Your recommendations on my Home network architecture

[XabiX]

Hello SNB friends,

I have been reading a lot around but most of the time, I don't find a similar network to get the best ideas on how to setup my home network. Usually companies will have a network architect and security guru that would be able to help

Here is what I had in mind:

• The OverTheBox it's a service to agregate several internet lines in one big pipe towards the internet. More on https://www.ovhtelecom.fr/overthebox/ (in French).
• My switch is an Ubiquiti ES-24-lite which I was planning to segment with VLANs in WAN, CAM and LAN switches
• I am planning to install a Pfsense VM on Virtualbox to replace the Asus AC87u that I am using today . So Pfsense will do the routing & FW while the Asus will do the AP.
• Note the Host as only one NIC so I was thinking to use VLANs on the switch and on each server: NAS, OTB and Pfsense to separate the "physical' interfaces.

1. Is this OK or too complex to have separate networks behind operators boxes? In other words should I flatten the networks and rely on the OTB to send it all (DMZ) to the Pfsense which will then route on the same LAN to other devices.
2. I am concern of the security of my NAS (host) in WAN network. I did put it there for CAMs to record the video streams. Otherwise I may have to put the CAMs and the NAS in the LAN side behind the Pfsense? then I can do a VPN from any public client to the Pfsense to get access to the LAN network
3. An alternative to simplify is to keep using the AC87u instead of the PSense (it can do VPNs etc... but I was concerned of is capability to sustain capacity/stability. Besides VLANs are not easily with the Asus merling fw manageable)?

Let me know if I am not being clear and what are the recommendations for such network.

MANY THANKS
XabiX

 

[MichaelCG]

1.) Too complex is up to you on what you want to build, support, and troubleshoot. A flat network is soooooo much simpler to deal with, however it comes with security segmentation trade-offs. Unless you know why you are segmenting...don't. Just doing segmentation because you can generally doesn't work out the best.

2.) Why would you ever directly expose your NAS to the Internet? Never....ever....do that. Setup OpenVPN or something else to securely connect in to access the data you are after. You will want your camera and NAS on the same subnet from a traffic efficiency perspective...especially with you using a single NIC on your VM server. However...that comes with a trade-off that now your LAN clients accessing the NAS will now need to traverse the FW which may now be optimal.

Why are you isolating the cameras from the LAN? Do you not trust your cameras or your LAN? Who/What/Why are you isolating?

Using a single NIC is fine assuming your expectation of speeds never exceeds 200Mbps'ish.....assuming it is a 1Gb connection. You can always work to add a 2nd NIC later if you wish to improve speeds.

3.) VPN...my vote is pfSense. You are correct in that you will have speed scaling challenges on the 87u when compared to pfSense...of course assuming your VM server has a decent CPU behind it. Heck....if you wanted, you could actually build a dedicated 2nd pfSense VM just for VPN if you really wanted to go down the secure segmentation route.

 

[XabiX]

Thanks MichaelCG.

I have decided to buy a 2 ethernet PCI card to make things much easier and proper.

I will flatten the network and just differentiate WAN vs LAN and put the CAMs in the LAN together with the NAS (host server).
The OTB VM will stay alone on the WAN to aggregate the different access and the Pfsense will do routing and firewalling so all my internal traffic stays in the same L2.

Here is the new diagram.

To me it seems more logical and easier to maintain.

MERCI