Network Segregation Update

It’s been a few months since my post about network segregation, mostly due to laziness but partly because I made some additional network infrastructure changes. Since September I’ve added a few new devices:

  • Two Ubiquiti g3 flex cameras
  • Another Netgear prosafe PoE switch for the living room
  • A Supermicro 4u server in the basement

The New Plan

Last weekend I finally started the process of implementing my VLAN plan. It ended up taking from Sunday evening to Tuesday afternoon to get everything fully functional.

Here was the basic order of steps:

  1. Fully inventory each switch and the patch panel to figure out what is plugged into each port
  2. Sort the new list into four VLANs: users, network management, devices/IoT, and cameras
  3. Configure sub interfaces on pfsense and create dhcp pools for each subnet.
  4. Create firewall rules to allow traffic between VLANs. These rules will be replaced once you’re done to be more secure.
  5. Configure the basement (core) switch ports first, focusing on trunk ports first. Don’t remove VLAN 1 until native VLAN settings are set and everything can connect
  6. For each endpoint on a switch, assign it to a VLAN and set its PVID or native VLAN. Remove all other VLANs from the port
  7. For trunked ports to other switches, add all VLANs as tagged traffic. Don’t set PVID for the switches until later in order to maintain the ability to easily configure them
  8. For access points, send tagged VLAN traffic for the users and devices networks. Additionally, send tagged management network traffic and set that VLAN as the management VLAN in UniFi
  9. Once everything is configured, remove VLAN 1 from every port

What Actually Happened

Ideally this is how it would’ve worked. Unfortunately, Ubiquiti and Netgear have different ways of handling VLAN setup.

For instance, to send traffic to a Netgear device on the management VLAN, you need to send it untagged, like the switch is an endpoint. Ubiquiti devices instead require management VLAN traffic to be tagged, with the “management VLAN” setting telling the Ubiquiti device to pluck it out of tagged traffic.

Netgear prosafe switches also have a weird requirement that you be on the same subnet as the device you’re configuring, even if you can reach it from outside. This means if I want to configure a Netgear switch from now on, I have to plug into a dedicated network management port on one of the switches. I have another 8-port Ubiquiti switch coming to replace the office switch, and whenever they come out with a 24-port Poe switch with SFP+, I’ll be upgrading the basement switch to that.

Coming from a Cisco background, this was a bit confusing, but I think the experience helped me to better understand VLANs. And I only had to factory reset my Ubiquiti switch like five times!

Splitting up the SSID into users and devices wasn’t hard, especially since UniFi lets you modify all of the APs with one configuration change. I just created a second SSID and set it to use the devices VLAN. I also set the existing SSID to use the new users VLAN. The user endpoints like laptops, phones, and tablets all switched seamlessly. All devices that were already on the existing AP stayed there until I migrated them manually.

Upsides

An unforeseen benefit of the segregation seems to be much higher throughput on the users SSID. I suspect this is because all of the devices on that network speak 802.11ac.

Downsides

  1. If I die suddenly and something eventually breaks on the network, my wife will never get back on the internet.
  2. Adding a new device with a physical connection to the network will be more complicated

Future Goals

  • Replace Netgear switches with Ubiquiti
  • Assign every device a static DHCP lease and host name
  • Analyze IoT device traffic and create firewall rules for them to only allow traffic to legitimate services
  • Create home lab VLAN
  • Move network services like UniFi to docker containers
  • Send all of my logs to elasticsearch. Maybe run suricata?
  • Install a couple more UniFi cameras
  • Implement RADIUS so I can do things like dynamic WiFi encryption, encrypted guest portals, and roaming VLAN membership with 802.1x

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.