Secured the home network...finally
Posted: Fri May 24, 2019 4:07 pm
It's been a long time coming, but I finally made the effort to segment my home network. I was originally using a Ubiquiti Edgerouter X and several unmanaged switches. I added a few Ubiquiti UniFi 8-port PoE switches (didn't go with one of their USG devices...kept the Edgerouter X).
My WAPs are old Ruckus 7982s...they are beasts. Originally $1K WAPs, got them for next to nothing used. Only A/B/G, but the signal strength is unmatched so far in my stucco/concrete bunker Florida house. I'm looking for something comparable with better speeds, but unless I pay $$$$$$$, there isn't much of an option.
So, I added the following VLANs:
--Management (router, switches, etc)
--General home devices (all desktops, laptops, mobile devices)
--Guest WiFi
--IoT devices (Apple TV, FireTV, Roku, security cams, smart outlets, thermostats, etc)
The Guest and IoT are isolated from everything, meaning they cannot initiate connections to any other LAN devices. They only get DNS (via a Pi-hole) and DHCP from the router. Security cams are blocked entirely from internet access and only viewable via the NVR (sorry Russia!). The management and Home VLANs can initiate to IoT devices, however.
It ended up taking a bit to get the VLANs working on the ER-X due to an annoying glitch that wouldn't let me remove the IP from the Switch0 interface. That's required when enabling VLAN capabilities...end result was constantly being locked out of the router until I got it right.
If anyone is using an Edgerouter and has questions, let me know. There are a lot of forum posts out there on configuring it and a hundred different ways to do things. I'll try to help if I can.
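The segmentation rules described in the post, modelled as a first-match rule evaluator (an added example, not part of the original post and not the poster's EdgeRouter configuration). All subnets, the Pi-hole and camera addresses, and the unrestricted treatment of the Management and Home VLANs are assumptions made for illustration; the point it shows is that "cannot initiate" is a stateful rule, so replies from IoT to Home still pass.

```python
import ipaddress as ip

# Constructed addressing: the post gives no VLAN IDs, subnets or host addresses.
NETS = {"mgmt": "192.168.10.0/24", "home": "192.168.20.0/24",
        "guest": "192.168.30.0/24", "iot": "192.168.40.0/24"}
ROUTER = {"192.168.10.1", "192.168.20.1", "192.168.30.1", "192.168.40.1"}
PIHOLE = "192.168.20.53"                       # assumed: Pi-hole sits on the home VLAN
CAMERAS = {"192.168.40.50", "192.168.40.51"}   # constructed camera addresses
RFC1918 = [ip.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def zone(addr):
    """Map an address to its VLAN name, or 'wan' if it is on none of them."""
    a = ip.ip_address(addr)
    return next((z for z, n in NETS.items() if a in ip.ip_network(n)), "wan")

def is_private(addr):
    return any(ip.ip_address(addr) in n for n in RFC1918)

def decide(src, dst, proto, dport, state="new"):
    """First-match verdict for a packet reaching the router from src.

    state is what connection tracking would report; it is an input here."""
    if state in ("established", "related"):
        return "accept"        # replies to a flow that was allowed to open
    z = zone(src)
    if z in ("guest", "iot"):
        if dst in ROUTER or dst == "255.255.255.255":
            # To the router itself: DHCP only, so no admin UI or SSH.
            return "accept" if (proto, dport) == ("udp", 67) else "drop"
        if dst == PIHOLE and dport == 53 and proto in ("udp", "tcp"):
            return "accept"    # the one permitted cross-VLAN destination
        if is_private(dst):
            return "drop"      # cannot initiate to any other LAN device
        if src in CAMERAS:
            return "drop"      # cameras get no internet at all
        return "accept"        # everything else here is internet-bound
    if z in ("mgmt", "home"):
        return "accept"        # trusted VLANs; unrestricted is an assumption
    return "drop"              # unsolicited traffic from the WAN

if __name__ == "__main__":
    for flow in [("192.168.20.10", "192.168.40.20", "tcp", 80, "new"),
                 ("192.168.40.20", "192.168.20.10", "tcp", 51000, "established"),
                 ("192.168.40.20", "192.168.20.10", "tcp", 445, "new")]:
        print(flow, "->", decide(*flow))
```

Feeding it the flows you expect to be blocked is a quick way to spot ordering mistakes, such as a private-range drop placed ahead of the DNS exception.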