NGINX, reverse proxy, overall security - need advice and knowledge

I am redoing my entire home network and am trying to build it a bit more secure.

Currently I have a main (general user) network under the primary router then a secondary router & subnet built off of it for all my home automation/etc devices. I can access my Hass.io (SSL) and ZM installs remotely.

I would like to have a single network (1 subnet) (purchased 2 Nighthawk routers for coverage) that handles everything but definitely want to make sure that my Hassio (rPi3) and ZM (server) are protected.

What is the best way to go? I see a lot of discussions about NGINX but I do not fully understand. I have extra hardware lying around to which I could dedicate to running this but is it needed? I am particularly concerned about unauthorized access to my camera system. (I know I need to make it SSL).

I have also been advised before about splitting my IP allocation up (normal vs home automation) but for the life of me I cannot wrap my brain around it.

Please, any advice or input is welcome. I do not mind reading up (and have read most of the discussions here) but I really need a plain, simple explanation or how-to.

So you are double NATting, and not really securing this other network.

It will be no more or less protected than it currently is.

NGINX is used as a reverse proxy. It has nothing to do with 'security'.

So don't open the web interface to the internet.

You would want VLANs and a proper firewall.

First things first:

Lay out a design of what you actually want. Ignore the specifics of what devices or technology to use until you figure out what you want the end goal to be. Once you figure out what you want your network to look like, then we can work on what it will take to get there.

I always recommend a proper networking setup and run all IoT/home automation items on a separate VLAN that is firewalled off from the regular network, except for specific components you need to access directly.

I would prefer a single network & 1 WiFi SSID (via 2 APs, or 1 router with an additional AP) but secure, and to only be able to access my Hassio & ZM instances remotely (or anything else specific I might add later). My current setup has 2 WiFi SSIDs (1 for HA, 1 for general use) with 2 APs (or 1 router with an additional AP) each because I had coverage issues.

I thought I had a somewhat secure system before/now since I have to specify ports for the HA & ZM to be able to be seen remotely… I cannot (not that I really have any knowledge) access any other devices unless I am connected directly to the secondary local network, so I didn't think anyone else could either.

Thank you in advance! I love to learn but proper networking has eluded my skill set.

Oh, and I have changed the default ports on all my devices (cameras, ZM, HA).

Should I buy/build a pfSense box to do this? Create separate VLANs?

Personally I am a fan of Ubiquiti gear. EdgeRouter or USG is where I would go, along with some UAC-LR access points. (Actually my setup now consists of an EdgeRouter PoE, a Cisco 3650 PoE switch, and a UAC-LR. I don't need more than one access point in my 2500 sq ft home. It even reaches to the end of my half acre lot.)

This may be a dumb question, but would I need multiple APs if I want to connect wirelessly to separate VLANs?

I have the hardware to build a decent pfSense box, I have multiple switches (although I think they are all unmanaged), and 2 Netgear Nighthawk R6700/AC1750 (as well as a half dozen lesser WiFi routers not in use).

I could install multiple NICs into the pfSense box to create separate VLANs and then into the unmanaged routers (1 VLAN each). But then, unless I am misunderstanding, any AP would be dedicated to the VLAN it is connected to… right?

Nope. A decent AP will handle VLANs just fine.

This wouldn’t be VLANs then. They would just be LANs. :wink:

If you don't have a managed switch or a router that can do it, then your idea is just physical separation, and there is no VLAN involved.

Good morning! Would this be an acceptable managed switch? NETGEAR GS108Tv2 8-Port Gigabit Smart Managed Pro Switch

I don't think my Netgear R6700 wireless routers can manage VLANs to the extent needed.

Here's my idea… I run the cable modem to a pfSense box (create VLANs), then to the managed switch, then to wired devices and to my R6700s running as APs. Is this conceivable? Given that I 'manage' the VLANs properly, would it create a secure network?

I suppose so. I have never used that line of switches but it seems like it will do what you need.

This is a really solid plan. Make sure you utilize the firewall in pfSense to restrict traffic between the VLANs and you are good to go.


Just to give an update, here is my plan:

Create 3 VLANs:
VLAN10 (Video)
VLAN20 (HA, ZM, other PCs/Phones)
VLAN30 (IoT, Alexa, Google, MQTT, IP Cameras)
Add VPN to connect out of the home (LATER)

Comcast WAN

PfSense

Netgear GS108T #1
#2 --> HA/RPi3
#3 --> ZM Server
#4 --> open
#5 --> open
#6 --> VLAN20, VLAN30 --> R6700 Nighthawk as AP (no current need for video here)
#7 --> VLAN10 (for 1 WiFi smart TV), VLAN20, VLAN30 --> R6700 Nighthawk as AP
#8 --> VLAN10 --> 4-port unmanaged switch (not sure if this will work, but will only have FireTV & PS4 connected - can upgrade to managed if necessary.)

Everything is Gigabit w/CAT6 if that matters.

Where I am at:

I had the Comcast service installed yesterday (will replace AT&T once this setup is complete), installed pfSense, set up the GS108T (I think, U vs T vs blank throwing me off), created VLANs in pfSense, ran CAT6 to the media center with the unmanaged switch, connected FireTV & PS4, set up 1 R6700 on port 7 to give some form of WiFi for now (not complete, VLAN, or protected really).

I’m stuck on the NAT for the PS4 but I do have connectivity to both the FireTV and PS4 with IP addresses within VLAN10.

I believe I should keep the HA & ZM computers away from the IoT VLAN but not sure. Would I then create a massive amount of forwards to get the information? Or would it be better to put those on the IoT VLAN30 and just create the forwards I need to get to the Web GUIs?

My wife works from home so I want to get everything working perfectly before I move her over to the newer Comcast/PfSense connection.

Please advise if this seems like a workable & secure setup. I spent about 8 hours working on this yesterday (5 hours Googling how-tos) and am left feeling a little confused and frustrated. I definitely learned how little I know about networking.

U is 'Untagged', which means that if you put a VLAN tag on the port as Untagged, any device that plugs into that port will be on that VLAN with no configuration needed from the device.

T should be 'Tagged', which means that it will use the default VLAN ID as 'untagged traffic', and anything tagged with the VLAN tag that you specify on the port will be on that VLAN.

Blank would just use the default 'No VLAN' setting.

You shouldn’t do any forwarding here. At the router level it should just be firewall rules, not NAT rules/forwarding. This is going to be a complicated setup, as you will want to restrict traffic from and to IP addresses and ports.

This is what I would do personally. Put them all on the same VLAN, and then just create a firewall rule to access the web interfaces.


I am not feeling the love from pfSense… days of working on it. I can't even get the PS4 to work right, so I fear my knowledge of being able to successfully install to get other aspects (HA/ZM) to work is just not where it needs to be. :frowning:

What is the issue with the PS4?

I thought I had it set up but I couldn't get past a NAT of 3, so I started over using a different walkthrough and now I get a NAT Failed, if I get an IP at all. My VLANs are screwy and I keep being able to connect to 192.168.1.x, which according to the author (emailed him) I should not be able to do. My brain will self-destruct soon.

I would recommend you start small.

Ignore VLANs until you get a working LAN.

Also, it doesn't look like the Nighthawk R6700 can support VLANs if it is in AP mode.

My home is about 1800 sq ft, do you think the UAC-LR would support that with multiple VLANs?
Also, do I need the cloud controller? Not sure if I want to dedicate yet another computer.

My home is 2500 sq ft sitting on a half acre of land. My single UAC-LR has no problems providing WiFi on 3 different VLANs to my entire property. The number of VLANs is never the issue, it is the number of clients. From your standpoint you will be fine.

You only need the app to set up the access point. You do not need to run it all the time. The only benefit to running it all the time is that it will track and log information about your WiFi clients (connection times, bandwidth usage, etc.).

You don’t need to dedicate a computer. You can just run the app in a VM, on a pi, or on any computer that is running 24/7

Awesome, I am sending the newer R6700 back and my UAC-LR should deliver tonight or tomorrow. I am still fighting with pfSense but have a somewhat working setup.

I have been using these guides:
https://nguvu.org/pfsense/pfsense-baseline-setup/
https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/

I still need to work on getting VLANs for my IoT & security and then figure out the rest of the PS4. I think I may need to dedicate a port to the video VLAN as I think it confuses the PS4; FireTV seems to work fine. The router setup guide I followed has the port on my GS108 as a mixed VLAN port, but when I moved it to a port with a single VLAN, it works better (still NAT failure). I will try again tonight probably.

It is slow but I think I am learning a little at least :slight_smile:

Latest update and looking for advice.

I have set up a separate internet provider, connected to pfSense, that then serves multiple VLANs both to a managed switch and Ubiquiti Pro APs (VLANs: MGMT, VLAN, CLEAR, CAM).

I have managed to set up a VPN VLAN and a secure one for ZoneMinder & its cameras.

The last thing for me to move over is HASS along with Amazon & Google devices. Ideally, I believe I would want HASS to be on the VPN VLAN but I am not sure about how to then get the Amazon & Google devices to communicate back/control. I read some previous but older discussions and still not sure what to do.

Would it be possible to have HASS on the VPN VLAN and then have Amazon & Google on the CLEAR VLAN and just create a port between the IPs?

Yes, you can just create a firewall rule that allows communication between those devices, but auto discovery of things will not work properly without some effort with mDNS/Avahi configuration.

Is there some reason you want to move HASS over to this other VLAN?
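The two pieces of advice above, "firewall rules, not NAT/port forwards, between VLANs" and "a rule between the HASS and Alexa/Google devices plus mDNS work for discovery", are easier to see as a concrete rule set. What follows is an added example written for this thread, not the thread author's configuration and not anything pfSense generates verbatim. It is a hand-written FreeBSD pf.conf in the first-match style pfSense uses; the interface names (em0.10/20/30, em1), subnets, host addresses and the 8123/1883 ports are assumptions. On pfSense you would not edit pf.conf (it is regenerated); you would enter equivalent rules under Firewall > Rules on each VLAN interface, remembering that a newly created VLAN interface has no rules at all, so everything on it is denied until you add some.

```pf
# Added example, not from the thread. Assumed interfaces/addresses/ports throughout.
wan_if   = "em1"
lan_if   = "em0.20"     # VLAN20: HA, ZM, PCs, phones (trusted)
iot_if   = "em0.30"     # VLAN30: Alexa, Google, MQTT clients, IP cameras
video_if = "em0.10"     # VLAN10: FireTV, PS4, smart TV
lan_net   = "192.168.20.0/24"
iot_net   = "192.168.30.0/24"
video_net = "192.168.10.0/24"
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

hass = "192.168.20.10"   # Home Assistant on the rPi3, web/API on 8123 (assumed)
mqtt = "192.168.20.10"   # MQTT broker assumed to run on the same host
cams = "{ 192.168.30.50, 192.168.30.51 }"   # IP cameras (assumed static addresses)

set skip on lo0
# Outbound NAT for every VLAN (pfSense does this automatically). No inbound
# forwards exist anywhere: inter-VLAN access is plain routed traffic under firewall rules.
nat on $wan_if from { $lan_net, $iot_net, $video_net } to any -> ($wan_if)

# Default deny on every interface, logged, so anything not explicitly passed shows up in the log.
block in log all

# Every VLAN gets DHCP and DNS from the firewall itself.
pass in quick on { $lan_if, $iot_if, $video_if } inet proto udp from any port 68 to any port 67
pass in quick on { $lan_if, $iot_if, $video_if } inet proto { tcp, udp } from any to (self) port 53

# mDNS: multicast does not cross a router, so discovery between HASS and the
# Alexa/Google devices needs a reflector on the firewall (pfSense "avahi" package,
# assumed). These rules only let the announcements reach the firewall; the
# reflector is what repeats them into the other VLAN.
pass in quick on { $lan_if, $iot_if } inet proto udp from any to 224.0.0.251 port 5353

# VLAN20 (trusted): may initiate anything, including RTSP pulls from the cameras
# and access to every device's admin UI. Replies come back via state.
pass in quick on $lan_if from $lan_net to any

# VLAN30 (IoT). Rules are first-match, so the camera block comes before the passes:
# ZM on VLAN20 pulls video from the cameras; the cameras never initiate anything,
# not even to the internet.
block in quick log on $iot_if from $cams to any
# Devices that must talk to Home Assistant get exactly the ports they need.
pass in quick on $iot_if inet proto tcp from $iot_net to $hass port 8123
pass in quick on $iot_if inet proto tcp from $iot_net to $mqtt port 1883
# Nothing else internal, then cloud-dependent devices (Alexa/Google) still reach the internet.
block in quick log on $iot_if from $iot_net to $rfc1918
pass in quick on $iot_if from $iot_net to any

# VLAN10 (video): internet only.
block in quick log on $video_if from $video_net to $rfc1918
pass in quick on $video_if from $video_net to any
```

Syntax-check a file like this with `pfctl -nf pf.conf` on any FreeBSD host before trusting it. The ordering is the whole point: with first-match rules, a pass placed above the `block ... to $rfc1918` line is what opens a hole, and the PS4 trouble described earlier is the same mechanism working against you (a console on VLAN10 that cannot reach a UPnP/NAT helper on another VLAN reports a restrictive NAT type). Changing default ports, as mentioned earlier in the thread, does nothing here; only the addresses and ports in these rules decide what the IoT VLAN can reach.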