Securing & segregating your home networks

Let me ask you another thing. I have a Cisco RV320 router. It’s a dual-WAN router I bought during the COVID pandemic, as then I had two LTE routers. I used that because I worked from home and whenever my nephews turned on YouTube my remote connection died. So I used two LTE routers because I couldn’t argue with them any more.
Now, this router does support VLANs, but it is not a WiFi router.
I have Xiaomi mesh WiFi for my local network and the main mesh node is connected to my provider’s Huawei router. Can I use this Cisco router for a WiFi VLAN and, if I can, how do I do it?


Your threats consist of two factors.

  1. the potential damage being done
  2. the potential risk of it being exploited

Outside threats often have a potential damage that is somewhat low, because you would have done risk management, but there are many who seek to use any potential risk, so that is high.

Inside threats often have a potential damage that is really high, because you often need to open up for users and services that need access to data on a whole other level than for outside users and services.
Users and services located inside your network are, though, often known and controlled by you, which limits the potential risk.

Risk management can come in 4 types.

  1. Mitigated (you have done something to lower the risk, and the leftover risk is then a new risk to be risk managed)
  2. Insured (often not a possibility for normal persons, although some risks like ID theft might be insurable today)
  3. Accepted (you know the risk and potential damage, but have to accept it. Some leftover risk will always have to be accepted, because the price of mitigating or insuring is too high)
  4. Ignored (this should really never be accepted as an option, but it is often the case, because people think the risk or potential damage is low, but they have never really looked into it)

Some try to put numeric values on the risk potential and the potential damage to rate the threats. Some just try to put them into a low/medium/high category.

Thanks for the writeup.

Here is a perspective that might be useful when designing for computer security (from Marcus Ranum):

https://ranum.com/security/computer_security/editorials/dumb/index.html

I’m sorry, I wouldn’t know, because I never owned any of this hardware myself.

@kameo4242 Thanks for the write-up.
Question: You went the route of building the firewall on Linux instead of using something like OPNsense. Any particular reason for that? Do you see those firewalls as less reliable than the Linux approach?
Thanks

OPNsense is based on FreeBSD, which is a Unix variant, like Linux.
OPNsense just gives a more polished and complete setup, but if you are confident with Linux, then it can be just as good.

Sorry I just saw the update. I lagged.

So, several points here. First things first, OPNsense & pfSense are absolutely great products, brilliantly assembled and carefully curated. In a word, nothing against them.

I’m an old-timer. So I’ve been using ipchains, iptables, nftables, PF and all that jazz for a while already. So they aren’t frightening for me. And having direct control over them allows me to do things I couldn’t with OPNsense or pfSense.

So more flexibility, more advanced usage, and it’s as stable as it can be, perfectly optimized for my use case, etc.

The point of sharing this here is to allow everyone interested to dive into advanced security.
I’m also integrating more & more Tailscale to replace port knocking. Not exactly the same (knocking would protect you against an unknown zero-day overflow in ssh/Tailscale, etc.) but it should be good enough.

Wow, such an amazing write-up. I am using Synology as the backbone of my network.

I have the Synology RT6600 as my router and I use the WRX560 as mesh access points.

I’ve just finished reading your other article about starting off right in HA. Such a wealth of knowledge, and I’m grateful for the time you spent. I am heeding your advice and starting slow and targeted.

I have had some minor issues so far with the VLAN segregation, which I think may be due to the mesh routing. Do you have any suggestions or tips for me with my Synology backbone?

I can write up a more detailed breakdown of my overall network later.

Thanks for your write-up! I can adopt important things into my system. I have a few questions about your UniFi setup:

  1. You mentioned to “avoid setting some minimum data rate control” in the case of the IoT network. I agree with that, but the settings on the WiFi tab are not clear to me. If I disable the “Auto” checkbox, there is an exact value setting where I have to define how many Mbps the rate should be. Did you mean keep this setting on “Auto”, or what is the value of the rate here?
  2. What do you think of “Client Device Isolation” in the IoT network? Also in UniFi…

If I have more time to do a write-up of my system, I would bind it to yours :) I have the same security needs as you. My HW tools are a bit different, so it would be added value if I could post my config as well. I work with MikroTik routers/managed switches and an HP mini server with Proxmox, where HA, AdGuard and the UniFi Controller have separate environments (VM/LXC, depending). I also use VLAN network separation, OpenVPN for VPN, and hate any cleartext traffic :)

1/ Yeah, I’m not trusting auto-settings much in the UniFi context, because they are often 0 or 1 but rarely dynamic, i.e. the power output set to auto == max.
Here, having good control over the rates allows avoiding outdated 802.11b devices cluttering the network. Having a subnet with only IoT is also what I ended up with, so if they want to go slow, they can, without crippling the rest of the network. Mine is set to 2 Mbps as we speak on the IoT segment of the WiFi network.

2/ It’s usually useful in an IoT environment. They are not supposed to talk to each other, except for the Chromecast, AirPlay, Sonos and the like. You’re anyway likely to have those on your primary network, or use the function that allows you to fine-tune who is able to broadcast (terrible for WiFi performance) using “Multicast and Broadcast control” in Settings → WiFi configuration of the UniFi controller.

I’m eagerly waiting for your write-up, because these are typically the unusual posts that offer great value to the few people interested in security :wink:

Even though the NSA got hacked, their Best Practices for Securing Your Home Network guide is useful.

Anyone have recommendations on investing in hardware for this strategy?

I love this guide and @kameo4242’s approach! I intend to follow the guide but am interested in first exploring the options that spending more money could introduce.

For example, buying all of the hardware from someone like Ubiquiti or Aruba etc to potentially reduce the number of components while also gaining a single management interface?

Typically you would actually increase the number of components, because you would need a server for running the management software, but other than that there should be no problem with trying to limit the number of manufacturers.
Some might say that it is putting all your eggs in one basket, and it might even be a single point of failure should malware get into the manufacturer’s software, but on the other hand equipment from the same manufacturer usually works together more easily, and the use of the same terminology makes it easier to set up and thereby improves security in general.
Just avoid using the cloud services some of those manufacturers provide, because that can be a loophole into your network.

You should make sure that the APs, router and firewall can handle VLANs and not just pass-through.

Avoiding cloud management seems to be the sticking point. I’m looking at Aruba/HPE Instant On, Cisco Meraki Go and Ubiquiti, and it’s tough to tell how much of their cloud stuff is actually required.

I use an EdgeRouter 4 from Ubiquiti; you can connect it to the cloud, but there seem to be no bad effects from not doing so.
The EdgeRouter is part of their EdgeMax series, which is for ISPs according to their description, so it is not as such bound to their consumer products.
I use Cisco APs though, so it is a mix.
Cisco is not easy to work with, because they really limit their support if you do not have an active service subscription.

Likewise, I’m 100% on Ubiquiti (4 UniFi APs) and use the complete local controller.
No cloud dependency. I can confirm they are clean. The “cloud” part is only meant to give you access to remote settlements you may be in charge of.

I don’t see in @kameo4242’s guide that he states where the HA device is connected and on which VLAN it is. I’m not clear yet on how HA monitors all the IoT devices from a different VLAN, or, if HA needs to be on the IoT VLAN, how we presumably configure a VPN for it to communicate with the protected VLAN(s) or out to the internet.

I see he is setting up an SSID for each VLAN. Any consideration for a RADIUS server for a single SSID instead?

Hi @haio, @WallyR’s solution will work. You will eventually have issues with device trackers across networks though. The various device_tracker plugins work differently depending on which one you use. I use the iPhone tracker, which is uncomfortable at tracking devices across different subnets (ping is as well, I think). It’s probably an HA limitation as a whole, I’m not sure. I.e. if you have yours on 192.168.XXX.YYY and your guests on 172.16.XXX.YYY, it will not be tracking the latter, if I recall properly.

A workaround I found to assess if my guests are home or not is to have a script running in a cron, checking their specific IP address and updating an MQTT topic, which in return, with an automation, updates the device_tracker.

Not very slick, but works.

    #!/bin/bash
    # Presence check for a phone on the guest VLAN: poke it (mDNS UDP/5353 via
    # hping3 plus ICMP) so the router's neighbour table gets refreshed, then
    # report "home"/"not_home" over MQTT depending on whether the entry is REACHABLE.

    iphone_julia="172.16.0.41"
    mqtt_topic="homeassistant/phone_tracker/julia"

    # Send traffic towards the phone so the kernel (re)resolves its MAC address
    probe() {
      hping3 -2 -c 3 -p 5353 "$iphone_julia" -q >/dev/null 2>&1
      ping -c 3 "$iphone_julia" >/dev/null 2>&1
    }

    # True when the neighbour table has a REACHABLE entry for exactly this address
    reachable() {
      ip neighbor show "$iphone_julia" | grep -q REACHABLE
    }

    # Publish the state to the topic the HA MQTT sensor listens on
    publish() {
      mosquitto_pub -h localhost -p 1883 -u ESP -P r.e.d.a.c.t.e.d -t "$mqtt_topic" -m "$1"
    }

    probe
    if reachable; then
      julia_status="home"
    else
      # Phones sleep their radio; retry once after a short pause before giving up
      sleep 5
      probe
      if reachable; then
        julia_status="home"
      else
        julia_status="not_home"
      fi
    fi

    publish "$julia_status"
    echo "$julia_status"

I declare an MQTT sensor:

    - name: julia_iphone_mqtt
      unique_id: "julia iphone (mqtt)"
      state_topic: "homeassistant/phone_tracker/julia"
      qos: 1

It’s among those ugly things you tell yourself “I’ll fix it one day” and since it works, keep on forgetting about…

HA is easiest to place on the IoT network and then just open up the ports for the web interface.
This way all the discovery protocols will work with all the devices on the IoT network, and Matter with IPv6 and devices on the IoT network will also be possible to get running.
You can place it on the normal network, but you will have to set up a lot of routing and firewall rules, and Matter will not work with devices on the IoT network.
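One way to express that suggestion as a firewall policy on a Linux router, as an added example that is not from anyone in this thread: the trusted LAN may only reach the HA web interface on the IoT VLAN, return traffic is allowed, and the IoT VLAN can never initiate towards the trusted LAN. The interface names, subnets, the HA address and the port 8123 (HA’s default web port) are assumptions; adjust them to your own layout.

```nft
# Constructed example: nftables ruleset for a router with a trusted LAN (vlan10,
# 192.168.10.0/24) and an IoT VLAN (vlan20, 172.16.20.0/24). Home Assistant sits
# on the IoT VLAN at 172.16.20.10 so mDNS/SSDP/Matter discovery stays local to
# that segment; only its web UI is reachable from the trusted side.
table inet segregation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections allowed below (also covers IPv6 via the inet family)
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN -> HA web interface only
        iifname "vlan10" oifname "vlan20" ip daddr 172.16.20.10 tcp dport 8123 accept

        # Both VLANs may reach the internet through the WAN interface
        iifname { "vlan10", "vlan20" } oifname "wan0" accept

        # IoT devices must never open connections towards the trusted LAN;
        # log the attempts so a misbehaving device shows up in the kernel log
        iifname "vlan20" oifname "vlan10" log prefix "iot-to-lan drop: " drop
    }
}
```

Load it with `nft -f` and watch for the `iot-to-lan drop:` prefix in the kernel log to see which IoT devices try to cross the boundary.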

Yes, a separate SSID for each VLAN.
No point in segregating into VLANs if your WiFi is not following through and thereby creates a bridge between the VLANs.


@WallyR @kameo4242 you guys rock, thanks so much!