VLAN on NEW Router... or Separate Routers for IoT and Security

[ldesmar]

Hello and the best of 2021 to everyone.
I have recently moved to a new home in BC (Canada) and have brought all of my previous gear along. I have a fair bit of hardware accumulated over the years that can be incorporated into a more secured network design. However, I have not yet concluded on best approach to ensure performance and more secured SOHO network that will also need to include some newly purchased IoT Smart Devices as well!

I am seeking recommendations on how best to re-implement/design a SOHO Network in my new home with proper security to segregate IoT/Smart devices. FYI: My wife and myself are the only 2 people sharing this network.

At the moment, the only network equipment currently “in use” is what came from my new ISP Provider (Shaw):

• One DOCSIS 3.1 Compatible Gateway (Technicolor Model XB6 CGM4140COM) which probably runs a modified Xfinity Infinity Gateway firmware for Shaw ISP. The Core FW provided by Shaw is very restricted in terms of manual settings and controls.
• It does come with 4 Wireless 4K TV Players (Xi6), in use at various locations in the house.
• Also have a Network Printer: HP OfficetJet PRO 8630 connected via WiFi.

I also have, on-hand, the following hardware that can be incorporated into the final redesign:

• Netgear Nighthawk R7000 WiFi Router
• Netgear Nighthawk X6S R8000P Triband WiFi Router
• Netgear 16-port Gigabit Unmanaged Switch Model GS116NA
• NAS is QNAP TS-459 PRO (8 GB), which holds a large music library & personal files.
  • It is accessed via Intranet access ONLY.
  • Am now debating to install either Plax or Kodi on the QNAP.
  • Any recommendations on one vs the other is welcome !
• The new home does have 4 Cat 5e Ethernet Jacks that converge into a basement closet. …. and Coax cabling in key areas.
• I also have subscriptions to BitDefender and Express VPN, so could install these softwares on routers and/or NAS if needed.

There are quite a few recent IoT/Smart Devices that would need to be securely integrated into the final design:

• 4 Smart TV’s, currently connected via HDMI to the 4 Wireless 4K TV Players (Xi6)
• 1 NVIDIA Shield TV STB connected via WiFi and HDMI-cabled to one TV
• 1 Google Nest Audio + 1 Google Home + 2 Google Minis …all via WiFi
• 1 Google Nest Hello Video Doorbell … via WiFi
• 4 WeMo Wifi Smart Plugs … via WiFi
• 4 Feit WiFi Smart Dimmers … via WiFi

Option 1: I was initially considering to use the Nighthawk R8000P as the Prime Router and to create VLAN’s to separate the devices into various subnets.

• The Shaw Gateway XB6 would be used in “bridged-mode”.
• The Nighthawk R8000P would be the Primary router.
• The Nighthawk R7000 would be used as a Wireless AP to access some more remote areas.
• VLAN’s groups would have separated IoT and Smart Devices from main personal LAN.

However, after much searching, I am finding conflicting information of the Netgear stock firmware regarding VLAN’s! Some are saying it is just not reliable, others say they use it successfully for their Smart TV’s!
I also looked for OpenSource FW for the Netgear R8000P but could not find any developed for this particular model with VLAN’s.


Option 2: Another possibility could be to use the existing 2 Netgear Routers as 2 separate networks using a single internet connection:

• Smart & IoT Devices would connect to the R7000 Router.
• PC’s , Smart Phones, Printer and NAS would connect to the R8000P Router.
• I assume that the Shaw Gateway would be set to “bridge mode”, the R7000 Router would connect to the Gateway and the R8000P would connect to one of the R7000 LAN port.
• Any opinions on the effectiveness of this method & settings would be appreciated.

Option 3: Other options that could be considered:

• Possibly purchase a Smart Switch that could support VLAN separation?
• Buy a higher-grade Primary Router with proper VLAN support, and using all other routers as AP? Any recommended Routers ?
• Open to other ideas ….

Now looking for:

• Best options to optimize the available hardware and purchase what may be essential to isolate IoT and improve security.

