I’m going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I’m not an expert and would appreciate a few extra pairs of eyes in case I’m missing something obvious.

Hardware available:

  • Microtik Routerboard - 5 ports
  • Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
  • some dumb switches

Devices (by logical category; VLANs?):

  • main - computers and phones (Wi-Fi for now, I plan to run cable)
  • media - TVs, gaming consoles, etc
  • DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
  • guest - guests, kids computers

Goals:

  • main - outgoing traffic goes through a VPN
  • media - outgoing traffic limited to certain trusted sites; probably no VPN
  • untrusted - cannot access internet, can be accessed from main
  • guest - can only access internet, potentially through a separate VPN from main

Special devices:

  • NAS (Linux box) - can access main, media, and DMZ
  • printer - accessible from main, rest of devices on untrusted don’t need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed

Plan:

Router ports:

  1. Internet
  2. WiFi APs
  3. main VLAN
  4. untrusted (VLAN)
  5. unused (or maybe media VLAN)

WiFi SSIDs (currently have a 2.4Ghz and 5Ghz SSIDs):

  1. main VLAN
  2. guest VLAN
  3. untrusted - hidden SSID (mostly for printer) - 2.4GHz only

If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.

This is my first time configuring VLANs, so I’m not really sure what my options are. Also, I’m not super familiar with Mikrotik routers (I’m not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.

Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?

Edit: DMZ is the wrong term, so I replaced it with “untrusted”. By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can’t initiate connections outside their VLAN. However, that’s not necessary, since I can tunnel through my NAS if needed.

    • sugar_in_your_tea@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      Good point. I plan on moving my important stuff (NAS and router) into a closet, which would make using a UPS much more reasonable. Right now the router is in my bedroom, the NAS is on my desk, and the AP is in the hallway (though powered via POE).

      And yeah, I definitely want the network to stay up in a power outage since there’s still value in accessing the NAS to make last minute backups or whatever.

    • sugar_in_your_tea@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      My bad, I’m obviously not a sysadmin. :)

      I want my IoT devices to not access the Internet whatsoever, because there’s no reason to. I’ll be running a self-hosted home automation system (i.e. Home Assistant) that will communicate with them as needed. That’s running on my NAS (old Linux PC), hence the need to bridge it with my main network. I can tunnel through my NAS to access devices directly if needed.

      As for my “media” network, I don’t trust modern smart TVs and would prefer to treat them like the IoT devices, but I’d like to allow them to access certain services (e.g. Netflix and Disney+). I’d prefer a “dumb” TV and a separate streaming device instead, but that’s not really a thing anymore. So the next best is to limit what it can access. I don’t trust them on the main network, but unlike the IoT devices, they need some limited access to the Internet.

      why all of your “main” traffic needs a VPN

      Mostly privacy. My wife likes to play MP games on her PC, and I don’t want those services to know our IP. I also don’t trust websites generally, so I’d like to hide our IP for most, if not all, traffic. Our current ISP has us behind a NAT (we were assigned a 10.x.x.x static address), but our next ISP may have our IP public facing, and I still don’t want our exact city to be discoverable (we’re in a relatively small city, so easier to doxx). An added bonus is hiding our traffic from our ISP, but I don’t have a reason to distrust our current or future ISP just yet.

      So I want to set up a VPN at the router level to a server nearby (for minimal added lag). I’ve tested it, and I think my router should be able to handle it just fine, and the pings to the nearby VPN are really low (<5ms).

      And I do use CloudFlare’s DNS already, and my browser uses DNS over HTTPS. I’m just looking for a bit more privacy, without sacrificing too much lag.

      • borari@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        8 months ago

        Mostly privacy. My wife likes to play MP games on her PC, and I don’t want those services to know our IP. I also don’t trust websites generally, so I’d like to hide our IP for most, if not all, traffic. Our current ISP has us behind a NAT (we were assigned a 10.x.x.x static address), but our next ISP may have our IP public facing, and I still don’t want our exact city to be discoverable (we’re in a relatively small city, so easier to doxx).

        You do you, I certainly won’t judge your choices or opinions or whatever. I will say that adding a VPN into the mix will add (probably significant amounts of) latency to any connection routed through it. This has the potential to make multiplayer games borderline unplayable depending on the type and its sensitivity to latency in general.

        If you’re that worried about being doxxed stand up a site-to-site vpn between your tik and an AWS VPC. Use the right region and you probably won’t have much latency issues, although the transit fees from AWS might bite you.

        On the flip side, since the mikrotik can act as a vpn server you could always set up your whole home vpn along with the vpn server, travel overseas to somewhere like Japan, set your upstream vpn’s exit as the same country you’re visiting, VPN in to your house over your phones Japanese cellular carrier data connection, then watch local JP netflix with the knowledge that the traffic is tunneling around the globe to get to you and marvel at the interconnectedness of the modern world. ask me how i know how amazing this is.

