Hello... Need some help designing my upgraded home network. The primary motivation for this upgrade is the addition of IP cameras and the slow but relentless IoT and IP control additions to the existing network. Plus, the WiFi network is a little shaky in some critical rooms (office & bedroom). As a result, I'm taking a fresh look at my current network, its limitations, and security.
Current Hardware: Asus RT-AC3200, and a variety of dumb switches (homerun Cat 5e Network)
Current Wifi Devices: ~15 wifi devices, that are on 2 networks (users & guest)
Current LAN Devices: ~20+ hardwired devices, all on a single flat lan network [Synology NAS, Printers, PCs, BluRays, AVRs, TVs, misc internet streamers, etc]
Issue:
As I noted, I'm looking to add 5 IP video cameras to my network (to start with). The current favorites are the Ubiquiti G3 cameras, but I'm still deciding.... No matter what cameras are ultimately chosen, they will be hardwired and PoE. I will also add some type of NVR for local recording/storage.
The WiFi is a little weak in a few rooms, so I'm considering adding multiple APs with hardwired backhauls, like the Ubiquiti UniFi AP AC-Pro.
Security: I'm growing more and more concerned about the single flat network topology, and would like to start to segregate devices based on their access/security modality. In other words, I don't think that all of the IoTs or cameras should have unfettered access to the whole network.
Pondered Solution:
I think that VLANs (each on its own subnet) and some sort of firewall/router rules should get me the control that I think I need. I can divide the WiFi network into 2/3 possible access modalities:
1) Secure WiFi: Full Internet & Intranet access
2) Guest WiFi: Full Internet access, but not Intranet
3) IoT Wifi: Full Internet access, but not Intranet (Not sure if I can combine with Guest WiFi, if I can isolate individual users, i.e. individual users can't see/ping each other)
For hardwired connections, I can see 4 VLANs, but I'm confused about the hardwired IoT VLANs:
1) Management: base VLAN for all of the L2/L3 switches
2) VOIP: Full Internet access, but not Intranet ***use a Linksys VOIP so relatives in China can call (local Chinese #)***
3) Secure: Full Internet & Intranet access
4) Camera: Intranet Access only.
5) Guest: Full Internet access, but not Intranet *This will be the port default, limits potential mistakes*
I'm still working on the access modality for the hardwired IoTs, but I think there will be 3 or 4 different usages:
1) Only have Internet access (no local control/communication)
2) No Internet access, only Local control by a limited number of devices
3) Full or Limited Internet access, only Local control by a limited number of devices (2 devices)
4) Full Internet access, Local control by a large number of devices (ie, Chromecast)
Questions:
1) The hardware I'm looking at is Ubiquiti UniFi managed switches & USG (or EdgeRouter Lite), as I like a single point to configure the entire network. Suggestions, recommendations?
2) Is the described VLAN/subnet the "best" approach? [forgive "best" description]
3) How are users dealing with IoT security? I realize the most secure would be to not have any, but I have family that has many, many times left doors open/unlocked when leaving the house. So getting security alerts and being able to remotely lock/close doors is vastly more secure. How are users limiting control? Is there even a way, given the control ports may be tricky/impossible to find?
Any help or suggestions would be greatly appreciated, Thanks!
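A way to sanity-check the segmentation plan above before translating it into router rules, as an added example that is not part of the original post and not tied to any Ubiquiti product: the post's access modalities are encoded as a default-deny zone matrix (with a separate zone for the "no Internet, local control by a limited number of devices" IoT usage and host-level exceptions for the two controller devices), reading "Camera: Intranet access only" as cameras that are reachable from the intranet but never initiate connections to the Internet. All subnets and host addresses are constructed placeholders.

```python
"""Default-deny inter-VLAN policy model for the segmentation plan in the post.
Added example (not from the post or any vendor): the access modalities become a
zone matrix that each flow is checked against before it is turned into router
rules. Every subnet and host address below is a constructed placeholder."""
import ipaddress

# One constructed /24 per VLAN in the post, plus a zone for the "no Internet,
# local control by a limited number of devices" IoT usage.
VLANS = {
    "management": ipaddress.ip_network("10.0.1.0/24"),
    "voip":       ipaddress.ip_network("10.0.2.0/24"),
    "secure":     ipaddress.ip_network("10.0.3.0/24"),
    "camera":     ipaddress.ip_network("10.0.4.0/24"),
    "guest":      ipaddress.ip_network("10.0.5.0/24"),
    "iot":        ipaddress.ip_network("10.0.6.0/24"),  # Internet-only IoT, e.g. Chromecast
    "iot_local":  ipaddress.ip_network("10.0.7.0/24"),  # no Internet, two controllers only
}
INTERNET = "internet"
# Destination zones each source zone may open NEW connections to. Anything not
# listed is dropped; reply traffic is matched by the stateful established rule.
ALLOWED = {
    "secure":     {"secure", "camera", "iot", "voip", "management", INTERNET},
    "guest":      {INTERNET},
    "voip":       {INTERNET},
    "iot":        {INTERNET},
    "camera":     {"camera"},   # cameras reach only an NVR on their own VLAN, never the Internet
    "iot_local":  set(),
    "management": {"management"},
}
# Host-level exceptions for the "limited number of devices" modality: only these
# two constructed secure-VLAN hosts may initiate connections into iot_local.
HOST_ALLOW = {
    (ipaddress.ip_address("10.0.3.20"), "iot_local"),
    (ipaddress.ip_address("10.0.3.21"), "iot_local"),
}

def zone(addr):
    """Map an address to its VLAN zone; anything outside the plan is Internet."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), INTERNET)

def allowed(src, dst):
    """True if a NEW connection src -> dst is permitted by the matrix."""
    s, d = zone(src), zone(dst)
    if s == d and s in ("guest", "iot"):
        # Same-VLAN traffic never reaches the router; AP/switch client isolation enforces this.
        return False
    return d in ALLOWED.get(s, set()) or (ipaddress.ip_address(src), d) in HOST_ALLOW
```

The Chromecast case (modality 4) works because the secure zone may initiate to iot while iot cannot initiate back; mDNS discovery across VLANs still needs a reflector, which the matrix does not model.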