Networking Consultants for home network?
I thought Firewalla GOLD would be a great tool to help protect my home network. Turns out I know WAY less than I thought about networks. Even with the easy GUI, there's still just too much 'design' knowledge I lack. And, with the kids, I don't have time to learn.
I'm looking for a qualified person to help me re-design my home network (IoT, separate gaming, work and general-use traffic isolated, with Unifi access points). Would also be nice to get the Unifi controller running in a container on Firewalla GOLD.
Are there any ways to find affordable (yet qualified) help for this sort of thing?
Thanks,
David
-
Configuration is: ISP (COX 1Gbit Cable) -> MB8600 modem -> FWG -> Unifi US8-60-W Switch.
Unifi US8-60-W Switch port connections
Port 1: To wall connection which runs through attic to son's room -> 8-port Netgear switch (port 1 uplink); port 2: son's gaming PC; port 3: laptop
Port 2: DS200+ NAS
Port 3: FWG
Port 4: iMac
Port 5: Roku
Port 6: Work Laptop
Port 7: PoE turned on - To wall outlet running through attic to Unifi U6 LR access point in home
Port 8: PoE turned on - To wall outlet running through attic to Unifi U6 LR access point in garage/home theater
Modem+FWG+8-port Unifi switch all located near each other. Yes, I believe my Unifi switch and APs allow VLANs
FWG ports 1-3 configured as LAN, 192.168.202.1/24 with DHCP server turned on, with IPv6 turned off.
FWG port 4 configured as WAN, connection type DHCP, IPv6 turned off.
Request:
1) Should I create separate 2.4 GHz networks for IoT, and if so, how do I isolate them from everything else?
2) Want work PC to be totally isolated and unable to connect to anything else in my network (and nothing in my network to get to it)... basically internet access only
3) Want two devices in son's room (laptop and gaming PC) with internet access only
4) Want a 5 GHz guest network, with internet access only
5) Regular trusted 5 GHz and wired network that can communicate between devices (i.e. iMac and NAS, or iPads/iPhones and NAS connections possible between each other)
I hope the above helps! Any suggestions greatly appreciated!
David Whelan
-
1) Yes, you should create a VLAN for all IoT devices. You can set rules for an entire network to not allow access to another inside the FWG.
2) You can create a rule for the specific device to be internet-only access, or create a group with a set of rules to not allow local traffic. The group would only have one device in it, but would be there if you added something else to the list.
3) You can create a group in FWG to place your son's devices in, with a set of rules to only allow internet access.
4) Create a VLAN for the guest network that only allows internet traffic.
5) This is your basic LAN network that would be open.
You have a setup just like mine. Modem -> FWG -> 24-port Netgear switch
Port 24 is uplink from FWG with VLAN tags 300, 900 (300 is IoT and 900 is Guest)
Port 1-3 are the TP-Link APs (those ports are tagged with the VLAN 300, 900 so the AP can send the packets through. Must tag the SSIDs with respective VLAN on the AP also)
Port 4 goes to an 8-port NG desktop switch (dumb switch) that has my work laptop and my server, which has about 5 virtual machines on it
Port 5 goes to an unused port in the kitchen for future use
I know I am only using 6 ports on the switch but the switch was free so can't complain, I plan to add more throughout the house but just haven't.
As far as the FWG setup goes, I have port 4 on the FWG as my uplink from the modem. Port 3 then goes to the switch in the garage. Here is the Network Screen
The IKEv2 is a VPN I have set up inside the FWG but really isn't used. I've got both VLANs tagged on port 3; I do not use ports 1 and 2.
As for the rules, this is what I have set up for my guest network (VLAN 300)
My IoT basically follows the same set of rules, but I also apply the target list "Log4j attackers". These rules say to block all traffic to my networks and only allow traffic to the internet. I also apply a QoS (smart queue) to the guest network that only allows them 1 Mbps upload and 10 Mbps download.
Hope this is helpful.
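A small policy model of the segmentation discussed in this thread, added here as an example and not code from Firewalla or from either poster: it assumes subnets for VLAN 300 and VLAN 900 and device addresses (all constructed) and checks the five requests in the original post against the rules described in the reply.

```python
import ipaddress

# Constructed model of the design in this thread, not Firewalla's rule engine:
# trusted LAN from the post plus IoT and guest VLANs (their subnets assumed).
NETWORKS = {
    "lan": ipaddress.ip_network("192.168.202.0/24"),   # from the post
    "iot": ipaddress.ip_network("192.168.30.0/24"),    # assumed, VLAN 300
    "guest": ipaddress.ip_network("192.168.90.0/24"),  # assumed, VLAN 900
}
INTERNET_ONLY_NETWORKS = {"iot", "guest"}
# Trusted-LAN hosts in an internet-only group: work laptop, son's PC and laptop.
INTERNET_ONLY_HOSTS = {ipaddress.ip_address(a) for a in
                       ("192.168.202.50", "192.168.202.61", "192.168.202.62")}

def network_of(ip):
    """Name of the local network an address belongs to, or 'internet'."""
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "internet"

def is_allowed(src, dst):
    """Decide whether a locally initiated flow src -> dst passes the policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Requests 2 and 3: nothing local may reach an internet-only host.
    if dst in INTERNET_ONLY_HOSTS:
        return False
    # Requests 1-4: internet-only hosts and VLANs reach the internet only.
    if src in INTERNET_ONLY_HOSTS or network_of(src) in INTERNET_ONLY_NETWORKS:
        return network_of(dst) == "internet"
    # Request 5: the trusted LAN is open. The thread does not say whether
    # trusted devices may initiate into the IoT VLAN; this model allows it.
    return True

# Expected outcomes for the five requests (constructed addresses).
EXPECTATIONS = [
    ("192.168.30.10", "192.168.202.20", False),   # 1: IoT cannot reach the LAN
    ("192.168.202.50", "192.168.202.20", False),  # 2: work PC cannot reach the LAN
    ("192.168.202.20", "192.168.202.50", False),  # 2: LAN cannot reach the work PC
    ("192.168.202.61", "192.168.202.62", False),  # 3: son's devices, no local access
    ("192.168.202.61", "203.0.113.10", True),     # 3: ...but internet works
    ("192.168.90.5", "192.168.202.20", False),    # 4: guest cannot reach the LAN
    ("192.168.202.20", "192.168.202.21", True),   # 5: trusted LAN is open
]

def violations():
    """Return the (src, dst) pairs where the model disagrees with EXPECTATIONS."""
    return [(s, d) for s, d, want in EXPECTATIONS if is_allowed(s, d) != want]
```

Running `violations()` against a changed rule set (for example, dropping the second `if`) shows immediately which of the five requests the change breaks.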