References or Recommendations for Better Home Network Security

[dlbzone]

My home network has grown out of control and I want to invest a little time and money to make sure we are getting the best possible performance and also improve security.

We usually have 4 to 6 high bandwidth connections (IPTV, Video Conferencing, etc.) and about 60 total connections (PCs VPN'd into work/School, Phones, Tablets, TVs and STBs, IoT devices, etc.) to the network at any one time. About 40 are wired and about 20 are wireless.

I run a Netgear R7800 for firewall, DHCP Server, 5 and 2.4GHz Local and Guest networks directly from ISP Cable Modem via CAT6. We have 250/25mbps plan today, but can see this increasing over time. I have a Netgear R7000 running as an AP via CAT6 from the R7800. I have a 24 port unmanaged switch also from the R7800 via CAT6. I have about 6 other 8-port unmanaged switches throughout our house connecting all the wired devices. Amazingly, it all runs pretty good most of the time. When we have a couple TV's streaming IPTV with 4 computers on Video Conferences, sometimes we run into some issues, but hard to know if it is on our end our not. I have a 3rd Asus AC1900 router that I am currently not using.

For the most part, I put the work and school computers and wireless IoT devices on the Guest WiFi network so they can only get to the internet. I have made a couple of exceptions for convenience and I know this leaves my network vulnerable. I would like to be able to implement vlans to control what devices the IoT devices can and can't interact with and also be able to have work laptops on ethernet, but not able to see anything on my network accept for my network printer.

I know that my routers don't support vlan out of the box and I am not really interested in running dd-wrt or other similar firmware on my routers.

I have spent a little time looking at Wired routers like Ubiquiti ER-X and ER-4, and similar offerings from Microtik, Cisco, Linksys, TP-Link, etc.

I also know that there are smart switch options that support vlans from these same and other suppliers. I haven't put much time looking at these yet.

I want to avoid any subscription services. I also prefer to avoid needing to use SSH and CLI interfaces. I much prefer IP accessible web interfaces for configuring the products if possible.

Q1: Which equipment needs vlan support to do what I am asking for? Can I just buy a new Wired Router, or just a new smart switch, or do I need the router, the switch, and the APs to all support vlans?

Please provide suggestions or links to concise information to help me learn what I need to make this work. Note that I prefer not to spend more than a couple hundred dollars to implement.

Thank you!

 

[L&LD]

All the network infrastructure needs to support the version of VLANs you want. This will not be easy (if possible at all) to get for the budget and other restrictions you have placed on such a product.

Without knowing (a diagram here would help) how your network is actually configured and arranged, your network may not even have the capabilities you seem to think it has.

If you have an old/spare computer around with two Ethernet ports or more, you may be able to do this with pfSense, OPNsense, or any of the other similar options.

I'm guessing any paid-for solution will require replacing many pieces of the infrastructure you already have and surpass your indicated budget.

 

[dlbzone]

Here is my current network diagram roughly. I am sure I am missing endpoints, but I have kept as much wired as possible to keep performance as high as possible. Hopefully the diagram helps.

Unfortunately, I built the house 20 years ago so I only have a single ethernet pulled to most locations so it would difficult to pull new wire.

Since WiFi has improved so much, I expect WiFi to play a part in the vlan network segmentation.

The biggest issue with the IoT devices is that I often want my phones to interact with them and its annoying changing networks for this purpose, but I don't want guests or our business/school laptops to be able to access anything on my network. Now that I think about the complexity of all this, I am starting to think that maybe it is not too annoying to switch between networks to perform certain tasks as needed.

My house is about 3000sq ft on 3 levels. 2 WiFi locations works, but I have a couple week areas so more would be better.

I want all the computers, phones, tablets to be able to access the printer except during VPN sessions of course. The printer has both wired and wireless (Wireless not showing on diagram), including wifi direct, though the wifi direct has been flaky so I think its disabled now.

All switches today are unmanaged. Also, I could spend more than a couple hundred if I find the perfect solution, but would prefer not to. I hate subscriptions or I would probably have already gone the Ubiquiti Unifi path even though I'm not sure if that entirely addresses my needs.

I only have one R7800, I just segmented the WiFi into 2 other blocks for clarification. I also combined all endpoints by location/connection to make diagram manageable.

 

[jeff3820]

My home network has grown out of control and I want to invest a little time and money to make sure we are getting the best possible performance and also improve security.

