It’s Time to Segregate Network Devices

You know the old phrase “the shoemaker’s children go barefoot”? That’s how it goes sometimes with home network administration. With an upcoming block of time off, I think it’s time to start fixing design issues at home.

Situation:

My entire home network is on one VLAN and one SSID (2.4 and 5 GHz). With a bunch of smart home devices, smart speakers, streaming devices, and other non-computers, it doesn’t make sense to have them all in one broadcast domain.

Goal:

  • Design a network segregation strategy that puts all my devices into one of three or four VLANs based on their purpose
  • Reduce the ability of a compromised network device to be used as a pivot point
  • Restrict single-purpose device network comms to only what they need
    • ex: only allow Echo devices to talk to Amazon’s servers
  • Preserve the ability to access services from devices that I presume only communicate on the local network, like the HDHomeRun

Network Inventory:

  • Two Desktop gaming-style PCs
  • Macbook Pro
  • Surface Book
  • iPad
  • Shield Tablet
  • Kindle Paperwhite
  • Xbox One
  • Xbox 360
  • PS4
  • PS3
  • Wii U
  • Switch
  • Nintendo 3DS
  • Steam Link
  • Fire 4k Stick
  • Vizio TV
  • Onkyo Receiver
  • Echo (1st Gen)
  • Two Echo dots
  • Echo Tap
  • Samsung Smartthings hub
  • Four Belkin Wemo plugs
  • HDHomerun Connect
  • Asustor NAS
  • Epson Printer
  • Tesla Model 3
  • Tesla Solar Controller (soon)
  • Nest Doorbell
  • Nest Thermostat
  • Three Raspberry Pis

Proposed Network Breakout:

I think it would be best to break the network into end-user devices, smart home devices, infrastructure devices, and security cameras.

Main Network

  • Two Desktop gaming-style PCs
  • Macbook Pro
  • Surface Book
  • iPad
  • Shield Tablet
  • Epson Printer
  • NAS
  • Raspberry Pi
  • HDHomerun Connect

Smart Home Network

  • Fire 4k Stick
  • Vizio TV
  • Onkyo Receiver
  • Echo (1st Gen)
  • Two Echo dots
  • Echo Tap
  • Samsung Smartthings hub
  • Four Belkin Wemo plugs
  • Tesla Model 3
  • Tesla Solar Controller (soon)
  • Nest Doorbell
  • Nest Thermostat
  • Kindle Paperwhite
  • Xbox One
  • Xbox 360
  • PS4
  • PS3
  • Wii U
  • Switch
  • Nintendo 3DS
  • Steam Link

Management Network:

  • Three Ubiquiti APs
  • Basement Netgear Prosafe 16-port PoE switch
  • Office Netgear Prosafe 8-port PoE switch
  • Bedroom Netgear Prosafe 6-port PoE-passthrough switch
  • Living Room Netgear Prosafe 8-port switch
  • pfsense router
  • Raspberry pi (Unifi server)

Security Camera Network:

  • One Ubiquiti G3 PoE camera

Network Infrastructure:

Internet access comes in the form of FIOS Gigabit service via a Cat 6 cable from the ONT outside the house. I have a small form factor PC running pfSense with dual Intel gigabit NICs. That handles routing, DNSBL, OpenVPN service, etc.

In the basement, I have a Netgear Prosafe 16-port PoE switch acting as the core switch. It also serves the devices that connect directly to the basement comm rack, such as the basement AP.

The living room has a Netgear Prosafe gigabit switch to provide services to all the game consoles and the TV.

In my office on the second floor, I have another Netgear Prosafe gigabit PoE switch to support the desktops, NAS, and wifi AP.

In the bedroom we have another Netgear Prosafe switch, but this one is powered by PoE from the basement. It provides service to the Xbox 360, PS3, and an additional Ubiquiti AP.

For Wifi, I have three Ubiquiti UAP-AC-PRO access points managed by a Unifi server on a Raspberry Pi.

Why so many Access Points?

Good question. When I switched from VHT40 channel bandwidth to VHT80 on 5 GHz, the viable range of the AP significantly dropped. I’m happy with the increased throughput in the spots of the house that the APs serve, so I chose to just add more APs to the house.

Network Map with proposed VLAN setup

Next Steps

So I need to figure out a cutover plan to implement all of the VLANs without locking myself out. Security rules for each VLAN can be figured out later, since each IoT device will probably need a lot of analysis to figure out what should be allowed.

Tasks for each switch

  • Create VLANs 10, 20, 30, and 40
  • Map out each switch to figure out what device is plugged into each port
  • Assign each switchport either as an access port (untagged member of a single VLAN) or, for uplinks to other switches, the APs, and pfSense, as a trunk carrying all four VLANs tagged (the APs expect their own management traffic on the untagged VLAN)

Tasks for the pfsense

  • Create VLANs 10, 20, 30, and 40
  • Assign each VLAN to a subinterface
  • Set up DHCP for each VLAN/network

Tasks for Unifi Controller

  • Set up a second SSID
  • Assign main SSID to VLAN 10
  • Assign Secondary SSID to VLAN 30

Tasks for each wifi device

  • Assign a static IP or set up a DHCP lease that fits the new subnet strategy
  • Re-join the appropriate SSID
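To sanity-check the goals above (no pivoting out of the Smart Home VLAN, single-purpose devices reaching only what they need, and the HDHomeRun on Main staying reachable) before any switchport is touched, here is an added example, not the post's own configuration: a small Python model of the breakout and of a first-match rule set for the Smart Home VLAN interface, evaluated the way pfSense evaluates interface rules (top to bottom, first match wins, implicit default deny). VLAN 10 for the main SSID and VLAN 30 for the secondary SSID come from the Unifi tasks above; VLAN 20 as management, VLAN 40 as cameras, the 10.0.<VLAN>.0/24 addressing, every host address, and the HDHomeRun streaming port 5004 are assumptions made for the example.

```python
# Added example: model of the proposed VLAN breakout and a first-match
# firewall policy for the Smart Home VLAN. Not the post's configuration.
# VLAN 10 (main SSID) and VLAN 30 (secondary SSID) come from the post;
# VLAN 20 = management, VLAN 40 = cameras, the 10.0.<vlan>.0/24 addressing,
# the host addresses and the HDHomeRun port are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed addressing: third octet = VLAN ID, pfSense gateway at .1.
VLANS = {
    10: ("main", Net("10.0.10.0/24")),
    20: ("management", Net("10.0.20.0/24")),  # assumed mapping
    30: ("smarthome", Net("10.0.30.0/24")),
    40: ("cameras", Net("10.0.40.0/24")),     # assumed mapping
}
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
ANY = Net("0.0.0.0/0")

# Constructed host addresses (illustrative, not the post's real ones).
HOSTS = {
    "gateway-vlan30": IPv4("10.0.30.1"),
    "hdhomerun": IPv4("10.0.10.20"),   # Main VLAN, as in the post's breakout
    "nas": IPv4("10.0.10.30"),         # Main VLAN
    "fire-stick": IPv4("10.0.30.50"),  # Smart Home VLAN
    "echo-dot": IPv4("10.0.30.60"),    # Smart Home VLAN
}

def host(ip: IPv4) -> Net:
    return Net(f"{ip}/32")

@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: Net
    dst: Net
    proto: str = "any"   # "tcp", "udp" or "any"
    dport: int = 0       # 0 = any destination port
    note: str = ""

    def matches(self, src: IPv4, dst: IPv4, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.dport in (0, dport))

# Rules on pfSense's VLAN 30 interface. Order is the policy: gateway
# services first, then the one cross-VLAN exception, then block every
# other private destination before allowing the Internet.
SMARTHOME_RULES: List[Rule] = [
    Rule("pass", VLANS[30][1], host(HOSTS["gateway-vlan30"]), "udp", 53, "DNS via pfSense"),
    Rule("pass", VLANS[30][1], host(HOSTS["gateway-vlan30"]), "udp", 123, "NTP via pfSense"),
    Rule("pass", VLANS[30][1], host(HOSTS["hdhomerun"]), "tcp", 5004, "HDHomeRun stream (assumed port)"),
    *[Rule("block", VLANS[30][1], n, note="no other RFC1918 destination") for n in RFC1918],
    Rule("pass", VLANS[30][1], ANY, note="Internet"),
]

def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp", dport: int = 0) -> Tuple[str, str]:
    """First-match evaluation of one flow; anything unmatched is blocked."""
    s, d = IPv4(src), IPv4(dst)
    for r in rules:
        if r.matches(s, d, proto, dport):
            return r.action, r.note
    return "block", "implicit default deny"

def check_breakout(breakout: dict) -> dict:
    """Every device lands in exactly one VLAN, and that VLAN exists on pfSense."""
    placed = {}
    for vlan, devices in breakout.items():
        if vlan not in VLANS:
            raise ValueError(f"VLAN {vlan} is not defined")
        for dev in devices:
            if dev in placed:
                raise ValueError(f"{dev} listed in VLAN {placed[dev]} and VLAN {vlan}")
            placed[dev] = vlan
    return placed

if __name__ == "__main__":
    # Can the Fire Stick still stream from the HDHomeRun? Can an Echo reach the NAS?
    for src, dst, proto, port in [("fire-stick", "hdhomerun", "tcp", 5004),
                                  ("echo-dot", "nas", "tcp", 445),
                                  ("echo-dot", "gateway-vlan30", "udp", 53)]:
        print(src, "->", dst, proto, port, evaluate(SMARTHOME_RULES, str(HOSTS[src]), str(HOSTS[dst]), proto, port))
    print("echo-dot -> public 443", evaluate(SMARTHOME_RULES, str(HOSTS["echo-dot"]), "52.94.0.1", "tcp", 443))
```

Two caveats the model cannot capture. HDHomeRun clients find the tuner with a subnet-local broadcast, which never crosses a VLAN no matter what the rules say, so a client on the Smart Home VLAN has to be pointed at the tuner's address (or the app has to support manual entry) for the unicast rule above to be used at all. And "only Amazon's servers" for the Echo devices is not a single fixed destination; in pfSense that is best expressed as an alias (FQDN entries are re-resolved periodically, or a URL table alias) rather than hand-typed addresses that go stale.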

Conclusion

Just mapping out and inventorying my network has given me a better understanding of what’s going on here. Something like NetBox or BookStack might be a good idea for long-term documentation.

However, I think getting these steps done is really only half of the problem. Long term, I still need to lock down the ACLs in VLAN 30 to prevent unnecessary exfil paths. Also, I’d like to get away from using RPi boards to offload management services.

Let me know what you think of my plan in the comments.