Geekzone: technology news, blogs, forums
mdf, #270502, 12-May-2020 20:26

I am endeavouring to (re)configure my home network. Secondary purpose to learn something new about networking. Aiming to check I've got the principles right here before actually going to attempt to set it up in practice (on an Edgerouter Lite in my case).

If it matters, access to the internet is eth0.10, PPPoE.

Local network is all on eth1 via L3 switch and WAPs that support VLAN tagging.

Aim is to have four VLANs:

- Primary, for trusted devices (and things that don't work on other VLANs - Google Home, printers, TV)
- Kids, again trusted devices, but safe browsing via DNS filtering (PiHole and Safebrowsing.org)
- IOT, non-trusted but some access required
- Guest, non-trusted

The trusted VLANs should be able to access the non-trusted, but not vice versa. And the non-trusted VLANs should not be able to access each other.

Does this sound right for firewall rules (took me a long time to get my head around local, in and out so may have things wrong):

WAN_IN
- Allow established + related
- Allow forwarded ports (OpenVPN)
- Allow ping
- Drop everything else

WAN_LOCAL
- Allow established + related
- Drop everything else

WAN_OUT
- Allow everything (this = no firewall rules?)

Primary + kids, in, out + local
- Allow everything (i.e. no rules)

IOT + GUEST_LOCAL (i.e. non-trusted VLANs to router)
- Allow established + related
- Allow DHCP
- Allow DNS
- Drop everything else

IOT + GUEST_OUT (i.e. trusted VLANs to non-trusted VLANs. I think???)
- Allow everything

IOT + GUEST_IN (i.e. non-trusted VLANs to trusted...?)
- Allow established + related
- Drop everything else

Does that sound right?

For anyone else looking, I found this diagram *super* helpful:
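A check of the plan above, as an added example that is not part of the original post: it models the untrusted-VLAN "in" and "local" rulesets with EdgeOS first-match semantics and runs constructed sample flows through them, beside the usual EdgeOS variant that drops new flows to LAN subnets and accepts the rest. The VLAN names as dictionary keys, the sample flows and the `audit` helper are assumptions, not anything from the thread.

```python
# Added example, not the original poster's code: a small model of EdgeOS
# per-interface rulesets for the plan above. Assumed semantics: "in" sees
# forwarded traffic arriving on a VLAN, "local" sees traffic to the router;
# first matching rule wins, else the ruleset default. "out" sets are omitted.
LAN_VLANS = {"primary", "kids", "iot", "guest"}
UNTRUSTED = {"iot", "guest"}

def established(f): return f["state"] == "established"
def to_lan(f): return f["dst"] in LAN_VLANS
def dhcp(f): return f["proto"] == "udp" and f["dport"] == 67
def dns(f): return f["dport"] == 53

# The untrusted-VLAN rulesets as posted: "in" admits replies only.
POSTED = {
    "in": {"rules": [(established, "accept")], "default": "drop"},
    "local": {"rules": [(established, "accept"), (dhcp, "accept"),
                        (dns, "accept")], "default": "drop"},
}
# Usual EdgeOS pattern for the same intent: accept replies, drop new flows
# bound for any LAN subnet (an address-group in practice), accept the rest
# so the VLAN still reaches the internet (dst "wan").
ISOLATED = {
    "in": {"rules": [(established, "accept"), (to_lan, "drop")],
           "default": "accept"},
    "local": POSTED["local"],
}

def decide(policy, f):
    """Verdict for a flow entering the router on VLAN f['src']; trusted
    VLANs carry no rulesets in the plan, so their traffic is accepted."""
    if f["src"] not in UNTRUSTED:
        return "accept"
    ruleset = policy["local"] if f["dst"] == "router" else policy["in"]
    for match, action in ruleset["rules"]:
        if match(f):
            return action
    return ruleset["default"]

def flow(src, dst, state="new", proto="tcp", dport=443):
    return {"src": src, "dst": dst, "state": state, "proto": proto, "dport": dport}

# Constructed sample flows, one per relationship the plan describes.
CASES = {"iot->wan": flow("iot", "wan"), "iot->primary": flow("iot", "primary"),
         "iot->guest": flow("iot", "guest"), "primary->iot": flow("primary", "iot"),
         "iot->primary reply": flow("iot", "primary", state="established"),
         "iot->router dns": flow("iot", "router", proto="udp", dport=53),
         "iot->router ssh": flow("iot", "router", dport=22)}

def audit(policy):  # each sample flow name -> verdict under this policy
    return {name: decide(policy, f) for name, f in CASES.items()}
```

Under the rules as posted, a new flow from IoT to the internet falls through to the default drop; the variant admits it while still dropping IoT to Primary and IoT to Guest and leaving the router reachable from IoT for DNS only.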

 


ANglEAUT, #2482241, 12-May-2020 21:22

Good thinking there.

Do you consider home / voice assistants & the likes of Google Chromecast as IoT devices? If yes, then there will be special consideration required for broadcasting (mDNS?). Your trusted phone will need to broadcast onto the network if there is an assistant / Chromecast device available.

fe31nz, #2482303, 13-May-2020 00:51

One other consideration is that on the IoT VLAN, you really do not want the devices to see or to be able to talk to each other.  Since it is impractical to use a separate VLAN for each IoT device, as long as they are all WiFi, you should have that WiFi SSID set to force all traffic to go through the WiFi router instead of allowing packets to go directly between WiFi devices.  The mechanisms for doing that are not 100% capable of stopping bad WiFi devices, but if your WiFi access point or router has those sorts of options, use them.  Then the WiFi router (or the main router if you force the WiFi packets to route through it only) can stop all traffic between the devices that you do not want to happen.


mdf, #2482695, 13-May-2020 12:39

Cheers guys.

Re: Google Home devices (speakers and chromecasts), I probably would have preferred to have them a bit isolated but they don't work properly that way. I'm comfortable enough with the tradeoffs for convenience. Google knows enough about me that a bit more can't be catastrophic 🤞.

Re: wireless device isolation, my WAPs (Cambium e400s) can do this. Unfortunately it makes setting up wifi devices on the IOT network a real PITA. Some of them lose connectivity every now and then and need to be reconfigured. I decided that I'm willing again to put up with a bit of loss of security for convenience.

But feel free to tell me I'm crazy and those tradeoffs aren't worthwhile.




chevrolux, #2482710, 13-May-2020 13:13

The only devices I would stick in an IoT VLAN at home are those that expose some sort of management interface, and then use UPnP to create NAT pinholes. At home, you probably want UPnP enabled for the likes of Playstation and Xbox. But if they are on their own network, then you can just do a firewall rule to stop them heading out your WAN interface - but then if they require access to a cloud service to operate, well that plan is stuffed.

I think if you are going to separate parents and kids, you are going to want mDNS routing anyway if they use the same Google/Amazon/Spotify type apps.

For me personally, I only have an "IoT" VLAN due to the sheer number of devices (every light circuit has a switch, environment sensors, cameras, relays etc) so it's just nicer from a management perspective to know that subnet "X" is the IoT network - all of my IoT stuff stays local though (except Alexa of course) so I was never concerned about security in the first place.

I guess what I'm trying to say is, as geeks, we like to use all the bells and whistles, but often the more bells and whistles you add, the more things become unusable - WAF is generally my first concern when adding a new device to the home network. So I think it makes sense to separate the kids devices so you can do stuff like content filtering, time controls, etc, but for everything else at home, a flat network is just easier and more usable.


Yoban, #2482714, 13-May-2020 13:20

I found this https://www.youtube.com/watch?v=p3SfeQTaaxw tutorial (part 3 of 3) from "the hook up" to be very helpful for me, especially since I am relatively new to all this stuff. It is Unifi flavour, but I am sure it can be adapted to your kit.


dfnt, #2482716, 13-May-2020 13:22

I personally don't bother with the out interfaces, just use in and local.

fe31nz, #2483287, 14-May-2020 00:57

If you are intending to have a complex network with multiple subnets and VLANs, then you might want to consider using the zone firewall setup rather than the usual conventional per interface setup.  With a zone setup, there is more configuration to be done at the start, but later adding new zones (groups of subnets and VLANs that use the same firewall) is much easier.  And your firewall setup is easier to understand.  For a zone setup, you assign interfaces to named zones.  The firewall rules are between zones.  In my setup, I currently have these zones:

Local - the router itself

Outside - the Internet

Outer - my DMZ where my guest WiFi or guest Ethernet connections go.  The only access to my Inner zone is for NTP and DNS and restricted access to my TV servers.  Allowed to connect to Outside without restrictions.

Inner - the unrestricted part of my network where the trusted devices connect.  Allowed to connect to any other zone without restrictions.

IoT - where my untrusted WiFi IoT devices go.  Except for NTP and DNS, no access to other zones except Outside.  And even there, I have some rules to make sure untrusted devices only phone home to known home bases.

So I have firewall configuration for each zone controlling how it is able to connect to each other zone.  That is a lot of firewalls, although cut and paste helps when setting them up.  And some of them are fairly trivial.  But if I now, for example, get an IoT or untrusted device that needs an Ethernet connection (say I put a cable on my Sky box instead of using its WiFi), then all I need to do is set up the Ethernet for that to be part of the IoT zone and I do not need to change any firewall settings.  So I would put an IoT VLAN on my switch port for the Sky box, and in the router I just add that VLAN to the IoT zone.  All done.  But with a conventional firewall setup, I would need to go around all the other interfaces and adjust their firewalls.

 

 

