Best way to segment the network
I am looking to redo my network and divide it into multiple networks for specific devices. Right now, I just have one network and all devices are connected to it. I have switches and APs that can manage VLANs so figured that I might start using that. FWG acts as the main router to power it all.
My network has the following devices:
1) Computers (Macs, PCs), iPads and Phones (iPhones, Android) as primary devices used by my family
2) Philips Hue and IKEA lightbulbs (with hubs) that are mostly automated to turn on and off. Thinking of adding Hubitat at some point and also looking at smart locks and switches.
3) Ring cameras and security system
4) HomePods, AppleTV, Alexa and Google hubs and Sony Android TV.
5) All the networking switches and APs as well as the NAS
How many networks should I define and how should they be isolated? Each network will also likely have a WiFi and I’m guessing some of these can be restricted to 2.4GHz only. Would appreciate thoughts on best way to segment these.
-
This is the artistic side of networking :)
I have following
1. Guest network ... block adult content / ... video
2. IoT network ... nest, cameras ... all devices that don't require LAN to LAN, and not complex devices (iPhone is complex, and a Nest thermostat is not). This way I can easily apply any policy over them.
3. Main network ... for everything else
-
As Firewalla said, the art rather than science of networking. Our division is this:
1. All personal [i]devices and associated things like Apple TV, wireless DAC, NAS.
2. Rudimentary household things without particular agency, e.g. air purifiers, switches.
3. Security, aka intelligent systems with cameras :)
Category 2 is limited to 2.4GHz wireless (separate AP) not shared with anything in category 1, while category 3 is wired only. Placement of network switches and APs derives from that design. We have no guest network. Either you are family and trusted on 1, or use your own 4G/5G mobile data just the way I expect to use mine if I visit you.
The whole is a set of trade-offs between perceived/actual risk and utility/convenience.
-
Thanks for both. I am getting ready to do this and will try 1 VLAN at a time. I will start by moving all the Ring cameras and devices to their own VLAN. Considering that Ring uploads data to the cloud, I will need to allow Internet traffic. I am assuming it will also need access to LAN so the security devices can ping each other (motion sensors etc.). Not sure if it uses local network or cloud when I access a camera from my phone.
So for Ring, do I create an all access network? And if yes, then the question is why should it be on a different VLAN if it can access my network and the internet?
-
I have split my network as done above.
1. Main network for all of mine and spouse's devices
2. Kids network for kids with porn, vpn, shopping etc. blocked, set to low priority in smart queue
3. IOT for all the switches, bulbs, Google Homes etc.
I also have smart queues to set Zoom, Teams and WebEx to highest priority.
-
My network is currently segmented as follows:
- Mgmt network for switches, access points, security system, home automation server, and NAS (No wireless, default block, egress is very tightly controlled)
- User Wireless for devices that need to communicate with each other (phone or laptop to roku, chromecast, or connected speakers)
- Guest Wireless with full-client isolation for guests, kids, and any IoT device that only needs Internet Access
- DMZ1 contains a single server that I forward a port into (if it were compromised, it cannot reach any other networks, and cannot egress to the internet)
- DMZ2 for a point-to-point wireless connection to another location
I have Smart Queues enabled for Google Meet, Zoom, Teams, and Webex.
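The designs in this thread all come down to the same inter-segment policy: every segment gets default-deny, a short allow list for what each segment may initiate (IoT and cameras to the Internet only, the main network to everything, management with no egress), and a stateful exception so replies to a connection the main network opened are allowed back. That stateful exception is also the answer to the Ring question above: the camera VLAN can reach the cloud and can answer a phone on the main network, but cannot itself open a connection into the NAS or the management switches. The following is an added example, not code from the thread or from Firewalla; the segment names, the 192.168.x.0/24 address plan and the sample flows are constructed for illustration, and a real router would enforce the same matrix with stateful firewall rules rather than this in-memory model.

```python
"""Model of a default-deny inter-VLAN policy with stateful replies.

Added example, not from the forum thread. Segment names, address ranges
and sample flows are constructed for illustration.
"""
import ipaddress

# Constructed address plan: one /24 per VLAN.
SEGMENTS = {
    "main":     ipaddress.ip_network("192.168.10.0/24"),
    "iot":      ipaddress.ip_network("192.168.20.0/24"),
    "security": ipaddress.ip_network("192.168.30.0/24"),
    "mgmt":     ipaddress.ip_network("192.168.40.0/24"),
    "guest":    ipaddress.ip_network("192.168.50.0/24"),
}

# Which segments may INITIATE a connection to which. Anything not listed
# is denied. "internet" means any address outside the segments above.
# mgmt has no egress on purpose: firmware and updates are staged from main.
ALLOW = {
    ("main", "iot"), ("main", "security"), ("main", "mgmt"), ("main", "internet"),
    ("iot", "internet"),
    ("security", "internet"),
    ("guest", "internet"),
}

# Segments with client isolation: hosts inside them cannot talk to each other.
ISOLATED = {"guest"}


def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


class FlowTable:
    """Stateful decision engine: remembers flows a permitted side opened
    so that the reply direction is allowed without a separate rule."""

    def __init__(self):
        self.established = set()   # (initiator_ip, responder_ip) pairs

    def decide(self, src, dst):
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            # Same VLAN: allowed unless the segment enforces client isolation.
            return "deny" if s in ISOLATED else "allow"
        if (dst, src) in self.established:
            return "allow"           # reply to a flow the other side opened
        if (s, d) in ALLOW:
            self.established.add((src, dst))
            return "allow"
        return "deny"


def simulate(flows):
    """Evaluate a list of (src, dst, label) flows in order; returns decisions."""
    table = FlowTable()
    return [(label, table.decide(src, dst)) for src, dst, label in flows]


if __name__ == "__main__":
    # Constructed sample traffic, in the order it would occur.
    sample = [
        ("192.168.30.5", "203.0.113.10", "camera -> cloud"),
        ("192.168.30.5", "192.168.40.2", "camera -> NAS on mgmt"),
        ("192.168.10.7", "192.168.30.5", "phone -> camera"),
        ("192.168.30.5", "192.168.10.7", "camera -> phone (reply)"),
        ("192.168.50.3", "192.168.50.4", "guest -> guest"),
        ("192.168.40.2", "203.0.113.10", "mgmt switch -> internet"),
    ]
    for label, verdict in simulate(sample):
        print(f"{label:28s} {verdict}")
```

Reading the decisions in order shows the point of keeping Ring on its own VLAN even though it needs the Internet: the camera reaches the cloud and answers the phone, but its attempt to open a connection to the NAS is dropped, as is any egress from the management segment.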