I’m going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I’m not an expert and would appreciate a few extra pairs of eyes in case I’m missing something obvious.
Hardware available:
- Microtik Routerboard - 5 ports
- Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
- some dumb switches
Devices (by logical category; VLANs?):
- main - computers and phones (Wi-Fi for now, I plan to run cable)
- media - TVs, gaming consoles, etc
- DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
- guest - guests, kids computers
Goals:
- main - outgoing traffic goes through a VPN
- media - outgoing traffic limited to certain trusted sites; probably no VPN
- untrusted - cannot access internet, can be accessed from main
- guest - can only access internet, potentially through a separate VPN from main
Special devices:
- NAS (Linux box) - can access main, media, and DMZ
- printer - accessible from main, rest of devices on untrusted don’t need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed
Plan:
Router ports:
- Internet
- WiFi APs
- main VLAN
- untrusted (VLAN)
- unused (or maybe media VLAN)
WiFi SSIDs (currently have a 2.4Ghz and 5Ghz SSIDs):
- main VLAN
- guest VLAN
- untrusted - hidden SSID (mostly for printer) - 2.4GHz only
If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.
This is my first time configuring VLANs, so I’m not really sure what my options are. Also, I’m not super familiar with Mikrotik routers (I’m not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.
Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?
Edit: DMZ is the wrong term, so I replaced it with “untrusted”. By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can’t initiate connections outside their VLAN. However, that’s not necessary, since I can tunnel through my NAS if needed.
My bad, I’m obviously not a sysadmin. :)
I want my IoT devices to not access the Internet whatsoever, because there’s no reason to. I’ll be running a self-hosted home automation system (i.e. Home Assistant) that will communicate with them as needed. That’s running on my NAS (old Linux PC), hence the need to bridge it with my main network. I can tunnel through my NAS to access devices directly if needed.
As for my “media” network, I don’t trust modern smart TVs and would prefer to treat them like the IoT devices, but I’d like to allow them to access certain services (e.g. Netflix and Disney+). I’d prefer a “dumb” TV and a separate streaming device instead, but that’s not really a thing anymore. So the next best is to limit what it can access. I don’t trust them on the main network, but unlike the IoT devices, they need some limited access to the Internet.
Mostly privacy. My wife likes to play MP games on her PC, and I don’t want those services to know our IP. I also don’t trust websites generally, so I’d like to hide our IP for most, if not all, traffic. Our current ISP has us behind a NAT (we were assigned a 10.x.x.x static address), but our next ISP may have our IP public facing, and I still don’t want our exact city to be discoverable (we’re in a relatively small city, so easier to doxx). An added bonus is hiding our traffic from our ISP, but I don’t have a reason to distrust our current or future ISP just yet.
So I want to set up a VPN at the router level to a server nearby (for minimal added lag). I’ve tested it, and I think my router should be able to handle it just fine, and the pings to the nearby VPN are really low (<5ms).
And I do use CloudFlare’s DNS already, and my browser uses DNS over HTTPS. I’m just looking for a bit more privacy, without sacrificing too much lag.
You do you, I certainly won’t judge your choices or opinions or whatever. I will say that adding a VPN into the mix will add (probably significant amounts of) latency to any connection routed through it. This has the potential to make multiplayer games borderline unplayable depending on the type and its sensitivity to latency in general.
If you’re that worried about being doxxed stand up a site-to-site vpn between your tik and an AWS VPC. Use the right region and you probably won’t have much latency issues, although the transit fees from AWS might bite you.
On the flip side, since the mikrotik can act as a vpn server you could always set up your whole home vpn along with the vpn server, travel overseas to somewhere like Japan, set your upstream vpn’s exit as the same country you’re visiting, VPN in to your house over your phones Japanese cellular carrier data connection, then watch local JP netflix with the knowledge that the traffic is tunneling around the globe to get to you and marvel at the interconnectedness of the modern world. ask me how i know how amazing this is.
Yeah, I’ll certainly test it first. I’m planning to get one at a local datacenter, and ping times are only 4ms from my home. I’ll be using WireGuard, so router level overhead should be minimal.
But I’ll definitely set up a test “secure” VPC so my wife and I can test it out.
There’s other reasons as well, such as this law in my state that requires parental approval for kids to access SM. I don’t want my wife or kids to give SM that PII, so I want to protest it at the network layer, at least with a secure SSID, if not the default outgoing network.
Yup, that’s also part of the plan. I want to access my NAS anywhere, but I don’t want it publicly exposed. I may even want to access my IP cameras and whatnot as well.
So my plan is to set up a VPS and configure my own private VPN, connect my NAS to it, and then from there I can access anything on my home network. My kids like to use my computer to play games, so one common use case is to SSH in to the computers and unlock them while I’m at work (i.e. if they’re on vacation or something) so my wife doesn’t need to type my password (it’s kinda long). I do that already from my phone so I don’t have to walk downstairs, but it would be nice to be able to do it from my phone at work.
I also don’t trust cloud-connected IP cameras, but want cameras monitoring my house while I’m away, so I’ll definitely need my own personal VPN.
Ah, never mind then, ignore everything I said.
Unless I’m misunderstanding, you don’t need a VPS for this. RouterOS supports you enabling a built-in VPN server, which you can then connect to directly, you don’t need to set up a VPS or anything. Then you can just put allow rules in the firewall for traffic from the VPN subnet in to your main subnet, your NASs subnet, your camera subnet, etc. This is how I access my homes resources remotely, the only ports open to the Internet are the VPN ports on my CCR1036.
On the topic of privacy, someone knowing your IP address in itself isn’t really a major leak of information. Even if you lived in a village of 1200 people, that in itself isn’t going to matter all that much.
You’ve already given out plenty of information on Lemmy from a cursory glance at your profile, including that you are a certain distance from your job. I could probably look up smaller cities in your state near employers that match your description and pull up most of the possibilities. All an IP would do is confirm it, the data on “sugar_in_your_tea” is already out there.
The best way to have privacy is to corrupt that data. You edit your comments to still live in (state) but now commute (distance to capital/larger city) and work for (insert larger employer details that are similar-ish). Instead of specific tech details you “work on web apps”. Your spouse is just a spouse, you don’t disclose details beyond that.