First of all, thank you for being able to ask my question here.
I'm excited to soon move into my first own 4 walls, and felt like it's the right time to tackle network security and isolation. As always, it's probably best and easiest to do it right from the beginning.
Resources I checked so far:
- takeaway: VLANs operate on layer 2; to add security, something on layer 3 is needed
- high-level overview of wireless VLANs
- how to configure a switch for VLAN
- Think of VLAN as virtual switches
- don't get too complicated
There are other resources, for example an online course, I checked, but they didn't yield any quickly summarisable results.
Setup and Problem:
I'll have several IoT devices in my apartment – Philips Hue lightbulbs, a Raspberry Pi [ethernet connected probably], smart outlets, amazon fire tv stick, etc. [these will all be connected wirelessly], as well as two Laptops [also wirelessly],
and at some point in the future maybe a home server to store pictures, movies, or big data [ethernet if possible] that is being analyzed.
What I'd like to do is put the laptops on their own separate VLAN, the IoT devices on another one, the server on yet another one, and probably the Raspberry Pi on a fourth one – it will be used to torify traffic.
I want to do so, especially for the IoT devices, out of security concerns. Therefore, I will need to configure my firewall correctly – any resources especially on that are highly appreciated.
What I am looking for with this question
I am looking for two things:
- I'd like to have router, switch and modem (as well as wireless access point) in one device – the router I will use. Is there a (reasonably priced) device that is able to set up VLANs, also in a wireless way? Do most modern routers in general support this?
- How do I read out of the product specification whether a device is able to do this or not? Which standards need to be supported? 802.1Q?
Additional Question(s)
- As far as I know, most IoT devices communicate locally – is that true? In other words, if I want to switch off a smart outlet, do I have to be on the same network (I'd try it myself, but I do not yet have these devices…)
- The firewall will have simple rules, i.e. IotDevice.VLAN – not allowed to initiate outbound connections.
However, it would be perfect if some VLANs could do so. For example, privateLaptop.VLAN should be able to connect to the storageServer.VLAN and raspberryPi.VLAN. In this context, is it advisable to simply discard the idea of VLANs and think of firewall rules to implement? Or are VLANs together with firewall rules a better idea?
I am willing to install custom firmware on the router, if doing so helps me achieve these goals.
Any other resources that I can use to read up on this topic are also highly appreciated.
Thanks!
Best Answer
I'm going to describe your general hardware options for such a setup at home. Getting into the detailed configuration is better left for more specific questions or even chat, especially since it will vary depending on what hardware you pick.
Some notes on speed
I'm also kinda ignoring overall network throughput. You should generally achieve full switch speed within one VLAN. Across VLANs you will be limited by your router (depending on the router CPU and hardware offloading). To the internet you will again be limited by your router (CPU and offloading, including NAT this time). With sub-$100 routers, it is not unusual to see a limit of about 100-300Mbps through NAT to the internet. You will need more powerful hardware if you have a faster internet connection.
Product types
I'll go through a few cases in order of increasing complexity.
Wired network with separate network devices
This is fairly straightforward, as far as VLAN networking goes.
You need:
This is fairly simple. You tag the frames as they enter the switch, which prevents the VLANs from talking directly to each other. You can then route between VLANs (as if they were entirely separate networks - your router will probably show them as separate (virtual) interfaces). You can, depending on your router, set up firewall rules to only allow specific VLANs to access the internet and only allow one VLAN to initiate connections to another (i.e. one-way).
As an aside, don't forget to prevent VLANs from accessing your networking equipment's management interface!
Wireless network with separate network devices
What do you add to a wired network to make it wireless? Wireless Access Points! Unfortunately, this is a bit of an obscure requirement for home use, so you'll have to stick to business equipment - or browse through manuals and forum posts. Custom firmware could also work here.
There is also the poor man's solution of having physically separate APs that simply connect to different ports on the switch, and let the switch handle the tagging.
With an AP that supports VLAN tagging, the simplest method is to tag by network (SSID). The ability to have multiple wireless networks on one AP is sometimes known as virtual access points.
Wired network in a single network device
There are some business/enterprise routers with multiple ports that can act as a pseudo-switch (via bridging). Custom firmware can also work, with the caveat mentioned above (your hardware needs to expose the ports as independent NICs to the software). If you have many wired devices you may also need to add an additional managed switch.
Wireless network in a single device
I am not aware of any business/enterprise routers that also integrate an access point, so you are stuck with consumer hardware. Such a setup might be possible with custom firmware. Finding hardware that works with custom firmware for every function at once may be difficult.
A quick recommendation
I would suggest looking at the multi-device Ubiquiti Unifi range for something relatively simple to set up and reliable. This is, of course, not the cheapest option. However, it does let you manage the multiple devices from one central location.
Failing that, you can consider a manual multi-device setup. For example, I am running (as a reliable/cheap middle ground) a Ubiquiti ER-X (non-Unifi) router, TP-Link managed switch ("Smart Switch", not "Easy Smart Switch") and Unifi APs, all independently managed. Cheaper, but somewhat more complex.
The cheapest option is to go with consumer equipment and flash it with custom firmware. dd-wrt and OpenWrt are both options, and this does allow you to realise your single-device goal, but is also the most fiddly and likely most failure-prone method. Again, keep in mind the independent NIC requirement, and the possibility of an additional switch if you're lacking ports.
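The one-way inter-VLAN policy the answer describes (IoT VLAN may not initiate anything, laptops may initiate to the server and Pi VLANs, nobody but the admin VLAN reaches the management interface) comes down to a default-drop forward chain plus connection tracking. The following is an added example, not part of the question, the answer, or any vendor's configuration: it models that policy as a tiny stateful evaluator and renders the same policy table as an nftables ruleset of the kind you would load on an OpenWrt or similar Linux router. The VLAN ids (10/20/30/40), the `eth0.<id>` and `eth1` interface names, the subnets, the management ports 22/443, and the decision to let laptops talk to the IoT VLAN for local control are all assumptions made for this example.

```python
"""Hypothetical model of the VLAN + stateful-firewall policy discussed above.

VLAN ids, interface names, subnets and management ports are assumptions
made for this example; adjust them to your own hardware.
"""
from typing import Iterable, Set, Tuple

INTERNET = "internet"       # the router's WAN side
MGMT = "mgmt"               # the router/switch management interface itself
WAN_IFACE = "eth1"          # assumed WAN interface name

# Assumed VLAN ids and router sub-interfaces (eth0.<vlan id> style).
ZONES = {
    "laptops": {"vlan": 10, "iface": "eth0.10", "subnet": "10.0.10.0/24"},
    "iot":     {"vlan": 20, "iface": "eth0.20", "subnet": "10.0.20.0/24"},
    "server":  {"vlan": 30, "iface": "eth0.30", "subnet": "10.0.30.0/24"},
    "pi":      {"vlan": 40, "iface": "eth0.40", "subnet": "10.0.40.0/24"},
}

# Who may INITIATE a connection to whom. Anything not listed is dropped.
# "iot" never appears as a source: the IoT VLAN cannot initiate anything,
# matching the question's "not allowed to initiate outbound connections".
ALLOWED = {
    ("laptops", "server"),
    ("laptops", "pi"),
    ("laptops", "iot"),      # assumption: laptops control the IoT gear locally
    ("laptops", INTERNET),
    ("laptops", MGMT),       # assumption: admin laptops manage the network gear
    ("server", INTERNET),
    ("pi", INTERNET),
}


class StatefulFirewall:
    """Minimal conntrack-style evaluator: a new flow needs an ALLOWED entry,
    packets on an already accepted flow pass in either direction."""

    def __init__(self, allowed: Iterable[Tuple[str, str]]):
        self.allowed: Set[Tuple[str, str]] = set(allowed)
        self.conntrack: Set[Tuple[str, str, str]] = set()

    def accept(self, src: str, dst: str, flow_id: str, is_new: bool) -> bool:
        if (src, dst, flow_id) in self.conntrack or (dst, src, flow_id) in self.conntrack:
            return True                   # established/related: reply traffic
        if is_new and (src, dst) in self.allowed:
            self.conntrack.add((src, dst, flow_id))
            return True                   # new flow the policy permits
        return False                      # default drop


def nft_ruleset(allowed: Iterable[Tuple[str, str]]) -> str:
    """Render the same policy as an nftables ruleset (hypothetical config)."""
    def iface(zone: str) -> str:
        return WAN_IFACE if zone == INTERNET else ZONES[zone]["iface"]

    vlan_ifaces = ", ".join(f'"{z["iface"]}"' for z in ZONES.values())
    forward, inp = [], []
    for src, dst in sorted(allowed):
        if dst == MGMT:                   # traffic to the router itself: input chain
            inp.append(f'    iifname "{iface(src)}" tcp dport {{ 22, 443 }} accept')
        else:                             # traffic through the router: forward chain
            forward.append(f'    iifname "{iface(src)}" oifname "{iface(dst)}" accept')
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iifname "lo" accept',
        # every VLAN still needs DHCP and DNS from the router, or clients get no address
        f"    iifname {{ {vlan_ifaces} }} udp dport {{ 53, 67 }} accept",
        *inp,
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        *forward,
        "  }",
        "}",
    ])


def demo() -> dict:
    """Walk a few packets through the evaluator; constructed sample flows."""
    fw = StatefulFirewall(ALLOWED)
    return {
        "laptop_to_server": fw.accept("laptops", "server", "f1", True),   # allowed initiation
        "server_reply":     fw.accept("server", "laptops", "f1", False),  # passes via conntrack
        "server_initiates": fw.accept("server", "laptops", "f2", True),   # one-way: dropped
        "iot_to_internet":  fw.accept("iot", INTERNET, "f3", True),       # IoT may not initiate
        "iot_to_mgmt":      fw.accept("iot", MGMT, "f4", True),           # management stays closed
    }


if __name__ == "__main__":
    print(demo())
    print(nft_ruleset(ALLOWED))
```

The point the evaluator makes explicit is that "one-way" is a property of connection tracking, not of the interface: the `ct state established,related accept` line is what lets the server's replies reach the laptop while the forward chain's `policy drop` still stops the server from opening anything towards the laptop VLAN. The same policy table drives both the model and the rendered ruleset, so there is one place to edit when a zone gains or loses a permission.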