Home Networking

198 readers

1 users here now

A community to help people learn, install, set up or troubleshoot their home network equipment and solutions.

Rules

Please stay on topic.
Please use the search function to look for keywords related to what you want to ask before posting since most common issues have been answered.
No Ads. This community is for support and discussion. Ads and self promotion are not welcome here.
No product reviews or announcements. If you have a question about a product, be specific about what you want to know.
Be civil. Don't be a jerk. Not being a jerk is surprisingly easy.
No URL shorteners. URL shorteners tend to hide the real use of a link. For this reason, please use normal links, even if they're long.
No affiliate links.
No gatekeeping. With profession shall come professionalism. Extend help without judging others for their ignorance. The same goes for downvoting of comments or posts for "stupid questions" or not being as knowledgeable as others.

founded 1 year ago

MODERATORS

[email protected]

How would you set up VLANs and Firewall rules for this home network? (imgur.com)

submitted 1 year ago by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

top 4 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 1 year ago (1 children)

I would set up Trusted, IOT and Guest VLANs. Put all PC's, servers and NAS in it, all else goes to IOT (Phones, Tablets, streamers, cameras and NVR, etc). Create firewall rules to allow internet for all and let anything from the Trusted network to get to IOT and Guest, but block everything from IOT and Guest to Trusted (except for a couple exceptions). One exception is I don't see a printer but if you had one I'd assign it a static in the Trusted and allow all VLANs to get to it's IP. Another exception is I use PiHole (lives on Trusted) and I allow only port 53 (DNS) to those IPs, (I have 2 Piholes).

Your Unifi APs are VLAN aware but I have no idea on your router/switches (I assume at least the router is).

[–] [email protected] 1 points 1 year ago (1 children)

I’m pretty sure at least two of the routers are as well, maybe all of them.

I want to block the cameras from being accessed from the internet or accessing the internet. I want them to communicate with trusted (for configuration) and the NVR. And then I want the NVR to be able to access the internet

[–] [email protected] 1 points 1 year ago

I would create another VLAN just for cameras with appropriate firewall rules. Allow Trusted into this "no-internet" VLAN but nothing to the internet. One way would be to figure out which ports the cameras use so you can add a firewall rule to allow communication to the NVR's IP. Another way would be to set the NVR on a static IP in the IOT and allow all traffic to it from this camera VLAN, (this is probably the easiest but not the most secure).

As a side note, I try to set as many things that I can on a static IP, it enables the use of firewall rules, also helps with normal monitoring.

As another side note - The Unifi APs support up to 4 VLANs (1 per SSID) - they also support the use of a SSID with multiple passwords which will allow connection to a VLAN depending on which password is used. It's a new feature and I haven't used it, so idk how well it works or other issues.

[–] [email protected] 1 points 1 year ago

Comes down to how you want people to access them. VLANs and Firewall rules are for restricting access. So that's how you should approach this.

From what I can tell, you have switches with Layer 2 capability, which doesn't help much.... You'd want Layer 3 capability formost to try and seperate things in this network properly, and pass VLANs how you'd need for Firewall rules.

So how I would set them up? This is the definition of a mesh network, and not much can be segregated, due to the capability of your switches...