Advice on VLAN organization

giopas

Regular Contributor
Hi all,

In my educational journey, I am trying to conceptually (for now) explore how I could better organize my internal home network using VLANs.

The ultimate purpose is to allow me to monitor and increase the security of my network, while keeping a user friendly environment.

I was therefore thinking of creating something along these lines:

- 192.168.1.1 router
- 192.168.1.x (internal network: NAS + Omada environment + smart TVs + SIP phone + main WiFi + game console + laptops + smartphones + tablet + Raspberry Pi with reverse proxy and Pi-hole)
- 192.168.2.x (smart speakers)
- 192.168.3.x Internet connected home alarm
- 192.168.4.x Internet connected video cameras
- 192.168.5.x Guest network + all unrecognized (wired or wifi)

Given the above, I wanted to grant the following access rights:

- 1.x outgoing connection allow all - incoming connection deny all
- 2.x outgoing connection deny all - incoming connection allow only from 1.x and 2.x
- 3.x outgoing connection deny all - incoming connection allow only from 1.x and 3.x
- 4.x outgoing connection deny all - incoming connection allow only from 1.x and 4.x
- 5.x outgoing connection deny all - incoming connection allow only from 1.x and 5.x

As I have no experience with VLANs, I would really appreciate your comments/advice.

Thanks for your precious input!
 
What devices are you using? That will determine how you go about doing it.

I'm curious why you want your alarm and other stuff not to be able to communicate out, doesn't that defeat the purpose? They will have no internet access.
 
I forgot to mention that of course every VLAN would have internet access :)

The router is not decided yet (the current one is not VLAN capable), but I want to understand, when I get one, how to take advantage of it.
 
To do what you're looking for, you'll need a router with VLAN and firewall support: Omada, EdgeRouter or MikroTik. Or you'll need to do some fairly heavy scripting in Merlin. APs will likely need VLAN support as well unless you're going to dedicate an AP to each VLAN that needs wireless.

If you're willing to get into scripting with Merlin firmware, what you want is doable on Asus routers. FreshTomato offers VLAN support via the GUI on some models of Asus routers, but I'm not sure how much firewall ability it has for inter-VLAN routing and filtering.

In reality what you're looking to do probably warrants the proper gear rather than trying to script something on a cheap home router. You might want to consider a whole TP-Link Omada setup (router, switch, and APs) or a Ubiquiti ER-X, switch, and APs. MikroTik can do it too, but their OS has a steeper learning curve.

Really any VLAN-aware switch (8-port ones are in the $25 range) will work with any of the brands above if you want to skip their branded switch (but you lose the ability to manage everything from one tool). You also have the option of going with pfSense or OPNsense for your router; you can buy prebuilt setups or use any x86-based PC. But for small size and low power consumption, one of the ones above is a nice fit as an "out of the box ready" solution with easy management.

Once you VLAN stuff off, any of these solutions can be very flexible about what can talk where. They can filter on IPs, ports, interfaces, etc.
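Putting the OP's subnet plan and access list together with this reply's point about filtering on interfaces, IPs and ports: the Python below is an added example (not code from anyone in the thread) that models that policy as an ordered, default-deny, stateful set of forwarding rules and renders it as an nftables chain, the Linux firewall syntax a scripted Merlin box would end up with; the other platforms express the same rules in their own syntax. The five /24s are the OP's. The Pi-hole address 192.168.1.53, the interface names vlan1..vlan5 and eth0 as WAN, and the decision to let the IoT VLANs reach the Pi-hole on port 53 (they have to resolve DNS somewhere) are assumptions made for the example. Two things the OP's list leaves implicit are made explicit here: "incoming allow only from 1.x" is what connection tracking gives you for free once 1.x may open connections outward, and "Internet" is defined as "not a private address", so a camera cannot reach anything else you later route (a VPN, a second site) just because it is not one of the five listed VLANs.

```python
"""Inter-VLAN policy model for the layout proposed in this thread.

Added example, not code from anyone in the thread. The five /24s are the OP's;
the Pi-hole address (192.168.1.53), the interface names (vlan1..vlan5, eth0 = WAN)
and the choice to let IoT VLANs reach the Pi-hole on port 53 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones from the OP's plan.
ZONES = {
    "main":  ipaddress.ip_network("192.168.1.0/24"),  # NAS, laptops, Pi-hole, reverse proxy
    "spk":   ipaddress.ip_network("192.168.2.0/24"),  # smart speakers
    "alarm": ipaddress.ip_network("192.168.3.0/24"),  # alarm
    "cams":  ipaddress.ip_network("192.168.4.0/24"),  # cameras
    "guest": ipaddress.ip_network("192.168.5.0/24"),  # guests and unrecognised devices
}
IOT_ZONES = ("spk", "alarm", "cams", "guest")
PIHOLE = ipaddress.ip_address("192.168.1.53")  # assumed address of the Pi-hole on the main VLAN
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IF = "eth0"                                 # assumed WAN interface name


@dataclass(frozen=True)
class Rule:
    src: str                     # zone name or "any"
    dst: str                     # zone name, "wan", "pihole" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port
    action: str = "accept"


# Evaluated top to bottom for NEW connections only; first match wins, unmatched traffic is dropped.
POLICY = [
    Rule("main", "any"),                                 # OP: 1.x outgoing allow all
    *[Rule(z, "pihole", "udp", 53) for z in IOT_ZONES],  # assumption: IoT VLANs resolve DNS via Pi-hole
    *[Rule(z, "pihole", "tcp", 53) for z in IOT_ZONES],
    *[Rule(z, "wan") for z in IOT_ZONES],                # OP: "every VLAN would have internet access"
]


def zone_of(ip: str) -> str:
    """Classify an address: a listed zone, 'private' for other RFC1918 space, else 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "private" if any(addr in n for n in PRIVATE) else "wan"


def allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Would the router forward a NEW connection src -> dst? Replies are covered by conntrack."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True  # same VLAN: switched at layer 2, never reaches the router's firewall
    dst_addr = ipaddress.ip_address(dst)
    for r in POLICY:
        if r.src not in ("any", sz):
            continue
        if r.dst == "pihole":
            if dst_addr != PIHOLE:
                continue
        elif r.dst not in ("any", dz):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "accept"
    return False  # default deny: covers IoT -> main, IoT -> IoT and IoT -> unlisted private ranges


def to_nftables() -> str:
    """Render POLICY as an nft forward chain; interface names are assumptions."""
    ifname = {z: f"vlan{net.network_address.packed[2]}" for z, net in ZONES.items()}
    not_private = "ip daddr != { " + ", ".join(str(n) for n in PRIVATE) + " }"
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # this is the OP's 'incoming allow from 1.x'
        "    ct state invalid drop",
    ]
    for r in POLICY:
        parts = [] if r.src == "any" else [f"iifname {ifname[r.src]}"]
        if r.dst == "wan":
            parts += [f"oifname {WAN_IF}", not_private]  # 'Internet' = public addresses only
        elif r.dst == "pihole":
            parts.append(f"ip daddr {PIHOLE}")
        elif r.dst != "any":
            parts.append(f"oifname {ifname[r.dst]}")
        if r.proto != "any":
            parts.append(f"{r.proto} dport {r.dport}" if r.dport else f"meta l4proto {r.proto}")
        lines.append("    " + " ".join(parts + [r.action]))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
```

Run it to print the chain, or call allowed() with a pair of addresses to see how a given flow would fare: a laptop on 1.x opening RTSP to a camera is accepted, the camera opening SMB back to the laptop is not, and the camera reaching the Pi-hole on 443 (its web UI) is refused while 53 is allowed. Intra-VLAN traffic is always returned as allowed here because the router never sees it; if you also want the member devices of a VLAN isolated from each other, as the later reply in this thread describes, that is a switch or AP feature (client isolation), not a router rule.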
 
Thank you for your important clarifications.

One curiosity: my current router (Asus RT-AC86U with Merlin) does not support VLANs. But I have an integrated Omada network, with 2 managed switches and 5 Wi-Fi 6 access points.

Do you mean that I could create VLANs already with the current setup, or would I nonetheless need an Omada router or any other VLAN-capable router?
 
To start at the beginning, a VLAN is just a group of devices on your LAN.
When using VLANs, there is still a "home" LAN, called the untagged LAN.
Some VLANs are isolated, while other VLANs can communicate with either the untagged LAN or another VLAN. You get to decide this for each VLAN.
Within a VLAN, some allow the member devices to communicate amongst themselves; others do not. Again, you get to choose.

You should only need one VLAN that is isolated in your home and that also isolates its member devices. All devices in this VLAN can see the Internet and nothing else. And nothing else can see them.

How many other VLANs you need is the hard part. More here
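To make "tagged" versus "untagged" concrete, here is an added example (not from the post above or anyone else in the thread) that builds and parses 802.1Q Ethernet frames in Python and models what a switch does with them on ingress. A frame whose tag carries a VID is placed in that VLAN; an untagged frame, or one tagged with VID 0 (priority only), falls into the port's PVID, which is the "home" untagged LAN described above. The check a practitioner wants is the last one: an access port should admit only untagged frames or tags for its own PVID, so a device plugged into the camera port cannot put itself into the main VLAN by tagging its own frames. The MAC addresses and payloads are constructed for the example.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames and model switch ingress.

Added example, not code from the thread. Addresses and payloads are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100  # TPID announcing a VLAN tag
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]  # None = no 802.1Q tag on the wire
    pcp: int            # priority code point (0-7) from the tag, 0 if untagged
    ethertype: int      # ethertype of the encapsulated payload
    payload: bytes


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise a frame; with vid set, insert a 4-byte 802.1Q tag after the MACs."""
    hdr = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4095 and PCP 0..7")
        tci = (pcp << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HHH", ETH_P_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = _mac_str(raw[:6]), _mac_str(raw[6:12])
    etype = struct.unpack("!H", raw[12:14])[0]
    if etype != ETH_P_8021Q:
        return Frame(dst, src, None, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner, raw[18:])


def ingress_vlan(frame: Frame, pvid: int) -> int:
    """VLAN a switch port assigns on ingress: a real VID wins, untagged and VID 0 use the PVID."""
    if frame.vid is None or frame.vid == 0:
        return pvid
    return frame.vid


def access_port_accepts(frame: Frame, pvid: int) -> bool:
    """An access (untagged) port should only admit untagged frames or tags for its own VLAN;
    a tagged frame for another VID is dropped, so an end device cannot choose its VLAN."""
    return frame.vid is None or frame.vid in (0, pvid)


def trunk_port_accepts(frame: Frame, allowed_vids: set, native_vid: int) -> bool:
    """A trunk admits tagged frames for its allowed VIDs; untagged frames map to the native VLAN."""
    return ingress_vlan(frame, native_vid) in allowed_vids
```

The same logic is what the Omada switches and APs in the OP's setup apply: the AP tags each SSID's traffic with its VLAN on the uplink, the switch port facing the AP is a trunk that allows those VIDs, and the ports facing cameras or the NAS are access ports with a single PVID. If a switch port is left as a trunk by default, the access-port check above is the one that is missing, so it is worth verifying each port's mode rather than assuming it.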
 