We usually have 4 to 6 high bandwidth connections (IPTV, Video Conferencing, etc.) and about 60 total connections (PCs VPN'd into work/School, Phones, Tablets, TVs and STBs, IoT devices, etc.) to the network at any one time. About 40 are wired and about 20 are wireless.

I run a Netgear R7800 for firewall, DHCP Server, 5 and 2.4GHz Local and Guest networks directly from ISP Cable Modem via CAT6. We have 250/25mbps plan today, but can see this increasing over time. I have a Netgear R7000 running as an AP via CAT6 from the R7800. I have a 24 port unmanaged switch also from the R7800 via CAT6. I have about 6 other 8-port unmanaged switches throughout our house connecting all the wired devices. Amazingly, it all runs pretty good most of the time. When we have a couple TV's streaming IPTV with 4 computers on Video Conferences, sometimes we run into some issues, but hard to know if it is on our end our not. I have a 3rd Asus AC1900 router that I am currently not using.

For the most part, I put the work and school computers and wireless IoT devices on the Guest WiFi network so they can only get to the internet. I have made a couple of exceptions for convenience and I know this leaves my network vulnerable. I would like to be able to implement vlans to control what devices the IoT devices can and can't interact with and also be able to have work laptops on ethernet, but not able to see anything on my network accept for my network printer.

I know that my routers don't support vlan out of the box and I am not really interested in running dd-wrt or other similar firmware on my routers.

I have spent a little time looking at Wired routers like Ubiquiti ER-X and ER-4, and similar offerings from Microtik, Cisco, Linksys, TP-Link, etc.

I also know that there are smart switch options that support vlans from these same and other suppliers. I haven't put much time looking at these yet.

I want to avoid any subscription services. I also prefer to avoid needing to use SSH and CLI interfaces. I much prefer IP accessible web interfaces for configuring the products if possible.

Q1: Which equipment needs vlan support to do what I am asking for? Can I just buy a new Wired Router, or just a new smart switch, or do I need the router, the switch, and the APs to all support vlans?

Please provide suggestions or links to concise information to help me learn what I need to make this work. Note that I prefer not to spend more than a couple hundred dollars to implement.

Thank you!

Like you my network was getting large and I wanted more segmentation for security purposes. You should have VLAN capability on the router, any switches, and WiFi access points. For my router I decided on Pfsense and installed it on a Protectli fanless device. Their 6-port or 4-port devices are sufficient and I only use 2 ports...WAN and LAN. It is a wonderful system, very configurable and supports VLANs easily. You have to be comfortable setting it up but there are a ton of YouTube videos you can watch to help. I modeled the system on the videos done by Lawrence Systems. Tom explains things well. Once I got the hang of setup, I'm very comfortable tweaking it for my needs. For the switches and WiFi access points I chose Ubiquiti and their Unifi system. I have one access point that can cover my entire house (though you can add additional access points for additional reach easily), a 16-port switch in my office, an 8-port switch in the family room, and a cloud key controller that is used to configure and monitor all of the devices. Again, Tom Lawrence's videos show how to set it all up. It was fairly straightforward and from a single Unifi interface you can configure all of the switches and WiFi. It all works well. I have not looked back.

There are similar offerings from TP-Link that I have been playing with as well as a lower cost option. They all do VLANs and can be configured from a central location.

 

[dlbzone]

Like you my network was getting large and I wanted more segmentation for security purposes. You should have VLAN capability on the router, any switches, and WiFi access points. For my router I decided on Pfsense and installed it on a Protectli fanless device. Their 6-port or 4-port devices are sufficient and I only use 2 ports...WAN and LAN. It is a wonderful system, very configurable and supports VLANs easily. You have to be comfortable setting it up but there are a ton of YouTube videos you can watch to help. I modeled the system on the videos done by Lawrence Systems. Tom explains things well. Once I got the hang of setup, I'm very comfortable tweaking it for my needs. For the switches and WiFi access points I chose Ubiquiti and their Unifi system. I have one access point that can cover my entire house (though you can add additional access points for additional reach easily), a 16-port switch in my office, an 8-port switch in the family room, and a cloud key controller that is used to configure and monitor all of the devices. Again, Tom Lawrence's videos show how to set it all up. It was fairly straightforward and from a single Unifi interface you can configure all of the switches and WiFi. It all works well. I have not looked back.

