Is this a good network architecture/configuration that makes good/secure sense?
-
I want to spend time planning on the front-end so I avoid headaches down the road.
I just need a second set of eyes on what I am thinking to make sure it makes sound sense, if I am missing something, or if I am over-complicating.
What I Have
- FIOS
- pfSense box
- 8 port Unifi PoE switch
- Unifi 6 Lite AP
- FIOS wifi 6 router (spare; free; not being used; I'd like to use it unless there is a reason I shouldn't)
- Intel NUC as home server with some internet accessible Docker containers (https, Plex, etc...)
- personal desktop
- work desktop
- SmartThings HUB
- Roku
- personal laptop
- personal phones
- IoT devices
How I Plan To Connect Everything
- FIOS ONT to WAN port on pfSense
- LAN port on pfSense to 8 port Unifi PoE switch
- 8 port Unifi PoE switch to:
  - Unifi 6 Lite AP for Roku, personal laptop, personal phones, and IoT devices
  - FIOS wifi 6 router for guest devices
  - SmartThings HUB
  - Intel NUC
  - personal desktop
  - work desktop
VLANs
- servers - VLAN 10
  - Intel NUC
- computers - VLAN 20
  - personal desktop
  - work desktop
  - home SSID from Unifi 6 Lite AP
    - Roku
    - personal laptop
    - personal phones
- IoT - VLAN 30
  - SmartThings HUB
  - IoT SSID from Unifi 6 Lite AP
    - IoT devices
- Guest - VLAN 40
  - FIOS wifi 6 router with guest
Rules/Policies I Think I Need
- port forward DNS queries back to pfSense for all VLANs
- block all IPv4/IPv6 traffic on WAN, any protocol, any source, any destination
- port forward specific WAN ports (HTTPS, Plex, etc...) back to Intel NUC on servers VLAN
- Guest and IoT VLAN should have no access to any other LAN/VLAN
- Only computers VLAN should be able to access pfSense with anti-lockout for pfSense
- port forward any NTP time lookups back to pfSense
- allow pinging FROM servers and computers VLANs
- allow WAN traffic on specific ports for all VLANs
  - this will be specific to each VLAN
  - for example:
    - servers will need to use random ports for the services it runs
    - computers should only have a few like HTTP/HTTPS
    - similar for IoT and Guest
- limit inter VLAN communication
  - computers should be able to reach anything
  - servers should probably not be able to reach anything
  - servers should only allow access on specific ports from specific devices in computers
  - ???
How does this all look? Any glaring issues I am not seeing? What about any more rules/policies I need that I am missing?
Any advice/perspective/experience is appreciated. TIA!
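The rule list above is easier to sanity-check once it is written down as an ordered, per-interface policy, because pfSense evaluates rules on the interface where a connection enters, stops at the first match, and silently drops anything that matches nothing. The following script is an added illustration written for this thread, not the poster's configuration and not pfSense itself: it encodes the stated policy (DNS/NTP redirected to pfSense, WAN closed except the forwarded NUC ports, Guest and IoT isolated, only the computers VLAN allowed to reach the pfSense GUI, servers reachable only on specific ports from a specific computer) as rules and evaluates sample flows against it. The /24 per VLAN, the NUC and admin-PC addresses, the public WAN address and the NUC service ports are constructed assumptions for the example.

```python
"""Model of the post's segmentation policy (added illustration, not pfSense config).

Assumptions used here: one /24 per VLAN with pfSense at .1, port forwards (NAT)
are applied before filter rules see a packet, first matching rule wins, and an
unmatched packet is dropped.  All addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing plan: one /24 per VLAN, pfSense at .1 on each.
VLANS = {name: ip_network(cidr) for name, cidr in {
    "servers": "10.0.10.0/24", "computers": "10.0.20.0/24",
    "iot": "10.0.30.0/24", "guest": "10.0.40.0/24"}.items()}
PFSENSE = {name: net[1] for name, net in VLANS.items()}
WAN_IP = ip_address("198.51.100.2")      # constructed public address
NUC = ip_address("10.0.10.10")           # constructed, servers VLAN
ADMIN_PC = ip_address("10.0.20.10")      # constructed, the one computer allowed onto the NUC
NUC_PORTS = frozenset({443, 32400})      # HTTPS and Plex, as in the post


def is_local(ip: IPv4Address) -> bool:
    return any(ip in net for net in VLANS.values())


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    dst: object                          # "pfsense", "local", "wan", a network or an address
    ports: Optional[frozenset] = None    # None = any destination port
    src: Optional[IPv4Address] = None    # None = any source
    note: str = ""

    def matches(self, iface, src, dst, proto, port) -> bool:
        if self.src is not None and src != self.src:
            return False
        if self.proto != "any" and proto != self.proto:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        if self.dst == "pfsense":
            return iface in PFSENSE and dst == PFSENSE[iface]
        if self.dst == "local":
            return is_local(dst)
        if self.dst == "wan":
            return not is_local(dst)
        if isinstance(self.dst, IPv4Network):
            return dst in self.dst
        return dst == self.dst


# Every VLAN: DNS and NTP only to pfSense itself (the redirect below forces that).
COMMON = [
    Rule("pass", "udp", "pfsense", frozenset({53, 123}), note="DNS/NTP to pfSense"),
    Rule("pass", "tcp", "pfsense", frozenset({53}), note="DNS/NTP to pfSense"),
]
WEB = frozenset({80, 443})

RULES = {
    # WAN: only the forwarded NUC ports; everything else hits the default deny.
    "wan": [Rule("pass", "tcp", NUC, NUC_PORTS, note="forwarded HTTPS/Plex")],
    "servers": COMMON + [
        Rule("pass", "icmp", "wan", note="ping out"),
        Rule("pass", "any", "wan", note="outbound for the containers' own ports"),
    ],
    "computers": COMMON + [
        # Specific allow must come BEFORE the broad block and the broad pass.
        Rule("pass", "tcp", NUC, NUC_PORTS, src=ADMIN_PC, note="admin PC to NUC services"),
        Rule("block", "any", VLANS["servers"], note="no other access into servers"),
        Rule("pass", "tcp", "pfsense", frozenset({443}), note="pfSense GUI (anti-lockout)"),
        Rule("pass", "icmp", "wan", note="ping out"),
        Rule("pass", "any", "local", note="computers reach the other VLANs"),
        Rule("pass", "tcp", "wan", WEB, note="web"),
    ],
    "iot": COMMON + [Rule("pass", "tcp", "wan", WEB, note="cloud services only")],
    "guest": COMMON + [Rule("pass", "tcp", "wan", WEB, note="web only")],
}


def redirect(iface, dst, proto, port):
    """Port forwards from the post, applied before filtering (as NAT is)."""
    if iface in VLANS and ((proto in ("udp", "tcp") and port == 53) or (proto == "udp" and port == 123)):
        return PFSENSE[iface]                 # DNS/NTP forced back to pfSense
    if iface == "wan" and dst == WAN_IP and proto == "tcp" and port in NUC_PORTS:
        return NUC                            # published services land on the NUC
    return dst


def evaluate(iface, src, dst, proto, port=None):
    """Return (action, note) for a new connection entering on `iface`."""
    src, dst = ip_address(str(src)), redirect(iface, ip_address(str(dst)), proto, port)
    for rule in RULES[iface]:
        if rule.matches(iface, src, dst, proto, port):
            return rule.action, rule.note
    return "block", "default deny"


if __name__ == "__main__":
    for flow in [("guest", "10.0.40.20", "8.8.8.8", "udp", 53),
                 ("guest", "10.0.40.20", NUC, "tcp", 443),
                 ("computers", "10.0.20.55", NUC, "tcp", 32400),
                 ("computers", ADMIN_PC, NUC, "tcp", 32400),
                 ("wan", "203.0.113.5", WAN_IP, "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
```

The ordering inside the computers list is the part worth keeping an eye on when this is typed into the GUI: if the broad "reach any local network" rule sits above the "block servers" rule, the restriction on the NUC never fires, and pfSense will not warn about it. Running the sample flows after every rule change is a cheap way to catch that kind of regression.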
-
Most of it seems fairly doable to me....
Personally I wouldn't bother to give it too much thought for a home network - you can always change it as you go.
In an enterprise environment it's much more difficult to make big design changes afterwards because of the scale & potential downtime.
-
Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.
It's one less Wi-Fi channel you need to worry about.
-
@heper said in Is this a good network architecture/configuration that makes good/secure sense?:
you can always change it as you go.
Sure, but I want to try to get as much right on the front so I don't have to keep mucking with it. Time is hard to come by -- especially with a kid on the way -- which is why I want to do it now because I don't think I will have time later.
@nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:
Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.
I want to make sure my home SSID (VLAN 20) is operating at peak since I only have 1 Unifi 6 Lite AP for my entire house (albeit a small house).
So would 3 SSIDs on the Unifi 6 Lite AP be better or 2 SSIDs on the Unifi 6 Lite AP and one on the FIOS router?
-
@imthenachoman How much traffic are you expecting in/out of your IoT network?
It will be quite small, unless you’re streaming Netflix, etc ...
Also if you need to extend your coverage you can just add another AP.
I have 5 SSIDs on my Unifi AC Pro.
-
@nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:
Also if you need to extend your coverage you can just add another AP.
Hoping to avoid buying another AP. I will try it with all 3 SSIDs on my Unifi.