[Help] Home Network Upgrade for Security & Performance - Cameras & IoTs


DrPyro2k

New Around Here
Hello... Need some help designing my upgraded home network. The primary motivation for this upgrade is the addition of IP Cameras and the slow but relentless IoT and IP Control additions to the existing network. Plus, the wifi network is a little shaky in some critical rooms (office & bedroom). As a result, I'm taking a fresh look at my current network, limitations and security.

Current Hardware: Asus RT-AC3200, and a variety of dumb switches (homerun Cat 5e Network)
Current Wifi Devices: ~15 wifi devices, that are on 2 networks (users & guest)
Current LAN Devices: ~20+ hardwired devices, all on a single flat lan network [Synology NAS, Printers, PCs, BluRays, AVRs, TVs, misc internet streamers, etc]


Issue:
As I noted, I'm looking to add 5 IP video cameras to my network (to start with). The current favorites are the Ubiquiti G3 cameras, but I'm still deciding.... No matter what cameras are ultimately chosen, they will be hardwired and PoE. I will also add some type of NVR for local recording/storage.

The wifi is a little weak in a few rooms, so I'm considering adding multiple APs with hardwired backhauls, like the Ubiquiti Unifi AP AC-Pro.

Security: I'm growing more and more concerned about the single flat network topology, and would like to start to segregate devices based on their access/security modality. In other words, I don't think that all of the IoTs or cameras should have unfettered access to the whole network.

Pondered Solution:
I think that VLANs (each on its own subnet) and some sort of firewall/router rules should get me the control that I think I need. I can divide the wifi network into 2/3 possible access modalities.

1) Secure WiFi: Full Internet & Intranet access
2) Guest WiFi: Full Internet access, but not Intranet
3) IoT Wifi: Full Internet access, but not Intranet (Not sure if I can combine with Guest WiFi, if I can isolate individual users, i.e. individual users can't see/ping each other)

For hardwired connections, I can see 4 VLANs, but I'm confused with the hardwired IoT VLANs.

1) Management: base VLAN for all of the L2/L3 switches
2) VOIP: Full Internet access, but not Intranet ***use a Linksys VOIP so relatives in China can call (local Chinese #)***
3) Secure: Full Internet & Intranet access
4) Camera: Intranet Access only.
5) Guest: Full Internet access, but not Intranet *This will be the port default, limits potential mistakes*

I'm still working on the access modality for the hardwired IoTs, but I think there will be 3 or 4 different usages:
1) Only have Internet access (no local control/communication)
2) No Internet access, only Local control by a limited number of devices
3) Full or Limited Internet access, only Local control by a limited number of devices (2 devices)
4) Full Internet access, Local control by a large number of devices (i.e., Chromecast)


Questions:
1) Hardware I'm looking at are Ubiquiti Unifi managed switches & USG (or EdgeLite), as I like a single point to configure the entire network. Suggestions, recommendations?
2) Is the described VLAN/subnet the "best" approach? [forgive "best" description]
3) How are users dealing with IoT security? I realize the most secure would be to not have any, but I have family that has many many times left doors open/unlocked when leaving the house. So getting security alerts and being able to remotely lock/close doors is vastly more secure. How are users limiting control, is there even a way given the control ports may be tricky/impossible to find?

Any help or suggestions would be greatly appreciated, Thanks!
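The zone plan in the post, written up as a default-deny inter-VLAN policy with a rule generator for a Linux-based router (an added example, not the poster's configuration or Ubiquiti's). VLAN interface names, subnets and the NVR address are constructed assumptions; the camera VLAN is narrowed from "Intranet access only" to "NVR only", which is the tighter reading of what cameras actually need.

```python
# Added example: the post's VLAN plan as a default-deny zone policy.
# Interface names, subnets and NVR_IP are constructed, not from the thread.

NVR_IP = "10.0.30.10"  # assumed NVR address on the Secure VLAN

# Zone -> (router VLAN interface, subnet). Numbering is constructed.
ZONES = {
    "mgmt":   ("eth1.10", "10.0.10.0/24"),
    "voip":   ("eth1.20", "10.0.20.0/24"),
    "secure": ("eth1.30", "10.0.30.0/24"),
    "camera": ("eth1.40", "10.0.40.0/24"),
    "guest":  ("eth1.50", "10.0.50.0/24"),
    "iot":    ("eth1.60", "10.0.60.0/24"),
    "wan":    ("eth0",    "0.0.0.0/0"),
}

# Which zone may *initiate* flows to which zone (or single host).
# Anything not listed is dropped; replies ride on the conntrack rule.
# Note: client isolation inside guest/IoT (hosts not seeing each other)
# is an AP/switch feature; router rules only govern inter-VLAN traffic.
POLICY = {
    "secure": {"wan", "mgmt", "voip", "camera", "guest", "iot"},  # full intranet
    "guest":  {"wan"},      # internet only
    "voip":   {"wan"},      # internet only
    "iot":    {"wan"},      # internet only; 'secure' hosts may reach IoT, not vice versa
    "camera": {NVR_IP},     # no internet; only the NVR on the intranet
    "mgmt":   set(),        # switches never initiate anything
    "wan":    set(),        # inbound is dropped unless a port forward is added
}

def allowed(src_zone, dst_zone, dst_ip=None):
    """True if a new flow from src_zone to dst_zone (optionally a specific
    destination host) is permitted by POLICY."""
    targets = POLICY.get(src_zone, set())
    if dst_zone in targets:
        return True
    return dst_ip is not None and dst_ip in targets  # host-specific grant

def iptables_rules():
    """Emit a FORWARD chain that implements POLICY with a DROP default."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, targets in POLICY.items():
        in_if = ZONES[src][0]
        for dst in sorted(targets):
            if dst in ZONES:   # zone-to-zone grant
                rules.append(f"iptables -A FORWARD -i {in_if} -o {ZONES[dst][0]} -j ACCEPT")
            else:              # zone-to-single-host grant (camera -> NVR)
                rules.append(f"iptables -A FORWARD -i {in_if} -d {dst} -j ACCEPT")
    return rules
```

The "Guest as port default" idea from the post is a switch-side setting (untagged VLAN on access ports) and is not expressed here; the rules above only cover what the router sees between VLANs.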
 
I also had concerns about the level of security of my IoT so I decided to segregate these devices using hardware I had on hand. In total in my home I have 61 networked devices (35 wired, 26 WiFi).

My network facing router is an ASUS AC68 router running the latest version of Merlin's firmware. I have six guest networks enabled. Any IoT devices that use WiFi I have are assigned to connect to one of the six guest SSIDs depending on the radio the device has, speed needed and how suspicious I am of their security. The other two non-guest SSIDs are used for my admin purposes and to enhance security only a couple of my devices can access this router's admin pages. None of these devices need a printer connection or access to my NAS.

Behind the primary router I have an ASUS N66 which is double NATed behind the primary Internet facing router. This router is supported by a VPN Accelerator and all my devices on my primary network connect to the Internet using a VPN connection. Because they are on the VPN they cannot communicate with any devices on the primary network unless their VPN connection is terminated. Devices on the primary router can't communicate with any device on my more secure second network because of the different subnets and the fact that the connection between the networks is LAN - WAN. I also have an AP hardwired to my primary router for total coverage of all areas of my home.

Is there a downside to this setup? Yes, my latency is somewhat increased, but this setup has little impact on my download speeds.

Would it be more elegant from a networking standpoint to enable VLANs? Certainly, but I had the extra router and I get by using TP-Link unmanaged switches and even a couple of old Linksys 54Gs where I need multiple Ethernet connections and a 100 Mbps switch won't bottleneck my network.
 