There are similar offerings from TP-Link that I have been playing with as well as a lower cost option. They all do VLANs and can be configured from a central location.

@jeff3820 Thank you! I spent the last few hours watching youtube videos to better understand Ubiquiti and the Unifi system after reading your post.

On the cloud key controller, I now understand this is optional as you can run their controller software from a PC and is only required to be running while you are changing configurations and checking status of the Unifi devices. I see there is $199/yr subscription for the cloudkey. Is the subscription only required if you are using their cloud services? It wouldn't make sense to buy the cloud key otherwise assuming you own a pc to run the controller software, right?

I will have to look at pfsense more closely, but was hoping to keep the solution I go to from getting overly complex to set up and manage. What kind of throughput can you get with the recommended security features on the Protectli device? I would like whatever solution I go with to stay close to 1gbps throughput.

 

[jeff3820]

The cloudkey has a price of $200...that is not a subscription but an outright purchase of the hardware. You can disable the connection to the cloud if you want and run locally once you setup a local user. You can run the controller yourself on a PC. It is needed to configure the Unifi devices and then monitors in the background if you want. Or turn off the controller...up to you.

Pfsense should have no issue with gigabit up and down on most x86 hardware. If you add IPS type of software then you'll seed some more horsepower to still do gigabit but nothing an i3 or i5 system and 8GB of RAM couldn't handle. I have 300/300 internet and don't bother with IPS software on my i3 Protectli. CPU usage rarely gets to 2% even while running a VPN server and doing speedtests in the background. Not very hardware intensive!

 

[dlbzone]

I decided to try the Ubiquiti Dream Machine as my Gateway/Router/Controller and it includes an integrated AP. I also ordered a 3-pack of their Flex-mini managed switches to create port vlans to segment my wired network. This should be enough to get things set up and once I determine range on the integrated AP, I will look at adding APs as necessary for improved site coverage. If I need more managed switches or PoE for the APs, I will considering adding as needed. I chose this route, because it seemed like the best mix of products, features, performance, and support resources, with a manageable amount of complexity and cost.

The TP-Link Omada products were also interesting and very price competitive. However, it didn't appear to have all of the performance/features I was looking for.

The Linksys LRT routers looked somewhat interesting, but Linksys doesn't seem to really be investing/developing in this space.

Cisco's SoHo solutions also seem like they might work, but always seem overly complex and costly.

I decided not to pursue PFSense at this time. It was more cost and more complexity. Probably more performance and features, but not something I have the time to invest in right now.

Thanks @L&LD, @jeff3820, and @ldesmar for your inputs!

 

[roadPilot]

Curious for you to opine on what performance/features you were looking for that the Omada products lacked that the DM does.

Last fall, we moved into a new (to us) house. Three levels and around 4,500 ft². Most every room had two CAT5e and two coax cables, but the PO had never even terminated nor even installed a patch panel (what?). I mounted a nice sized backboard, adding to it an Omada OC200 controller, the TL-R605 VPN router, and three EAP245v3 access points (one on each level). I'm still waiting on my TL-SG2428P POE+ switch (not yet released), so right now I've just a little 5-port TL-SG1005P POE switch in place to power up the APs. I'm waiting on the 28 port switch before setting up my VLANs and such (normal traffic, guests, IoT, etc.), but it sure is nice managing everything else through either the controller itself (VPN directly to the TL-605) or from the Omada cloud. Looking forward to investigating the full potential of this SDN setup.

 

[mib]

Take a look at the Sensei Plug-in. This brings several NGFW features to popular open-source firewalls (e.g. OPNsense, pfSense). You can do Policy-based app/web filtering, Parental Controls, Advanced Network Analytics, and employ security blacklisting based on real-time cloud threat intelligence. Basically, I think we've been able to bring some enterprise-grade features to the reach of Pro home users. (Disclaimer: I'm from the Sensei team).

Zenarmor

Take your OPNsense open source firewall to the next level with Zenarmor! Sunny Valley Networks, Zenarmor product page.

www.sunnyvalley.io

Home Network Security - Zenarmor

Home Network Security for Professionals Enterprise-grade network security now available for your home! Free Trial Stop Threats in Real Time

www.sunnyvalley.io

Welcome to the Zenarmor User Guide - zenarmor.com

Welcome to the Zenarmor User Guide

www.sunnyvalley.io

On OPNsense, Sensei can be managed both on-prem/through Cloud. On pfSense, and other platforms it's cloud-managed.