Note: I have a good “understanding” of technologies, and don’t mind digging to deepen my understanding to perform a proper set-up. However, I am not a programmer so would favor toolsets that minimize manual coding and ongoing configuration updates (other then FW and security patches).
Would definitively appreciate this group's recommendations on how best to proceed.

 

[Natey2]

My simplistic approach: move risky devices to router's Guest network.
Use my Asus router AiProtection (TrendMicro) to monitor dubious connection activity on all devices, e.g. AiProtection in action

 

[ldesmar]

Thx @Matey2 .
Have been doing a lot of research and reading over the last week and came across some interesting and educational posts from many members of this forum: ex: Trip , coxhaus, L&LD , and many other contributors.

I will be looking to add some PoE Devices down the road, likely Cameras and possibly a wired Access Point via PoE. Consequently, I ended looking at Managed Switches with PoE and came to realize they can also provide VLAN capabilities.

Given the hardware that I already have, would it not make sense to dedicate one (R7000) of the 2 Netgear Routers for all IoT & Smart Devices (all on WiFi), then create VLAN(s) to a Managed Switch, while running the other Netgear Router (R8000P) as the main Private node that would include all PC's, the Printer and the NAS (some WiFi, some wired) ?

Have read way too MANY reviews on Managed Switches, with varying/conflicting information on the right model to get! Information overload now!!!

Any suggestions/opinions on the above setup .... as well as the right switch model that:

• would support the required VLAN(s)
• provide PoE for future devices
• something that offers to 5 to 10 ports max
• no need for extranet access to the switch (local only)
• simple enough configuration GUI
• without any paid subscription

Am a newbie for switch configurations, but willing to learn.
Any recommendations or comments are welcome.

 

[dlbzone]

Idesmar, It looks like we have similar goals and some similar existing hardware. Here is the link to my thread.
https://www.snbforums.com/threads/r...tions-for-better-home-network-security.70561/

I have to believe that there must be a growing need for this sort of network segmentation in modern homes, but I am surprised not to find much response for solutions.

I recently read arguments that vlans and Netgear's guest network isn't secure anyway. Supposedly if you put a device on the network that has the necessary code embedded, it can ignore the segmentation and have visibility across your network anyway. I don't know how true this is, but I still think it's better to have segmentation than not. I see it kind of like having locks on your doors, or not leaving your valuables out in the open. It hopefully removes temptation and keeps honest people honest, but if someone really wants to hack you, they are probably going to figure out a way. Especially if they have physical access to your network.

I will keep a watch on your thread and let you know if I come across some good advice or solutions.

 

[ldesmar]

Hello dlbzone. Thanks for your response and offer to share new findings.

From my side, I have read multiple threads and suggestions from frequent (and more knowledgeable) contributors from SNB. My key take-aways are that my network design will (eventually) encompass:

1. VLAN-capable PoE Switch: Found a few that offer multiple 2.5G/5G ports with 10G backhaul. These are all fairly new devices and are out of my price range for now .... but keeping an eye on how this multi-gig market for SOHO evolves.
   • This will be a core switch for my network, managing all VLAN's.
   • Preferably with some PoE+ and PoE++ ports. Looking for 12-to-18 ports to be available.
   • Am however somewhat confused on the multiple terminologies that refer to VLAN support: some brands show VLAN's at layer 2, others L2+, L3+ ???
     • Cisco CBS250/350 series (Business Gear) is often referred as "best in class" ... but VERY pricey for now!
     • Am also keeping an eye on Netgear GS110TUP @ 240W and MS510TXUP
     • UniFi Switches have a large following of technical experts. Just too technical for me
2. One solid AX Router ... something like the ASUS RT-AX86U which appears very interesting, although a bit pricey. However it does support Multi-gig ports (caps at 2.5 G though) WAN/LAN Link Aggregation support. It also has RMerlin supported Firmware available
   • Router will be used specifically for routing, as I now plan to use a switch to manage the VLAN segregation.
3. Some newer AX Access Points (2) will eventually replace my existing Netgear R7000 and R8000P routers and connect to the Core Switch across VLAN's.
   • Looking for 2.5G/5G or greater backhaul, depending on how this market shapes up.

