Network Security Setup Advice Needed

david-bann (Active Member, joined Aug 11, 2008)
Hey everyone,

I have recently upgraded my home network and want to secure it now but need guidance please. I’m not afraid to get my hands dirty but I am by no means an expert in networking. I understand basic concepts such as VLANs, subnets, ports, etc., but still have a long way to go in my overall understanding of network security and “best practices”.

This is my current hardware setup:
  • Ubiquity UCG-Ultra
  • Unifi access points
  • Reyee POE Managed switches
  • Dahua IP NVR and cameras
  • IOT devices
  • Intel NUC running Home Assistant
A basic diagram of what I think I am trying to achieve:
[image attachment: network diagram]

This is what I think I need to set up on the UCG:
Network | VLAN ID | WLAN          | Notes
--------|---------|---------------|------
Default | 1       | Family        | To be used for family member devices like mobile, iPads, laptops, printer, etc.
CCTV    | 2       | n/a           | For our CCTV cameras, to isolate from other networks. For now I only have wired cameras but might add wireless later, in which case I will create a new WLAN for that linked to the Camera network.
Guest   | 3       | Guest         | We run a single unit B&B and want them isolated from our other networks.
IOT     | 4       | Smart Devices | For all the IOT devices such as light switches, globes, breakers, Google Nest speakers, etc.

Questions:
  • Any suggested changes to my approach above? i.e. any potential problems, risks or better ways?
  • Should my Home Assistant server be on the IOT network, along with all other IOT devices?
  • Since I am not using Ubiquity managed switches, but rather Reyee managed switches, how do I handle the VLANs? I mean, do I create the VLANs on the UCG and mirror the same VLAN IDs on the Reyee switches? Will that pass through correctly if I do that?
  • I’m not experienced with VLAN config, so some guidance on how to configure the Reyee VLANs would be appreciated – i.e. do I set the port connected to the UCG as an access or trunk port, and do I set it to tag packets or not? Then the same question for ports to APs, to TVs, Home Assistant server, other switch, etc.
  • I will obviously need to set up firewall rules to control which networks have access to what. Unifi now manages that through Zones. Would also appreciate some guidance on what types of rules I need to create.
Hopefully I've provided enough context, but please let me know if you need clarity on anything.

Many thanks
David
 
Overall design looks solid. I would also look to utilise some sort of captive portal for the BnB - and think of using tokens as well that you create and setup out of the Unifi gateway.

My HA is running on the main trusted network while all my IoT devices are on an untrusted VLAN, then I have a firewall rule granting the HA device access to the IoT network.

I am not sure how Reyee handles the VLANs and tags but it SHOULD be standard - so setting them up on Unifi should propagate them through with little issues. I run a full Unifi stack so mine is seamless from that perspective. I HAVE tagged certain ports (CCTV) where necessary

The Zone based firewall makes doing rules much easier than what it used to be - check this out


 
I am not sure how Reyee handles the VLANs and tags but it SHOULD be standard - so setting them up on Unifi should propagate them through with little issues. I run a full Unifi stack so mine is seamless from that perspective. I HAVE tagged certain ports (CCTV) where necessary

This is one thing I hate about my Reyee POE switches. No matter whether you config them in the cloud or log into each one remotely, you have to manually go into each one and setup all the VLANs for each port. First you have to go to a separate area to enter all the allowable VLAN IDs, then you have to go to each port and configure whether the port is an access port or a trunk port, then what the native VLAN is, and then what VLANs are allowed to go through if it's a trunk port. If you have 5 switches like I do, you have to do this 5 times. It sucks compared to how easy it is to do in Unifi.
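The reply above lists the per-port settings each Reyee switch asks for (the allowed VLAN ID list, access vs trunk per port, the native VLAN, and which VLANs a trunk carries). Repeating that by hand across five switches is exactly where mismatches creep in, so here is an added example (not the poster's configuration and not Reyee or Unifi tooling) that models those settings in Python and checks a constructed plan against the VLAN table from the first post. The switch port names (gi1, gi2, ...) and both plans are hypothetical.

```python
"""Added example, not from the thread: a checker for a per-port VLAN plan.

It models the settings the reply describes for the Reyee switches (the list of
allowed VLAN IDs, access vs trunk per port, the native VLAN, and which VLANs a
trunk carries) and verifies a constructed plan against the VLAN table from the
first post. Switch and port names (gi1, gi2, ...) are hypothetical.
"""
from dataclasses import dataclass, field

# VLAN table from the first post: ID -> network name.
VLANS = {1: "Default", 2: "CCTV", 3: "Guest", 4: "IOT"}


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    native: int                                # PVID: the untagged VLAN on this port
    allowed: set = field(default_factory=set)  # tagged VLANs carried (trunk only)


def check_port(port: Port, vlans: dict = VLANS) -> list[str]:
    """Return the problems found on one port; an empty list means it is consistent."""
    problems = []
    if port.mode not in ("access", "trunk"):
        return [f"{port.name}: unknown mode {port.mode!r}"]
    if port.native not in vlans:
        problems.append(f"{port.name}: native VLAN {port.native} is not defined on the gateway")
    if port.mode == "access" and port.allowed:
        problems.append(f"{port.name}: an access port must not carry tagged VLANs {sorted(port.allowed)}")
    for vid in sorted(port.allowed):
        if vid not in vlans:
            problems.append(f"{port.name}: allowed VLAN {vid} is not defined on the gateway")
    if port.mode == "trunk" and port.native in port.allowed:
        problems.append(f"{port.name}: VLAN {port.native} is both untagged (native) and tagged")
    return problems


def check_uplink(ports: dict, uplink: str) -> list[str]:
    """The trunk towards the UCG must carry every VLAN any other port on the switch
    uses, otherwise frames from that port are silently dropped at the uplink."""
    up = ports[uplink]
    carried = set(up.allowed) | {up.native}
    problems = []
    for name, p in ports.items():
        if name == uplink:
            continue
        missing = ({p.native} | set(p.allowed)) - carried
        if missing:
            problems.append(f"{name} needs VLAN(s) {sorted(missing)} but uplink {uplink} does not carry them")
    return problems


def validate_switch(ports: dict, uplink: str) -> list[str]:
    """All per-port checks plus the uplink coverage check, in port order."""
    problems = []
    for p in ports.values():
        problems += check_port(p)
    return problems + check_uplink(ports, uplink)


# Constructed plan for one switch: uplink trunk to the UCG, a trunk to an AP that
# broadcasts the Family, Guest and IoT SSIDs, and access ports for end devices.
SWITCH_OK = {
    "gi1": Port("gi1", "trunk", native=1, allowed={2, 3, 4}),  # to UCG-Ultra
    "gi2": Port("gi2", "trunk", native=1, allowed={3, 4}),     # to UniFi AP
    "gi3": Port("gi3", "access", native=2),                    # wired camera
    "gi4": Port("gi4", "access", native=1),                    # TV / laptop
    "gi5": Port("gi5", "access", native=4),                    # IoT device
}

# Constructed plan with two typical mistakes: CCTV left off the uplink, and a mistyped PVID.
SWITCH_BAD = {
    "gi1": Port("gi1", "trunk", native=1, allowed={3, 4}),
    "gi2": Port("gi2", "access", native=2),
    "gi3": Port("gi3", "access", native=9),
}

if __name__ == "__main__":
    for label, plan in (("ok", SWITCH_OK), ("bad", SWITCH_BAD)):
        print(label, validate_switch(plan, "gi1") or "no problems")
```

The uplink check is the one worth keeping: a camera on an access port in VLAN 2 behind a trunk that only carries 1, 3 and 4 simply never reaches the NVR, and nothing in the switch UI tells you why.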
 
Following this, I have a similar setup and have already set up similar VLANs but am busy with access, rules, firewall, filters, etc.
 
One thing I have done is my cameras don't have a gateway address so they can't access the net. I use Frigate as my NVR.
 
One thing I have done is my cameras don't have a gateway address so they can't access the net. I use Frigate as my NVR.

Same. Frigate and all my cameras are on their own VLAN, and only the Frigate NVR has internet access. There's no need to not give the cameras a gateway address, just a simple rule in the firewall to block their access is sufficient. One thing to note though is that your cameras still need access to an NTP server so that they all show the same timestamp on the video, otherwise over time the timestamps start to drift. My OPNsense router runs its own NTP server so I also have a firewall rule to allow the cameras to access the NTP UDP port on the router. You will have to go into each camera and set the NTP server to be the IP address of the router.
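The replies so far describe the inter-VLAN rules in words: HA on the trusted network may reach the IoT VLAN, cameras are blocked from the internet but allowed to the router's NTP port, and Guest is isolated. The following is an added example (not anyone's actual UCG or OPNsense configuration) that writes those rules down as an ordered, default-deny policy in Python and evaluates it over constructed flows, which is a useful way to sanity-check a zone matrix before typing it into the firewall. The subnets, the router addresses and every flow are constructed.

```python
"""Added example, not the thread's own gateway configuration: a small model of a
zone-based inter-VLAN policy, evaluated over constructed flows.

Zones follow the VLAN table in the first post; the rules encode what the replies
describe (Home Assistant on the trusted network reaching IoT, cameras allowed
only to the router's NTP port and otherwise blocked from the internet, Guest
isolated). Subnets, gateway addresses and every flow below are constructed.
"""
import ipaddress

# Assumed addressing: one /24 per VLAN, router at .1 on each.
ZONES = {
    "Family": ipaddress.ip_network("192.168.1.0/24"),
    "CCTV":   ipaddress.ip_network("192.168.2.0/24"),
    "Guest":  ipaddress.ip_network("192.168.3.0/24"),
    "IoT":    ipaddress.ip_network("192.168.4.0/24"),
}
GATEWAY_IPS = {net[1] for net in ZONES.values()}  # the router's interface in each VLAN


def zone_of(ip) -> str:
    ip = ipaddress.ip_address(ip)
    if ip in GATEWAY_IPS:
        return "Gateway"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Internet"  # anything outside the home subnets


# Ordered rules: (src zone, dst zone, proto, dst port, action). "*" matches any zone,
# None matches any proto/port. First match wins; anything unmatched is denied.
RULES = [
    ("*",      "Gateway",  "udp", 53,   "allow"),  # DNS from every VLAN to the router
    ("*",      "Gateway",  "udp", 67,   "allow"),  # DHCP
    ("Family", "Internet", None,  None, "allow"),
    ("Family", "IoT",      None,  None, "allow"),  # HA on the trusted net -> IoT devices
    ("Family", "CCTV",     None,  None, "allow"),  # viewing the NVR / cameras
    ("Guest",  "Internet", None,  None, "allow"),
    ("IoT",    "Internet", None,  None, "allow"),  # cloud-dependent devices
    ("CCTV",   "Gateway",  "udp", 123,  "allow"),  # NTP only, as the reply describes
    ("CCTV",   "Internet", None,  None, "deny"),
]


def evaluate(src, dst, proto="tcp", dport=None) -> str:
    """Decide the first packet of a new flow. Return traffic of an allowed flow is
    assumed to be handled by the firewall's connection tracking, so only the
    initiating direction matters here."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow"  # same VLAN: the switch forwards it, the firewall is not in the path
    for rs, rd, rp, rport, action in RULES:
        if (rs in ("*", sz) and rd in ("*", dz)
                and (rp is None or rp == proto)
                and (rport is None or rport == dport)):
            return action
    return "deny"  # default deny between zones


# Constructed flows: (description, src, dst, proto, dport). 203.0.113.5 is a
# documentation-range address standing in for an internet host.
FLOWS = [
    ("HA to IoT MQTT",             "192.168.1.20", "192.168.4.50", "tcp", 1883),
    ("IoT device to family laptop", "192.168.4.50", "192.168.1.20", "tcp", 445),
    ("camera to internet NTP",     "192.168.2.10", "203.0.113.5",  "udp", 123),
    ("camera to router NTP",       "192.168.2.10", "192.168.2.1",  "udp", 123),
    ("camera to router web UI",    "192.168.2.10", "192.168.2.1",  "tcp", 443),
    ("guest to family laptop",     "192.168.3.5",  "192.168.1.20", "tcp", 22),
    ("guest to internet",          "192.168.3.5",  "203.0.113.5",  "tcp", 443),
]


def decisions(flows=FLOWS) -> dict:
    """Evaluate every constructed flow and return {description: verdict}."""
    return {desc: evaluate(s, d, p, port) for desc, s, d, p, port in flows}


if __name__ == "__main__":
    for desc, verdict in decisions().items():
        print(f"{verdict:5} {desc}")
```

Two things the model makes visible that the prose does not: the camera NTP rule only works if the cameras point at the router's own address (a camera set to an internet NTP pool is still denied), and the same-VLAN shortcut is a reminder that nothing in this policy separates two devices inside the IoT VLAN from each other.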
 
Same. Frigate and all my cameras are on their own VLAN, and only the Frigate NVR has internet access. There's no need to not give the cameras a gateway address, just a simple rule in the firewall to block their access is sufficient. One thing to note though is that your cameras still need access to an NTP server so that they all show the same timestamp on the video, otherwise over time the timestamps start to drift. My OPNsense router runs its own NTP server so I also have a firewall rule to allow the cameras to access the NTP UDP port on the router. You will have to go into each camera and set the NTP server to be the IP address of the router.

Forgot to mention the NTP, that's exactly what I do as well.
 
Forgot to mention the NTP, that's exactly what I do as well.

I also have a dedicated VLAN for my VOIP devices. One of the best things I ever bought was a Fanvil SIP POE intercom for my front gate. Installed 3CX PBX on a Raspberry Pi, stuck it on the VLAN, bought a few cheap desktop SIP POE phones, put them in convenient spots around the house, and now whenever somebody rings the intercom, all the phones in the house ring and anybody can answer it and find out what whoever is at the door wants, usually couriers. Additionally I added a VOIP account as a SIP trunk so you can make and receive normal calls as well. And with the 3CX client app on my smartphone, I have even made it so that when somebody presses the button on the intercom it rings on my smartphone no matter where I am geographically and I can answer it as if somebody is home.
 
I also have a dedicated VLAN for my VOIP devices. One of the best things I ever bought was a Fanvil SIP POE intercom for my front gate.
Have a Fanvil Intercom on my door which I spun up asterisk on a microserver ages ago. Rings three Gigasets inside the house and perhaps once or twice it failed so I rebooted the server. Not sure if it updates firmware or not but never checked.

It doesn't ring my cell, but we live in a complex where the Gigasets have a SIP trunk to receive calls and if they don't get an answer at the security phone, our cells. So anybody at the door has been let in unless it's a neighbour.

Ubuntu, asterisk, power, only thing you ever have to worry about is the gigaset batteries.
 
All my devices are on the same network. I don't understand the risks LMAO
 
All my devices are on the same network. I don't understand the risks LMAO

The risk is real. Any IOT device on your network that calls home to a server in China, for example, can easily be used as an entry point into your network. If you have a Windows laptop on the same network and you have open ports on that laptop because maybe the software firewall on the laptop is not running or misconfigured, that IOT device can easily discover the laptop because it's on the same subnet and potentially hack into it.
 
The risk is real. Any IOT device on your network that calls home to a server in China, for example, can easily be used as an entry point into your network. If you have a Windows laptop on the same network and you have open ports on that laptop because maybe the software firewall on the laptop is not running or misconfigured, that IOT device can easily discover the laptop because it's on the same subnet and potentially hack into it.

 
I haven't investigated the details, I just added region blocking for China, North Korea and Russia and then noticed the 3 Sonoff WiFi cameras we have trying to 'phone home' all the time.

My Sonoff light switches won't work with HA unless they're connected to the cloud, unfortunately there's no way to flash them or to get them to work LAN only. Going to eventually replace them with Tuya which I've got working without any cloud connection.
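The poster only noticed the Sonoff cameras calling out because a region block started logging the attempts. The same observation can be made without a GeoIP list by reading the gateway's flow logs for IoT devices talking to anything outside the home and checking how regular those connections are. The following is an added example (not the poster's setup and not UCG or OPNsense output) written in Python over constructed log lines; the log format, the IoT subnet 192.168.4.0/24 and the destination addresses are all assumptions made for the example.

```python
"""Added example, not from the thread: spotting IoT devices that 'phone home'
by reading gateway flow logs.

The log lines below are constructed in a simple space-separated form (timestamp,
src, dst, proto, dst port), not real UCG or OPNsense output, and 192.168.4.0/24 is
assumed to be the IoT VLAN. Region lookup is left out on purpose (it needs a GeoIP
database); instead the report lists every external destination an IoT device talks
to, how often, and whether the timing is regular enough to look like a beacon.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

IOT_NET = ipaddress.ip_network("192.168.4.0/24")       # assumed IoT VLAN
HOME_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # assumed: anything else is external

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet hosts.
SAMPLE_LOG = """\
2025-10-29T08:00:00 192.168.4.50 203.0.113.10 tcp 443
2025-10-29T08:00:30 192.168.4.50 203.0.113.10 tcp 443
2025-10-29T08:01:00 192.168.4.50 203.0.113.10 tcp 443
2025-10-29T08:01:30 192.168.4.50 203.0.113.10 tcp 443
2025-10-29T08:00:05 192.168.4.51 192.168.1.20 tcp 1883
2025-10-29T08:07:12 192.168.4.52 198.51.100.7 udp 123
2025-10-29T08:00:09 192.168.1.20 203.0.113.10 tcp 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)$")


def parse(log: str):
    """Yield (timestamp, src, dst, proto, dport) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport = m.groups()
        yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), proto, int(dport))


def is_external(ip) -> bool:
    """True when the address is outside every home subnet."""
    return not any(ip in net for net in HOME_NETS)


def phone_home_report(log: str, min_hits: int = 3, jitter: float = 0.1) -> dict:
    """Map each IoT source to its external destinations with a hit count and a
    'periodic' flag: at least min_hits connections whose intervals vary by less
    than `jitter` of the mean interval (a fixed timer rather than user activity)."""
    buckets = defaultdict(list)  # (src, dst, proto, dport) -> timestamps
    for ts, src, dst, proto, dport in parse(log):
        if src in IOT_NET and is_external(dst):
            buckets[(str(src), str(dst), proto, dport)].append(ts)

    report = defaultdict(dict)
    for (src, dst, proto, dport), times in buckets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = (len(times) >= min_hits and len(gaps) >= 2
                    and statistics.pstdev(gaps) <= jitter * statistics.mean(gaps))
        report[src][f"{dst}:{proto}/{dport}"] = {"hits": len(times), "periodic": periodic}
    return dict(report)


def beaconing_devices(report: dict) -> list[str]:
    """IoT sources with at least one destination that looks periodic."""
    return sorted(src for src, dests in report.items()
                  if any(info["periodic"] for info in dests.values()))


if __name__ == "__main__":
    rep = phone_home_report(SAMPLE_LOG)
    for src, dests in rep.items():
        for dest, info in dests.items():
            print(f"{src} -> {dest}: {info['hits']} hits, periodic={info['periodic']}")
    print("beaconing:", beaconing_devices(rep))
```

Run against real logs the report is a starting point, not a verdict: a device hitting an NTP server once an hour is expected, while a camera opening a connection to the same host every 30 seconds is the kind of entry the poster saw and is worth either allowing deliberately or blocking with a rule.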
 
My Sonoff light switches won't work with HA unless they're connected to the cloud, unfortunately there's no way to flash them or to get them to work LAN only. Going to eventually replace them with Tuya which I've got working without any cloud connection.

Same for us but I haven't had any issues since implementing the region restrictions although I haven't managed to get the Sonoff WiFi cameras to work in HA but I last tried months ago.
 
I haven't investigated the details, I just added region blocking for China, North Korea and Russia and then noticed the 3 Sonoff WiFi cameras we have trying to 'phone home' all the time.
So it might as well be harmless, but it's a preventative measure?
 
Same for us but I haven't had any issues since implementing the region restrictions although I haven't managed to get the Sonoff WiFi cameras to work in HA but I last tried months ago.
HA isn't as quick and easy as XDA and some other sites make it out to be (Simply spin up HA, add your devices, and Bob's your uncle) LMAO.
 