Correctly organize and manage security in home vlans

Hello,

I wanted to ask you for advice to correctly configure my homelab at home and the entire network along with vlans in it.

I currently have the following devices:

Main router: GLINET MT6000 (manages internet connection, DHCP, DNS, ADGUARD, main Wifi, etc...) It is located in the living room, last available openwrt snapshot installed.

Secondary router: GLINET MT6000 configured as APDUMB, last available openwrt snapshot installed.

From the main router in the living room, I have a Cat6 network cable to the office/bedroom 2, connected to a switch (the switch is 1 Gb, a TL-SG108E managed switch, although I intend to upgrade to 2.5G). From the switch, several Cat6 network cables run out in the same room: one to the desktop computer, another for the laptop, another for the MT6000 dumb AP, etc.

In a few days I will receive the new homelab mini PC server, which will replace the current homelab Raspberry Pi (Home Assistant and a few containers in Docker); the new server will run Proxmox. I am still deciding whether I will connect it in the living room or in the office/bedroom 2.
Currently only my desktop computer and the new mini PC server use 2.5G, and I want to take advantage of that throughout the network, so since each MT6000 only has two 2.5G ports, I need to replace the switch to move up to 2.5G.

The point is that, apart from configuring and redesigning the network in the best way, I want to increase its security and create VLANs. Among other things, I have home automation devices (smart plugs, sensors and more things via Wi-Fi) which do not really need to have internet access outside the home, only locally.

I would like to create several VLANs: for IoT (with internet outside the home), IoT (without internet), guest Wi-Fi, LAN, etc., and for this I need help, since I do not know how to structure it, nor do I know how to create them on these routers.

Rough diagram of how the routers and switches are placed (missing the mini PC server and some other things whose location is still to be decided)

Any recommendation will be welcome :slight_smile:

Thanks for reading, I think I haven't forgotten anything, otherwise I'll update.

I stopped reading here
it is a brick, an unusable piece of electronics .. :frowning:
please stay away from "easy", "web smart" and similar devices

one TP-Link switch to recommend is the TL-SG3210X
2.5G + 10G + SNMP + LLDP + you could run away from (god damn) VLAN 1 management ...

after you dispose of your SG108E, things will be much, much better

If you had read everything, you would have read that a change to the switch setup is pending; unfortunately we are not rich at the moment, but we will try.

With increased security comes increased complexity. It sounds like you're OK with that.

How do you plan to assign vlans? Will it be assigned at the switch port and/or which wifi network devices attach to?

When I was in the corporate world, we'd assign VLANs based on MAC address, which I knew was a really poor way to do it since MACs are so easily changed. The thought was that we'd eventually move to certificate services for assignment. Thankfully I retired before I had to tackle that project.

It was really complicated, but it was fairly well designed, in that our servers and NAS were separated from the rest of the world with access controlled by lists. If I were to attack this at home, I'd probably just do two VLANs for devices: one for the devices I trust, and one for devices I'd just put on my guest network.

But unfortunately I don't really trust any of my devices :stuck_out_tongue: We've seen backdoors planted in plain sight (CVE-2024-3094). Nation-state backdoors in Cisco devices that should scare the daylights out of anyone managing an ASA (CVE-2024-20353 and CVE-2024-20359).

Would your IOT devices be fine on a guest network? Would your entire Home Assistant stuff go onto the guest network?

If it helps, it might be good to describe what you'd like to design your network to protect against. And then surrender to the fact that if someone or some nation is determined enough, and you're high profile enough, that all your base will belong to them.

Personally, if it were me, I'd start by adding a guest network and build it slowly and incrementally as it makes sense.

1 Like

The whole point of my writing was that the SG108E will break your mind and nerves.
You are starting a new project with VLANs; it is not so easy to learn & configure at the same time ... every piece of junk will make things harder, and in the end, the SG108E will decide how your management VLAN will work :frowning:
This is not the correct way to start a new project from scratch.

the rest of the devices are OK, typical home lab / advanced networking at home

Other than the management interface listening on all vlans (I believe that's the primary issue with the sg108e), what else about it will break minds and nerves?

some versions of this device will pass LLDP packets, some don't
some will freeze on BPDU packets; in some versions there is no chance to "turn off" VLAN 1 on a port, and similar "nice" things
and yes, lack of SNMP, lack of LLDP ...

1 Like

Thank you for your response, I'm still not sure how to address this, which is why I wrote this post.

I have never created VLANs (only for WAN before) in OpenWrt.

The guest network will be for Wi-Fi guests only, and maybe on only one of the two bands, 2.4G or 5G (yet to be decided). The SSID will be hidden and I will have a QR code to let guests log in as I want (maybe the Wi-Fi on/off will also be scheduled).

Outside of this, I have nothing clear or decided, which is why I asked for help.

I have the latest hardware version, but I do know that it is not very good; that is why I plan to change it for a 2.5G one, but it is not easy to find a reliable managed one at a good price.

thanks!

1 Like

I'd start small and work your way up incrementally.

The guest network is a great place to start. I'd question everything as you go along that path. For instance, why would you want to hide your SSID? Depending on how populated your wireless bands are, it might make sense to advertise your SSID so others can play nice.

I don't think that hiding your SSID is going to increase security. At least I've never heard of that being a useful measure. I could be wrong.

Again, question everything so you understand why you're doing it. Are you protecting millions of dollars in hot wallet storage? Or are you protecting family photos that are backed up and off-line? If you have a hot wallet, maybe it makes sense to make it a cold wallet and forgo the increased complexity. I don't expect answers here but I think you should have good reasons behind your decisions. But depending on how many other humans outside of yourself that use your network, increased complexity for the sake of increased complexity will only add to end-user frustration and suck up more of your time fixing things.

I don't know that there is really a "correct" way to design your network. Security is always a compromise. Usually a compromise with frustration-levels.

Start with a guest network. Kick out all your untrusted IOT devices to it and see what breaks.

1 Like

Thank you for your answer, although it is not exactly what I am looking for, which is to separate everything by VLAN in order to have a structure. When I talk about security and increasing it, VLANs come into play since they separate networks and thus increase their security; I am not talking about being stronger, I'm talking about giving each device exactly what it needs, nothing more and nothing less.

My IoT devices have two scenarios, some type but I don't want it to be the main one, since the Xiaomi firmware and similar don't give me any security at all.

I know that @psherman knows a lot about VLANs and has helped with these approaches before; I have been reading several dozen messages and posts about it.

1 Like

VLANs separate networks virtually. You'll still be sharing the same physical infra. That was always my worry with adding a guest network: it still touches the same switch fabric. If there's a way to traverse that, I'm sure it's been done.

Giving a device exactly what it needs nothing more nothing less sounds like a nice thought. I'm sure you'll get it figured out

1 Like

Well, there's also Netgear with their GS10x line, or Zyxel GS190x, a bit more expensive, for non-2.5Gb.

I've had both a TP-Link SG1024DE and an SG108E, but like @NPeca75 has said, these switches can cause stability issues; in my case it often happened that a switch started to send VLANs bidirectionally when one of them was disconnected or restarted.

I think with one switch you might be okay despite the strange issues it can have (?), but if you introduce another one then you can get very strange issues and stability issues; for a beginner I wouldn't recommend them for this reason :+1:

Though for VLANs I used videos from OneMarcFifty to learn how to do it:

Though one thing I wish I had known before is that it is better not to create multiple bridges and then mix other concurrent bridge devices in them; it may work, but it is still tricky. Instead, in such a scenario it's easier to add a gretap device or a vxlan device inside the br-lan bridge and tag the VLAN there :smile:, but this is a story for another time and not necessarily your use case; just concentrate on VLANs :+1:

3 Likes

That was one of the videos I saw; too confusing, as it was another version, and it didn't help at all, it just generated more doubts hahaha.

thanks!

Maybe first try to set up VLANs without that contentious switch in between. You have two devices running OpenWrt, so you got the hardware to test.

This script will help you set up basic VLANs and can help you on your way:

3 Likes

I would start by setting up a guest network on your main router. If you use the guest wifi tutorial as a starting point, you can make some small modifications to make it work with ethernet via VLANs after the initial setup is complete.

With additional subnets/VLANs, the security between networks is handled by the firewall. The guest network tutorial does indeed setup the correct firewall rules to isolate the networks from each other while still allowing internet access. The formula can be tweaked to block internet access and/or to allow networks to communicate with each other (including the ability to allow hosts on one network to initiate connections to the other but not vice versa).

Permissions to join a given network can be handled in a few different ways (I'll omit MAC address based allowances):

  • physical connectivity via an ethernet access port or a given SSID+password is the easiest.
  • It is possible to have a single SSID with different passwords; the password used will determine which subnet is joined.
  • 802.1x authentication is the most complex and usually overkill for home and small business type environments and it involves client side credentials and a RADIUS server.

Generally speaking, when working in a home environment, the first option is totally fine from a security standpoint unless you happen to have adversarial (and determined) attackers within physical range of your network (and usually you'd still need to be a high value target for them to spend any real time hacking at your network).

As far as the switch -- yes, the TL-SG1xxE switches are really terrible. But it will work for this purpose until the OP can replace with something better.

Finally, hiding SSIDs will obviously stop the average (non-tech) person with a phone/computer from attempting to connect to the hidden network. But it is not beneficial from a security standpoint. While it's not necessarily detrimental in general, it is easy to scan for it if any clients are connected; this may make adversaries more interested in the network since it's "hidden." Put another way, hiding the SSID only very marginally increases security from the casual person looking to use wifi, but conversely may make it a more attractive target for those who are more knowledgeable, as a "forbidden fruit" type of situation. It can, therefore, be considered a net-negative.

Strong encryption and passwords for your wifi networks is the best option, and proper isolation of your networks (via the firewall) is the other important factor.

Back to the main thing, though -- start with the guest wifi network and get that working. From there we can review and help you add ethernet to the mix.

2 Likes
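What that "formula" looks like in practice, as an added example (illustrative config written for this thread, not the guest wifi tutorial's own file): three extra zones, guest (internet only), iot_inet (internet, and lan may initiate connections in) and iot_local (no internet at all, only a narrow pinhole to one host on lan). The interface names, the 192.168.x.0/24 addressing and the Home Assistant host 192.168.1.10 with ports 8123 and 1883 are assumptions; the stock lan and wan zones and the lan -> wan forwarding are kept unchanged.

```uci
# /etc/config/firewall (excerpt), added example: not the guest wifi
# tutorial's file. Zone and interface names (guest, iot_inet, iot_local),
# addresses and the Home Assistant host are assumptions. The stock lan and
# wan zones and the lan -> wan forwarding are kept unchanged.

# Guest wifi: internet only. input REJECT keeps guests off the router
# itself, forward REJECT blocks forwarding to any other zone by default;
# the only way out is the explicit forwarding to wan below.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# With input REJECT, clients still need the router for DHCP and DNS.
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# IoT with internet: same shape as guest, plus lan -> iot_inet so a host
# on lan can initiate connections to these devices. Connection tracking
# lets the replies back; the devices cannot initiate connections into lan.
config zone
	option name 'iot_inet'
	list network 'iot_inet'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot_inet'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot_inet'

config rule
	option name 'Allow-DHCP-DNS-iot_inet'
	option src 'iot_inet'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# IoT local only: no forwarding to wan at all, so no internet. Devices may
# reach exactly one host on lan on the ports Home Assistant needs (8123 for
# HA itself and 1883 for MQTT are assumed); lan may still initiate inbound.
config zone
	option name 'iot_local'
	list network 'iot_local'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'iot_local'

config rule
	option name 'Allow-iot_local-to-HA'
	option src 'iot_local'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '8123 1883'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-iot_local'
	option src 'iot_local'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The direction of a `config forwarding` stanza is what makes the access one-way: lan -> iot_local lets lan hosts open connections and conntrack admits the replies, while the absence of iot_local -> lan means the devices themselves can only start the single flow the `Allow-iot_local-to-HA` rule names. Check the result with `fw4 print` (or `nft list ruleset`) and from a device on each network: the local-only IoT network should resolve names and reach 192.168.1.10:8123 but get nothing from any internet address. Anything that relies on broadcast or mDNS discovery will not cross these routed boundaries, which is the case for the firewall-rule versus dedicated-network trade-off mentioned later in the thread.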

It's like the Streisand Effect for wireless networks. :stuck_out_tongue:

Maybe the OP should consider naming the wifi network something uninteresting like HP_JETDIRECT or BORING_CO. SMITHFAM. Security through obscurity.

Great response.

I will say that from a security standpoint, OpenWRT even in debug mode is pretty quiet when it comes to logs.

When I was running my ASA-5506 I'd log every setup/teardown to my log collection box. Run alerts on certain activity. I'm still collecting my OpenWRT logs but they aren't nearly as useful or interesting.

1 Like

Personally I think the OpenWrt video series by OneMarcFifty is great. You may not get it all after the first watch but as you play around it'll make sense.

I can’t speak to the switch but this post might help you wrap your head around things.

1 Like

Hello, so I followed the guide to create the guest network as if it were IoT, and it is working correctly. However, my IoT devices are of 2 types: ones that must work only locally and must see the main network server but do not need internet, and others that do not need to see the main server but need internet. This is on the 2.4G network; on the 5G network practically everyone should have no access to the main server LAN, only to the internet. I think I have not forgotten anything. Then everything wired via Ethernet would also still be missing.

Now I have a question: the Wi-Fi network is created on the main router, but I should do the same for the secondary one, correct? Only the Wi-Fi / interface part.

To be clear, unless the wifi SSIDs are connected with different network interfaces, there is no way to distinguish devices connected via 5GHz vs 2.4GHz bands.

I'd have to see where you landed with your configuration to understand your current situation.

I'm not following what you want to happen with your ethernet ports... what network they should be part of and what their access should be. Again, if they are connected to the same network, the ports themselves cannot be distinguished.

Depending on the context, though, and how you've configured your network, you can use the firewall to allow or block devices by their IP address (to the internet or inter-vlan routing; you generally cannot control connections between two or more devices on the same network). In some cases, firewall rules are the right way to approach the restrictions/allowances, other times it's best to have dedicated networks for each subset of devices based on a common connectivity requirement.

Yes, in general. There are some nuances in setting it up. But, first, the main router may need to be tweaked a bit in order to make sure you've got ethernet connectivity to the new network.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
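For the two questions above (getting the new networks onto ethernet, and what the dumb AP needs), here is an added example of the network and wireless side, written for this thread and not taken from the OpenWrt docs or from either poster. It assumes the OpenWrt/DSA port names lan1..lan5 on the GL-MT6000, with lan1 being the 2.5G port that runs to the office switch and on to the dumb AP, VLAN IDs 1/10/20/30 for lan/guest/iot_inet/iot_local, lan5 as a wired IoT-only access port, and radio1 as the 5 GHz radio; all of these are assumptions to adjust to the real config output.

```uci
# /etc/config/network on the MAIN router, added example (not from the
# thread or the OpenWrt docs). Assumptions: OpenWrt/DSA port names
# lan1..lan5 on the GL-MT6000, lan1 being the 2.5G port that runs to the
# office switch and on to the dumb AP; VLAN 1 = lan, 10 = guest,
# 20 = iot_inet, 30 = iot_local; lan5 is a wired IoT-only access port.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 1 untagged + PVID (u*) on the trunk and on ordinary access ports,
# so anything unaware of VLANs lands on lan. lan5 is deliberately absent.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# Guest and IoT VLANs ride the trunk tagged (t); lan5 is an untagged
# access port in iot_local, so a wired hub plugged in there is isolated
# by the port it sits on, with no client-side configuration involved.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan5:u*'

# One L3 interface per VLAN; these names are what the firewall zones and
# the DHCP pools refer to.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot_inet'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'iot_local'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# /etc/config/network on the DUMB AP: the same bridge-vlan stanzas on its
# uplink port (assumed lan1), but the per-VLAN interfaces get no address
# and no DHCP; they exist only so an SSID can be attached to a VLAN.
config interface 'guest'
	option device 'br-lan.10'
	option proto 'none'

# /etc/config/wireless, same on both routers: 'network' is what ties an
# SSID to a VLAN. radio1 is assumed to be the 5 GHz radio.
config wifi-iface 'guest_5g'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
	option ssid 'Guest'
	option encryption 'sae-mixed'
	option key 'replace-with-a-long-passphrase'
	option isolate '1'
```

Apply this from a wired client on one of the ports that stays in VLAN 1 (lan2..lan4), not over wifi, since a typo in the bridge-vlan section can lock you out; `/etc/init.d/network restart` activates it. The switch between the two routers then has to carry VLANs 10/20/30 tagged and VLAN 1 untagged on both the uplink port and the AP port, and each interface name used here needs a matching zone in /etc/config/firewall and a `config dhcp` pool on the main router. This is also how the 2.4 GHz and 5 GHz question resolves: a second `wifi-iface` on radio0 with `option network 'iot_local'` and this one on radio1 with `option network 'iot_inet'` makes the bands distinguishable, because they are then different networks, which is exactly the condition stated above.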