How to secure home network with budget 200$?

fat_pikachu · October 14, 2021, 6:50pm

Currently I have a router TP-LINK Archer C6 AC1200 which can’t create VLAN - only guest network.

I would like to be secured in case of being hacked, spied on etc (devices in main network). Budget 200$

I’m considering:

putting all IoT devices into guest network. I don’t use guest network so it’s not a problem.
flashing current router with openwrt, then create VLANs
buying new router + switch + ap with VLAN support (TP-Link ER605 router, TL-SG2008P switch, EAP 110)
buying new sim card and creating hotspot from old phone and then put IoT devices into this network - crazy idea, almost for free, maybe not so bad?

I will use dedicated tablet for steering home assistant so I dont need to use my mobile phone for steering ligts etc (separted network is fine for me).

What would you do?

tom_l · October 14, 2021, 10:02pm

Not a good idea. This idea of a guest network is that it has access to the internet but not to the local network or other devices on the guest network.

An EdgeRouter X is incredibly cheap for the power it has. It requires some knowledge to configure though, there aren’t a lot of GUIs. A Ubiquiti AP AC Lite might be within your budget too, if you run the Unifi software on an existing server.

Sounds like a terrible idea. The wifi coverage will be awful and most cellular networks use CGNAT complicating remote access.

Viable idea but… unless you are quite familiar with VLANs you will probably end up making your network less secure.

jaalperin · October 14, 2021, 10:32pm

OpenWRT for sure. Start with your current router. However, a Pi4B puts most routers to shame.

koying · October 15, 2021, 8:01am

I second that. I bought my last router (a while ago) specifically to be able to install OpenWRT on it.

Now, generally speaking, using VLAN’s is a recipe for headaches, imo.
Not sure what kind of hacking or spying the OP has in mind, but plain using SSL everywhere would mitigate 99.99% of those.

k8gg · October 15, 2021, 3:36pm

I’m interested in this topic also.

I understand not all IoT devices would/could be easily configured to go SSL (we are talking about local SSL within LAN, right?) So if SSL is not 100% feasible, and VLAN introduces headaches, what other options do we have?

Do we… firewall everything with a bunch of rules?

koying · October 15, 2021, 3:58pm

DO.NOT.USE.WIFI.IOT

Now, seriously, what spying/hacking do you think your Tuya plug will do?
Phone home, that’s sure, but that’s the base idea of cloud-based IoT (unless you manage to reflash it, ofc).

Until someone point me to an actual hacking example where a VLAN would have made a difference, it’s all FUD to me…

Tromperie · October 16, 2021, 12:27am

I suggest an older x86 computer with two Gigabit ports & install OPNsense as the router, buy a switch, & use your current router as an AP. It is what I use.

ghvader · October 16, 2021, 1:52am

buy a mini-pc (something like an intel nuc, you can get cheaper versions from other OEMs) and put pfSense on it.

Tromperie · October 17, 2021, 7:16am

I don’t have any objections to pfsense, only that I’ve found OPNsense to be more user friendly, including the forums.