Advice on new home network design

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Advice on new home network design

nofam

1094 posts

Uber Geek

#217996 21-Jul-2017 16:57

Hi guys,

I've put the following together based on the little knowledge I have of networking (it was a few years ago so I've forgotten a fair bit!), so keen to see if it holds water in principle.

Essentially, I want a primary LAN for trusted devices, with the two AP's on a single SSID (effectively zero hand-off or whatever they're calling it these days). This will be for devices that I administrate, so I know are patched etc. I'll apply a moderate degree of firewall restriction, but devices on this LAN will have pretty much unrestricted access to the internet and other devices on their subnet (a printer, and maybe a NAS down the line).

The VLAN is for higher-risk devices - family, friends etc, and IoT-like devices, which could be unpatched/have weird connectivity requirements. In other words I'm trying to achieve protection for clients on the primary LAN by reducing/removing the ability for insecure devices to ingress should they be compromised.

If this all looks ok, I'll ask some more specific questions!!

chevrolux

4962 posts

Uber Geek
Inactive user

#1826699 21-Jul-2017 17:29

Looks like you have the right idea! Sufficiently techo for a geeks home network haha.

Have you already got the USG and cloud key? If not, and you want to be able to tinker a bit more maybe consider the EdgeRouter and a Edgeswitch - if you want to stick with UBNT. Otherwise a Mikrotik router. Unifi software is great but I personally think the routing/firewall and VLAN options are a little left to be desired for proper geekery - there are plenty who disagree and are happy with how unifi does it

davidcole

6041 posts

Uber Geek

Trusted

#1826706 21-Jul-2017 17:56

Depends if you need access to the IOT devices from your main network. I've just been through this.

I have a main network (corporate in unifi speak), a guest network for wireless devices with an easy password. Has no access to my main lan,

I've just made an IOT network. It was guest, but then I couldn't allow access to it easily from my main lan (incoming only). So I made it also a corporate network, and put in firewall rules that blocks it from accessing my main lan, but my main lan can access it.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight