Best practice for entertainment devices
-
I currently have my main network (Data) for PCs, Unifi cameras, and also my Roku devices.
I also have a VLAN 'Automation' for the smart thermostat and other similar devices.
I am running pfBlockerNG which blocks a ton of crap from Roku, etc.
Should I create an 'Entertainment' VLAN and move the Roku devices to it as the next step to improving my network security? Or is that overkill? BTW, no 'smart' TVs, washing machines, etc. in the house.
-
Mostly an opinion question.
I put my cameras and security server on a separate VLAN. TVs and such on my primary network and the smart devices isolated on the Evil network. Another network is reserved for no ad blocking.
For me it did not make sense to have the TVs and Rokus on a network different from the media server. The cameras cannot be stopped from calling home, so they got special treatment.
Smart devices are Evil, self-explanatory. If you feel it makes sense to separate them then you should. There is not a technical reason not to.
-
@AndyRH LOL I love the 'Evil' network designation.
-
TL;DR - Don't use VLANs when a firewall alias is the more appropriate solution.
You don't want to get too granular with your VLANs IMHO. I think most home networks only need 3 VLANs.
1 - a "Secure" VLAN for the router/firewall device itself and other network equipment, as well as all of your personal data. This likely includes most of your personal computers/laptops, network storage devices, etc, but it does NOT include personal mobile devices like phones and tablets. Devices on this VLAN should be able to access any other VLAN.
2 - a "No Internet" VLAN for any device that doesn't need internet access. This might include a lot of the automation devices in your network, CCTV cameras, any network printers, etc. Of course the VLAN not having internet doesn't mean you won't be able to access these devices either locally or remotely (over a VPN connection), because you will still be able to do that if set up that way. Devices on this VLAN shouldn't have access to any other VLAN.
3 - an "Everything else" VLAN for... you guessed it... everything else (i.e. your media servers, smart TVs, mobile devices, etc.). Basically anything that needs an internet connection but isn't "secure" enough, or has no reason to be accessing your personal data (which resides on the "Secure" VLAN), needs to go on this VLAN. Not only do your personal mobile devices need to be on this VLAN for security reasons, it's also easier to cast/stream to the media servers when everything is on the same VLAN. Honestly the vast majority of your devices will likely fall onto this VLAN. Devices on this VLAN would have access to the "No Internet" VLAN only.
When you have just a small number of devices that you want to handle differently, this is when you can/should create firewall "aliases" and control groups of devices this way. Most of the time an alias is a better way to manage the devices than a full blown VLAN IMHO. So no, I would not create an "Entertainment VLAN" because that is getting too granular with your VLANs, but I probably would create an "entertainment" firewall alias if I wanted to handle those devices differently when it comes to ad blocking, rules, or other typical firewall activities.
PS - I know a lot of people want to have a "Guest" wireless network/VLAN but that isn't actually needed most of the time now that your guests are generally going to have a mobile phone and mobile internet service that works well. Perhaps if your home is located in a cellular "dead spot" this would be helpful to your guests, otherwise it really isn't needed. I know that I initially created a guest network and it was only used perhaps twice over about a 5 year period, so I eventually did away with it. Having a guest network that isn't actually used/needed is nothing but a security risk that should be eliminated.
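The three-VLAN policy in the answer above, written out as an added example in raw pf.conf syntax (pfSense, which the question is about, generates equivalent pf rules from its GUI; this is not the poster's configuration). Interface names, VLAN IDs, subnets and the two addresses in the entertainment table are assumptions. The pfSense "alias" the answer recommends corresponds to a pf table, shown here being used to give a handful of Roku-type devices a special rule without giving them their own VLAN:

```pf
# pf.conf sketch of: Secure -> anything; No Internet -> nothing;
# Everything else -> No Internet VLAN and the Internet only.
# Interface names and subnets are assumed for the example.
secure_if  = "igb1.10"          # VLAN 10 "Secure"
nonet_if   = "igb1.20"          # VLAN 20 "No Internet"
other_if   = "igb1.30"          # VLAN 30 "Everything else"
wan_if     = "igb0"

secure_net = "10.0.10.0/24"
nonet_net  = "10.0.20.0/24"
other_net  = "10.0.30.0/24"
rfc1918    = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"

# The "entertainment" alias: a pf table of a few devices, not a VLAN.
# Addresses are placeholders.
table <entertainment> const { 10.0.30.50 10.0.30.51 }

set skip on lo0

# Translation rules must precede filter rules in pf.conf.
# Alias in action: force the entertainment devices' DNS to the local
# resolver (where pfBlockerNG filters) even if they hard-code a public one.
rdr on $other_if inet proto { tcp udp } from <entertainment> to any port 53 -> 10.0.30.1 port 53

# NAT only for the VLANs that are allowed to reach the Internet.
nat on $wan_if inet from { $secure_net $other_net } to any -> ($wan_if)

block log all

# Every VLAN may talk to the firewall itself for DHCP and DNS.
pass in quick on { $secure_if $nonet_if $other_if } inet proto udp from any port 68 to any port 67
pass in quick on { $secure_if $nonet_if $other_if } inet proto { tcp udp } to (self) port 53

# 1) Secure: may reach any other VLAN and the Internet.
pass in quick on $secure_if inet from $secure_net to any

# 2) No Internet: no traffic initiated from this VLAN at all. Sessions
#    opened from Secure or Everything else still work via state tracking.
block in quick on $nonet_if inet from $nonet_net to any

# 3) Everything else: No Internet VLAN yes, other private space (Secure) no,
#    Internet yes. Rule order matters because of "quick".
pass in quick on $other_if inet from $other_net to $nonet_net
block in quick on $other_if inet from $other_net to $rfc1918
pass in quick on $other_if inet from $other_net to any
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`. Two checks worth doing after applying: from a device on the Everything else VLAN, confirm that a connection to an address in `secure_net` is dropped while one to `nonet_net` succeeds, and from the No Internet VLAN confirm that nothing but DHCP and DNS to the firewall gets through. Adding or removing a Roku later is a one-line change to the table rather than a new VLAN, DHCP scope and set of rules, which is the answer's point.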