Need Advice On Network Security Design & Possible Security Appliance


b1ggjoe

Regular Contributor
Hey Everyone,

So I've been slowly re-doing my entire Home Network. I've been updating my Network Hardware along with other improvements in order to accommodate all of my 'Smart Devices', along with my new and slowly improving Home Theater goals.

As of tonight, here's a sample of what I have:

1. - Gigabit Fiber enters my home through a CenturyLink Modem (10.x.x.x).

2. - Orbi Router sits behind the CenturyLink Modem (192.168.8.x). The Orbi is FANTASTIC and all of my Smart Devices connect to either the Orbi Router or one of the 2x Satellites via WiFi.

Here's where I need some direction:

I have a brand-new QNAP NAS with about 20 TB of storage (RAID 5). The problem here is that I want to use this QNAP NAS as both my SOHO file storage backup NAS, as well as to store all of my Blu-ray rips/remux files so that I can stream the movies from this QNAP NAS to either my NVIDIA Shield TV in one room, or to one of my Amazon Fire TV 4K sticks in other rooms.

So on the one hand I have important files/docs that I wish to safeguard and secure. On the other, I also have all of these movies and a growing collection that I also want to store on the QNAP NAS as well as stream from (Not so important).

I'm not entirely sure on the best way to design my small network so that the QNAP NAS will be secure in the event that my Home Network is hijacked/hacked yet I want to be able to stream movies trouble-free.

I know that the Orbi does support VLANs.

I also have a brand-new ZyXEL 24-port Managed Switch that also supports VLANs among other features.

I have an older SonicWALL TZ210 Router/Firewall.

So my questions are:

1. - Would it be a good idea to insert another Router/Firewall or dedicated Firewall appliance into this scenario, in order to add another layer of protection to the NAS?

If the answer is 'YES', would I be OK with using this older SonicWALL TZ210? I was going to renew the security updates but I just found out that it will be EOL this month. Or would I be better off with a small firewall appliance such as a Sophos XG 85 / Untangle u25x / pfSense SG-1000 or SG-3100?

2. - Regardless of which appliance I use, where exactly or how exactly should I position it within the overall Network topology?

For example, I was thinking of having it just sit between the Orbi and the QNAP NAS. That way, if someone were to gain access and get past the Orbi, they couldn't just easily walk into the QNAP NAS.

3. - Or would it be better to just implement some VLAN magic? Or both, a Firewall appliance + VLAN magic?

Random Notes:

- The NAS is a QNAP TVS-473, so it does have 4x Gigabit RJ45 ports.

- The NAS will be physically right next to all of the network equipment mentioned above. So there's a lot I can do with regard to physically connecting the NAS to either the Firewall appliance or the ZyXEL switch or even the ORBI for that matter, if going the VLAN direction.

Any help would be greatly appreciated.

Thank you!!

BJ
 

degrub

Very Senior Member
Use redundant removable external storage to back up your critical files and keep them off the network.
A NAS is not backup. It can be part of a backup strategy if you want.
 

sfx2000

Part of the Furniture
Something to consider - QNAP has integrated a couple of popular FOSS router packages - pfSense and OpenWRT (so pick one).

The x73 has more than sufficient horsepower to run packages like that - and QNAP has good soft switch capabilities...
 

b1ggjoe

Regular Contributor
Wow, I never thought about the soft packages for QNAP. So basically, you're saying instead of adding a firewall security appliance in front of it, implement its native or built-in security instead. Makes sense. Yeah, it came with 16GB of RAM, but I bought additional RAM separately to max it out to 64GB of RAM. It was cheaper for me going that route, instead of buying the QNAP that already came with 64GB of RAM. Very interesting.

So thus far, no vote for any VLAN magic?

I was wondering about creating a separate VLAN just for my 'Smart Devices' and 'Home Theater' devices as well. Then adding one of the QNAP RJ45's to that same VLAN for streaming purposes.

With that many NICs available, I also considered port trunking 2x of the NICs, just to help the 4K streaming....but I'm not sure.

BJ
 

coxhaus

Part of the Furniture
I vote for VLAN magic.

I had a special music server set up at my house before I had VLANs at my house, many years ago. I had spent a lot of hours setting up this music server with a stripped-down server OS and special hardware with good-sounding wires. A friend brought over his problem laptop which had a virus on it. It infected my music server. I had spent over 2 weeks building the music files. I said never again. I built VLANs on my network, including a VLAN just for music.

I think home smart devices fall into this category and should have their own VLAN.
 

b1ggjoe

Regular Contributor
Wow, that's crazy. Sounds like a great idea then. I would normally do a VLAN for only the Smart Devices and then only for Home Theater. However, I have them both sort of integrated. For example, I followed a tutorial on YouTube to create a custom Alexa Skill to control my DirecTV from my Echo. Also integrated my Ring Doorbell Pro with my Fire TV 4K and one of my HDMI switches, so that I can say, 'Alexa...show me the front door' and then no matter what I'm watching on DirecTV, it will switch to the HDMI input where the Fire TV 4K stick is plugged into, then it will show me the Front Door.

So I guess, a VLAN just for IoT / Home Theater then. Possibly port trunk or bond two of the RJ-45 NICs on the QNAP to 2x ports on the ZyXEL to help streaming, and also dedicate them to this VLAN.

Also implement one of the FOSS security packages mentioned above for added security. Maybe a dedicated VLAN so that family members can authenticate into the QNAP and mount as a Network share to back up their files?

I'll have to see who has better VLAN capabilities, Orbi vs. ZyXEL. For example, maybe I'll set up a dynamic VLAN, so that regardless of where family members hard-wire in, they will be auto-grouped into a private VLAN for the family and can access the QNAP on that same VLAN.

Now to figure this all out...
 

b1ggjoe

Regular Contributor
Ok, here's a stupid question:

I have 2x ZyXEL switches, a GS1900-8 (8-Port) and a GS1900-24E (24-Port). According to their specs they support the following VLAN/QoS specs:

Traffic Management and QoS
• Port-based VLAN
• IEEE 802.1Q VLAN tagging
• IEEE 802.3ad LACP
• Guest VLAN
• Voice VLAN
• Storm control
• IEEE 802.1p priority queues per port
• IEEE 802.1p queuing method (scheduler)
• Input priority mapping
• Rate limiting per port (ingress/egress)
• IEEE 802.3x flow control

Looks like no support for Dynamic VLANs. Eh, I guess that's probably too much resource overhead anyway...oh well.

My 'Lil Orbi' Router seems to only support basic VLAN tagging. However, the ORBI does allow for you to create a 'Guest WiFi' and restrict users from even seeing/interacting with each other and etc.

As laughable as it may seem, my CenturyLink Modem seems to have more options for VLAN Management than the Orbi.

So, that said: since I would like to do some VLAN magic and create various types of wireless VLANs, for guests, home/family and smart home devices, is there a way to do this with my current hardware? Or do I need to purchase additional hardware like a cool little EdgeRouter X or something?

Also, I'm trying to understand: since I'm using the Orbi RBR50 with two satellites, I'm not sure how I can create additional WiFi VLANs without adding additional APs or other equipment.

Any thoughts and recommendations welcome!!

BJ
 

coxhaus

Part of the Furniture
The way VLANs and Wi-Fi work is you create a VLAN then assign a SSID to the VLAN. So you need wireless devices which support VLANs and SSIDs.
 

b1ggjoe

Regular Contributor
Hmm...that makes sense. Question:

If I were to create a few port-based VLANs via my ZyXEL switches, then hard-wire the Orbi Router into one of the VLANs, wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN on that ZyXEL switch port?

In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS routers in AP mode, hard-wired into another ZyXEL switch VLAN, just to create/have another separate WiFi VLAN?

Oddly enough, my CenturyLink modem does support WiFi VLANs and I see what you're referring to as far as selecting them and so forth. Its WiFi capabilities only support 2.4GHz but hell, might not be too bad for guests only.

I know this isn't the best design, but I'm trying here LOL.

Any more thoughts?

BJ
 

coxhaus

Part of the Furniture
I always assign a network to each VLAN I create. So I use a layer 3 device to route VLANs. I never use VLANs at layer 2, which can be done. My way works very easily. There is no distinction between networks my way. They all work the same. So I am not the best one to ask for plugging things together at layer 2 for VLANs. Consumer routers handle VLANs in different ways that I have seen in the old days. My head does it one way. You can use a router or a layer 3 switch to handle VLAN routing in my world.
 
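The two design points made above, an SSID mapped onto a VLAN (coxhaus, earlier) and one subnet per VLAN routed and filtered at layer 3 (coxhaus, just above), as an added worked example that is not from the thread, from QNAP, or from any vendor's documentation. It models the three-VLAN plan the thread is converging on (private, IoT, guest) on a generic Linux router: a policy table is evaluated for sample flows, then rendered as iproute2 802.1Q sub-interfaces, an nftables forward chain, and a multi-SSID hostapd configuration. The VLAN tags (10/20/30), the 10.0.x.0/24 subnets, the NAS address 10.0.10.10, the trunk name eth0, the bridge names and the NAS media port 8200 are all assumptions chosen for the example.

```python
"""Added example, not from the thread or any vendor: a one-subnet-per-VLAN
plan routed and filtered at layer 3, rendered as Linux 802.1Q interfaces,
an nftables forward policy, and a hostapd multi-SSID config that maps each
SSID onto its VLAN. VLAN IDs, subnets, NAS address, trunk name and media
port are assumptions."""
import ipaddress

TRUNK = "eth0"  # assumed router port facing the ZyXEL switch (802.1Q tagged trunk)

# Assumed VLAN plan: name -> (802.1Q tag, subnet). The router holds .1 in each.
VLANS = {
    "private": (10, ipaddress.ip_network("10.0.10.0/24")),  # family devices, NAS
    "iot":     (20, ipaddress.ip_network("10.0.20.0/24")),  # smart home, Shield, Fire TV
    "guest":   (30, ipaddress.ip_network("10.0.30.0/24")),  # guest SSID
}
LOCAL = ipaddress.ip_network("10.0.0.0/16")   # summary covering all three VLANs
ANY = ipaddress.ip_network("0.0.0.0/0")
NAS = ipaddress.ip_network("10.0.10.10/32")   # NAS lives on the private VLAN only
MEDIA_PORT = 8200                             # assumed TCP port of the NAS media server

# (src, dst, tcp dport or None for any, action). First match wins, default drop.
# Only connection initiation is modelled; replies are accepted by conntrack below.
POLICY = [
    (VLANS["private"][1], ANY, None, "accept"),    # private may reach everything
    (VLANS["iot"][1], NAS, MEDIA_PORT, "accept"),  # IoT may only stream from the NAS...
    (VLANS["iot"][1], LOCAL, None, "drop"),        # ...and touch nothing else local
    (VLANS["iot"][1], ANY, None, "accept"),        # cloud services for the smart devices
    (VLANS["guest"][1], LOCAL, None, "drop"),      # guests see no local network at all
    (VLANS["guest"][1], ANY, None, "accept"),
]

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None (e.g. an internet host)."""
    for name, (_tag, net) in VLANS.items():
        if ip in net:
            return name
    return None

def evaluate(src_ip, dst_ip, dport):
    """Decision for a new TCP connection src->dst:dport as seen by the router."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if vlan_of(s) is not None and vlan_of(s) == vlan_of(d):
        return "switched"  # same VLAN: stays at layer 2, the router never sees it
    for src, dst, port, action in POLICY:
        if s in src and d in dst and (port is None or port == dport):
            return action
    return "drop"

def render_vlan_interfaces():
    """iproute2 commands creating one tagged sub-interface per VLAN on the trunk."""
    out = []
    for name, (tag, net) in VLANS.items():
        gw = f"{net.network_address + 1}/{net.prefixlen}"
        out += [f"ip link add link {TRUNK} name {TRUNK}.{tag} type vlan id {tag}",
                f"ip addr add {gw} dev {TRUNK}.{tag}",
                f"ip link set {TRUNK}.{tag} up  # {name}"]
    return "\n".join(out)

def render_nftables():
    """The same POLICY as a stateful nftables forward chain with a default drop."""
    lines = ["table inet vlanfw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst, port, action in POLICY:
        m = f"ip saddr {src}"
        if dst != ANY:
            m += f" ip daddr {dst}"
        if port is not None:
            m += f" tcp dport {port}"
        lines.append(f"    {m} {action}")
    return "\n".join(lines + ["  }", "}"])

def render_hostapd(radio="wlan0"):
    """Multi-BSS hostapd config: each SSID is bridged onto its VLAN.
    Assumes a bridge br-<name> exists holding eth0.<tag>; passphrases are placeholders."""
    out = [f"interface={radio}", "driver=nl80211", "hw_mode=a", "channel=36"]
    for i, (name, (tag, _net)) in enumerate(VLANS.items()):
        if i:
            out.append(f"bss={radio}_{i}")  # additional BSS on the same radio
        out += [f"ssid=home-{name}", f"bridge=br-{name}", f"# carries VLAN {tag}",
                "wpa=2", "wpa_key_mgmt=WPA-PSK", "rsn_pairwise=CCMP",
                f"wpa_passphrase=CHANGE-ME-{name}"]
        if name == "guest":
            out.append("ap_isolate=1")  # guest clients cannot talk to each other
    return "\n".join(out)

if __name__ == "__main__":
    print(render_vlan_interfaces(), render_nftables(), render_hostapd(), sep="\n\n")
    for flow in [("10.0.20.50", "10.0.10.10", MEDIA_PORT), ("10.0.20.50", "10.0.10.10", 445),
                 ("10.0.30.7", "10.0.10.10", MEDIA_PORT), ("10.0.20.50", "10.0.20.51", 445)]:
        print(flow, "->", evaluate(*flow))
```

Two points the rendered output makes that the prose does not: a flow between two hosts on the same VLAN returns "switched", because it never reaches the router, so putting a second NAS NIC directly into the IoT VLAN (as floated earlier in the thread) means the firewall rules above cannot see IoT-to-NAS traffic at all and you are relying on the NAS's own service bindings instead; keeping the NAS on the private VLAN and punching only the media port through is what gives the router a say. And because the IoT-to-NAS allow is a single port, SMB (445) from a compromised smart device is dropped while streaming still works.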

sfx2000

Part of the Furniture
The way VLANs and Wi-Fi work is you create a VLAN then assign a SSID to the VLAN. So you need wireless devices which support VLANs and SSIDs.

And getting there: the VLAN/SSID association does require a bit more than most consumer-grade routers/APs can do.

AirPorts can do this lightly, e.g. the Guest Network is VLAN'ed out (VLAN 1003), but to get to some serious work, it's enterprise-grade APs.
 

b1ggjoe

Regular Contributor
And getting there: the VLAN/SSID association does require a bit more than most consumer-grade routers/APs can do.

AirPorts can do this lightly, e.g. the Guest Network is VLAN'ed out (VLAN 1003), but to get to some serious work, it's enterprise-grade APs.

@sfx2000,

Thank you for the feedback. Looks like I'm going to have to bite the bullet and add additional Enterprise-class APs to my whole new setup, in order to accomplish my goals. Any recommendations?

My main thing is that I need support for Multiple SSIDs and Multiple VLANs.

I was looking at this article here:

https://www.smallnetbuilder.com/wir...91-2x2-ac-access-point-roundup-part-2?start=9

I was leaning towards the Ubiquiti AP-AC-PRO or the AP-AC-LR...but now I'm not sure.

BJ
 

b1ggjoe

Regular Contributor
Well, I ended up purchasing 3x Ubiquiti AC AP LR units.

Now, I’m at the last stage of my decision making LOL.

I’m trying to decide what would be better as far as security and performance goes:

1. - Remove the entire Orbi ecosystem and replace it with my 3x Ubiquiti APs, and use them for all three WiFi networks (Private, Guest and IoT).

2. - Use both the Orbi ecosystem and the 3x Ubiquiti APs together.

2.B - Then, if using both the Orbi ecosystem and 3x Ubiquiti APs, which would be better for the Private WiFi, the IoT WiFi and the Guest WiFi?

The Orbi and 2x SATs also have built-in switches, so they can extend the Ethernet drops that they will be plugged into.

I’m also not sure what kind of RF interference could result from the Orbi and SATs being placed close to where the Ubiquiti APs will be located.

Hmmmmm...what to do.

BJ
 
