Network Segregation Update

It’s been a few months since my post about network segregation, mostly due to laziness but partly because I made some additional network infrastructure changes. Since September I’ve added a few new devices:

  • Two Ubiquiti G3 Flex cameras
  • Another Netgear Prosafe PoE switch for the living room
  • A Supermicro 4U server in the basement

The New Plan

Last weekend I finally started the process of implementing my VLAN plan. It ended up taking from Sunday evening to Tuesday afternoon to get everything fully functional.

Here was the basic order of steps:

  1. Fully inventory each switch and the patch panel to figure out what is plugged into each port
  2. Sort the new list into four VLANs: users, network management, devices/IoT, and cameras
  3. Configure subinterfaces on pfSense and create DHCP pools for each subnet.
  4. Create firewall rules that allow traffic between VLANs for now. These permissive rules get replaced with more secure ones once the cutover is done.
  5. Configure the basement (core) switch first, starting with its trunk ports. Don’t remove VLAN 1 until the native VLAN settings are in place and everything can still connect
  6. For each endpoint on a switch, assign it to a VLAN and set its PVID or native VLAN. Remove all other VLANs from the port
  7. For trunked ports to other switches, add all VLANs as tagged traffic. Don’t set PVID for the switches until later in order to maintain the ability to easily configure them
  8. For access points, send tagged VLAN traffic for the users and devices networks. Additionally, send tagged management network traffic and set that VLAN as the management VLAN in UniFi
  9. Once everything is configured, remove VLAN 1 from every port

What Actually Happened

Ideally this is how it would’ve worked. Unfortunately, Ubiquiti and Netgear have different ways of handling VLAN setup.

For instance, to send traffic to a Netgear device on the management VLAN, you need to send it untagged, like the switch is an endpoint. Ubiquiti devices instead require management VLAN traffic to be tagged, with the “management VLAN” setting telling the Ubiquiti device to pluck it out of tagged traffic.
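The cutover order above and the Netgear/Ubiquiti management-VLAN difference are easy to get wrong on a single port, which is exactly how lockouts happen. The following is an added example, not code from the post, that checks a per-port plan (the kind of list step 1 produces) against those rules before VLAN 1 is removed. VLAN IDs 10 (users) and 30 (devices) come from the original post; 20 (management) and 40 (cameras) are assumed, and the port records are constructed.

```python
# Added example (not from the post): sanity-check a switch port plan before the
# VLAN 1 removal step. VLANs 10/30 are from the post; 20 and 40 are assumed. The
# vendor rule is the post's: Netgear wants management untagged, Ubiquiti tagged.
VLANS = {10: "users", 20: "management", 30: "devices", 40: "cameras"}
MGMT = 20
AP_VLANS = {10, 20, 30}           # tagged to every access point
MGMT_EXPECTS = {"netgear": "untagged", "ubiquiti": "tagged"}

def check_port(port, vlan1_removed=False):
    """Return the problems found on one port record; an empty list means OK."""
    name, role = port["name"], port["role"]
    tagged, untagged = set(port["tagged"]), set(port["untagged"])
    problems = []
    if vlan1_removed and 1 in tagged | untagged:
        problems.append(f"{name}: VLAN 1 still present after cutover")
    if role == "access":
        # An endpoint port: one untagged VLAN, PVID equal to it, nothing tagged
        # (VLAN 1 is tolerated as tagged until the final removal step).
        if len(untagged) != 1 or tagged - {1}:
            problems.append(f"{name}: access port needs one untagged VLAN and no tagged VLANs")
        elif port["pvid"] not in untagged:
            problems.append(f"{name}: PVID {port['pvid']} differs from untagged VLAN")
    elif role in ("trunk", "ap"):
        want = set(VLANS) if role == "trunk" else AP_VLANS
        missing = want - tagged - untagged
        if missing:
            problems.append(f"{name}: missing VLAN(s) {sorted(missing)}")
        expect = MGMT_EXPECTS.get(port.get("vendor"))
        if expect == "untagged" and MGMT not in untagged:
            problems.append(f"{name}: Netgear downstream needs VLAN {MGMT} untagged")
        elif expect == "tagged" and MGMT not in tagged:
            problems.append(f"{name}: Ubiquiti downstream needs VLAN {MGMT} tagged")
    return problems

def check_plan(ports, vlan1_removed=False):
    """Run check_port over a whole switch; returns all problems in port order."""
    return [p for port in ports for p in check_port(port, vlan1_removed)]

# Constructed sample: four ports on the basement (core) switch mid-cutover.
CORE_SWITCH = [
    {"name": "g1", "role": "ap", "vendor": "ubiquiti", "pvid": 1,
     "tagged": [10, 20, 30], "untagged": []},               # basement AP
    {"name": "g2", "role": "trunk", "vendor": "netgear", "pvid": 1,
     "tagged": [10, 30, 40], "untagged": [20]},             # uplink to office switch
    {"name": "g3", "role": "access", "pvid": 40,
     "tagged": [], "untagged": [40]},                       # G3 Flex camera
    {"name": "g4", "role": "trunk", "vendor": "netgear", "pvid": 1,
     "tagged": [10, 20, 30, 40], "untagged": [1]},          # living room switch, still on VLAN 1
]
```

Run `check_plan(CORE_SWITCH)` while VLAN 1 is still in use and again with `vlan1_removed=True` just before step 9; any port listed is one you would lose when VLAN 1 goes away.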

Netgear Prosafe switches also have a weird requirement that you be on the same subnet as the device you’re configuring, even if you can reach it from outside. This means if I want to configure a Netgear switch from now on, I have to plug into a dedicated network management port on one of the switches. I have another 8-port Ubiquiti switch coming to replace the office switch, and whenever they come out with a 24-port PoE switch with SFP+, I’ll be upgrading the basement switch to that.

Coming from a Cisco background, this was a bit confusing, but I think the experience helped me to better understand VLANs. And I only had to factory reset my Ubiquiti switch like five times!

Splitting up the SSID into users and devices wasn’t hard, especially since UniFi lets you modify all of the APs with one configuration change. I just created a second SSID and set it to use the devices VLAN. I also set the existing SSID to use the new users VLAN. The user endpoints like laptops, phones, and tablets all switched seamlessly. All devices that were already on the existing AP stayed there until I migrated them manually.

Upsides

An unforeseen benefit of the segregation seems to be much higher throughput on the users SSID. I suspect this is because all of the devices on that network speak 802.11ac.

Downsides

  1. If I die suddenly and something eventually breaks on the network, my wife will never get back on the internet.
  2. Adding a new device with a physical connection to the network will be more complicated

Future Goals

  • Replace Netgear switches with Ubiquiti
  • Assign every device a static DHCP lease and host name
  • Analyze IoT device traffic and create firewall rules for them to only allow traffic to legitimate services
  • Create home lab VLAN
  • Move network services like UniFi to docker containers
  • Send all of my logs to Elasticsearch. Maybe run Suricata?
  • Install a couple more UniFi cameras
  • Implement RADIUS so I can do things like dynamic WiFi encryption, encrypted guest portals, and roaming VLAN membership with 802.1X

It’s Time to Segregate Network Devices

You know the old phrase “the shoemaker’s children go barefoot”?  That’s how it goes sometimes with home network administration.  With an upcoming block of time off, I think it’s time to start fixing design issues at home.

Situation:

My entire home network is on one VLAN and one SSID (2.4 and 5 GHz).  With a bunch of smart home devices, smart speakers, streaming devices, and other non-computers, it doesn’t make sense to have them all in one broadcast domain.

Goal:

  • Design a network segregation strategy that puts all my devices into one of three or four VLANs based on their purpose
  • Reduce the ability of a compromised network device to be used as a pivot point
  • Restrict single-purpose device network comms to only what they need
    • ex: only allow Echo devices to talk to Amazon’s servers
  • Preserve the ability to access services from devices that I presume only communicate to the local network like HDHomerun

Network Inventory:

  • Two Desktop gaming-style PCs
  • Macbook Pro
  • Surface Book
  • iPad
  • Shield Tablet
  • Kindle Paperwhite
  • Xbox One
  • Xbox 360
  • PS4
  • PS3
  • Wii U
  • Switch
  • Nintendo 3DS
  • Steam Link
  • Fire 4k Stick
  • Vizio TV
  • Onkyo Receiver
  • Echo (1st Gen)
  • Two Echo dots
  • Echo Tap
  • Samsung Smartthings hub
  • Four Belkin Wemo plugs
  • HDHomerun Connect
  • Asustor NAS
  • Epson Printer
  • Tesla Model 3
  • Tesla Solar Controller (soon)
  • Nest Doorbell
  • Nest Thermostat
  • Three Raspberry Pis

Proposed Network Breakout:

I think it would be best to break the network into end-user devices, smart home devices, infrastructure devices, and security cameras.

Main Network

  • Two Desktop gaming-style PCs
  • Macbook Pro
  • Surface Book
  • iPad
  • Shield Tablet
  • Epson Printer
  • NAS
  • Raspberry Pi
  • HDHomerun Connect

Smart Home Network

  • Fire 4k Stick
  • Vizio TV
  • Onkyo Receiver
  • Echo (1st Gen)
  • Two Echo dots
  • Echo Tap
  • Samsung Smartthings hub
  • Four Belkin Wemo plugs
  • Tesla Model 3
  • Tesla Solar Controller (soon)
  • Nest Doorbell
  • Nest Thermostat
  • Kindle Paperwhite
  • Xbox One
  • Xbox 360
  • PS4
  • PS3
  • Wii U
  • Switch
  • Nintendo 3DS
  • Steam Link

Management Network:

  • Three Ubiquiti APs
  • Basement Netgear Prosafe 16-port PoE switch
  • Office Netgear Prosafe 8-port PoE switch
  • Bedroom Netgear Prosafe 6-port PoE-passthrough switch
  • Living Room Netgear Prosafe 8-port switch
  • pfsense router
  • Raspberry pi (Unifi server)

Security Camera Network:

  • One Ubiquiti G3 PoE camera

Network Infrastructure:

Internet access comes in the form of FiOS Gigabit service via a CAT 6 cable from the ONT outside the house.  I have a small form factor PC running pfSense with dual Intel gigabit NICs.  That handles routing, DNSBL, OpenVPN service, etc.

In the basement, I have a Netgear Prosafe 16-port PoE switch acting as the core switch and to handle some of the devices that connect directly to the basement comm rack like the basement AP.

The living room has a Netgear Prosafe gigabit switch to provide services to all the game consoles and the TV.

In my office on the second floor, I have another Netgear Prosafe gigabit PoE switch to support the desktops, NAS, and wifi AP.

In the bedroom we have another Netgear Prosafe switch, but this one’s powered by PoE from the basement.  This provides service to the Xbox 360, PS3, and an additional Ubiquiti AP.

For Wi-Fi, I have three Ubiquiti UAP-AC-PRO access points managed by a UniFi server on a Raspberry Pi.

Why so many Access Points?

Good question.  When I switched from VHT40 channel bandwidth to VHT80 on 5 GHz, the viable range of the APs significantly dropped.  I’m happy with the increased throughput in the spots of the house that the APs serve, so I chose to just add more APs to the house.

Network Map with proposed VLAN setup

Next Steps

So I need to figure out a cutover plan to implement all of the VLANs without locking myself out.  Security rules for each VLAN can be figured out later, since it will probably need a lot of analysis per IoT device to figure out what should be allowed.

Tasks for each switch

  • Create VLANs 10, 20, 30, and 40
  • Map out each switch to figure out what device is plugged into each port
  • Assign each switch port either to a single VLAN (untagged access port) or to a trunk

Tasks for pfSense

  • Create VLANs 10, 20, 30, and 40
  • Assign each VLAN to a subinterface
  • Set up DHCP for each VLAN/network

Tasks for UniFi Controller

  • Set up a second SSID
  • Assign main SSID to VLAN 10
  • Assign Secondary SSID to VLAN 30

Tasks for each Wi-Fi device

  • Assign a static IP or set up a DHCP lease that fits the new subnet strategy
  • Re-join the appropriate SSID

Conclusion

Just mapping out and inventorying my network has given me a better understanding of what’s going on here.  Something like Netbox or Bookstack might be a good idea for long-term documentation.

However, I think getting these steps done is really only half of the problem.  Long term, I still need to lock down the ACLs in VLAN 30 to prevent unnecessary exfil paths.  Also, I’d like to get away from using RPi boards to offload management services.

Let me know what you think of my plan in the comments.