Is this a good network architecture/configuration that makes good/secure sense?

imthenachoman

I want to spend time planning on the front-end so I avoid head-aches down the road.

I just need a second set of eyes on what I am thinking to make sure it makes sound sense, if I am missing something, or if I am over-complicating.

What I Have

• FIOS
• pfSense box
• 8 port Unifi PoE switch
• Unifi 6 Lite AP
• FIOS wifi 6 router (spare; free; not being used; I'd like to use it unless there is a reason I shouldn't)
• Intel NUC as home server with some internet accessible Docker containers (https, Plex, etc...)
• personal desktop
• work desktop
• SmartThings HUB
• Roku
• personal laptop
• personal phones
• IoT devices

How I Plan To Connect Everything

• FIOS ONT to WAN port on pfSense
• LAN port on pfSense to 8 port Unifi PoE switch
• 8 port Unifi PoE switch to:
  1. Unifi 6 Lite AP for Roku, personal laptop, personal phones, and IoT devices
  2. FIOS wifi 6 router for guest devices
  3. SmartThings HUB
  4. Intel NUC
  5. personal desktop
  6. work desktop

VLANs

• servers - VLAN 10
  • Intel NUC
• computers - VLAN 20
  • personal desktop
  • work desktop
  • home SSID from Unifi 6 Lite AP
    • Roku
    • personal laptop
    • personal phones
• IoT - VLAN 30
  • SmartThings HUB
  • IoT SSID from Unifi 6 Lite AP
    • IoT devices
• Guest - VLAN 40
  • FIOS wifi 6 router with guest

Rules/Policies I Think I Need

• port forward DNS queries back to pfSense for all VLANs
• block all IPv4/IPv6 traffic on WAN, any protocol, any source, any destination
• port forward specific WAN ports (HTTPS, Plex, etc...) back to Intel NUC on servers VLAN
• Guest and IoT VLAN should have no access to any other LAN/VLAN
• Only computers VLAN should be able to access pfSense with anti-lockout for pfSense
• port forward any NTP time lookups back to pfSense
• allow pinging FROM servers and computers VLANs
• allow WAN traffic on specific ports for all VLANs
  • this will be specific to each VLAN
  • for example:
    • servers will need to use random ports for the services it runs
    • computers should only have a few like HTTP/HTTPS
    • similar for IoT and Guest
• limit inter VLAN communication
  • computers should be able to reach anything
  • servers should probably not be able to reach anything
  • servers should only allow access on specific ports from specific devices in computers
• ???

​

How does this all look? Any glaring issues I am not seeing? What about any more rules/policies I need that I am missing?

Any advice/perspective/experience is appreciated. TIA!

heper

most of it seems fairly do-able to me....

personally i wouldn't bother to give it too much thought for a home network - you can always change it as you go.
in an enterprise environment it's much more difficult to make big design changes afterwards because of the scale & potential downtime

NogBadTheBad

Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.

It's one less Wi-Fi channel you need to worry about.

imthenachoman

@heper said in Is this a good network architecture/configuration that makes good/secure sense?:

you can always change it as you go.

Sure, but I want to try to get as much right on the front so I don't have to keep mucking with it. Time is hard to come by -- especially with a kid on the way -- which is why I want to do it now cause I don't think I will have time later.

@nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:

Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.

I want to make sure my home SSID (VLAN 20) is operating at peak since I only have 1 Unifi 6 Lite AP for my entire ouse (albeit a small house).

So would 3 SSIDs on the Unifi 6 Lite AP be better or 2 SSIDs on the Unifi 6 Lite AP and one on the FIOS router?

NogBadTheBad

@imthenachoman How much traffic are you expecting from in/out from your IOT network?

It will be quite small, unless you’re streaming Netflix, etc ...

Also if you need to extend your coverage you can just add another AP.

I have 5 SSIDs on my Unifi AC Pro.

imthenachoman

@nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:

Also if you need to extend your coverage you can just add another AP.

Hoping to avoid buying another AP. I will try it with all 3 SSIDs on my Unifi.