT is a no-brainer. They need to be secured.
- I would have an internal VLAN, 1 for internet/DMZ (depending on your needs), 1 for IoT, and 1 for guest
- Unless you want to do some serious security firewall rules, a server VLAN is probably overkill.
- An out-of-band management VLAN is nice, but most consumers' network equipment doesn't have a dedicated port for that. So, it's probably overkill in your scenario.
- put as many streaming devices (media, tv) on a physical ethernet cable to reduce latency.
Happy design!
A guest VLAN only has access to the internet by definition. If you want your friends to access your media, just create an additional WiFi SSID in your internal network for that purpose. That way, you can have your media in your internal network and avoid app connectivity issues (e.g. the soundbar app requires your phone or tablet to be in the same VLAN to manage it).
😊