Hi all,
I found this forum very recently, read a bit and I'm happy to have joined!
I have a geeky project in mind which would enable me to:
Configure VLANs and firewalls to segment unsafe IoT, guests, etc.
Improve security by using a recursive DNS server configured with multiple reputation lists (phishing, malware, ads...)
Set up DoT/DoH
Analyse DNS (still thinking about it, something like analysing FQDNs or behaviours of my LAN devices)
Connect remotely to my home network so I always have the same level of security (especially for DNS) (Tailscale or other)
Manage all these things from a web interface that I would develop. I'm used to making tools that integrate with F5, Infoblox, Cisco, FortiGate, etc., and as a challenge I'd like to create a small web app to deal with the VLANs easily, see DNS behaviours, black/white lists, etc.
I'm doing it because it's a challenge, I just want to do it, and some friends would be interested too.
My question is from a hardware point of view. I'm still unsure what to go with.
I have a small network and don't go over 500 Mb/s.
I will buy a WiFi AP (Ubiquiti UniFi 6 Lite or TP-Link Omada (or another recommendation?)), a managed switch, and of course the main hardware for routing.
Questions are:
For the managed switch, I don't have many ideas. There will be very few devices connected directly to it through Ethernet; most are connected through WiFi. I checked the Ubiquiti UniFi Lite 8/16 PoE, but I'm really open to your advice. If there's something less expensive that does the job well, I'll be happy with it.
For the router, which is the most important part, I'm still hesitating between a Protectli Vault (FW4B) with OPNsense or a NanoPi with OpenWrt.
If I post on an OpenWrt forum, that's because after my research I think I would prefer OpenWrt: it runs on ARM, and it seems to fit my needs.
But both seem very good solutions, so I'd like to know your opinion.
From what I understood, the API for OpenWrt is a bit harder to use than OPNsense's, and as I'd like to build my little web app, maybe OPNsense is a must-have and I should go with a Protectli Vault, which is a little more expensive. Maybe you have another idea?
I'm really open to any recommendation you could have! In the meantime, I'll continue reading the forum.
Thanks a lot for reading, I'm happy to get your feedback, and I'll be glad to share the whole walkthrough with those interested!
Not sure I fully understand your question, but OpenWrt can do all of this and already has a web interface (LuCI). I'm doing points 2, 3 and 5 and a bit of 1 (I use the firewall but not VLANs).
For 4, I know you can log the queries, so it must be possible to do something with it, maybe with SNMP or collectd.
For hardware, I'm using an Asus AX4200 (Filogic 830) for the router, a Zyxel Multy M1 for the AP, both with OpenWrt, and a simple GS108E for the switch.
Yeah, switches are always the hardest thing to decide upon. There are just so many variants (how many ports, all 1G copper or some SFP, too? do I need PoE on some or all? do the PoE ports need 2.5Gbps or is 1G good enough? etc.). I have, umm (looks over at pile of flashing lights), four switches right now, none of which are running OpenWrt (soon!). Two support VLANs, two are PoE, one has PoE+ on 2.5G ports, two have SFP+ ports... Bottom line, I can't help here. Buy something that looks like it will work, and when it doesn't, buy another one.
My main AP is a Zyxel NWA50AX Pro powered via one of those 2.5G PoE+ ports. It's pretty new and has big flash/RAM, so OpenWrt support is good for many years. I like it a lot: flash it with OpenWrt, set it up and forget about it.
My edge router is an ancient x86, no longer made, but better ones exist to replace it if it ever dies. It's a PC Engines APU2, handles my 500/60 ISP connection without breaking a sweat. Almost never sees north of 10W power draw, idles at about 6W or so. It has three NICs, one to WAN, other two to the switches. (I've got a 2-year-old N5105 miniPC I use for testing code, similar power draw but much more CPU throughput and it cost about the same, both were on the order of $150 all-up.)
avoid the entry-level range of devices, as their OEM firmware often is …BAD™ (management access on all VLANs or other quirks); the small business devices tend to be better behaved (and aren't necessarily expensive on the second-hand market).
cloud based configuration (which is increasingly becoming a thing) might not be the smartest choice for an infrastructure device, like a switch
avoid anything under 1 Gbit/s, there's (almost) no excuse for those anymore (unless you have a fleet of PoE-powered surveillance cameras or maybe a physically distinct network for a fleet of PoE-powered SIP phones)
above 1 Gbit/s, prices are significantly higher - an interim device with 1 Gbit/s that will serve you for the next couple of years might be more sensible than overspending now (and 2.5GBASE-T/5GBASE-T aren't reeaaaallllly a standard)
in a home environment, avoid active cooling (fans) at all cost
if you run your WAN (or other sensitive/ public networks) over the switch, active security support is required for the switch as well - behind your router, in a private environment, there is a little more leeway
What is the difference between running the WAN network on a dedicated VLAN through the big external switch and then to the router's WAN VLAN over a trunk Ethernet cable, with the LAN in the same trunk cable,
vs.
a normal plastic home router with a built-in switch and SoC that runs the WAN and LAN VLAN trunk between the switch and the SoC on the PCB?
If the switch doesn't allow disabling the management interface on particular VLANs (hello TP-Link entry level) or has other security issues (jumbo frames of a certain length, malformed packets, QoS markers, etc.), there are quite a few problems imaginable. A managed switch isn't just a passive piece of wire, nor a relay forming a hard connection - and most managed switches aren't 'pure' L2 switches either, but offer some selected (L2+) features, from packet counters/statistics to crude QoS packet prioritization or other packet introspection; all of these can be potential security issues.
Your OpenWrt router with its integrated switch will get security fixes for any issues found and fixed via mainline and the next OpenWrt upgrade, including updates to the switch driver. If you run an OEM firmware on your managed switches (especially those carrying unfiltered and untrusted packets), you have to trust that the respective vendor does its job (kernel 2.6.32...) and that the device is not EoL.
Managed switches regularly receive CVEs, most of them related to the management interface, privilege escalation or auth problems, some inherited from the chipset SDK, some of the vendor's own making.
--
I am not claiming that OpenWrt's development status for the realtek target would be perfect, but it's not EoL.
Yes, some of these potential causes of security issues may also be unfixable within the switch fabric hardware; there is no reason why managed switches can't have bugs like Spectre or Meltdown in the switch fabric or the VLAN separation.
First, I would like to thank you all for your fast replies!
Following @Mjules' answer, maybe I should rephrase my first message because it was unclear.
What I am trying to achieve is to build my little home network in order to improve security/privacy. My main goals are:
To deploy a caching DNS (BIND probably, because it has RPZ and I'm familiar with it) to filter some domains (phishing, malware, tracking, etc.) and do some DNS analysis.
To have the ability to segment my network so my smart TV doesn't spy on me, my speakers don't ARP-scan my whole network, etc. (so firewalling and VLANs).
To do all this because it's a good project I'd like to do.
And if possible, to have something "mostly" generic, because I know some friends/family who would be very interested in having the same kind of solution. That's also why I'd like to develop a very easy-to-use web app, for my friends who are not familiar with networking. (This part is maybe too complicated, so I just take it as a step to go further.)
I have my ISP box with a fiber connection (500 Mb/s), and then I have about 10-15 pure IoT devices (speakers, cameras, smart TV, printers...), 3 laptops, 3 smartphones.
I know that to achieve my project, I must use my own DHCP to deliver the correct DNS server and other configuration (my ISP box does not let me modify the DHCP options), I must use a WiFi AP other than the one included in my ISP box, a router/firewall, and the managed switch.
I hope I explained in a better way, let me know if anything needs to be clarified!
I will take a look at all the switches, WiFi AP and edge routers indicated by efahl and Mjules. Thanks!
@slh thanks for the very useful advice. What I can already answer:
As I'm not familiar with hardware in general, I'm not sure what the entry-level range devices are/aren't.
I try as much as possible to avoid cloud-based solutions when they're not necessary. We are aligned.
I was thinking of going with 1 Gbit/s, no less. And I don't think I need SFP ports; I'm not planning to use fiber connections between my equipment.
I'm looking for something very silent with low power consumption, so I will go for fanless cooling.
For the last part, I don't think I'm concerned, unless I misunderstood. This is roughly what I imagine (with no mention of the VLANs):
I was talking about the Protectli Vault, Ubiquiti WiFi AP and NanoPi because these are the ones I saw the most in various forums. But maybe I can find better things at a lower cost! The GS108Ev4 seems a very good option for the switch part. I still need to think about the WiFi AP and the router, and still decide whether I go ARM or x86...
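The DNS part of the plan (a filtering resolver with RPZ-style policy, per-device analysis of what the LAN is resolving, and Mjules' point that logged queries can be processed further) can be prototyped before any hardware arrives. The following is an added example, not code from this thread, from OpenWrt or from BIND: it parses dnsmasq query-log lines in the format dnsmasq writes with `log-queries` enabled (the sample is constructed, with the syslog prefix stripped), applies an RPZ-style QNAME policy using the usual precedence (an exact owner name beats a wildcard, a wildcard `*.x` never matches `x` itself, and `rpz-passthru.` acts as an allowlist exception), attributes each client to a segment by subnet, and renders the same policy as BIND RPZ zone records. All domain names, IP addresses and subnets are invented for the example.

```python
"""Per-device DNS behaviour summary from dnsmasq query logs, with an RPZ-style policy match."""
import ipaddress
import re

# RPZ QNAME policy written the way the records appear in a BIND RPZ zone: owner -> CNAME target.
#   "."             => NXDOMAIN (block)
#   "*."            => NODATA   (block, but answer exists)
#   "rpz-passthru." => answer normally (allowlist exception)
# A "*." owner matches subdomains only, never the apex name itself. Constructed names, not a feed.
RPZ_POLICY = {
    "ads.tracker.example": ".",
    "*.tracker.example": ".",
    "cdn.tracker.example": "rpz-passthru.",  # needed by a legitimate app, so exempt it
    "*.tv-vendor.example": "*.",             # smart TV telemetry gets NODATA
    "login.bank-phish.example": ".",
}

# Client subnet -> segment label, so behaviour can be attributed to a VLAN (constructed plan).
SEGMENTS = {
    ipaddress.ip_network("192.168.10.0/24"): "trusted",
    ipaddress.ip_network("192.168.30.0/24"): "iot",
}

# Constructed log lines in dnsmasq's `log-queries` format (syslog timestamp/hostname stripped).
SAMPLE_LOG = """\
dnsmasq[1234]: query[A] www.example.com from 192.168.10.20
dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
dnsmasq[1234]: reply www.example.com is 93.184.216.34
dnsmasq[1234]: query[AAAA] www.example.com from 192.168.10.20
dnsmasq[1234]: query[A] telemetry.tv-vendor.example from 192.168.30.11
dnsmasq[1234]: query[A] ads.tracker.example from 192.168.30.11
dnsmasq[1234]: query[A] cdn.tracker.example from 192.168.30.11
dnsmasq[1234]: query[A] api.speaker-vendor.example from 192.168.30.12
dnsmasq[1234]: query[A] login.bank-phish.example from 192.168.10.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def rpz_action(qname, policy=RPZ_POLICY):
    """Return the RPZ CNAME target that applies to qname, or None if no trigger matches.
    Exact owner name wins over wildcards; among wildcards the longest suffix wins."""
    qname = qname.rstrip(".").lower()
    if qname in policy:
        return policy[qname]
    labels = qname.split(".")
    # Try "*.b.c.d", then "*.c.d", ... ; starting at 1 means a wildcard never matches its apex.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


def segment_of(client_ip):
    """Map a client address to its segment label, 'unknown' if it is in no planned subnet."""
    addr = ipaddress.ip_address(client_ip)
    for net, label in SEGMENTS.items():
        if addr in net:
            return label
    return "unknown"


def summarize_queries(log_text, policy=RPZ_POLICY):
    """Parse dnsmasq 'query[...]' lines into a per-client summary; other lines are skipped."""
    clients = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower()
        entry = clients.setdefault(m.group("client"), {
            "segment": segment_of(m.group("client")),
            "queries": 0, "names": set(), "blocked": set(),
        })
        entry["queries"] += 1
        entry["names"].add(name)
        if rpz_action(name, policy) in (".", "*."):  # NXDOMAIN or NODATA => filtered
            entry["blocked"].add(name)
    return clients


def render_rpz_zone(policy=RPZ_POLICY, origin="rpz.local"):
    """Render the policy as a minimal BIND RPZ zone (owner names relative to the origin)."""
    lines = [f"$ORIGIN {origin}.", "$TTL 60",
             "@ IN SOA localhost. root.localhost. 1 3600 900 604800 60",
             "@ IN NS localhost."]
    lines += [f"{owner} IN CNAME {target}" for owner, target in sorted(policy.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    for client, info in sorted(summarize_queries(SAMPLE_LOG).items()):
        print(f"{client:15} {info['segment']:8} queries={info['queries']} "
              f"unique={len(info['names'])} blocked={sorted(info['blocked'])}")
    print(render_rpz_zone())
```

On an OpenWrt box the same lines come from `logread` once `log-queries` is set in the dnsmasq configuration; with BIND, `rpz` logging gives equivalent per-query data. The summary is the raw material for the "which IoT device talks to what" view the web app would show.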