ByDemonsBeDriven
New Around Here
Quick background - not a newb but definitely no packet networking pro. I have advanced knowledge in TDM circuit switching which is dying a quick death and I adapt quickly to new tech when I'm thrown in the fire so to speak. I've been teaching myself packet switching/routing as I can, and have a good grasp on the layers and know enough to be dangerous. That's the problem though... I "know" stuff then get home and lump everything on my network to my RT-N66U running tomato where it all works just fine. I'm not thrown in the fire because I have one LAN and unmanaged switches which just get everything working with minimal effort. So...
Thanks to a nearby lightning strike and some damaged equipment I've decided to get this home setup correctly and SECURELY. I grabbed an edgerouter lite, Netgear GS724T 24 port managed switch, and two ubiquiti unifi AP's since I have a fairly large ranch style home. I'm looking for advice as I *think* I know what I need to do but I'm sure there are field-proven best practices I should be following.
I have computers, phones, tablets, printers, and a handful of IoT devices. The devices which never see firmware updates or come from small companies with no real support need to get off my main LAN. The news stories about telnet servers with hard-coded default passwords embedded in wireless cameras/etc are getting more and more frequent and I believe I need some VLANS to separate this stuff. But, I also need to access these IoT devices from phones or computers on other VLANS. I'm thinking if I only allow a connection to the port I need to control the device I'll be "safe". Am I making sense???? So....
My plan is to run the ISP connection to the edgerouter, the edgerouter to the switch, and the unifi AP's also to the switch. I don't know a ton about layer 3 switches but it seems to me I can segment everything, wired or wireless, using just that switch. Is that the right way to go about this? Can I "route" between segmented devices using only the switch or will that traffic need to go back to the router? Example - I have an off-brand colored lighting controller that my kid connects to with her iphone to change the room lights. The lighting controller uses 3 or 4 IP ports for it's communications. I want ONLY those ports open between her phone and the controller. They will be assigned different VLANS. Can I setup a route like that in the switch alone so the traffic never hits the router? That seems like the most efficient method for the network but I'm not sure that's possible.
I haven't even opened the boxes on this equipment yet. I'm just feeling this out to see if I'm thinking correctly before I start wiring things. Any advice is appreciated!
Thanks to a nearby lightning strike and some damaged equipment I've decided to get this home setup correctly and SECURELY. I grabbed an edgerouter lite, Netgear GS724T 24 port managed switch, and two ubiquiti unifi AP's since I have a fairly large ranch style home. I'm looking for advice as I *think* I know what I need to do but I'm sure there are field-proven best practices I should be following.
I have computers, phones, tablets, printers, and a handful of IoT devices. The devices which never see firmware updates or come from small companies with no real support need to get off my main LAN. The news stories about telnet servers with hard-coded default passwords embedded in wireless cameras/etc are getting more and more frequent and I believe I need some VLANS to separate this stuff. But, I also need to access these IoT devices from phones or computers on other VLANS. I'm thinking if I only allow a connection to the port I need to control the device I'll be "safe". Am I making sense???? So....
My plan is to run the ISP connection to the edgerouter, the edgerouter to the switch, and the unifi AP's also to the switch. I don't know a ton about layer 3 switches but it seems to me I can segment everything, wired or wireless, using just that switch. Is that the right way to go about this? Can I "route" between segmented devices using only the switch or will that traffic need to go back to the router? Example - I have an off-brand colored lighting controller that my kid connects to with her iphone to change the room lights. The lighting controller uses 3 or 4 IP ports for it's communications. I want ONLY those ports open between her phone and the controller. They will be assigned different VLANS. Can I setup a route like that in the switch alone so the traffic never hits the router? That seems like the most efficient method for the network but I'm not sure that's possible.
I haven't even opened the boxes on this equipment yet. I'm just feeling this out to see if I'm thinking correctly before I start wiring things. Any advice is appreciated!
