Question: Home network security

Mar 16, 2025
Hello everyone.
In my home network, I want to create different subnets using VLANs, and I also want to implement a firewall to increase network security.
I have been considering several options:
1- Install a managed switch that can create Layer 2 VLANs.
2- Install a managed switch that can create Layer 2 VLANs + a low-cost firewall.
3- Install a router/firewall that also supports IDS/IPS.
4- Install a router/firewall that also supports IDS/IPS + a managed switch.

Perhaps another option would be to implement some solutions with a Raspberry Pi or similar.

Which option do you think would be best? Thanks!
 
You didn't really say WHY you want VLANs so it is difficult to recommend a best answer.

I will say that you have to have a VLAN-aware network all the way from your primary router to your client connection. That typically means router, switch(es) and access points. From the VLAN perspective, none of your options is complete.
IDS/IPS is good but not critical, IMO. NAT is the primary security feature for home networks. Unsolicited traffic doesn't get in. Obviously that doesn't stop a user from a phishing e-mail or such. But IDS/IPS may not either.

Security is a layered activity. Virus software, VLANs, firewall, and USER TRAINING/AWARENESS all contribute to network security.
 

Hi Kanewolf, thanks for your response.
What I want is for my ISP router to have two networks: one for Network A and the other for Network B.
That is, my ISP router will have two ports occupied: port 1 for Network A and port 2 for Network B, which will go directly to my router/firewall, switch, or whatever option I choose.
The goal is for Network A to be completely isolated from Network B.

Additionally, on Network B, I want several separate VLANs (unless I want to change that): one VLAN for IoT, another for PCs, etc.

Perhaps this will provide some more information.

Thanks.
 
It is most likely that your ISP router doesn't support VLANs or multiple DHCP servers or other things required for two networks. That is why I made the generic statement about needing hardware that is VLAN aware from start to finish.
Most ISP routers do support a guest Wi-Fi but not a separated wired network.
First question to ask: "Is the ISP router required, or can you replace it?" If you have IPTV or an IP phone from your ISP, it can be difficult to replace it.
If you are just trying to keep Network B from accessing Network A, you could use a second router in front of Network A. The WAN port of that router would connect to your ISP router. That would prevent B from accessing A, but A might be able to access B.
 
What is the problem with my ISP router not being able to manage VLANs? I could always connect a VLAN-capable router to my ISP router and have it connect to my network B.

The goal is to secure network B as much as possible. I'm not interested in B being able to access A or A being able to access B.
I simply want B to have internet access through the ISP router, but nothing more.
Perhaps i misunderstood your comment.
Thank you very much!
 
If you are going to have a second router, then my statement about "A" and "B" can be reversed if "B" is the network requiring more protection. A second home router with the WAN connected to the ISP router will treat the ISP router as "the internet"; you will get standard NAT protection of B from everything else connected to the ISP router. Network B will be in a double NAT configuration, which for most things is not an issue.

Maybe your ISP router can handle VLANs. You didn't provide a model so I can't comment on that, other than it would be unusual for an ISP provided router to be VLAN capable.
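The asymmetry described in this reply (B is protected from A, but B can still reach A) comes from stateful NAT on the second router. The following is an added example, not code from the thread or from any router vendor: a toy stateful NAT router whose WAN side sits on the ISP LAN and whose LAN side is network B. The addresses, ports and the hypothetical port forward are constructed for illustration.

```python
"""Added example: why a second router with its WAN on the ISP router's LAN
protects network B from network A, but not the reverse.

Outbound flows from B are source-translated to the router's WAN address and
recorded in a connection table. Packets arriving on the WAN side are only
delivered into B when they match a recorded flow or an explicit port forward.
All addresses and ports below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    """Second router: WAN side on the ISP LAN (192.168.1.0/24 in the demo),
    LAN side is network B."""

    def __init__(self, wan_ip, lan_net, port_forwards=None):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        # Deliberate exposures: (proto, wan_port) -> (lan_ip, lan_port). Empty by default.
        self.port_forwards = dict(port_forwards or {})
        # Connection table: (proto, wan_port) -> (lan_ip, lan_sport, remote_ip, remote_port)
        self.conntrack = {}
        self._next_port = 40000

    def from_lan(self, pkt):
        """B -> anywhere: SNAT to the WAN address and record the flow."""
        if ipaddress.ip_address(pkt.src) not in self.lan_net:
            raise ValueError("packet did not come from network B")
        for (proto, wan_port), (lip, lport, rip, rport) in self.conntrack.items():
            if (proto, lip, lport, rip, rport) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)
        wan_port = self._next_port
        self._next_port += 1
        self.conntrack[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def from_wan(self, pkt):
        """Anything on the ISP LAN (network A, the ISP router, the internet) -> B.
        Returns the packet as delivered into B, or None when it is dropped."""
        if pkt.dst != self.wan_ip:
            return None  # not addressed to the router itself: nothing is forwarded into B
        key = (pkt.proto, pkt.dport)
        flow = self.conntrack.get(key)
        if flow and (flow[2], flow[3]) == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, flow[0], flow[1], pkt.proto)  # reply to B's own flow
        if key in self.port_forwards:
            lip, lport = self.port_forwards[key]
            return Packet(pkt.src, pkt.sport, lip, lport, pkt.proto)  # hole punched on purpose
        return None  # unsolicited inbound: dropped


def demo():
    """Constructed scenario: host A is 192.168.1.10 on the ISP LAN, the second
    router's WAN is 192.168.1.50, host B is 10.0.0.5 behind it."""
    router = NatRouter("192.168.1.50", "10.0.0.0/24")
    # A tries to reach B's router (and therefore B) unsolicited: dropped.
    unsolicited = router.from_wan(Packet("192.168.1.10", 50123, "192.168.1.50", 22))
    # Even if A learns B's subnet and routes it via .50, the router forwards nothing.
    routed = router.from_wan(Packet("192.168.1.10", 50125, "10.0.0.5", 22))
    # B opens a connection to A: SNAT outbound, and A's reply is let back in.
    outbound = router.from_lan(Packet("10.0.0.5", 51000, "192.168.1.10", 445))
    reply = router.from_wan(Packet("192.168.1.10", 445, "192.168.1.50", outbound.sport))
    # The caveat: one port forward (hypothetical, tcp/8080 -> B's web server) lets A in.
    leaky = NatRouter("192.168.1.50", "10.0.0.0/24", {("tcp", 8080): ("10.0.0.5", 80)})
    exposed = leaky.from_wan(Packet("192.168.1.10", 50124, "192.168.1.50", 8080))
    return {"unsolicited": unsolicited, "routed": routed, "outbound": outbound,
            "reply": reply, "exposed": exposed}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {'dropped' if pkt is None else pkt}")
```

The practical check that follows from this model: on the second router, keep the WAN-side forward policy at default-drop, leave UPnP off and add no port forwards toward B, because each forward is an exception to the very protection this design relies on.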
 
My ISP router doesn't have VLANs, so I thought the best option might be to implement a secondary router that also has a firewall for my network B.

This way, I think I could prevent network A from accessing network B and vice versa.
Then, I could also implement VLANs within network B (with the new router or a managed switch).
What do you think?
Thank you very much.
 
Go back to my first post. You can't just do a managed switch; you have to have a VLAN-aware router. You need multiple DHCP servers, address spaces, etc. You probably want Wi-Fi on "B" also. If you want that, then that means VLAN-aware Wi-Fi hardware. If you want to buy new, I would recommend looking at the Ubiquiti UniFi line of hardware. It has a single dashboard, and all the UniFi hardware is controlled from that dashboard. If you want to DIY, then a MikroTik router and whatever used managed switch you get could work.
 
Can't I connect a switch like the D-Link DGS-1100-08 that has VLAN capability to my ISP router even though it doesn't have VLAN capability itself? I thought this was possible.

For example, I have seen the MikroTik RB4011iGS+RM router. Reviewing its information, I saw that the router itself already has the ability to implement VLANs directly. So, wouldn't it be repetitive to install another switch similar to the D-Link DGS-1100-08?

Thank you very much for your help.
 
You can. But the traffic will NOT be segregated in the router. So A and B are not truly isolated. The networks co-mingle on the LAN side of the ISP router. The VLAN tags are just ignored. So someone on network A could start tagging traffic to an IP in network B and the router would forward and the switch would also.

Adding a DGS to a MikroTik would depend on how many total wired ports you need.
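The point made in this reply, that tags are only meaningful to devices that enforce them, can be shown on the wire format itself. The following is an added example, not code from the thread or from any switch vendor: it builds real 802.1Q-tagged Ethernet frames and runs the same crafted frame through two toy forwarding devices, one VLAN-unaware (the LAN side of the ISP router, or an unmanaged switch) and one that enforces per-port VLAN membership. MAC addresses, port names and VLAN IDs are constructed for illustration.

```python
"""Added example: a VLAN-capable switch behind a VLAN-unaware ISP router does
not isolate A from B, because the upstream device forwards on destination MAC
only and treats the 802.1Q tag as opaque bytes.
All MACs, ports and VLAN IDs below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100
BCAST = "ff:ff:ff:ff:ff:ff"


def mac(text):
    """'02:00:00:00:0a:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vid, payload, ethertype=0x0800, pcp=0):
    """Build an 802.1Q tagged Ethernet frame (FCS omitted).
    Tag = TPID 0x8100 followed by TCI: 3-bit PCP, 1-bit DEI, 12-bit VID."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return mac(dst) + mac(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN id (None if untagged), inner ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "payload": frame[14:]}


class UnawareDevice:
    """Plain learning bridge: one forwarding table for all frames, tag ignored."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # MAC -> port

    def forward(self, in_port, frame):
        """Return the set of egress ports for the frame (tag passed through unchanged)."""
        f = parse_frame(frame)
        self.fdb[f["src"]] = in_port
        out = self.fdb.get(f["dst"])
        if out == in_port:
            return set()
        if out is not None:
            return {out}
        return {p for p in self.ports if p != in_port}  # unknown unicast / broadcast: flood


class AwareSwitch:
    """802.1Q switch: each port has a PVID (its untagged VLAN) and a set of
    allowed tagged VLANs; the forwarding table is keyed by (vid, MAC), so
    learning and flooding never cross a VLAN boundary."""

    def __init__(self, port_config):
        self.cfg = port_config  # port -> {"pvid": int, "tagged": set()}
        self.fdb = {}

    def _member(self, port, vid):
        return vid == self.cfg[port]["pvid"] or vid in self.cfg[port]["tagged"]

    def forward(self, in_port, frame):
        f = parse_frame(frame)
        vid = f["vid"] if f["vid"] is not None else self.cfg[in_port]["pvid"]
        if not self._member(in_port, vid):
            return set()  # ingress filtering: tag for a VLAN this port is not in -> drop
        self.fdb[(vid, f["src"])] = in_port
        members = {p for p in self.cfg if p != in_port and self._member(p, vid)}
        out = self.fdb.get((vid, f["dst"]))
        if out == in_port:
            return set()
        if out is not None and out in members:
            return {out}
        return members


HOST_A, HOST_B = "02:00:00:00:0a:01", "02:00:00:00:0b:01"
VLAN_A, VLAN_B = 10, 20


def demo():
    """Constructed topology: host A on p1, host B on p2, p3 is the uplink, p4 a
    second port in A's VLAN. Host A crafts a frame tagged with B's VLAN."""
    crafted = build_frame(HOST_B, HOST_A, VLAN_B, b"hello-B")

    unaware = UnawareDevice(["p1", "p2", "p3"])
    unaware.forward("p2", build_frame(BCAST, HOST_B, VLAN_B, b"arp"))  # device learns B's port
    unaware_egress = unaware.forward("p1", crafted)                     # delivered to B

    aware = AwareSwitch({
        "p1": {"pvid": VLAN_A, "tagged": set()},            # access port, network A
        "p2": {"pvid": VLAN_B, "tagged": set()},            # access port, network B
        "p3": {"pvid": 1, "tagged": {VLAN_A, VLAN_B}},      # trunk to a VLAN-aware router
        "p4": {"pvid": VLAN_A, "tagged": set()},
    })
    aware.forward("p2", build_frame(BCAST, HOST_B, VLAN_B, b"arp"))
    aware_egress = aware.forward("p1", crafted)                         # dropped on ingress
    same_vlan = aware.forward("p1", build_frame(BCAST, HOST_A, VLAN_A, b"arp"))

    return {"parsed_vid": parse_frame(crafted)["vid"], "unaware_egress": unaware_egress,
            "aware_egress": aware_egress, "aware_same_vlan_flood": same_vlan}


if __name__ == "__main__":
    print(demo())
```

The check to take from this: isolation only holds at the point where every path between A and B passes through a device that enforces membership (here `AwareSwitch`); a tagged frame that reaches a device which merely forwards on MAC is delivered regardless of the tag.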
 
So if I install a secondary router/firewall, it will isolate network A from network B and vice versa. Correct? This way, the VLAN tags won't be ignored.

What do you think of the examples I provided, both for the router/firewall and the switch? Thanks.
 
If you put a second router with the WAN to the ISP LAN, I discussed that above. B would treat A as "the internet", just like it treats www.google.com as "the internet". So could a user on B use an IP address on A and get to that device? Yes. There is nothing protecting A from B because they are all on the LAN side of the ISP router.
What "examples"? The original post? I think I discussed that in my earlier posts. Your choice of a MikroTik? They are good, but can be difficult to configure. I had a MikroTik hEX as a router for a while. I chose the simplicity of the Ubiquiti hardware even though it is more expensive.
 
I understand what you mean: I'm not too worried about B being able to access A. What I would be worried about is A being able to access B. Since, as I mentioned, B is the network that should be the most secure.

The examples I gave you were the following:
router: https://mikrotik.com/product/rb4011igs_rm
switch: https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I?th=1

I know you recommended a Ubiquiti.
Thank you very much!
 
As I said above, MikroTik is lower cost, high features, but can be difficult to configure. Can it provide you with network protection and VLANs? Yes. Will you be able to configure VLANs successfully? Unknown.
The D-Link switch can provide VLANs. I haven't used that model, so I don't know how straightforward configuration is.
Is Wi-Fi not required on network B?