What components belong in which VLAN?

Hi everyone,
with the great help of the forum here I created 4 additional VLANs and the corresponding Wi-Fis and got all of it connected to the internet:

  • 1 - Management
  • 5 - Home
  • 10 - IOT
  • 15 - Kids
  • 20 - Guests

I am in the process of separating them all from one another and am trying to follow the instructions from @psherman to restrict the access of the IOT VLAN to anything. I also run AdGuard Home based on this thread. Thanks to @mercygroundabyss at this point for helping me there.

Target scenario:

  • In the Management I have my router, my switch and the two APs
  • Home should house all devices except IOT, so laptops, iPads, phones etc. They should see the Kids VLAN as well as the internet.
  • IOT should house all IOT devices. They should not be able to see anything in the other VLANs (exception see my questions) and should not be able to connect to the internet.
  • Guests should only have access to the internet and NOTHING else
  • Kids should see the Home VLAN, but have a more tightened parental control setup for the internet. That is a next step though, after I got everything else set up.

I still have some open conceptual questions before diving into implementation:

  1. Does it make sense to give APs static IPs or not?
  2. Should I use WPA2 or WPA3 encryption for the Wi-Fis?
  3. I have a QNAP that I use as file server, backup server and multimedia "station". My plan was to put this into the HOME VLAN. On the QNAP I also run homebridge within a Container Station to connect to my Apple Homekit environment. My idea was to give this container an IP within the IOT VLAN. Does it make sense? How can I provide access to the QNAP only to the Kids VLAN? Firewall?
  4. We use exclusively Apple Homekit for our home automation efforts. Our Apple TV serves as the hub for that. My plan was to put this into the Home VLAN as well and then use Bonjour/mDNS/Avahi reflector to ensure the Homekit itself still works. Does this make sense or does this open up the Home VLAN for vulnerability from the IOT VLAN?

Thanks a ton again for your input!

You can. Or you can provide them DHCP static assignments from the router. Laying out your IP space in a logical fashion is certainly better planning. For instance, your servers and APs live between 1-20 and your clients live in the 100-200 zone. It makes quick identification of IP addresses easier. It's how many Enterprise environments work.

This will depend on your equipment. Some will be fine with WPA3. Others have issues with WPA3 and may not connect properly. (I think notably the Nintendo Switch doesn't like it.)

Either DMZ it or set up segmented VLAN access and dedicated port rules (e.g. while the IOT VLAN can talk to the server, it can only talk on certain ports). An easier method is to give the QNAP multiple IPs, one in each VLAN.

Again. Firewall rules. Deny by default and only open ports as required.

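The deny-by-default idea from the answer above, written out as an added example (not from the thread or any router vendor): a small policy model of the target scenario that evaluates constructed flows against an allow list and reports anything that does not match the design intent. The /24 ranges, the QNAP and AdGuard addresses and the HomeKit port 51826 are assumptions; the real rules still have to be entered on the router by hand.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing plan: one /24 per VLAN of the original post (assumed).
VLANS = {"mgmt": ip_network("10.0.1.0/24"), "home": ip_network("10.0.5.0/24"),
         "iot": ip_network("10.0.10.0/24"), "kids": ip_network("10.0.15.0/24"),
         "guest": ip_network("10.0.20.0/24")}
INTERNET = "internet"                 # pseudo-zone: any address outside the VLANs
QNAP = ip_network("10.0.5.10/32")     # assumed QNAP address in Home
ADGUARD = ip_network("10.0.1.2/32")   # assumed AdGuard Home resolver in Management

# Allow list as (source zone or "*", destination zone or host, port or None = any).
# Anything not matched is denied: that is the deny-by-default policy.
ALLOW = [
    ("*", ADGUARD, 53),               # every VLAN may resolve names, but only via AdGuard
    ("home", "kids", None), ("home", INTERNET, None),
    ("kids", "home", None), ("kids", INTERNET, None),
    ("guest", INTERNET, None),
    ("iot", QNAP, 51826),             # IoT reaches only the HomeKit port on the QNAP (assumed)
]

def zone_of(ip):
    """VLAN name an address belongs to, or INTERNET if it is in none of them."""
    return next((name for name, net in VLANS.items() if ip in net), INTERNET)

def is_allowed(src, dst, port):
    """Verdict for a new connection src->dst:port against ALLOW; first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port in ALLOW:
        if rule_src not in ("*", src_zone):
            continue
        dst_ok = dst in rule_dst if isinstance(rule_dst, IPv4Network) else rule_dst == dst_zone
        if dst_ok and rule_port in (None, port):
            return True
    return False                      # deny by default; replies ride the state table

# Constructed flows: (src, dst, port, expected). Return traffic is matched by state.
FLOWS = [
    ("10.0.5.20", "10.0.15.30", 445, True),      # Home laptop -> Kids iPad
    ("10.0.10.50", "10.0.5.20", 22, False),      # IoT bulb -> Home laptop: blocked
    ("10.0.10.50", "10.0.5.10", 51826, True),    # IoT bulb -> QNAP HomeKit port only
    ("10.0.10.50", "203.0.113.10", 443, False),  # IoT -> internet: blocked
    ("10.0.20.7", "10.0.5.10", 445, False),      # Guest -> QNAP shares: blocked
    ("10.0.20.7", "203.0.113.10", 443, True),    # Guest -> internet
    ("10.0.15.30", "10.0.1.1", 443, False),      # Kids -> router web UI: blocked
]

def policy_mismatches():
    """Flows whose verdict differs from the design intent (empty list = as designed)."""
    return [f for f in FLOWS if is_allowed(f[0], f[1], f[2]) != f[3]]
```

Rules that a VLAN needs to reach the router itself (DHCP, NTP, the AdGuard forwarder) have to be listed explicitly too; on a deny-by-default firewall, forgetting them is the usual reason a new VLAN "has no internet".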

Thanks! I did not know this was possible. Will need to investigate that. But giving the container its own IP should solve that.

You might find Enterprise planning documents a handy source.

You are correctly applying layered defence for your internal LAN and properly segmenting it.

Isolation for IOT should always be a consideration given the utter lack of security built into these devices and the ease of exploitation of these devices.

I'd advise reading this article, however: What I’ve learned from nearly three years of enterprise Wi-Fi at home | Ars Technica. Jim's forays with enterprise class equipment in the home, how he set it up and then arranged his home network may give you some ideas for yourself. It's also a good read into the pitfalls of going too far down the rabbit hole. While security is good, do you need DoD levels of security, or do you just want to stop the IOT house controls from being turned on and off by some nefarious ne'er-do-well from across the world?

As with any deployment: plan carefully and map it. Then troubleshooting will be much easier.

:edit: and one last point. Backups, backups, backups. Also, an offline copy on a hard drive stored in a safe is impossible for ransomware to encrypt. This is why Enterprise environments always have offline storage. Or as an old Usenet post once quoted... "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway."

FedEx Bandwidth (xkcd.com)


Thanks - will do!

I think it is like in the wildlife. If you are a gazelle, you just need to be faster than a few others, but not the fastest :) My setup just needs to be good enough, so that someone else's is easier to attack.

Seems like I am on the right track. @jeff posted his guidelines somewhere in the forum and I will orient myself alongside those as well.

At least my ideas of where to put stuff have not been nonsense, so there is at least some learning curve :).


Security is just the method in which you make yourself a less attractive target.

If your facility has triple fences with razor wire and a 9 kV electric fence... then most people will go elsewhere to break in. Even a locked door is simple enough for some places.

Some of my friends in other countries don't lock their doors. Maybe it's a nicer place there... but here I would never leave my door unlocked.

Great article!

“I want to set up a bunch of VLANs” is a great weekend project to dream about. It’s nowhere near as great when it’s 3am and you’ve broken everything and you can’t go to bed until you at least get the Internet working again (relevant xkcd).

Me, yesterday.


Which software is normally used to visualize the network setup?