        • sugar_in_your_tea@sh.itjust.worksOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          8 months ago

          VPN… latency

          Yeah, I’ll certainly test it first. I’m planning to get one at a local datacenter, and ping times are only 4ms from my home. I’ll be using WireGuard, so router level overhead should be minimal.

          But I’ll definitely set up a test “secure” VLAN so my wife and I can test it out.

          There’s other reasons as well, such as this law in my state that requires parental approval for kids to access SM. I don’t want my wife or kids to give SM that PII, so I want to protest it at the network layer, at least with a secure SSID, if not the default outgoing network.

          VPN in to your house over your phones

          Yup, that’s also part of the plan. I want to access my NAS anywhere, but I don’t want it publicly exposed. I may even want to access my IP cameras and whatnot as well.

          So my plan is to set up a VPS and configure my own private VPN, connect my NAS to it, and then from there I can access anything on my home network. My kids like to use my computer to play games, so one common use case is to SSH in to the computers and unlock them while I’m at work (i.e. if they’re on vacation or something) so my wife doesn’t need to type my password (it’s kinda long). I do that already from my phone so I don’t have to walk downstairs, but it would be nice to be able to do it from my phone at work.

          I also don’t trust cloud-connected IP cameras, but want cameras monitoring my house while I’m away, so I’ll definitely need my own personal VPN.

          • borari@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            I’m planning to get one at a local datacenter

            Ah, never mind then, ignore everything I said.

            So my plan is to set up a VPS and configure my own private VPN

            Unless I’m misunderstanding, you don’t need a VPS for this. RouterOS supports you enabling a built-in VPN server, which you can then connect to directly, you don’t need to set up a VPS or anything. Then you can just put allow rules in the firewall for traffic from the VPN subnet in to your main subnet, your NASs subnet, your camera subnet, etc. This is how I access my homes resources remotely, the only ports open to the Internet are the VPN ports on my CCR1036.

            • sugar_in_your_tea@sh.itjust.worksOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              RouterOS supports you enabling a built-in VPN server

              You’d need a stable, publicly routable address, right? I’m not sure if I’ll have that, and I certainly don’t have it now. I can get it if I want, but it’s cheaper to just get a VPS.

              But yeah, if I end up getting an IPv6 address and my ISP doesn’t block ports, then yeah, that should work.

        • sugar_in_your_tea@sh.itjust.worksOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          Yup, I haven’t been particularly careful on Lemmy for a few reasons:

          • Lemmy is small, so I’m less likely to run into people who would bother doxxing me
          • I plan to recreate my account every year or two like I did on Reddit
          • i generally don’t engage much with the more popular communities

          So yeah, someone could probably work out who I am if they really cared, but I think that would take substantial effort.

          I’m mostly looking for low hanging fruit. As the saying goes, you don’t need perfect security, you just need to be a less attractive target than the next person. My router supports setting up a VPN, a VPN does provide a level of privacy, and it’s not that expensive. So why not give it a shot?

  • atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 months ago

    Just my opinion - This seems crazy overcomplicated to me… Just to stop a Chromecast from dialing home and to mask your IP address? What do you think game servers are doing with your IP address anyway?

    You’re going to be spending so much time troubleshooting and explaining to others in your house why “sometimes Netflix doesn’t work” or why latency in games is sometimes high.

    Rather than handling all these issues at the network layer why not sate your paranoia with tor-browser and a desktop vpn when you want to mask your Internet traffic?

    • sugar_in_your_tea@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      What do you think game servers are doing with your IP address anyway?

      Nothing important, and sometimes leaking them:

      It’s not the games themselves I’m worried about, but what gets leaked in a breach.

      I also don’t want to give ad companies more ways to uniquely identify me, troll admins ways to doxx me, etc. They don’t need my IP for anything, so if I can protect myself and my family with a simple config change, why not?

      Though maybe I’ll make an “insecure” VLAN to allow temporarily bypassing the VPN if it causes issues.

      tor-browser and a desktop vpn when you want to mask your Internet traffic?

      I want to protect my wife and kids as well, not just myself, and getting them to manage their own VPN would be a hassle for everyone.

      My state is also passing stupid laws, such as parental permission for kids to access social media. This means they and I would need to provide them PII just to make a stupid account. My kids don’t use SM yet and lemmy is my only SM, but I would like to protest this by using a VPN so my data leaves the state. If this passes at the national level, I’ll have to VPN into Canada or something instead.

