Networking – Home Network Separation | Guidelines and Example

Tags: firewall, networking, router, vlan, wireless-networking

First of all, thank you for being able to ask my question here.
I'm excited to soon move into my first own 4 walls, and felt like it's the right time to tackle network security and isolation. As always, it's probably best and easiest to do it right from the beginning.

Resources I checked so far:

There are other resources, for example an online course, I checked, but they didn't yield any quickly summarisable results.

Setup and Problem:

I'll have several IoT devices in my apartment – Philips Hue lightbulbs, a Raspberry Pi [ethernet connected probably], smart outlets, an Amazon Fire TV Stick, etc. [these will all be connected wirelessly], as well as two laptops [also wirelessly],
and at some point in the future maybe a home server to store pictures, movies, or big data [ethernet if possible] that is being analyzed.

What I'd like to do is put the laptops on their own separate VLAN, the IoT devices on another one, the server on yet another one, and probably the Raspberry Pi on a fourth one – it will be used to torify traffic.
I want to do so, especially for the IoT devices, out of security concerns. Therefore, I will need to configure my firewall correctly – any resources especially on that are highly appreciated.

What I am looking for with this question

I am looking for two things:
– I'd like to have router, switch and modem (as well as wireless access point) in one device – the router I will use. Is there a (reasonably priced) device that is able to set up VLANs, also in a wireless way? Do most modern routers in general support this?
– How do I read out of the product specification whether a device is able to do this or not? Which standards need to be supported? 802.1Q?

Additional Question(s)

  • As far as I know, most IoT devices communicate locally – is that true? In other words, if I want to switch off a smart outlet, do I have to be on the same network (I'd try it myself, but I do not yet have these devices…)
  • The firewall will have simple rules, i.e. IotDevice.VLAN – not allowed to initiate outbound connections.
    However, it would be perfect if some VLANs could do so. For example, privateLaptop.VLAN should be able to connect to the storageServer.VLAN and raspberryPi.VLAN. In this context, is it advisable to simply discard the idea of VLANs and think of firewall rules to implement? Or are VLANs together with firewall rules a better idea?

I am willing to install custom firmware on the router, if doing so helps me achieve these goals.
Any other resources that I can use to read up on this topic are also highly appreciated.

Thanks!

P.S.: This is what I imagine the network to be: I added an image of how I imagine my setup to be, to further understanding in case anything was unclear.

Best Answer

I'm going to describe your general hardware options for such a setup at home. Getting into the detailed configuration is better left for more specific questions or even chat, especially since it will vary depending on what hardware you pick.

Some notes on speed

I'm also kinda ignoring overall network throughput. You should generally achieve full switch speed within one VLAN. Across VLANs you will be limited by your router (depending on the router CPU and hardware offloading). To the internet you will again be limited by your router (CPU and offloading, including NAT this time). With sub-$100 routers, it is not unusual to see a limit of about 100-300 Mbps through NAT to the internet. You will need more powerful hardware if you have a faster internet connection.

Product types

  • VLANs are fairly standard among business/enterprise networking equipment. While these usually come as separate devices, not all in one box, they will usually do what you want. Your best bet is not just looking at specification tables but also taking a look at the manual for available configuration options.
  • Custom firmware for consumer equipment also often supports VLANs, but can be lacking, usually depending on the hardware that you reflash. There is, of course, the usual caveat of no support and potential for instability with custom firmware. You will need to do a fair bit of research, reading dev notes and forum topics, to find the appropriate hardware to flash.
    • The purely software routing usually works, though configuration can be difficult, depending on which firmware you flash.
    • The switch may or may not work, depending on the hardware. Some consumer routers expose each port individually to software (so you see eth0 through to eth4 in software), allowing you to apply port-based VLAN tags. Others will use a hardware switch (so you might see eth0 for the WAN port and an aggregated eth1 for all the LAN ports), which means you cannot distinguish between ports in custom firmware, and will need a separate (managed) switch to apply the tags before it reaches the router.
    • The wireless functionality again varies by hardware, and ranges from unstable to stable but no virtual AP support to stable with virtual AP (and VLAN tagging) support.
    • Any built-in modem functionality may not work. This is assuming you do not have a separate modem.
  • You can pretty much forget about consumer routers supporting VLANs in stock firmware. The few that do it will make your life hell and likely won't support the advanced setup you're envisioning (the best I've seen is on Billion devices that sometimes let you "group" ports into VLANs).
  • One (considerably more involved) option is building your own box. It's possible to buy an x86 or ARM mini-server (similar to a NUC) with multiple NICs onto which you can then load a router OS (e.g. pfSense; you could even do this with plain Linux) and configure. You could also install multiple NICs in a standard ATX PC, add WLAN cards, etc. This is the most flexible option, but requires a lot of work and research - and won't be cheap, either. This Coding Horror blog post is a good place to start.

I'll go through a few cases in order of increasing complexity.

Wired network with separate network devices

This is fairly straightforward, as far as VLAN networking goes.

You need:

  • A router. A proper router, not just a consumer gateway. You're looking at either business/enterprise equipment or custom firmware. It needs to support VLANs, routing between VLANs, and a NAT gateway to the open internet.
  • A managed switch, which will allow you to assign a VLAN (tag) to the ports. While you do need 802.1Q support, you also must have a management interface! Be careful with "smart switches" - most will work, but e.g. TP-Link's Easy Smart Switch range does not have a web UI and requires a Windows program to control them.

This is fairly simple. You tag the frames as they enter the switch, which prevents the VLANs from talking directly to each other. You can then route between VLANs (as if they were entirely separate networks - your router will probably show them as separate (virtual) interfaces). You can, depending on your router, set up firewall rules to only allow specific VLANs to access the internet and only allow one VLAN to initiate connections to another (i.e. one-way).

As an aside, don't forget to prevent VLANs from accessing your networking equipment's management interface!

Wireless network with separate network devices

What do you add to a wired network to make it wireless? Wireless Access Points! Unfortunately, this is a bit of an obscure requirement for home use, so you'll have to stick to business equipment - or browse through manuals and forum posts. Custom firmware could also work here.

There is also the poor man's solution of having physically separate APs that simply connect to different ports on the switch, and let the switch handle the tagging.

With an AP that supports VLAN tagging, the simplest method is to tag by network (SSID). The ability to have multiple wireless networks on one AP is sometimes known as virtual access points.

Wired network in a single network device

There are some business/enterprise routers with multiple ports that can act as a pseudo-switch (via bridging). Custom firmware can also work, with the caveat mentioned above (your hardware needs to expose the ports as independent NICs to the software). If you have many wired devices you may also need to add an additional managed switch.

Wireless network in a single device

I am not aware of any business/enterprise routers that also integrate an access point, so you are stuck with consumer hardware. Such a setup might be possible with custom firmware. Finding hardware that works with custom firmware for every function at once may be difficult.

A quick recommendation

I would suggest looking at the multi-device Ubiquiti Unifi range for something relatively simple to set up and reliable. This is, of course, not the cheapest option. However, it does let you manage the multiple devices from one central location.

Failing that, you can consider a manual multi-device setup. For example, I am running (as a reliable/cheap middle ground) a Ubiquiti ER-X (non-Unifi) router, TP-Link managed switch ("Smart Switch", not "Easy Smart Switch") and Unifi APs, all independently managed. Cheaper, but somewhat more complex.

The cheapest option is to go with consumer equipment and flash it with custom firmware. dd-wrt and OpenWrt are both options, and this does allow you to realise your single-device goal, but is also the most fiddly and likely most failure-prone method. Again, keep in mind the independent NIC requirement, and the possibility of an additional switch if you're lacking ports.
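As an added illustration (not part of the answer above, and not a configuration from any of the products it names), here is what the "plain Linux" route looks like for the rule set the question describes: the router has one trunk NIC carrying four 802.1Q VLANs and one WAN NIC, the laptop VLAN may initiate connections to every other VLAN and the internet (one-way, replies allowed back by connection tracking), the server and Pi VLANs may only reach the internet, the IoT VLAN may initiate nothing, and only the laptop VLAN can reach the router's management ports. Interface names (eth0.10/20/30/40 and eth1), VLAN IDs, and the management ports 22/443 are assumptions. Run it without arguments to print the nftables ruleset for review; run it as root with --apply to create the VLAN interfaces and load the ruleset (addressing and a per-VLAN DHCP server are configured separately and are not shown).

```shell
#!/bin/sh
# Added example for a plain-Linux router (ip + nftables); not from the original post.
# Assumed layout:
#   eth0      trunk to the managed switch / VLAN-capable APs (802.1Q tagged)
#   eth0.10   laptops     eth0.20 IoT     eth0.30 storage server     eth0.40 Raspberry Pi
#   eth1      WAN (modem side)
TRUNK=eth0
WAN=eth1

# Emit the nftables ruleset. Quoted heredoc: $lan_ifs is an nft define, not a shell variable.
build_ruleset() {
    cat <<'EOF'
define lan_ifs = { "eth0.10", "eth0.20", "eth0.30", "eth0.40" }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Every VLAN may use the router's DHCP and DNS service ...
        iifname $lan_ifs udp dport { 53, 67 } accept
        # ... but only the laptop VLAN may reach the management interface.
        iifname "eth0.10" tcp dport { 22, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Laptops may initiate to the internet and to every other VLAN.
        # One-way: the other VLANs only see replies via the ct state rule.
        iifname "eth0.10" accept
        # Server and Pi may reach the internet, but not the other VLANs.
        iifname { "eth0.30", "eth0.40" } oifname "eth1" accept
        # No rule for the IoT VLAN (eth0.20): it cannot initiate anything and
        # can only answer connections the laptops opened to it (ct state rule).
        log prefix "fwd-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth1" masquerade
    }
}
EOF
}

# Create the 802.1Q sub-interfaces, enable forwarding and load the ruleset (needs root).
apply_config() {
    for id in 10 20 30 40; do
        ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        ip link set "$TRUNK.$id" up
    done
    ip link set "$WAN" up
    sysctl -w net.ipv4.ip_forward=1
    build_ruleset | nft -f -
}

case "${1:-}" in
    --apply) apply_config ;;
    *) build_ruleset ;;
esac
```

Two design points worth noting: both filter chains use `policy drop`, so any VLAN-to-VLAN path that is not listed is closed by default rather than having to be blocked explicitly, and the IoT VLAN is isolated purely by the absence of an accept rule, which is the "one VLAN may initiate to another, not the reverse" behaviour the answer describes. The `log` line before the final drop gives you visibility into what each VLAN is trying to reach once the devices are actually on the network.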
