Home Network - DMZ, Guest Network, VLAN?
-
I think I'm going to redo my home network and I thought I'd ask a few questions.
I currently have a pfSense box with WAN, LAN, and DMZ (IOT) ports. The LAN port goes to a D-Link DGS-2208 10/100/1000 8 port switch. Connected to this switch is a Netgear GS108T 8 port gigabit smart switch. I also have an ASUS-AC3100 WiFi access point connected to the LAN D-Link switch. AiMeshed in with the AC3100 I also have an ASUS RT-AX88U router to improve the coverage around the house. On the pfSense DMZ port I have an ASUS RT-66R WiFi access point for my IOT stuff.
Do I really need the DMZ port on my pfSense box for the IOT devices (a few cameras, Ring doorbell, home control, TV, etc.), or would one of the 3 guest networks on ASUS routers be sufficient? I'd kind of like to use the ASUS guest network off my LAN for my IOT because the two AiMesh routers have better WiFi coverage around the house than the single ASUS RT-66R WiFi access point off my DMZ port.
Or should I set up a VLAN? I'm guessing in a perfect world the DMZ port has the most isolation. I haven't messed around with VLANs so I was wondering if I should look into those.
-
A DMZ is generally where you put servers that you want to be accessed by the outside world, while providing isolation from the rest of your network. Is that really what you want? I have set up security cameras and they were always on a separate network that was connected to one side of a DVR. The other side of the DVR could be reached from elsewhere. You can use a managed switch to create a separate network from a VLAN. As for a guest network, does your WiFi support multiple SSIDs? If so, then you use a VLAN to connect the 2nd SSID to pfsense.
-
I agree with @JKnott. I don't think a DMZ is what you want for your IOT network. If your IOT devices are truly on a normal DMZ setup, they are exposed to the internet and anyone can find and access those devices. They may be insulated from the rest of your network, but they are susceptible to intrusions from outside your network.
I do think setting up some VLANs is the best option. This keeps the IOT devices behind your firewall to help protect against intrusions, but also separates them from the rest of your network in case there is an intrusion.
Honestly using two IOT VLANs is probably the best option. Use one for devices that need to access the internet to work - such as streaming devices, smart TVs, etc. Use another one for devices that don't need to connect to the internet such as CCTV systems, smart plugs/lights, etc.
Of course you can do this with one VLAN and just create an alias and corresponding firewall rules to allow devices to connect to the internet while blocking anything not listed on the alias. But that requires that you manually add a new device to the alias list whenever you want to allow an IOT device to connect to the internet. By using two VLANs, you can simply connect a new device to the corresponding wifi network (the one that has internet access or not) and not have to manually change anything in the firewall.
I would assume you can use two of the three guest wifi networks for these two IOT VLANs. This still leaves you with one guest VLAN and hopefully your regular wireless LAN network. If for some reason you only have a total of 3 wireless networks available, I would probably set it up like this: regular LAN wifi, no internet IOT wifi, and a combined guest/internet IOT wifi.
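As an added example (not posted by anyone in this thread and not pfSense's own code), here is a small Python model of pfSense-style firewall evaluation: rules are checked per ingress interface, first match wins, and anything no rule passes is blocked. It compares the two designs from the reply above: one IOT VLAN with an "allowed to the internet" alias, versus two IOT VLANs where the interface a device lands on decides its policy. The VLAN names, addresses and the RFC1918 alias are constructed for the example; the "destination: NOT RFC1918" idiom for "the internet" is a common pfSense convention, not something the thread specifies.

```python
from ipaddress import ip_address, ip_network

# Constructed aliases for the example. RFC1918 is kept as an alias so a rule
# can say "destination NOT RFC1918", i.e. "anything that is not a private LAN".
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "IOT_INTERNET_OK": ["192.168.20.11"],       # the one device added by hand (design A)
    "IOT_net": ["192.168.20.0/24"],             # internet-capable IOT VLAN (design B)
    "IOT_NOINET_net": ["192.168.30.0/24"],      # no-internet IOT VLAN (design B)
}


def matches(spec, addr):
    """True if addr matches an endpoint spec: 'any', an alias name, or a CIDR.
    A leading '!' negates the spec (pfSense's 'invert match' checkbox)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    nets = ALIASES.get(name, [name])
    hit = any(ip_address(addr) in ip_network(n) for n in nets)
    return hit != negate


def decide(rules, iface, src, dst):
    """Evaluate (iface, action, src_spec, dst_spec) rules top-down for the
    ingress interface; first match wins. Like pfSense, the implicit default
    when nothing matches is block."""
    for r_iface, action, r_src, r_dst in rules:
        if r_iface == iface and matches(r_src, src) and matches(r_dst, dst):
            return action
    return "block"


# Design A: one IOT VLAN; only alias members may reach non-private addresses.
DESIGN_A = [
    ("IOT", "pass", "IOT_INTERNET_OK", "!RFC1918"),
    ("IOT", "block", "any", "any"),            # explicit catch-all, handy for logging
]

# Design B: two IOT VLANs; the whole internet-capable subnet may go out,
# the no-internet VLAN has no pass rule at all, so everything is blocked.
DESIGN_B = [
    ("IOT", "pass", "IOT_net", "!RFC1918"),
    ("IOT_NOINET", "block", "any", "any"),
]

INTERNET_HOST = "203.0.113.10"   # documentation range, stands in for "the internet"
LAN_HOST = "192.168.1.10"        # a constructed host on the trusted LAN


def new_device_outcomes():
    """What happens when a brand-new smart TV (192.168.20.50) joins, with no
    firewall change made: blocked under design A, allowed under design B."""
    return {
        "A_new_tv_internet": decide(DESIGN_A, "IOT", "192.168.20.50", INTERNET_HOST),
        "B_new_tv_internet": decide(DESIGN_B, "IOT", "192.168.20.50", INTERNET_HOST),
    }


def isolation_outcomes():
    """Neither design lets IOT devices reach the LAN, and the no-internet VLAN
    in design B cannot reach the internet either."""
    return {
        "A_listed_tv_internet": decide(DESIGN_A, "IOT", "192.168.20.11", INTERNET_HOST),
        "A_listed_tv_lan": decide(DESIGN_A, "IOT", "192.168.20.11", LAN_HOST),
        "B_tv_lan": decide(DESIGN_B, "IOT", "192.168.20.50", LAN_HOST),
        "B_camera_internet": decide(DESIGN_B, "IOT_NOINET", "192.168.30.10", INTERNET_HOST),
        "B_camera_lan": decide(DESIGN_B, "IOT_NOINET", "192.168.30.10", LAN_HOST),
    }


if __name__ == "__main__":
    for name, outcome in {**new_device_outcomes(), **isolation_outcomes()}.items():
        print(f"{name:24s} -> {outcome}")
```

The "!RFC1918" destination is what keeps both designs from leaking into the trusted LAN: a pass rule whose destination excludes private ranges never matches LAN traffic, so the implicit block applies. Run it and the first two lines show the administrative difference the reply describes: under design A the new TV stays blocked until someone edits the alias, under design B it works the moment it joins the right SSID.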