Network Structure Feedback/Recommendations

Curlyp

Greetings IPCT Community!

Hopefully, I posted this in the correct forum. I’m seeking some advice on my network setup, specifically, my VLAN structure. I believe I might be over complicating my network to the point where I’m making my structure/setup too complex and might need to consolidate some VLANs.

My network is separated into multiple (many) VLANs, especially to isolate my cameras. In the event of an exploit, etc., I have reduced the chances of lateral movement into my main network. Every time I add something new to my network, I tend to group it into its own VLAN. Again, the reasoning is to keep everything isolated.

Currently, my network breakdown is:
  • Default/Main – where a few main devices live and has access to all VLANs; but no other VLANs can access it
  • IoT – smart items that require internet access; cannot connect to other VLANs except automation but devices are reachable
  • NoT – smart items that are isolated from the internet; cannot connect to other VLANs except automation but devices are reachable
  • Kids – kids devices only with various FW rules applied
  • InLaws – family members that are isolated from other VLANs
  • BI – Blue Iris only; has limited access to the net with no access to other VLANs; connected to switch with NIC 1
  • Camera ONLY – no internet access without VPN. In Unifi (under old settings), you have the option to select VLAN ONLY; connected to switch (23 PoE ports) via NIC 2
  • VM – VMs/Dockers that have limited access to other devices on the net
  • TestVLAN – test different equipment before migrating to the appropriate VLAN
  • Guest – no local access
Based on my current setup and how I continue to set up my network, am I over complicating things? Feel free to give your honest feedback and recommendations.

Thanks!

CP

The Automation Guy

I don't dislike the idea of using VLANs to really segment the network. I have a lot myself. However I do notice some things about your planned VLANs that I want to address.

First, you have to understand that if you are setting up a "router on a stick" architecture (ie not having your switches act as true layer 3 devices with the DHCP and rules programmed at the switch level), any traffic traveling from one VLAN to another will have to pass through the firewall/router. However all traffic that is passing within the same VLAN is handled by the switch and that data does NOT pass through the firewall/router. If the VLANs are set up where too much traffic is passing between different VLANs, you will quickly create a bottleneck of data unless your trunk lines are much faster than the rest of the network. So if you have 1gb network, but use a 10gb connection between your switches and firewall/router then this might not be a problem. But if you have 1gb connections between the switches and firewall/router, then it could easily create a bottleneck. Therefore you need to carefully consider your VLAN makeup and ensure that traffic will tend to stay confined to the VLAN as much as possible and only cross over to access the internet and as few times outside of that as possible.

Second, you are correct to use VLANs to segment your network based on access to the internet and other VLANs. However I think you are trying to get too narrow in your segments which is going to cause VLAN traffic to travel between VLANs for no good reason. Let me try to give you a couple of "rules" to follow. First, if you have a large number/group of devices that you are trying to control access for, then a VLAN makes the most sense. However if there are only one or two devices that you are trying to control access for, then using firewall rules is a better solution than creating a new VLAN that will only have one or two devices on it - especially if that VLAN traffic will regularly have to travel to another VLAN.

For example, I like that you are using two different VLANs for IOT devices with one that offers internet access (IoT) and one that does not offer internet access (NoT). This way you can simply assign a device to the appropriate VLAN/wireless SSID depending on if the device needs internet access or not. This method is much easier to maintain than using one IoT VLAN and trying to use rules to determine which devices can access the internet and which cannot. On the other hand, having two VLANs for the cameras and BI is actually detrimental and will create a data bottleneck faster than needed. You should really put all of those devices on a "camera" VLAN that blocks internet access and then write a single rule in that allows the BI machine to access the internet. This way 99% of the "camera" traffic stays on the same VLAN and doesn't have to be routed through the firewall/router. The only time you will send traffic outside of this VLAN is when you are using a personal device to "check footage". If your cameras and BI machine are on two different VLANs, 100% of that traffic will have to travel through the firewall/router unless you have set your network switches up with layer 3 functionality and take the DHCP and VLAN management away from the firewall/router.

If your kids are very young, you may find it effective to limit their internet access by putting them on their own VLAN. However you will be surprised at how quickly kids will find a "work around" in ways you never even considered. It's generally accepted that trying to limit your kids' access to certain elements of the internet through filtering/rules is a losing battle. You are much better off having conversations early and often about the internet and trying to teach them why things are bad vs trying to protect them by blocking all of that from them. They are going to find it sooner rather than later, and having conversations with your kids about it sooner rather than later is a more effective way of handling it. Therefore I would tend to put the kids and inlaws on the same VLAN. The only reason to add a different guest VLAN is to change the wifi password often without affecting the kids/inlaws. If you aren't going to do that, then put guests on the same VLAN as the kids and inlaws.

So based on your list, I would change my VLANs to this architecture:

Management VLAN - provides access to all VLANs and network devices. Includes all network hardware and perhaps one "management" computer - although you can always log onto this SSID with a computer for access when needed. You'll use this VLAN when you are "working" on the network.
Protected VLAN - gives internet access and blocks access to some of the other VLANs. You probably want to give this VLAN access to the Main VLAN and Camera VLAN for example. This is where your devices that contain your family's "personal" information/documents lives that you want separated from everything else. Includes most personal computers, any NAS that includes personal documents, backups, etc. but it does not include your phones or other mobile devices. Those should be considered insecure devices and put on the Main VLAN.
Main VLAN - gives internet access but blocks other VLAN access except Camera VLAN access (at least for some devices) and possibly the NoT if you are doing a lot of automation things. Basically anything that needs the internet, but doesn't need to regularly access the "personal family data" goes on this VLAN. Includes media streamers, TVs, automation/smart devices that need internet, kids computers, inlaw computers, any printers/scanners/fax machine, ALL mobile devices including your personal phones/tablets, etc
NoT VLAN - blocks internet access and access to other VLANs. Includes anything you want to keep off the internet and away from your family's personal information. Things like lights, appliances, alarm system, HVAC, etc
Camera VLAN - blocks internet access and blocks access to other VLANs. Includes all cameras and the BI machine. You can write a rule that allows the BI computer access to the internet and turn it on/off as needed.
Guests VLAN - provides internet access, but blocks other VLAN access and also isolates devices from each other on the guest network. Honestly unless you have long term guests or live in an area where cellular service is unreliable or not available, this is probably not needed in a residential setting because guests will have their own mobile devices with internet access built in. I had a Guest VLAN for a long time and eventually turned it off because it was only used once. Less is sometimes better (and more secure).

Only you can decide the importance of putting the VMs on their own VLAN, but I don't see a reason to do it unless you need a DMZ for a special reason. If they include personal information or need to access the personal information, they belong on the Protected VLAN. If they don't, they belong on the Main VLAN. You also need to be honest/realistic about your "data". For example, a movie/music collection isn't "personal family data" and doesn't need to be on the Protected VLAN. It will work better on the Main VLAN anyway because the media streamers that would be accessing that data the most are also on that VLAN. You also need to think about how much you really need a test VLAN. Personally I don't think it is really necessary. Just add those devices straight away to the target VLAN or if there really is some sort of testing phase to go through with the device, add them to the Main or NoT VLAN for testing depending on if it needs internet access or not.

Here are some other VLANs that I would consider using if applicable:

Gaming VLAN - if you game online, many times these devices (computers and consoles) need special firewall rules and services turned on that are less secure than what I want for the rest of my network. By placing these on their own VLAN, it is easy to add a new device as needed, as well as protect the rest of my network by not exposing the other devices to these less secure rules/services.
IP Phone VLAN - if you have an ip phone system (asterisk, etc), then you definitely want those devices (phones and server) on their own VLAN - just like you want to put cameras on their own VLAN.

Also, be sure to block access to your firewall's web GUI from most VLANs (really every one but the Management VLAN). You'll need to ensure devices can access the various firewall services (DHCP, NTP, etc.), so you can't write a rule that blocks access to the entire IP address of the firewall (ie the gateway address of each VLAN), but you definitely want to block the web GUI to prevent someone from being able to change firewall settings.
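To make the rule ordering in the post above concrete, here is an added example (not from the thread and not UniFi's own rule format) that models the recommended layout as a first-match policy with default deny and checks it against the stated intent: cameras and BI on one VLAN so their traffic is switched rather than routed, a single allow rule for the BI machine's internet access, and the gateway's DHCP/NTP (DNS added here as an assumption) reachable from every VLAN while its web GUI and SSH answer only to the Management VLAN. Subnets, host addresses and port numbers are constructed.

```python
"""Model of the VLAN policy recommended above as a first-match rule list.
Constructed example: subnets, the Blue Iris address and ports are made up."""

import ipaddress

# Constructed addressing: one /24 per VLAN, gateway at .1 of each subnet.
VLANS = {
    "management": ipaddress.ip_network("10.0.10.0/24"),
    "protected": ipaddress.ip_network("10.0.20.0/24"),
    "main": ipaddress.ip_network("10.0.30.0/24"),
    "not": ipaddress.ip_network("10.0.40.0/24"),
    "camera": ipaddress.ip_network("10.0.50.0/24"),
}
GATEWAYS = {next(net.hosts()) for net in VLANS.values()}
INTERNET = "internet"                          # pseudo-destination for the WAN
BI_HOST = ipaddress.ip_address("10.0.50.10")   # constructed Blue Iris machine
GATEWAY_SERVICE_PORTS = {53, 67, 123}          # DNS, DHCP, NTP stay reachable
GATEWAY_GUI_PORTS = {22, 80, 443}              # SSH and web GUI: management only


def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if it is off-net."""
    return next((n for n, net in VLANS.items() if ip in net), None)


# (name, predicate(src_ip, src_vlan, dst_ip, dst_vlan, dport), verdict); first match wins.
RULES = [
    ("mgmt-any", lambda s, sv, d, dv, p: sv == "management", "allow"),
    ("gateway-services", lambda s, sv, d, dv, p: d in GATEWAYS and p in GATEWAY_SERVICE_PORTS, "allow"),
    ("gateway-gui", lambda s, sv, d, dv, p: d in GATEWAYS and p in GATEWAY_GUI_PORTS, "deny"),
    ("bi-internet", lambda s, sv, d, dv, p: s == BI_HOST and dv == INTERNET, "allow"),
    ("camera-isolated", lambda s, sv, d, dv, p: sv == "camera", "deny"),
    ("not-isolated", lambda s, sv, d, dv, p: sv == "not", "deny"),
    ("protected-out", lambda s, sv, d, dv, p: sv == "protected" and dv in (INTERNET, "main", "camera"), "allow"),
    ("main-out", lambda s, sv, d, dv, p: sv == "main" and dv in (INTERNET, "camera"), "allow"),
]


def evaluate(src, dst, dport):
    """Return (verdict, matched_rule, crosses_router) for one flow.
    dst is an IP string or INTERNET. A flow that stays inside one VLAN and is
    not addressed to the gateway is forwarded by the switch: allowed, never routed."""
    src_ip = ipaddress.ip_address(src)
    src_vlan = vlan_of(src_ip)
    if dst == INTERNET:
        dst_ip, dst_vlan = None, INTERNET
    else:
        dst_ip = ipaddress.ip_address(dst)
        dst_vlan = vlan_of(dst_ip)
    if dst_ip is not None and dst_vlan == src_vlan and dst_ip not in GATEWAYS:
        return "allow", "switched-intra-vlan", False
    for name, matches, verdict in RULES:
        if matches(src_ip, src_vlan, dst_ip, dst_vlan, dport):
            return verdict, name, True
    return "deny", "default-deny", True


def audit(expectations):
    """Return the rows whose policy verdict differs from the intended one."""
    return [(s, d, p, got) for s, d, p, want in expectations
            if (got := evaluate(s, d, p)[0]) != want]


# Constructed flows encoding the intent of the post; reorder RULES and re-run audit().
EXPECTED = [
    ("10.0.50.20", "10.0.50.10", 8000, "allow"),   # camera -> BI, same VLAN, switched
    ("10.0.50.20", INTERNET, 443, "deny"),         # cameras must not reach the internet
    ("10.0.50.10", INTERNET, 443, "allow"),        # the single BI internet rule
    ("10.0.30.15", "10.0.30.1", 67, "allow"),      # Main device still gets DHCP
    ("10.0.30.15", "10.0.30.1", 443, "deny"),      # but cannot open the gateway web GUI
    ("10.0.10.5", "10.0.10.1", 443, "allow"),      # management can reach the GUI
    ("10.0.30.15", "10.0.20.7", 445, "deny"),      # Main cannot reach Protected
    ("10.0.20.7", "10.0.50.10", 81, "allow"),      # Protected can check footage on BI
    ("10.0.40.3", INTERNET, 443, "deny"),          # NoT stays offline
]
```

An empty list from `audit(EXPECTED)` means the rule order matches the intent; the third element returned by `evaluate` shows which flows would hit the router in a "router on a stick" layout.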

Curlyp

First, you have to understand that if you are setting up a "router on a stick" architecture (ie not having your switches act as true layer 3 devices with the DHCP and rules programmed at the switch level), any traffic traveling from one VLAN to another will have to pass through the firewall/router. However all traffic that is passing within the same VLAN is handled by the switch and that data does NOT pass through the firewall/router. If the VLANs are set up where too much traffic is passing between different VLANs, you will quickly create a bottleneck of data unless your trunk lines are much faster than the rest of the network. So if you have 1gb network, but use a 10gb connection between your switches and firewall/router then this might not be a problem. But if you have 1gb connections between the switches and firewall/router, then it could easily create a bottleneck. Therefore you need to carefully consider your VLAN makeup and ensure that traffic will tend to stay confined to the VLAN as much as possible and only cross over to access the internet and as few times outside of that as possible.
@The Automation Guy - Thank you very much for the in-depth reply and recommendations for my setup.

I do have to caveat: networking is not my strong suit, and it takes me longer to figure things out by researching.

I would say my setup is more advanced than a “router on a stick”. If I am understanding you correctly, I have several FW rules set up regarding inbound/outbound traffic. I currently block all inter-VLAN traffic by default, but have FW rules to allow traffic to traverse in specific ways. I am GEO-IP blocking various countries, ad-blocking across the whole network, and content blocking on certain VLANs.

The hardware I use is Unifi. I currently have the UDM PRO SE, 48 Port PoE 750W, 8 Port PoE 150W, various Flex Mini switches, and APs throughout the house. The connection between the ISP --> UDM PRO SE is 2.5GB (I am currently pulling 1.5GB DOWN and almost 100MB UP). The connection from the UDM Pro SE --> 48 Port PoE switch is SFP+ (10GbE). All hardwiring throughout the house is CAT6/6A, and I'm currently in the process of running fiber from my network rack to another building on my property.

Second, you are correct to use VLANs to segment your network based on access to the internet and other VLANs. However I think you are trying to get too narrow in your segments which is going to cause VLAN traffic to travel between VLANs for no good reason. Let me try to give you a couple of "rules" to follow. First, if you have a large number/group of devices that you are trying to control access for, then a VLAN makes the most sense. However if there are only one or two devices that you are trying to control access for, then using firewall rules is a better solution than creating a new VLAN that will only have one or two devices on it - especially if that VLAN traffic will regularly have to travel to another VLAN.
I absolutely agree with you. I had a feeling I was getting too narrow with my VLANs, which as a result is making it more complex for me (and also potentially a bottleneck on the network). A couple of my VLANs, or VLANs I planned to make, were only going to have a few devices. Taking into account what you are saying, I should just use FW rules for those specific machines – which is a great idea. Thank you!

For example, I like that you are using two different VLANs for IOT devices with one that offers internet access (IoT) and one that does not offer internet access (NoT). This way you can simply assign a device to the appropriate VLAN/wireless SSID depending on if the device needs internet access or not. This method is much easier to maintain than using one IoT VLAN and trying to use rules to determine which devices can access the internet and which cannot. On the other hand, having two VLANs for the cameras and BI is actually detrimental and will create a data bottleneck faster than needed. You should really put all of those devices on a "camera" VLAN that blocks internet access and then write a single rule in that allows the BI machine to access the internet. This way 99% of the "camera" traffic stays on the same VLAN and doesn't have to be routed through the firewall/router. The only time you will send traffic outside of this VLAN is when you are using a personal device to "check footage". If your cameras and BI machine are on two different VLANs, 100% of that traffic will have to travel through the firewall/router unless you have set your network switches up with layer 3 functionality and take the DHCP and VLAN management away from the firewall/router.
Agree, MUCH easier to maintain! Many YouTube videos/forum recommendations specifically went through separating IoT vs NoT. I’ve always separated the IoT devices throughout the years, but recently (within the last year or so) started analyzing my NoT devices. I didn’t like that traffic was always going outbound, especially when it never impeded the functionality. I had a feeling separating BI and cameras was going to cause issues. My rationale just “sounded” good and that’s why I went with it. Even folks I’ve spoken with online and in-person would keep BI/cameras on the same VLAN; my whole thought was, if a camera happened to become compromised, at least it would be much more difficult to access my server that’s managing all the cameras.

If your kids are very young, you may find it effective to limit their internet access by putting them on their own VLAN. However you will be surprised at how quickly kids will find a "work around" in ways you never even considered. It's generally accepted that trying to limit your kids' access to certain elements of the internet through filtering/rules is a losing battle. You are much better off having conversations early and often about the internet and trying to teach them why things are bad vs trying to protect them by blocking all of that from them. They are going to find it sooner rather than later, and having conversations with your kids about it sooner rather than later is a more effective way of handling it. Therefore I would tend to put the kids and inlaws on the same VLAN. The only reason to add a different guest VLAN is to change the wifi password often without affecting the kids/inlaws. If you aren't going to do that, then put guests on the same VLAN as the kids and inlaws.
Yes, my children are younger (10 & under). I wholeheartedly agree with sitting them down and having conversations about what’s appropriate and not (which my wife and I do). The FW rules are set up as a backup “safety net”: in the event they accidentally click on malware, I can minimize the impact. Heck, we have people in our company of all ages that have poor OPSEC and click on links they shouldn’t despite quarterly training…I digress! It’s difficult for very young kids to understand the difference between “good” and “bad” website links. Hmm, I never thought about putting the kids and the in-laws on the same VLAN, but that makes complete sense! They basically have similar FW rules (minus a couple), but I could just set up the additional rules for the kids based on their IP/MAC address. Thanks for the great recommendation!

So based on your list, I would change my VLANs to this architecture:

Management VLAN - provides access to all VLANs and network devices. Includes all network hardware and perhaps one "management" computer - although you can always log onto this SSID with a computer for access when needed. You'll use this VLAN when you are "working" on the network.
Protected VLAN - gives internet access and blocks access to some of the other VLANs. You probably want to give this VLAN access to the Main VLAN and Camera VLAN for example. This is where your devices that contain your family's "personal" information/documents lives that you want separated from everything else. Includes most personal computers, any NAS that includes personal documents, backups, etc. but it does not include your phones or other mobile devices. Those should be considered insecure devices and put on the Main VLAN.
Main VLAN - gives internet access but blocks other VLAN access except Camera VLAN access (at least for some devices) and possibly the NoT if you are doing a lot of automation things. Basically anything that needs the internet, but doesn't need to regularly access the "personal family data" goes on this VLAN. Includes media streamers, TVs, automation/smart devices that need internet, kids computers, inlaw computers, any printers/scanners/fax machine, ALL mobile devices including your personal phones/tablets, etc
NoT VLAN - blocks internet access and access to other VLANs. Includes anything you want to keep off the internet and away from your family's personal information. Things like lights, appliances, alarm system, HVAC, etc
Camera VLAN - blocks internet access and blocks access to other VLANs. Includes all cameras and the BI machine. You can write a rule that allows the BI computer access to the internet and turn it on/off as needed.
Guests VLAN - provides internet access, but blocks other VLAN access and also isolates devices from each other on the guest network. Honestly unless you have long term guests or live in an area where cellular service is unreliable or not available, this is probably not needed in a residential setting because guests will have their own mobile devices with internet access built in. I had a Guest VLAN for a long time and eventually turned it off because it was only used once. Less is sometimes better (and more secure).

Only you can decide the importance of putting the VMs on their own VLAN, but I don't see a reason to do it unless you need a DMZ for a special reason. If they include personal information or need to access the personal information, they belong on the Protected VLAN. If they don't, they belong on the Main VLAN. You also need to be honest/realistic about your "data". For example, a movie/music collection isn't "personal family data" and doesn't need to be on the Protected VLAN. It will work better on the Main VLAN anyway because the media streamers that would be accessing that data the most are also on that VLAN. You also need to think about how much you really need a test VLAN. Personally I don't think it is really necessary. Just add those devices straight away to the target VLAN or if there really is some sort of testing phase to go through with the device, add them to the Main or NoT VLAN for testing depending on if it needs internet access or not.
Thank you for the VLAN Architecture recommendation. I will work on it this weekend. I see your Main VLAN is similar to devices that would be on IoT. Do you prefer to use the name Main VLAN vs IoT?

As far as the VMs, no, I do not need a DMZ. It was just to keep my network consistent and separated into its own VLANs. Some of the VMs do need access to personal information and others don’t. With that said, based on your architecture, I should split them into the Protected vs Main VLAN. After reading your comments on the test VLAN I am going to remove it. It’s not something that is currently used all the time, but I would use it when I wanted to test different products, etc.

Here are some other VLANs that I would consider using if applicable:

Gaming VLAN - if you game online, many times these devices (computers and consoles) need special firewall rules and services turned on that are less secure than what I want for the rest of my network. By placing these on their own VLAN, it is easy to add a new device as needed, as well as protect the rest of my network by not exposing the other devices to these less secure rules/services.
IP Phone VLAN - if you have an ip phone system (asterisk, etc), then you definitely want those devices (phones and server) on their own VLAN - just like you want to put cameras on their own VLAN.

Also, be sure to block access to your firewall's web GUI from most VLANs (really every one but the Management VLAN). You'll need to ensure devices can access the various firewall services (DHCP, NTP, etc.), so you can't write a rule that blocks access to the entire IP address of the firewall (ie the gateway address of each VLAN), but you definitely want to block the web GUI to prevent someone from being able to change firewall settings.
Good idea on the Gaming VLAN. I do a little bit of gaming and so do the kids. No IP Phones, so I don’t have to worry about it. I might dabble with them one day, but right now I don’t see a need for us to have them.

Ah, yes! I forgot to mention it in my original post. I do block access to the gateway. Every VLAN except my default VLAN cannot access the gateway. I even block access to HTTP/S and SSH.
The Automation Guy

I see your Main VLAN is similar to devices that would be on IoT. Do you prefer to use the name Main VLAN vs IoT?
There is no right or wrong answer and ultimately it is all semantics. You can call your VLANs anything you want, but using appropriate names will help keep track of things logically. Honestly I came up with those terms while writing the post. They don't actually match my current VLAN structure, but I am planning a network redesign and will likely use this scheme moving forward.

In my scheme, the "Protected VLAN" is what most people would normally call their "Main VLAN" and the "Main VLAN" in my scheme is what most people would call the "IoT VLAN". I like the term "Protected VLAN" because it rightly indicates that only very special devices with data that needs to be protected should be on this VLAN. If you call this the "Main VLAN" then it makes it sound like it's the default VLAN where everything gets put if there isn't a good reason to have it on another VLAN. That's not the purpose of that VLAN IMHO.

This is also why I like using "Main VLAN" to describe what most people would call their "IoT VLAN". In my opinion, this is the default VLAN where everything gets put if there isn't a strong reason to put it on another VLAN. Calling it an IoT VLAN seems too limiting in my opinion. You really want all of your generic devices that need internet access, but not access to your personal data on this VLAN - whether it is what most people would consider an IoT device or not.