Geekzone: technology news, blogs, forums


2603 posts

Uber Geek


#270502 12-May-2020 20:26

I am endeavouring to (re)configure my home network. Secondary purpose: to learn something new about networking. Aiming to check I've got the principles right here before actually attempting to set it up in practice (on an EdgeRouter Lite in my case).


If it matters, access to the internet is eth0.10, PPPoE.


Local network is all on eth1 via L3 switch and WAPs that support VLAN tagging.


Aim is to have four VLANs:


- Primary, for trusted devices (and things that don't work on other VLANs - Google Home, printers, TV)
- Kids, again trusted devices, but safe browsing via DNS filtering (PiHole and
- IOT, non-trusted but some access required
- Guest, non-trusted


The trusted VLANs should be able to access the non-trusted, but not vice versa. And the non-trusted VLANs should not be able to access each other.


Does this sound right for firewall rules (took me a long time to get my head around local, in and out so may have things wrong):


- Allow established + related
- Allow forwarded ports (OpenVPN)
- Allow ping
- Drop everything else


- Allow established + related
- Drop everything else


- Allow everything (this = no firewall rules?)


Primary + kids, in, out + local
- Allow everything (i.e. no rules)


IOT + GUEST_LOCAL (i.e. non-trusted VLANs to router)
- Allow established + related
- Allow DHCP
- Allow DNS
- Drop everything else


IOT + GUEST_OUT (i.e. trusted VLANs to non-trusted VLANs. I think???)
- Allow everything


IOT + GUEST_IN (i.e. non-trusted VLANs to trusted...?)
- Allow established + related
- Drop everything else


Does that sound right?


For anyone else looking, I found this diagram *super* helpful:


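Added example (editor's addition, not config the OP posted): the rule list above written out as EdgeOS `set` commands for an EdgeRouter. The three unlabelled groups at the top of the list are read here as the WAN in, local and out rulesets, in that order. The VLAN IDs and subnets (Primary eth1.10 192.168.10.0/24, Kids eth1.20 192.168.20.0/24, IoT eth1.30 192.168.30.0/24, Guest eth1.40 192.168.40.0/24) and the OpenVPN port (UDP 1194, forwarded to a host behind the router) are assumptions; the thread only states that the WAN is PPPoE on eth0.10 and the LAN hangs off eth1. One point the list leaves open: on EdgeOS the `in` ruleset on a VLAN interface matches every packet that arrives on that VLAN and is routed onward, to other VLANs and to the internet alike, so an `in` ruleset on the IoT VLAN that drops everything except established/related would also cut those devices off from the internet. The example therefore defaults `in` to accept and drops only traffic addressed to the other local subnets.

```text
# Added example: EdgeOS commands for the OP's four-VLAN design.
# VLAN IDs, subnets and the OpenVPN port are assumptions (see lead-in).
configure

# Every local subnet, used to stop the untrusted VLANs reaching any of them
set firewall group network-group LAN_NETS description 'All local subnets'
set firewall group network-group LAN_NETS network 192.168.10.0/24
set firewall group network-group LAN_NETS network 192.168.20.0/24
set firewall group network-group LAN_NETS network 192.168.30.0/24
set firewall group network-group LAN_NETS network 192.168.40.0/24

# WAN_IN: internet -> hosts behind the router (forwarded traffic)
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'OpenVPN port forward (assumed UDP 1194)'
set firewall name WAN_IN rule 30 protocol udp
set firewall name WAN_IN rule 30 destination port 1194
set firewall name WAN_IN rule 40 action accept
set firewall name WAN_IN rule 40 description 'Ping'
set firewall name WAN_IN rule 40 protocol icmp

# WAN_LOCAL: internet -> the router itself
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
# WAN out: allow everything = no ruleset bound, exactly as the OP says.

# UNTRUSTED_LOCAL: IoT/Guest -> the router (DHCP and DNS only)
set firewall name UNTRUSTED_LOCAL default-action drop
set firewall name UNTRUSTED_LOCAL rule 10 action accept
set firewall name UNTRUSTED_LOCAL rule 10 state established enable
set firewall name UNTRUSTED_LOCAL rule 10 state related enable
set firewall name UNTRUSTED_LOCAL rule 20 action accept
set firewall name UNTRUSTED_LOCAL rule 20 description 'DHCP'
set firewall name UNTRUSTED_LOCAL rule 20 protocol udp
set firewall name UNTRUSTED_LOCAL rule 20 destination port 67
set firewall name UNTRUSTED_LOCAL rule 30 action accept
set firewall name UNTRUSTED_LOCAL rule 30 description 'DNS'
set firewall name UNTRUSTED_LOCAL rule 30 protocol tcp_udp
set firewall name UNTRUSTED_LOCAL rule 30 destination port 53

# UNTRUSTED_IN: traffic *from* IoT/Guest devices being forwarded anywhere.
# Default accept keeps the internet working; rule 20 blocks every local
# subnet (including the other untrusted VLAN). Rule 10 must come first so
# replies to connections the trusted VLANs opened are not dropped by rule 20.
set firewall name UNTRUSTED_IN default-action accept
set firewall name UNTRUSTED_IN rule 10 action accept
set firewall name UNTRUSTED_IN rule 10 state established enable
set firewall name UNTRUSTED_IN rule 10 state related enable
set firewall name UNTRUSTED_IN rule 20 action drop
set firewall name UNTRUSTED_IN rule 20 description 'No access to other local subnets'
set firewall name UNTRUSTED_IN rule 20 destination group network-group LAN_NETS

# Bind the rulesets. Primary and Kids get no bindings (allow everything).
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 10 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 vif 30 firewall in name UNTRUSTED_IN
set interfaces ethernet eth1 vif 30 firewall local name UNTRUSTED_LOCAL
set interfaces ethernet eth1 vif 40 firewall in name UNTRUSTED_IN
set interfaces ethernet eth1 vif 40 firewall local name UNTRUSTED_LOCAL

commit
save
exit
```

Two checks before trusting this: with an L3 switch in the path, the switch must not route between these VLANs itself (no inter-VLAN routing or no switch IP on these VLANs), otherwise IoT-to-Primary traffic never reaches the router and the rulesets are bypassed; and if OpenVPN terminates on the router rather than on a host behind it, its accept rule belongs in WAN_LOCAL, not WAN_IN. After `commit`, `show firewall name UNTRUSTED_IN statistics` shows whether rule 20 is actually catching anything when a device on the IoT VLAN tries to reach the Primary subnet.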
1203 posts

Uber Geek


  #2482241 12-May-2020 21:22

Good thinking there.


Do you consider home / voice assistants & the likes of Google Chromecast as IoT devices? If yes, then there will be special consideration required for broadcasting (mDNS?). Your trusted phone will need to broadcast onto the network if there is an assistant / Chromecast device available.



Please keep this GZ community vibrant by contributing in a constructive & respectful manner.
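Added example (editor's addition, not config from this post): what the "special consideration for broadcasting" looks like on an EdgeRouter. mDNS is link-local multicast and is not routed between VLANs, so the router's mDNS repeater is enabled on the VLANs that should see each other's announcements, and the IoT VLAN's `local` ruleset is opened for the multicast queries the repeater listens for. The interface names (eth1.10 Primary, eth1.20 Kids, eth1.30 IoT) and the ruleset name UNTRUSTED_LOCAL (assumed to be the `firewall local` ruleset bound on the IoT VLAN with a drop default) are assumptions.

```text
# Added example: reflect mDNS between trusted VLANs and the IoT VLAN.
# Interface names and the UNTRUSTED_LOCAL ruleset are assumptions.
configure

# The repeater re-sends mDNS packets between every interface listed here
set service mdns repeater interface eth1.10
set service mdns repeater interface eth1.20
set service mdns repeater interface eth1.30

# The repeater runs on the router, so the IoT VLAN's local ruleset must
# let mDNS (UDP 5353 to the 224.0.0.251 group) reach it
set firewall name UNTRUSTED_LOCAL rule 40 action accept
set firewall name UNTRUSTED_LOCAL rule 40 description 'mDNS to the repeater'
set firewall name UNTRUSTED_LOCAL rule 40 protocol udp
set firewall name UNTRUSTED_LOCAL rule 40 destination address 224.0.0.251
set firewall name UNTRUSTED_LOCAL rule 40 destination port 5353

commit
save
exit
```

Reflecting mDNS only tells a phone on the Primary VLAN that a Chromecast exists on the IoT VLAN; the cast session itself is a unicast connection from the phone to the Chromecast, which the trusted-to-untrusted direction already allows. Whether a given device's app is happy with discovery alone, or insists on being on the same subnet, is device-specific, which is the trade-off discussed further down the thread.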

565 posts

Ultimate Geek

  #2482303 13-May-2020 00:51

One other consideration is that on the IoT VLAN, you really do not want the devices to see or to be able to talk to each other.  Since it is impractical to use a separate VLAN for each IoT device, as long as they are all WiFi, you should have that WiFi SSID set to force all traffic to go through the WiFi router instead of allowing packets to go directly between WiFi devices.  The mechanisms for doing that are not 100% capable of stopping bad WiFi devices, but if your WiFi access point or router has those sorts of options, use them.  Then the WiFi router (or the main router if you force the WiFi packets to route through it only) can stop all traffic between the devices that you do not want to happen.



2603 posts

Uber Geek


  #2482695 13-May-2020 12:39

Cheers guys.


Re: Google Home devices (speakers and Chromecasts), I probably would have preferred to have them a bit isolated but they don't work properly that way. I'm comfortable enough with the tradeoffs for convenience. Google knows enough about me that a bit more can't be catastrophic 🤞.


Re: wireless device isolation, my WAPs (Cambium e400s) can do this. Unfortunately it makes setting up wifi devices on the IoT network a real PITA. Some of them lose connectivity every now and then and need to be reconfigured. I decided that I'm willing again to put up with a bit of loss of security for convenience.


But feel free to tell me I'm crazy and those tradeoffs aren't worthwhile.

4546 posts

Uber Geek


  #2482710 13-May-2020 13:13

The only devices I would stick in an IoT VLAN at home are those that expose some sort of management interface, and then use UPnP to create NAT pinholes. At home, you probably want UPnP enabled for the likes of Playstation and Xbox. But if they are on their own network, then you can just do a firewall rule to stop them heading out your WAN interface - but then if they require access to a cloud service to operate, well that plan is stuffed.


I think if you are going to separate parents and kids, you are going to want mDNS routing anyway if they use the same Google/Amazon/Spotify type apps.


For me personally, I only have an "IoT" VLAN due to the sheer number of devices (every light circuit has a switch, environment sensors, cameras, relays etc) so it's just nicer from a management perspective to know that subnet "X" is the IoT network - all of my IoT stuff stays local though (except Alexa of course) so I was never concerned about security in the first place.


I guess what I'm trying to say is, as geeks, we like to use all the bells and whistles, but often the more bells and whistles you add, the more things become unusable - WAF is generally my first concern when adding a new device to the home network. So I think it makes sense to separate the kids devices so you can do stuff like content filtering, time controls, etc, but for everything else at home, a flat network is just easier and more usable.

260 posts

Ultimate Geek

  #2482714 13-May-2020 13:20

I found this tutorial (part 3 of 3) from "the hook up" to be very helpful for me, especially since I am relatively new to all this stuff. It is Unifi flavour, but I am sure it can be adapted to your kit.

1166 posts

Uber Geek

Lifetime subscriber

  #2482716 13-May-2020 13:22

I personally don't bother with the out interfaces, just use in and local



565 posts

Ultimate Geek

  #2483287 14-May-2020 00:57

If you are intending to have a complex network with multiple subnets and VLANs, then you might want to consider using the zone firewall setup rather than the usual conventional per interface setup.  With a zone setup, there is more configuration to be done at the start, but later adding new zones (groups of subnets and VLANs that use the same firewall) is much easier.  And your firewall setup is easier to understand.  For a zone setup, you assign interfaces to named zones.  The firewall rules are between zones.  In my setup, I currently have these zones:


Local - the router itself


Outside - the Internet


Outer - my DMZ where my guest WiFi or guest Ethernet connections go.  The only access to my Inner zone is for NTP and DNS and restricted access to my TV servers.  Allowed to connect to Outside without restrictions.


Inner - the unrestricted part of my network where the trusted devices connect.  Allowed to connect to any other zone without restrictions.


IoT - where my untrusted WiFi IoT devices go.  Except for NTP and DNS, no access to other zones except Outside.  And even there, I have some rules to make sure untrusted devices only phone home to known home bases.


So I have firewall configuration for each zone controlling how it is able to connect to each other zone.  That is a lot of firewalls, although cut and paste helps when setting them up.  And some of them are fairly trivial.  But if I now, for example, get an IoT or untrusted device that needs an Ethernet connection (say I put a cable on my Sky box instead of using its WiFi), then all I need to do is set up the Ethernet for that to be part of the IoT zone and I do not need to change any firewall settings.  So I would put an IoT VLAN on my switch port for the Sky box, and in the router I just add that VLAN to the IoT zone.  All done.  But with a conventional firewall setup, I would need to go around all the other interfaces and adjust their firewalls.
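Added example (editor's addition, not the poster's own config): the zone layout described above written as an EdgeOS `zone-policy`, with the Outer/DMZ zone left out for brevity since it is added exactly like the IoT zone. Interface names (pppoe0 for the WAN, eth1.10 and eth1.20 in Inner, eth1.30 in IoT) are assumptions. Traffic from zone A to zone B is matched by the ruleset attached to zone B under `from A`; a zone pair with no ruleset falls to the destination zone's default-action, so every direction that should work, including the router's own outbound traffic from the local zone, needs an explicit entry. Traffic between two interfaces in the same zone is not filtered at all.

```text
# Added example: zone-based firewall for Local / Outside / Inner / IoT.
# Interface names are assumptions; the DMZ zone is omitted for brevity.
configure

# Rulesets referenced by the zone pairs below
set firewall name ALLOW_ALL default-action accept

set firewall name ALLOW_EST default-action drop
set firewall name ALLOW_EST rule 10 action accept
set firewall name ALLOW_EST rule 10 state established enable
set firewall name ALLOW_EST rule 10 state related enable

# IoT -> Inner: replies, plus the DNS and NTP the poster allows
set firewall name IOT_TO_INNER default-action drop
set firewall name IOT_TO_INNER rule 10 action accept
set firewall name IOT_TO_INNER rule 10 state established enable
set firewall name IOT_TO_INNER rule 10 state related enable
set firewall name IOT_TO_INNER rule 20 action accept
set firewall name IOT_TO_INNER rule 20 description 'DNS'
set firewall name IOT_TO_INNER rule 20 protocol tcp_udp
set firewall name IOT_TO_INNER rule 20 destination port 53
set firewall name IOT_TO_INNER rule 30 action accept
set firewall name IOT_TO_INNER rule 30 description 'NTP'
set firewall name IOT_TO_INNER rule 30 protocol udp
set firewall name IOT_TO_INNER rule 30 destination port 123

# IoT -> the router itself: replies plus DHCP
set firewall name IOT_TO_LOCAL default-action drop
set firewall name IOT_TO_LOCAL rule 10 action accept
set firewall name IOT_TO_LOCAL rule 10 state established enable
set firewall name IOT_TO_LOCAL rule 10 state related enable
set firewall name IOT_TO_LOCAL rule 20 action accept
set firewall name IOT_TO_LOCAL rule 20 description 'DHCP'
set firewall name IOT_TO_LOCAL rule 20 protocol udp
set firewall name IOT_TO_LOCAL rule 20 destination port 67

# Zones. LOCAL is the router; the other three own interfaces.
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from INNER firewall name ALLOW_ALL
set zone-policy zone LOCAL from IOT firewall name IOT_TO_LOCAL
set zone-policy zone LOCAL from OUTSIDE firewall name ALLOW_EST

set zone-policy zone OUTSIDE default-action drop
set zone-policy zone OUTSIDE interface pppoe0
set zone-policy zone OUTSIDE from LOCAL firewall name ALLOW_ALL
set zone-policy zone OUTSIDE from INNER firewall name ALLOW_ALL
set zone-policy zone OUTSIDE from IOT firewall name ALLOW_ALL

set zone-policy zone INNER default-action drop
set zone-policy zone INNER interface eth1.10
set zone-policy zone INNER interface eth1.20
set zone-policy zone INNER from LOCAL firewall name ALLOW_ALL
set zone-policy zone INNER from OUTSIDE firewall name ALLOW_EST
set zone-policy zone INNER from IOT firewall name IOT_TO_INNER

set zone-policy zone IOT default-action drop
set zone-policy zone IOT interface eth1.30
set zone-policy zone IOT from LOCAL firewall name ALLOW_ALL
set zone-policy zone IOT from INNER firewall name ALLOW_ALL
set zone-policy zone IOT from OUTSIDE firewall name ALLOW_EST

commit
save
exit
```

The Sky-box case described above then really is one line, `set zone-policy zone IOT interface eth1.31` (assumed VLAN for the new port), with no ruleset touched. Things to know before committing: an interface cannot be both a zone member and carry per-interface `firewall in/local/out` bindings, so remove those bindings first; anything the router itself must accept from the internet (a VPN terminating on the router, say) needs its own ruleset in place of ALLOW_EST on `LOCAL from OUTSIDE`, and a port forward into Inner needs an accept in the `INNER from OUTSIDE` ruleset; and the poster's extra "phone home only to known home bases" rules would replace ALLOW_ALL on `OUTSIDE from IOT`, typically as accepts against a destination address-group followed by a drop default.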


