New VLAN setting, advice request
Hi all,
I switched from a "consumer" setup to a SOHO/Enterprise setup for my home network. Speaking of devices, my network is made of:
1) FWG as router, with port 4 to WAN and port 3 failover with a 4gLTE modem, port 1 Tado bridge, port 2 to switch (see following)
2) Switch Ubiquiti Enterprise 8 POE: port 1 is connected to the FWG, port set to accept all traffic (this should be the trunk, right? everything will pass to the FWG); port 3 is connected to a Zyxel AP NWA210AX, port set to accept all traffic (again, is this correct?); port 2 is connected to an unmanaged 2.5gbit switch, VLAN 103 untagged; ports 4-5 are aggregated to a Synology NAS 220+, VLAN 103 untagged.
3) Unmanaged switch (the one connected to port 2 of the Ubiquiti) with 7 devices, none of which is capable of sending tagged packets (i.e. TV, AVR, Nvidia Shield, WD My Cloud, Xbox, BRD); that's why I set VLAN 103 as untagged.
4) Zyxel access point (the one connected to port 3 of the Ubiquiti), with 3 SSIDs: one is the "main", no VLAN and hidden, to which I connected my personal devices such as laptops, phones, tablets etc. One SSID is for Guests (VLAN 102 untagged), the last one is for IoT (VLAN 101 untagged), with several devices on it (i.e. smart clock, printer, Google Home, security camera etc.)
Apart from devices, I now have:
1) LAN "main" connection, IP class 192.168.58.x, with the Ubiquiti switch, the Zyxel access point, and my personal wi-fi devices
2) VLAN 101 IoT, IP class 192.168.214.x, with said devices all connected via the Zyxel AP, hidden SSID
3) VLAN 102 Guest, IP class 192.168.12.x, connection via the Zyxel AP
4) VLAN 103 Multimedia, IP class 192.168.82.x, connection via Ubiquiti switch ports 2, 4 and 5
Rules are:
1) VLAN 101 (IoT): allow traffic from LAN, block: traffic to LAN, traffic from&to IoT, traffic from internet, traffic from&to Multimedia, traffic from&to Guest
2) VLAN 102 (Guest): allow traffic from LAN, block: traffic to LAN, traffic from&to IoT, traffic from internet, traffic to LAN, traffic from&to Multimedia, traffic from&to Guest
3) VLAN 103 (Multimedia): allow traffic from LAN, allow traffic from&to Multimedia (needed because I want Nvidia shield to access NAS and Western Digital), block: traffic to LAN, traffic from&to IoT, traffic from&to Guest, traffic from internet.
That's it. Is this, in your opinion, a correct configuration? Or can I add something more in terms of VLANs, rules etc.? I could, for example, add a specific VLAN for work devices (2 laptops and 2 phones)... maybe a VLAN only for my personal devices also?
Is there anything about the tagged/untagged setting I can change? The only device which is capable of sending tagged packets is the Synology NAS, but I don't know if I can set a mixed tagged and untagged profile on the Ubiquiti switch.
I tried pinging devices from my LAN and it's ok, and if I connect to the guest network, pinging other devices results in loss, as I was expecting.
Sorry for the very long post, but it's my first time with VLANs :D
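The rule lists above are easy to get subtly wrong (the Guest list, for instance, repeats "traffic to LAN"), so a small script that encodes the intended policy and checks sample flows against it is a handy sanity check before and after clicking through a firewall UI. The following is an added example, not part of the post or of any Firewalla feature: the four subnets are the ones listed above, the blocked pairs are the three rule lists read as "which zone may initiate a connection to which" (the way a stateful firewall applies "allow from LAN, block to LAN"), anything not listed as blocked is treated as allowed (an assumption made here), and any address outside the four subnets is lumped into an "Internet" zone. The host addresses in the sample flows are constructed for the example.

```python
"""Model of the inter-VLAN policy from the post, as an added example.

Zones/subnets come from the post; BLOCKED is the three rule lists read as
"may src zone initiate to dst zone". Anything not listed as blocked is
treated as allowed (assumption). Addresses outside the listed subnets are
treated as "Internet" (simplification).
"""
import ipaddress

ZONES = {
    "LAN": ipaddress.ip_network("192.168.58.0/24"),
    "IoT": ipaddress.ip_network("192.168.214.0/24"),
    "Guest": ipaddress.ip_network("192.168.12.0/24"),
    "Multimedia": ipaddress.ip_network("192.168.82.0/24"),
}

# (src_zone, dst_zone) pairs that may NOT initiate, taken from the post's rules.
BLOCKED = {
    # VLAN 101 IoT: block to LAN, from&to IoT, from&to Multimedia, from&to Guest, from internet
    ("IoT", "LAN"), ("IoT", "IoT"), ("IoT", "Multimedia"), ("IoT", "Guest"), ("Internet", "IoT"),
    # VLAN 102 Guest: block to LAN, from&to IoT, from&to Multimedia, from&to Guest, from internet
    ("Guest", "LAN"), ("Guest", "IoT"), ("Guest", "Guest"), ("Guest", "Multimedia"), ("Internet", "Guest"),
    # VLAN 103 Multimedia: block to LAN, from&to IoT, from&to Guest, from internet
    ("Multimedia", "LAN"), ("Multimedia", "IoT"), ("Multimedia", "Guest"), ("Internet", "Multimedia"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the listed /24s is 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


def may_initiate(src_ip: str, dst_ip: str) -> bool:
    """True if a connection from src_ip to dst_ip is permitted to start."""
    return (zone_of(src_ip), zone_of(dst_ip)) not in BLOCKED


def check_flows(flows):
    """flows: (description, src_ip, dst_ip, expected_allowed) tuples.
    Returns the descriptions whose verdict disagrees with the expectation."""
    return [desc for desc, src, dst, expected in flows
            if may_initiate(src, dst) != expected]


def unreachable_pairs():
    """Zone pairs blocked in both directions, i.e. fully isolated from each other."""
    names = list(ZONES) + ["Internet"]
    return sorted((a, b) for a in names for b in names
                  if a < b and (a, b) in BLOCKED and (b, a) in BLOCKED)


# Constructed sample hosts inside the post's subnets (not addresses from the post).
SAMPLE_FLOWS = [
    ("guest laptop pings NAS", "192.168.12.50", "192.168.82.10", False),
    ("LAN laptop reaches NAS", "192.168.58.20", "192.168.82.10", True),
    ("Shield reads from NAS", "192.168.82.30", "192.168.82.10", True),
    ("camera talks to smart clock", "192.168.214.5", "192.168.214.6", False),
    ("camera phones home", "192.168.214.5", "203.0.113.7", True),
    ("internet host probes camera", "203.0.113.7", "192.168.214.5", False),
    ("NAS opens connection to LAN laptop", "192.168.82.10", "192.168.58.20", False),
]

if __name__ == "__main__":
    mismatches = check_flows(SAMPLE_FLOWS)
    print("policy mismatches:", mismatches or "none")
    for a, b in unreachable_pairs():
        print(f"{a} <-> {b}: isolated in both directions")
```

Running it lists the zone pairs that are isolated in both directions (Guest/IoT, Guest/Multimedia, IoT/Multimedia) and confirms the guest-to-NAS ping failure described at the end of the post is what the policy says should happen; the same flow list can then be replayed with real pings to compare the intended policy against what the firewall actually does.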
-
It would help if you could post a diagram showing your network layout. From the text above, echoed by @Firewall's comments, your network seems quite complex; a diagram showing how things are wired up, which VLANs run where, etc. would be useful for providing advice.
Hint: Sometimes just sitting down and diagramming what's supposed to go where and under what conditions can show you a solution to the question.
-
The diagram certainly helps, thanks!
(Incidentally, is that done with Creately? Trying to figure out where I've seen the format before, I really should get around to diagramming my setup with something more than pen&paper).
In terms of adding more VLANs, you mentioned you've got a Gold, which is fine; the Purple is limited to 5 VLANs, so you have to be a bit careful with allocation of devices. I'm using mine for security, so I've got two IoT VLANs: one for devices that are cloud-based, so you can restrict access to outgoing WAN-only, and one for devices where you need local access.
You may also want to consider a VLAN for high-risk devices. I have one for VoIP devices, which tend to have more than their share of vulns and are typically full-blown Linux boxes once an attacker gets in; those are locked into a WAN-only VLAN with no ability to access anything local.
-
Yes, I made that diagram with Creately, very useful.
In terms of setup, I'm thinking about another VLAN for work devices (total of 4: 2 laptops and 2 phones); this would be managed by the access point.
I think nothing more should be worth doing; as a matter of fact I already segmented all my devices between personal (in LAN-WLAN), multimedia (VLAN 103) and IoT (VLAN 101). My guests will connect to their network (VLAN 102) eventually. In terms of rules, other than the generic block from the internet, I locked the VLANs in their subnets and between devices, with the only exception of VLAN 103, where devices are able to talk with each other (I need it to let the Nvidia Shield read files from the NAS and WD My Cloud). LAN devices can of course access everything. I made some simple ping tests, connecting my laptop to the Guest network: I wasn't able to reach the NAS, for instance, so this should work.
Hope Firewalla will release a Gold "plus" with some 2.5gb ports; now the router is the only one of the main components still using gigabit ports...
-
Ah, that's a good idea, having a VLAN that disallows traffic between devices. So if you wanted to be really careful you'd have three VLANs for IoT: one for purely cloud-based devices that allows WAN access and nothing more (Apple TV would be an example), one for cloud + local, e.g. uploads to the cloud + admin via local SSH (WeeWX would be an example), and one for local access, e.g. things that interact locally (a NAS as an example). I'm thinking here of the most effective way to isolate at-risk IoT devices if they get compromised.