I'm going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I'm not an expert and would appreciate a few extra pairs of eyes in case I'm missing something obvious.
Hardware available:
MikroTik RouterBoard - 5 ports
Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
some dumb switches
Devices (by logical category; VLANs?):
main - computers and phones (Wi-Fi for now, I plan to run cable)
media - outgoing traffic limited to certain trusted sites; probably no VPN
untrusted - cannot access internet, can be accessed from main
guest - can only access internet, potentially through a separate VPN from main
Special devices:
NAS (Linux box) - can access main, media, and DMZ
printer - accessible from main; the rest of the devices on untrusted don't need to be (I can tunnel through the NAS if needed); I can potentially configure a CUPS server on the NAS to route print jobs if needed
Plan:
Router ports:
Internet
WiFi APs
main VLAN
untrusted (VLAN)
unused (or maybe media VLAN)
WiFi SSIDs (currently have 2.4 GHz and 5 GHz SSIDs):
main VLAN
guest VLAN
untrusted - hidden SSID (mostly for printer) - 2.4GHz only
If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.
This is my first time configuring VLANs, so I'm not really sure what my options are. Also, I'm not super familiar with MikroTik routers (I'm not a sysadmin or anything, just a hobbyist); I just got fed up with crappy consumer hardware and wanted something a bit more reliable.
Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?
Edit: DMZ is the wrong term, so I replaced it with "untrusted". By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can't initiate connections outside their VLAN. However, that's not necessary, since I can tunnel through my NAS if needed.
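Added example, not from the post or from MikroTik: one way to express the policy above (main reaches the Internet and may initiate connections into untrusted, guest gets Internet only, untrusted gets nothing it did not receive through a flow that main started) in RouterOS v7 with bridge VLAN filtering. It assumes ether1 is the Internet port, ether2 is wired main, ether3 is wired untrusted, and ether4 is the trunk to the AP; VLAN IDs 10/20/30 and the 192.168.x.0/24 ranges are made-up choices.

```routeros
# Assumed port roles: ether1 = WAN, ether2 = main (untagged), ether3 = untrusted (untagged),
# ether4 = trunk to the AP carrying VLANs 10/20/30 tagged. IDs and addresses are illustrative.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge port add bridge=bridge1 interface=ether4
# Bridge VLAN table: the bridge itself is tagged so the router can have an IP on each VLAN.
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether4 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether4 untagged=ether3 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=30
/interface vlan add interface=bridge1 name=vlan10-main vlan-id=10
/interface vlan add interface=bridge1 name=vlan20-untrusted vlan-id=20
/interface vlan add interface=bridge1 name=vlan30-guest vlan-id=30
/ip address add address=192.168.10.1/24 interface=vlan10-main
/ip address add address=192.168.20.1/24 interface=vlan20-untrusted
/ip address add address=192.168.30.1/24 interface=vlan30-guest
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN
# Forward chain: connection state first, then explicit allows, then a default drop.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# main: Internet, plus it may open connections into untrusted (e.g. to the printer)
add chain=forward action=accept in-interface=vlan10-main out-interface-list=WAN
add chain=forward action=accept in-interface=vlan10-main out-interface=vlan20-untrusted
# guest: Internet only; nothing towards any VLAN
add chain=forward action=accept in-interface=vlan30-guest out-interface-list=WAN
# untrusted: no rule at all, so it cannot start flows to WAN or to other VLANs
add chain=forward action=drop comment="default deny between VLANs and to WAN"
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN
# Turn filtering on last so you are not locked out while the table is incomplete.
/interface bridge set bridge1 vlan-filtering=yes
```

DHCP servers and the input chain (which VLANs may reach the router's own DNS, DHCP and management) are left out; guest and untrusted still need input rules allowing DHCP and DNS, and a separate VPN for guest would be added as a second routing table with a mangle rule marking guest traffic.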
Good point. I plan on moving my important stuff (NAS and router) into a closet, which would make using a UPS much more reasonable. Right now the router is in my bedroom, the NAS is on my desk, and the AP is in the hallway (though powered via PoE).
And yeah, I definitely want the network to stay up in a power outage since there's still value in accessing the NAS to make last minute backups or whatever.
I think the sketched setup is mostly good; segregating untrusted stuff is a great idea. I wouldn't hide any SSIDs because that makes MITM easier.
I'd invest in a simple Ubiquiti PoE switch and use your MikroTik router as a firewall if it supports it. Put it between the modem and the switch, and now you can use your switch to control access to the internet through VLANs. Use your ISP's modem as an uplink; have it set up in bridge mode if possible to prevent double NAT. A Ubiquiti switch integrates well with the AP setup, and you can much more easily push out VLANs that work through the wired network as well. It also saves you the injector for the existing AP and makes it easy to add additional ones.
Thanks for the feedback! I'll look into a Ubiquiti switch. My current AP is passive PoE, so I don't have an active PoE switch yet; I might as well go managed for that.
I wouldn't hide any SSIDs because that makes MITM easier.
Ok, makes sense. I guess the broadcast opens me up to that.
I'll look into adding the printer to a VLAN by MAC; it's really only the one device that needs Wi-Fi access that I don't want talking to the network (it's outside the security update window).
Just my opinion - This seems crazy overcomplicated to me... Just to stop a Chromecast from dialing home and to mask your IP address? What do you think game servers are doing with your IP address anyway?
You're going to be spending so much time troubleshooting and explaining to others in your house why "sometimes Netflix doesn't work" or why latency in games is sometimes high.
Rather than handling all these issues at the network layer why not sate your paranoia with tor-browser and a desktop vpn when you want to mask your Internet traffic?
It's not the games themselves I'm worried about, but what gets leaked in a breach.
I also don't want to give ad companies more ways to uniquely identify me, troll admins ways to doxx me, etc. They don't need my IP for anything, so if I can protect myself and my family with a simple config change, why not?
Though maybe I'll make an "insecure" VLAN to allow temporarily bypassing the VPN if it causes issues.
tor-browser and a desktop vpn when you want to mask your Internet traffic?
I want to protect my wife and kids as well, not just myself, and getting them to manage their own VPN would be a hassle for everyone.
My state is also passing stupid laws, such as parental permission for kids to access social media. This means they and I would need to provide PII just to make a stupid account. My kids don't use SM yet and Lemmy is my only SM, but I would like to protest this by using a VPN so my data leaves the state. If this passes at the national level, I'll have to VPN into Canada or something instead.
Sorry, it's difficult for me to care too much about IP addresses being "leaked" since they're basically public information. I can "leak" IPs by scanning a subnet and reporting systems that respond to "ping". Account information being leaked is much more serious, though.
There used to be a time when everybody's name, phone number and address were printed in books and literally dropped on your doorstep for free. But your IP address is now highly confidential info for... reasons.
They don’t need my IP for anything, so if I can protect myself and my family with a simple config change, why not?
Why not? Rapidly diminishing returns - that's why. Each component you add to your network is a point of failure that takes work to maintain and gains you very little in actual value. Your IP address is the very least important bit of information compared to the account and credit card information you may be providing to your services. Especially if you're on a NAT'd connection from your ISP - your IP address isn't even unique to you.
And to protect you from... what exactly? Everyone who rants about "MY IP ADDRESS!" seems to fear only nebulous bogeymen. Seriously, I think VPN marketing is having a crazy effect on people. "HAXORS MIGHT GET YOUR IP ADDRESS!!!" ... and do ... what exactly?
The biggest threat to self-hosting is automated scanning and intrusion done by hordes of bots. They just blindly scan and look for hosts exposing compromised services. They don't get "lists of IP addresses" from a leak to scan. Do you know how much greater effort it would be for somebody to spend time specifically curating IP addresses vs. just blindly scanning?