Firewall / network design

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Firewall / network design

mdf

2603 posts

Uber Geek

Trusted

Subscriber

#270502 12-May-2020 20:26

I am endeavouring to (re)configure my home network. Secondary purpose to learn something new about networking. Aiming to check I've got the principles right here before actually going to attempt to set it up in practice (on an Edgerouter Lite in my case).

If it matters, access to the internet is eth0.10, PPPOE.

Local network is all on eth1 via L3 switch and WAPs that support VLAN tagging.

Aim is to have four VLANS:

- Primary, for trusted devices (and things that don't work on other VLANS - Google Home, printers, TV)
- Kids, again trusted devices, but safe browsing via DNS filtering (PiHole and Safebrowsing.org)
- IOT, non-trusted but some access required
- Guest, non-trusted

The trusted VLANS should be able to access the non-trusted, but not vice versa. And the non-trusted VLANs should not be able to access each other.

Does this sound right for firewall rules (took me a long time to get my head around local, in and out so may have things wrong):

WAN_IN
- Allow established + related
- Allow forwarded ports (OpenVPN)
- Allow ping
- Drop everything else

WAN_LOCAL
- Allow establish + related
- Drop everything else

WAN_OUT
- Allow everything (this = no firewall rules?)

Primary + kids, in, out + local
- Allow everything (i.e. no rules)

IOT + GUEST_LOCAL (i.e. non-trusted VLANS to router)
- Allow established + related
- Allow DHCP
- Allow DNS
- Drop everything else

IOT + GUEST_OUT (i.e. trusted VLANS to non-trusted VLANS. I think???)
- Allow everything

IOT + GUEST_IN (i.e. non-trusted VLANS to trusted...?)
- Allow established + related
- Drop everything else

Does that sound right?

For anyone else looking, I found this diagram *super* helpful:

ANglEAUT

1203 posts

Uber Geek

Trusted

#2482241 12-May-2020 21:22

Good thinking there.

Do you consider home / voice assistants & the likes of Google Chromecast as IoT devices? If yes, then there will be special consideration required for broadcasting (mDNS?). Your trusted phone will need to broadcast onto the network if there is a assitant / Chromecast device available.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

fe31nz

565 posts

Ultimate Geek

#2482303 13-May-2020 00:51

One other consideration is that on the IoT VLAN, you really do not want the devices to see or to be able to talk to each other. Since it is impractical to use a separate VLAN for each IoT device, as long as they are all WiFi, you should have that WiFi SSID set to force all traffic to go through the WiFi router instead of allowing packets to go directly between WiFi devices. The mechanisms for doing that are not 100% capable of stopping bad WiFi devices, but if your WiFi access point or router has those sorts of options, use them. Then the WiFi router (or the main router if you force the WiFi packets to route through it only) can stop all traffic between the devices that you do not want to happen.

mdf

2603 posts

Uber Geek

Trusted

Subscriber

#2482695 13-May-2020 12:39

Cheers guys.

Re: Google Home devices (speakers and chromecasts), I probably would have preferred to have them a bit isolated but they don't work properly that way. I'm comfortable enough with the tradeoffs for convenience. Google knows enough about me that a bit more can't be catastrophic 🤞.

Re: wireless device isolation, my WAPs (Cambium e400s) can do this. Unfortunately it makes setting up wifi devices on the IOT network a real PITA. Some of them lose connectivity every now and then and need to be reconfigured. I decided that I'm willing again to put up with a bit of loss of security for convenience.

But feel free to tell me I'm crazy and those tradeoffs aren't worthwhile.

chevrolux

4546 posts

Uber Geek

Trusted

#2482710 13-May-2020 13:13

The only devices I would stick in an IoT VLAN at home are those expose some sort of management interface, and then use UPnP to create NAT pinholes. At home, you probably want UPnP enabled for the likes of Playstation and Xbox. But if they are on their own network, then you can just do a firewall rule to stop them heading out your WAN interface - but then if they require access to a cloud service to operate, well that plan is stuffed.

I think if you are going to separate parents and kids, you are going to want mDNS routing anyway if they use the same Google/Amazon/Spotify type apps.

For me personally, I only have an "IoT" VLAN due to the sheer number of devices (every light circuit has a switch, environment sensors, cameras, relays etc) so it's just nicer from a management perspective to know that subnet "X" is the IoT network - all of my IoT stuff stays local though (except Alexa of course) so I was never concerned about security in the first place.

I guess what I'm trying to say is, as geeks, we like to use all the bells and whistles, but often the more bells and whistles you add, the more things become unusable - WAF is generally my first concern when adding a new device to the home network. So I think it makes sense to separate the kids devices so you can do stuff like content filtering, time controls, etc, but for everything else at home, a flat network is just easier and more usable.

Yoban

260 posts

Ultimate Geek

#2482714 13-May-2020 13:20

I found this https://www.youtube.com/watch?v=p3SfeQTaaxw tutorial (part 3 of 3) from "the hook up" to be very helpful for me, especially since I am relatively new to all this stuff. It is Unifi flavour, but I am sure it can be adopted to your kit.

dfnt

1166 posts

Uber Geek

Lifetime subscriber

#2482716 13-May-2020 13:22

I personally don't bother with the out interfaces, just use in and local

fe31nz

565 posts

Ultimate Geek

#2483287 14-May-2020 00:57

If you are intending to have a complex network with multiple subnets and VLANs, then you might want to consider using the zone firewall setup rather than the usual conventional per interface setup. With a zone setup, there is more configuration to be done at the start, but later adding new zones (groups of subnets and VLANs that use the same firewall) is much easier. And your firewall setup is easier to understand. For a zone setup, you assign interfaces to named zones. The firewall rules are between zones. In my setup, I currently have these zones:

Local - the router itself

Outside - the Internet

Outer - my DMZ where my guest WiFi or guest Ethernet connections go. The only access to my Inner zone is for NTP and DNS and restricted access to my TV servers. Allowed to connect to Outsize without restrictions.

Inner - the unrestricted part of my network where the trusted devices connect. Allowed to connect to any other zone without restrictions.

IoT - where my untrusted WiFi IoT devices go. Except for NTP and DNS, no access to other zones except Outside. And even there, I have some rules to make sure untrusted devices only phone home to known home bases.

So I have firewall configuration for each zone controlling how it is able to connect to each other zone. That is a lot of firewalls, although cut and paste helps when setting them up. And some of them are fairly trivial. But if I now, for example, get an IoT or untrusted device that needs an Ethernet connection (say I put a cable on my Sky box instead of using its WiFi), then all I need to do is set up the Ethernet for that to be part of the IoT zone and I do not need to change any firewall settings. So I would put an IoT VLAN on my switch port for the Sky box, and in the router I just add that VLAN to the IoT zone. All done. But with a conventional firewall setup, I would need to go around all the other interfaces and adjust their firewalls.