All-in-all; it seems that the devices that are of interest (for me) are still fairly new and not yet large-scale markets to offer more appealing pricing...so will have to be patient !

For now, I am focussing on running new Cat6a cabling and re-using my existing 2 routers as 2 distinct WiFi networks: One for IOT and Smart Devices, the other one for business/private networks.

FYI: Some interesting links from SNB:

How To Use A Layer 3 Switch In A Small Network
VLAN How To: Segmenting a small LAN​

How To Segment A Small LAN Using Tagged VLANs - Part 2​

Expanding Network with VLANS​

Let me know if you come across anything of interests as well

 

[HTBruceM]

What I have learned is that many IoT devices work just fine on an isolated VLAN, or for that matter, on a Guest network with client isolation enabled. In this scenario, the IoT device(s) have internet access ONLY. However, there are some types of IoT devices that aren't convenient to be setup this way. Specifically, devices that use CASTING technology like speakers, displays, nVidia Shield, TVs, etc. These devices need to be accessed by (usually) your smartphone, tablet, computer, etc. Your phone/tablet/PC has to be on the same Guest network as the IoT device in order to cast. The problem is that firewalls in consumer routers are basic and not reconfigurable to be casting-friendly between the main network and the Guest network. For casting to work, the firewall must allow packets originating from the main/secure network to reach the IoT network, and responses to complete in the other direction. Same for broadcasting. However for security reasons it is still desirable that the firewall limit the IoT network to only access the Internet gateway. I have seen folks setup these types of inter-VLAN rules using more advanced firewalls in EdgeRouter, pfSense, etc. And it works.

Today, a casting-friendly GUEST/VLAN network is a common customer use case. But there are no "casting-friendly" Guest networks available in consumer routers. The options available to home users are:

1. use very sophisticated and complicated equipment - which would be incompatible with a consumer grade product, or
2. setup the 3-dumb router configuration (but you will still need to have your smartphone on the IoT network to make this work).
3. Put your non-casting IoT devices on your Guest network, and put your casting devices on your main/secure network.
4. Put all your IoT devices on your Guest network and just remember to switch your phone/tablet to the Guest network before you attempt to CAST (or just leave it there).

Option 3 is the simplest scenario. The others are too complicated for most consumers. Especially when something isn't working and they have to troubleshoot. Also with the 3 dumb router configuration, any port forwarding becomes a little more complicated to setup through the double NAT.

I just wish we could convince the consumer router marketing/engineering teams to add this feature to their products. It is increasingly important nowadays for security reasons. Engineering wise, it should be fairly straightforward to offer an IoT network profile that is "casting-friendly" in addition to the typical GUEST network they provide today.

 

[ldesmar]

@HTBruceM You make a very good point with regards to CASTING devices and a market need for engineering teams to build a "casting-friendly" network isolation scheme!

@thiggins @L&LD @Trip @coxhaus @RMerlin : All of you guys are certainly a lot more connected to evolving technologies/solutions for small network devices. Are any of you aware of any developments or products aiming to address "casting-friendly" isolation in small networks ?
( see above post from @HTBruceM )

 

[thiggins]

@HTBruceM You make a very good point with regards to CASTING devices and a market need for engineering teams to build a "casting-friendly" network isolation scheme!

@thiggins @L&LD @Trip @coxhaus @RMerlin : All of you guys are certainly a lot more connected to evolving technologies/solutions for small network devices. Are any of you aware of any developments or products aiming to address "casting-friendly" isolation in small networks ?
( see above post from @HTBruceM )

No. I'm not. If the media device is from a major player (Google, Roku, Amazon), I don't see why they would be any less secure than other well-known manufacturer consumer devices and have to be isolated in the first place.

What manufacturers have done is implement things like ASUS'/TrendMicro-based AiProtection that will detect if a device is accessing the internet in an unusual way.

 

[RMerlin]

I don`t. My core business is with small businesses and not-for-profit organizations, none of which are impacted by casting/streaming needs.