Netgate Discussion Forum

    Network design advice sought

    7 Posts 3 Posters 1.2k Views
    • john_galt

      Hi Everyone,

      I have been doing a lot of reading and research here on the forum and in my first post I'm going to plead
      to those more knowledgeable for advice.

      I currently have a stable home network with Time Warner/Spectrum 250/25 WAN. My current router/AP
      is an ASUS AC68U running DD-WRT. I have 3 Cisco SLM2008 Smart Switches which I'm using in "dumb" mode.
      To these router/switches/AP I'm connecting a variety of wired and wireless devices: everything from desktops, laptops,
      tablets, TVs, wireless IP cameras, Amazon Echo and wireless micro-controllers.

      My goal is to replace the ASUS AC68U with a home built 4 port box with pfSense 2.3.3 installed.
      An i5, 5250u version of this https://forum.pfsense.org/index.php?topic=114202.0
      Based on recommendations of the forum I have ordered a Ubiquiti AC-Pro to use as an AP so I believe
      I will have all the needed hardware soon.

      Given the above I am looking for advice on how best to set up my network so as to maximize usability
      among all the above devices while also maintaining or increasing security.

      Thank you for any assistance you can offer.

      Doug

      • johnpoz LAYER 8 Global Moderator

        Well, the first step would be to classify your devices in some manner so you can figure out what network/VLAN to put specific devices on, so that you can then isolate those devices from your other devices. This could be based upon multiple factors.

        IP cameras, for example, could be on their own network/VLAN - this may or may not be lumped in with other such IoT devices. That is up to you and the measures of security you want to put on different classes of devices.

        I assume you will have something like a trusted wifi SSID, and then one for guests and say another one for IoT wireless devices, etc.

        The use of multiple networks/VLANs allows you to control what can talk to what, on what ports, and which devices can initiate communication to other devices. It also allows for easy lockdown of, say, your IoT devices so they cannot talk to the internet, or can only talk to specific things on the internet. And then you can allow your LAN devices to talk to the IoT devices, while the IoT devices cannot start a conversation with your LAN devices, only answer them, etc.

        If you want some help in how to classify, I'm going to need a list of every device, and what needs to talk to what on what protocols. If you have devices that use, say, multicast or broadcast to find other devices, this can be a problem to solve when they are not on the same layer 2, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • john_galt

          John,

          Thanks for your reply. While waiting for the correct memory for my pfSense box to ship, I will make a list of my devices and take advantage of your gracious offer of help.

          As for wifi, I've only had the 5 and 2.4 GHz bands with WPA2. When you say "guests" do you mean an open SSID for anyone, or just for guests to use while in my home with a password?

          I'm not sure if this matters, but way back in the early 90's I applied for and was given a public class C address. Purely for nostalgic reasons I would like to continue using it as I am now, behind my ASUS AC68U. I understand it might present problems when creating rules for the various LANs/VLANs, so if you recommend I just chuck it and stick to private addresses I will. I'm not married to that address.

          Again thanks for your offer of assistance. It's greatly appreciated.

          Doug

          • johnpoz LAYER 8 Global Moderator

            Well I wouldn't make my guest open ;)

            But I have an SSID that "guests" can use - this network has ZERO access to my other networks. Just what I need, some infected guest user's machine banging up against the file shares on my PCs that I move files back and forth on. For all I know it's infected with some PDoS malware searching for my IoT devices that might have telnet open that cannot be turned off, etc.

            Any device that is not under your control, until you have validated it, should be considered hostile. While I don't care if they use a bit of my internet bandwidth, they have zero need to see the rest of my network. They still need the PSK to get on; I don't want Billy Bob driving by using my bandwidth, etc.

            "early 90's I applied for and was given a public class C address."

            So do you have use of 24 public IPs? Does your ISP actually route those to you?? PM this network if you don't mind - curious.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • john_galt
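            The policy johnpoz describes in his two replies above (LAN may start conversations with IoT, IoT may only answer them and reach a short list of internet hosts, guests get internet only and nothing else) modelled as a tiny stateful firewall, as an added Python example that is not from the thread and not pfSense's own code. The VLAN subnets, the vendor host in the IoT allow-list and the sample traffic are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example VLAN subnets (assumptions, not from the thread): one per device class.
NETS = {"LAN": ip_network("192.168.10.0/24"),    # trusted desktops and laptops
        "IOT": ip_network("192.168.20.0/24"),    # cameras, Echo, micro-controllers
        "GUEST": ip_network("192.168.30.0/24")}  # visitors' devices
# Hypothetical vendor endpoint the IoT VLAN may reach (RFC 5737 documentation address).
IOT_INTERNET_ALLOW = [ip_network("203.0.113.10/32")]

def zone(ip):
    """Map an address to its VLAN name, or INTERNET if it is in none of them."""
    addr = ip_address(ip)
    return next((name for name, net in NETS.items() if addr in net), "INTERNET")

def allow_new(src, dst):
    """Rules for the FIRST packet of a flow, checked on the source VLAN's interface as
    pfSense does. Replies never reach this function; they pass by state instead."""
    src_zone, dst_zone = zone(src), zone(dst)
    if src_zone == "LAN":
        return True                    # LAN may start a conversation with anything
    if src_zone == "GUEST":
        return dst_zone == "INTERNET"  # guests: internet only, zero access to LAN or IoT
    if src_zone == "IOT":              # IoT: only allow-listed internet hosts, never LAN
        return dst_zone == "INTERNET" and any(ip_address(dst) in n for n in IOT_INTERNET_ALLOW)
    return False                       # default deny

class StatefulFirewall:
    """Minimal state table: once a flow is passed, packets in either direction pass by state."""
    def __init__(self):
        self.states = set()
    def packet(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.states or (dst, dport, src, sport) in self.states:
            return "pass (state)"
        if allow_new(src, dst):
            self.states.add((src, sport, dst, dport))
            return "pass (rule)"
        return "block"

def run_demo():
    """Constructed traffic sample; returns the verdict for each packet, in order."""
    fw = StatefulFirewall()
    packets = [
        ("192.168.10.5", 40000, "192.168.20.7", 554),   # LAN opens RTSP to a camera
        ("192.168.20.7", 554, "192.168.10.5", 40000),   # the camera's reply
        ("192.168.20.7", 50000, "192.168.10.5", 445),   # camera tries to reach LAN SMB
        ("192.168.30.9", 50001, "192.168.10.5", 445),   # guest tries to reach LAN SMB
        ("192.168.30.9", 50002, "198.51.100.1", 443),   # guest browsing the internet
        ("192.168.20.7", 50003, "203.0.113.10", 443),   # camera to its allow-listed vendor host
        ("192.168.20.7", 50004, "198.51.100.1", 443),   # camera to any other internet host
    ]
    return [fw.packet(*p) for p in packets]
```

The camera's reply passes only because the LAN side created the state first; the same camera opening its own connection to the LAN is blocked, which is the "answer but never initiate" behaviour described above.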

              John,

              Yes, I would want wifi access to anything behind my pfSense to be password protected. The idea is isolating the "unknown" that a guest might present to my wifi network, intentional or not.

              Yes, back in the dark ages. My first email address didn't have a "@" in it, only "!".

              No, my ISP doesn't route to this address. It's all behind my current router and future router.

              I'll send a PM.

              Doug

              • NogBadTheBad

                How I set mine up:

                https://forum.pfsense.org/index.php?topic=126109.msg696572#msg696572

                The IOT, GUEST & DMZ subnets can't access my USER & VOICE subnets (or each other).

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • john_galt

                  Very nice, NogBadTheBad! I have several Pis and a couple of Arduino Yuns.

                  I'll have to give it a good look when I'm on a screen bigger than my iPad  ;)

                  Doug
