What tech should I be looking at to segregate a home network?


Dan-H

Regular Contributor
Can you point me in the right direction to do some reading and research?

My goal is to segregate my home network to keep things I don't trust away from the things I need to have on a trusted network. Here's a first cut on loose requirements:

Area 1: Guest WiFi - works out of the box on my router. Only has outbound access. I don't need this to route back to my private network. Simply a guest, outbound network for family members that visit.

Area 2: A less trusted area; wired and WiFi. Contains "internet of things" things in my house that I'm not sure I want on my more trusted network. Home to a Minecraft server that has inbound access via NAT / port forwarding on my current router.

Area 3: The more trusted area. I want my Win8 and Win7 and OSX Desktop/Laptops here. Most are wired. I need VPN inbound to at least one of the systems, and I need the ability to Wake On Lan one of the systems. I guess the HP printer/scanner could live in this area, but Area 2 would be better. If all the connections are host initiated then I'd prefer it in area 2.

I think I want all of our phones in Area 2 when on WiFi so they can control the Blu-Rays and turn on the coffee pot.

Why?

I don't trust the phones.

I don't trust the WiFi enabled DVR/BluRay/Wii/WashingMachine/CoffeeBot on the same LAN as my desktops.

I don't like that the Minecraft server for my kids, NAT'd / port forwarded inbound, is on the same LAN as the rest of my systems. Maybe I'm paranoid. I think I have it locked down fairly well, but since port forwarding is enabled to something closed-source, now owned by M-Soft, and we run some mods, I'd like a wall between it and me.

So back to my original question. What tech should I read up about?

Should I be looking at a layer 2 approach, or a firewalled layer 3 approach, or ???

A link to an article or post to point me in the right direction would be awesome.

Thanks in advance.

ps: The CoffeeBot reference was sarcasm and a Freudian typo, but I expect to own one soon, so if nothing else I will know who takes the last cup and does not brew another pot.
 
In terms of VLANs, semi-managed switches are capable of those, and layer 2 semi-managed switches are quite cheap nowadays. In terms of brand, make sure to avoid D-Link. TP-Link is very good for basic functionality, but if you need more, other brands will do better.

So, to put your network into "zones", as OpenWrt/Linux puts it, you can use layer 2 segmentation. To do that you need a semi-managed switch and a router that supports VLANs. On a network device, each port can only be part of 1 untagged VLAN and as many tagged VLANs as you like. Untagged VLAN means that the port is a member of that VLAN without needing any configuration on what's plugged into it, but a tagged VLAN does, although tagged VLANs allow you to pass multiple zones of traffic on 1 wire. Some companies use a tagged VLAN for management, which requires the PC to have the VLAN configured on the NIC.

On the router, when using VLANs, you set your configuration on the VLAN interface and not the Ethernet interface. You can imagine VLANs as being a separate wired network but virtually on a single physical network. Instead of using eth you'd be using VLAN300, for example, for a VLAN value of 300.

On WiFi, VLANs are done by having separate SSIDs and using AP Isolation. You will also need to bridge the SSID to the VLAN interface, just like on the router. Each SSID could be in the form of wlan0.1 and wlan0.2 on a Linux machine.

For your choice of router, ASUSWRT supports Wake on LAN. Merlin firmware adds a configurable firewall to it so you can do things like hijack DNS and force it to use your router for DNS lookups. This is particularly useful if you want to restrict devices communicating outside: use a sniffer on each device, one at a time, to learn what it does and then apply the config for blocking/redirecting that communication to the router. There are many examples of how to do this on the forum. For a consumer router, if the firmware doesn't have the features you want, you can try Tomato or OpenWrt. Merlin firmware is a good compromise, though, between the features of OpenWrt and the performance and ease of use of stock firmware. Basically, choose a router with good hardware and support for 3rd-party firmware. pfSense and UTMs (x86 OSes that you would need to download and install, not embedded) are also a choice but require x86 hardware, so you would need to scavenge/buy hardware for it.

For your choice of switches, layer 2 semi-managed switches will do the job well. Look for VLANs, green Ethernet, energy savings, access lists, DHCP snooping, ARPs and some security. This is one area where saving energy can help you greatly.

For WiFi, choose either one that is an integrated router (on which you would install 3rd-party firmware and do your configs with it) or you would need a separate one that can perform the task you want. All it needs is multiple SSIDs, VLANs, bridging and AP Isolation. Ubiquiti UniFi is a non-consumer one I know that's priced as a consumer item, but there are many out there that are good, well priced and easy to configure for a consumer.
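To make the zone model in the reply above concrete, here is an added example (my own constructed config, not the replier's and not copied from any real router): a classic OpenWrt UCI fragment in the pre-21.02 `ifname` syntax that puts Area 2 on VLAN 20 with its own SSID and firewall zone, lets the trusted zone reach it but never the reverse, and keeps the Minecraft port forward inside that zone. The VLAN ids, addresses, SSID, key and the Minecraft port are assumptions.

```uci
# /etc/config/network (constructed; classic pre-21.02 "ifname" syntax).
# Define 'trusted' the same way on eth0.30 / 192.168.30.1: one IP network per VLAN.
config interface 'iot'
	option type 'bridge'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
# /etc/config/wireless: a second SSID bridged into 'iot', with AP isolation on
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'Home-IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'
# /etc/config/firewall: one zone per VLAN ('trusted' is the same with input ACCEPT)
config zone
	option name 'iot'
	option network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Both zones reach wan and trusted may reach iot; deliberately no iot -> trusted.
config forwarding
	option src 'iot'
	option dest 'wan'
config forwarding
	option src 'trusted'
	option dest 'wan'
config forwarding
	option src 'trusted'
	option dest 'iot'
# With input REJECT, IoT clients still need DHCP and DNS from the router itself.
config rule
	option src 'iot'
	option proto 'tcpudp'
	option dest_port '53 67'
	option target 'ACCEPT'
# The Minecraft port forward (default 25565 assumed) lands only in the iot zone.
config redirect
	option src 'wan'
	option src_dport '25565'
	option dest 'iot'
	option dest_ip '192.168.20.10'
	option dest_port '25565'
	option target 'DNAT'
```

The switch port facing the router carries VLAN 20 and 30 tagged, and each IoT or desktop port is untagged in exactly one of them, which is the layer 2 half of the setup described above.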
 
I like using layer 3. It is more complicated but I think it works better. To keep things simple I assign an IP network to every VLAN. I use tags on my VLANs.
 
Thanks for the replies. Life got very busy for a few weeks... I'll do some reading and hopefully come back with some specific questions.
 
