Home network security

abudabi

I used to have only my router and pc/ps4/cell on my home network.

These days I have tens of devices, from TVs to light switches etc., on my network and I need to get serious with security.

I have fibre flowing into my Mikrotik router, which is connected to 2 x wireless APs.

A guest Wi-Fi SSID/IP range I think is a given.
For my own devices, should I also run various IP ranges per "category" (IoT devices, PCs, TVs, cell phones etc.)? Sure, this will affect the LAN accessibility of these devices though (controlling lights from my phone).

What do you guys use / recommend?
 
Most advise making use of VLANs if possible, with segregated subnets and SSIDs etc., to keep it all apart.

Personally, even though I'm perfectly capable of the above, I feel it's unnecessarily complex and I'd rather focus on more specific per-device security that would have benefits everywhere rather than just in my house.

Further I try to keep all the IoT devices off the cloud so far as possible which ultimately negates the need for this perceived security risk.

Lastly I’m also somewhat of the opinion that if you are that desperate to hack my **** then hack away because you really won’t get very far.

If you are being specifically targeted for hacks you have much bigger problems anyway.

Network security is ultimately the fine line between usability and convenience and if you go too crazy with it then you might as well plug it all out and not bother.
 
I have a full Ubiquiti setup with dedicated VLANs/SSIDs for Internal, IoT and Guest. On the IoT LAN I have all my security stuff, lights, audio, video, Tasmota Sonoffs, Home Assistant, etc. From Internal I can go anywhere. IoT and Guest are restricted. Guest is restricted to use only 20% of total internet bandwidth (just cos I had workers using my WiFi at home and didn't need them eating it all up).

I also have different DNS for the zones. I standardise on Pi-hole for the entire network, but on Internal, if I open Netflix, I get the US version; Guest or IoT will get SA Netflix. Pi-hole blocks most adverts so all users on the network are protected, and the IoT LAN is restricted to using a Pi-hole DNS server so most telemetry is blocked too.

Is it complicated to manage? Hell yeah - initially.

I record everything in an Excel spreadsheet with regards to IPs, etc., and the Ubiquiti does the rest. It is a truly magical platform and does make admin much easier. It is also rock solid reliable.
 
> I have a full Ubiquiti setup with dedicated VLANs/SSIDs for Internal, IoT and Guest. On the IoT LAN I have all my security stuff, lights, audio, video, Tasmota Sonoffs, Home Assistant, etc. From Internal I can go anywhere. IoT and Guest are restricted. Guest is restricted to use only 20% of total internet bandwidth (just cos I had workers using my WiFi at home and didn't need them eating it all up).
>
> I also have different DNS for the zones. I standardise on Pi-hole for the entire network, but on Internal, if I open Netflix, I get the US version; Guest or IoT will get SA Netflix. Pi-hole blocks most adverts so all users on the network are protected, and the IoT LAN is restricted to using a Pi-hole DNS server so most telemetry is blocked too.
>
> Is it complicated to manage? Hell yeah - initially.
>
> I record everything in an Excel spreadsheet with regards to IPs, etc., and the Ubiquiti does the rest. It is a truly magical platform and does make admin much easier. It is also rock solid reliable.

One day you have to show us how you put everything together, sounds interesting.
 
> One day you have to show us how you put everything together, sounds interesting.

The last thing I have to do is document everything. Sure is complicated. Was just thinking, what will I have to do, if I sell the house. Eeek
 
> I have a full Ubiquiti setup with dedicated VLANs/SSIDs for Internal, IoT and Guest. On the IoT LAN I have all my security stuff, lights, audio, video, Tasmota Sonoffs, Home Assistant, etc. From Internal I can go anywhere. IoT and Guest are restricted. Guest is restricted to use only 20% of total internet bandwidth (just cos I had workers using my WiFi at home and didn't need them eating it all up).
>
> I also have different DNS for the zones. I standardise on Pi-hole for the entire network, but on Internal, if I open Netflix, I get the US version; Guest or IoT will get SA Netflix. Pi-hole blocks most adverts so all users on the network are protected, and the IoT LAN is restricted to using a Pi-hole DNS server so most telemetry is blocked too.
>
> Is it complicated to manage? Hell yeah - initially.
>
> I record everything in an Excel spreadsheet with regards to IPs, etc., and the Ubiquiti does the rest. It is a truly magical platform and does make admin much easier. It is also rock solid reliable.

My network was of similar complexity, until one day, I had to go away on business for a week.

Let's just say from day two onwards my wife had to use her phone as a hot-spot so she and the kids could watch TV. :ROFL:

I still don't quite know what went wrong, I just remember resetting everything and spending an hour setting things up again when I got back.

Nowadays I rely on a much simpler, flatter network structure. It also makes it easier to direct the wife to what to do when there are issues while I'm not home.
 
> The last thing I have to do is document everything. Sure is complicated. Was just thinking, what will I have to do, if I sell the house. Eeek

Luckily I'm in my forever home so can go all-out until the ambulance comes to fetch me :D
 
> My network was of similar complexity, until one day, I had to go away on business for a week.
>
> Let's just say from day two onwards my wife had to use her phone as a hot-spot so she and the kids could watch TV. :ROFL:
>
> I still don't quite know what went wrong, I just remember resetting everything and spending an hour setting things up again when I got back.
>
> Nowadays I rely on a much simpler, flatter network structure. It also makes it easier to direct the wife to what to do when there are issues while I'm not home.

Exactly. However, since switching to this, everything has been 100% reliable - Internet, Wi-Fi coverage around the house, performance, etc. No issues whatsoever... but

In my case, load shedding borked the Ubiquiti controller on the Raspberry Pi, so nothing was working. It also didn't help that the USG itself got corrupt somehow. Thankfully, I did make notes of all the customisations I did and how to restore everything, but first I had to set up the USG as a standalone firewall just to get internet to download stuff, then used a Ubiquiti backup file to restore the controller on my Windows PC as a stopgap measure, so that I could then redo the Pi all over again. The Ubiquiti backup / restore is amazing - it works cross-platform :D

Anyway, this is the reason I am now in the process of doing what I do at work - building redundancy - in this case, backup power for all my critical equipment (HOMECRIT) and switching everything to a PC/SSD. Thankfully, I ensured everything for all my devices is in one place so it is easy to manage.

This is how far one can go down the rabbit hole ... Last week I installed a Pow R2 into the electricity feed powering all my HOMECRIT equipment so that I could see how big a UPS / battery I needed. 64w on average, so about 1.6kWh a day which is not bad for a USG, 8 port POE switch, 8 x port Gigabit switch, 2 APs, 2 x Pis, 1 x NAS, 1x Sonos, 1 x HUE, 1 x efergy and one or two other small things running 24/7

The POW R2 had a new Tasmota firmware (8.1.0) that was available ... so it starts the upgrade process... then loses internet - why? Because it was powering everything that gave me the Internet :eek: so it stays in minimal firmware mode (without me knowing) ... when I finally check to fix it ... the same **** happens again .. all my HOMECRIT devices are down ... felt like Inception ... tells me that I need a UPS in between the POW and the HOMECRIT equipment so that when the POW decides to upgrade itself, I don't lose everything.

Still must document :D
 
Just redid my network.... With a poor man's VLAN :D

[Image: Net2.jpg]

Was ok when I had 1 or 2 Sonoffs.

My IoT has grown a tad (over 12 devices + cameras) so needed to split it away as well as having a way to disable it when devices tend to flood the network. (Horror stories I've heard re Google Minis and such.)

Edit: Just ordered a cheap Pi for Pi-hole that will go into the Rain Huawei to add some manageability as well as act as a DHCP server for my IoT, as the useless B315s doesn't have a way to bind my cameras to static IPs.
 
My setup is full Unifi with my home network + Guest + IoT as well. LAN can access the IoT and internet, and IoT/Guest have internet access only.

Use VLANs and different SSIDs to split everything; it keeps it nice and neat.
 
> My setup is full Unifi with my home network + Guest + IoT as well. LAN can access the IoT and internet, and IoT/Guest have internet access only.
>
> Use VLANs and different SSIDs to split everything; it keeps it nice and neat.

Yeah.... no. Looked at Unifi and it's not an option.

R2K for a Wi-Fi AP + R2K for a security gateway + 1K for managing it all, never mind buying a new switch cause POE... All that for 3 PCs, 2 phones, 2 cameras, 2 Google Nests and a couple of Sonoffs, don't think so.

I'll go with what I have, just rework how everything gets access. Had Telkom Capped LTE for my gaming and Rain LTE for off peak internet balanced via a TP-Link based on Time of Day. If I want to go Unifi I will have to add that to my existing setup as I would still like to switch PC internet between Telkom and Rain.

TLDR: Unifi is like using a 10 ton truck to move a bag of sand.
 
> Yeah.... no. Looked at Unifi and it's not an option.
>
> R2K for a Wi-Fi AP + R2K for a security gateway + 1K for managing it all, never mind buying a new switch cause POE... All that for 3 PCs, 2 phones, 2 cameras, 2 Google Nests and a couple of Sonoffs, don't think so.
>
> I'll go with what I have, just rework how everything gets access. Had Telkom Capped LTE for my gaming and Rain LTE for off peak internet balanced via a TP-Link based on Time of Day. If I want to go Unifi I will have to add that to my existing setup as I would still like to switch PC internet between Telkom and Rain.
>
> TLDR: Unifi is like using a 10 ton truck to move a bag of sand.

Not sure how you got to that, but for me using a Unifi AP is all that you really need. The management server doesn't need to run 24/7, only when you need to reconfigure the AP, but that said it can run alongside Home Assistant on a Pi easily. Then it's only R2k for the AP. I still use a Mikrotik RB750Gr3 router and am very happy with it as is.
 
> Yeah.... no. Looked at Unifi and it's not an option.
>
> R2K for a Wi-Fi AP + R2K for a security gateway + 1K for managing it all, never mind buying a new switch cause POE... All that for 3 PCs, 2 phones, 2 cameras, 2 Google Nests and a couple of Sonoffs, don't think so.
>
> I'll go with what I have, just rework how everything gets access. Had Telkom Capped LTE for my gaming and Rain LTE for off peak internet balanced via a TP-Link based on Time of Day. If I want to go Unifi I will have to add that to my existing setup as I would still like to switch PC internet between Telkom and Rain.
>
> TLDR: Unifi is like using a 10 ton truck to move a bag of sand.

The point is keeping everything on different VLANs, if you run different IP ranges on the same VLAN that's a security no-no.

You can do the same with a Mikrotik setup or anything really that can do VLANs and a gateway that can do some kind of firewalling/ACLs.

I am not telling you to buy Unifi, I bought it cause it's really easy to manage. There is other kit that will be able to do the same for less.

Unifi just works great for my need.
 
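The zone policy the thread keeps coming back to (Internal goes anywhere, IoT and Guest get internet only, IoT is forced onto the Pi-hole for DNS, Guest is bandwidth-capped), written out as an added RouterOS configuration for the Mikrotik router the OP mentions. This is an illustration, not config from any poster; the VLAN IDs, subnets, the Pi-hole address 192.168.10.53, ether1 as WAN, ether2/ether3 as AP trunk ports and the 100M line are all assumptions.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN, ether2/ether3 = AP trunk
# ports, VLAN 10 Internal, 20 IoT, 30 Guest, Pi-hole at 192.168.10.53, 100M line.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
/interface vlan
add interface=bridge name=vlan10-internal vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30
/interface bridge vlan
# the bridge itself is a tagged member so the router's VLAN interfaces above see the traffic
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10,20,30
/ip address
add address=192.168.10.1/24 interface=vlan10-internal
add address=192.168.20.1/24 interface=vlan20-iot
add address=192.168.30.1/24 interface=vlan30-guest
/interface list
add name=LAN
/interface list member
add interface=vlan10-internal list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
/ip firewall nat
# IoT devices get the Pi-hole whatever DNS they hard-code (dstnat runs before the forward chain)
add chain=dstnat action=dst-nat in-interface=vlan20-iot protocol=udp dst-port=53 to-addresses=192.168.10.53
add chain=dstnat action=dst-nat in-interface=vlan20-iot protocol=tcp dst-port=53 to-addresses=192.168.10.53
add chain=srcnat action=masquerade out-interface=ether1
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Internal can go anywhere (internet and both other zones)
add chain=forward action=accept in-interface=vlan10-internal
# IoT may reach the Pi-hole for DNS only, and otherwise only the internet
add chain=forward action=accept in-interface=vlan20-iot dst-address=192.168.10.53 protocol=udp dst-port=53
add chain=forward action=accept in-interface=vlan20-iot dst-address=192.168.10.53 protocol=tcp dst-port=53
add chain=forward action=accept in-interface=vlan20-iot out-interface=ether1
# Guest is internet only
add chain=forward action=accept in-interface=vlan30-guest out-interface=ether1
# anything else between zones (IoT->Internal, Guest->IoT, ...) is dropped
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN
/queue simple
# Guest capped at 20% of the assumed 100M line
add name=guest-cap target=192.168.30.0/24 max-limit=20M/20M
/interface bridge
set bridge vlan-filtering=yes
```

Per-VLAN DHCP servers and input-chain rules protecting the router's own management ports are left out; without the latter, Guest and IoT clients can still reach the router itself, so add those before relying on this.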
> Not sure how you got to that, but for me using a Unifi AP is all that you really need. The management server doesn't need to run 24/7, only when you need to reconfigure the AP, but that said it can run alongside Home Assistant on a Pi easily. Then it's only R2k for the AP. I still use a Mikrotik RB750Gr3 router and am very happy with it as is.

If you only use a Unifi access point, how are you going to manage the wired connections?

Still going to need the 2K gateway. As for running alongside Home Assistant, yeah sure, HassIO on a Pi is not the fastest and now you want to add more to it. Sure, can run the config on a PC but would like it dedicated so I can access it from somewhere else :D

> The point is keeping everything on different VLANs, if you run different IP ranges on the same VLAN that's a security no-no.

I know, that's why they're on different networks ;) aka poor man's VLAN
 
> If you only use a Unifi access point, how are you going to manage the wired connections?
>
> Still going to need the 2K gateway. As for running alongside Home Assistant, yeah sure, HassIO on a Pi is not the fastest and now you want to add more to it. Sure, can run the config on a PC but would like it dedicated so I can access it from somewhere else :D

The Mikrotik router does that just fine? Not sure what you're asking...

Don't need the 2K gateway, and the Unifi software really doesn't add any load to the Pi.
 
> Yeah look, if you want to be stupid then make do with what you have. I explained to you how I do it on my network, not sure why you're looking for a Mikrotik router in your own network.

No need to insult?

Think we're talking over each other. I am talking about making do with what I have and still being reasonably secure, as well as why I did not go Unifi, while you're on about something else.
 