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Nothing important, and sometimes leaking them

        Sorry it’s difficult for me to care too much about an IP addresses being “leaked” since they’re basically public information. I can “leak” IPs by scanning a subnet and reporting systems that respond to “ping”. Account information being leaked is much more serious though.

        There used to be a time when everybody’s name, phone number and address were printed in books and literally dropped on your doorstep for free. But your IP address is now highly confidential info for… reasons.

        They don’t need my IP for anything, so if I can protect myself and my family with a simple config change, why not?

        Why not? Rapidly diminishing returns - that’s why. Each component you add to your network is a point of failure that takes work to maintain and gains you very little in actual value. Your IP address is the very least important bit of information compared to account and credit card information you may be providing your services. Especially if you’re on a NAT’d connection from your ISP - your IP address isn’t even unique to you.

        And to protect you from… What exactly? Everyone who rants about “MY IP ADDRESS!” seems to fear only nebulous boogy men. Seriously I think VPN marketing is having a crazy effect on people. “HAXORS MIGHT GET YOUR IP ADDRESS!!!” … and do … what exactly?

        The biggest threat to self-hosting is automated scanning and intrusion done by hoards of bots. They just blindly scan and look for hosts exposing compromised services. They don’t get “lists of IP addresses” from a leak to scan. Do you know how much greater effort it would be for somebody to spend time specifically curating IP address vs. just blindly scanning?

        • sugar_in_your_tea@sh.itjust.worksOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          Yes, my IP isn’t particularly important by itself, it only has value when paired with other identifying information, like account names, personal names, etc. My house has my name on it, but that’s not associated with my IP address outside my ISP.

          So here’s a theoretical attack:

          1. My wife/kids decide to stream
          2. The streaming platform has a breach and our IP is associated with my wife/kid’s account
          3. An unrelated breach on SM or e-commerce associates their name with the IP address (or maybe that’s included in the streaming service breach)
          4. Some viewer looks up that info and doxxes my wife/kids, and someone decides to swat us
          5. Since I tend to screen my calls (I get a lot of spam), we don’t respond to police inquiry and someone gets hurt

          Unfortunately, I don’t think that’s all that unrealistic, so I want to secure my network a bit to reduce the risk of that. If I can do that mostly transparently with a local VPN, why not? I also get some obfuscation from ad networks and whatnot as well. Adding a couple ms to my latency is worth that.

          My current IP is behind NAT (my ISP gives me a 10.x.x.x address), but I’m switching providers soon and want to be prepared. Maybe it’ll be unnecessary, IDK, I’m mostly asking to see if my plan is reasonable or if there’s a better way to accomplish my goals.

          scanning

          That only works if you’re already on the network or at least in close proximity.

          I’m more worried about some script kiddie looking at data breach dumps than a drive by attack of some sort.

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            I don’t think that’s all that unrealistic

            I mean… That’s a near pathological level of paranoia. So you do whatever you need to do in order to sleep at night.

            That only works if you’re already on the network or at least in close proximity.

            Scanning open ports across the internet works just fine. Here’s a scan of some Google IPs just looking for open port 80.

            $ nmap 64.233.160.0/24 -P -p 80
            Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-21 09:20 EDT
            Nmap scan report for oi-in-f17.1e100.net (64.233.160.17)
            Host is up (0.054s latency).
            
            PORT   STATE SERVICE
            80/tcp open  http
            
            Nmap scan report for oi-in-f18.1e100.net (64.233.160.18)
            Host is up (0.053s latency).
            
            PORT   STATE SERVICE
            80/tcp open  http
            
            (more below)
            

            Now you just send a payload to each of those checking for known vulnerabilities. Done. I’m a script kiddie now.

            • sugar_in_your_tea@sh.itjust.worksOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              8 months ago

              Sure, I know how port scanning works, I’ve used nmap before.

              But you were talking about discovering my IP, not checking for open ports. The only way I can think of to discover someone’s IP when they’re using a VPN are:

              • hacking the VPN
              • malware on a device
              • someone scanning Wi-Fi networks in my physical area with something like Wireshark

              If I don’t use a VPN, just one service I use needs to be compromised, and I use a lot of services.

              I think paranoid would be going to great lengths to prevent the above, e.g.:

              • hacking VPN - I guess Tor?
              • malware - using something like TailsOS that containerizes everything and persists nothing
              • Wi-Fi scanning - don’t use Wi-Fi, or wrap my home in a faraday cage

              I’m not that paranoid. Setting up a VPN on my router takes 10 min or so, and I can have a backup SSID with no VPN in case something gets messed up. On the paranoid spectrum, that’s pretty tame, especially since I’m only really looking at VPNs in a close geographical area to minimize latency (i.e. very low pings, like 5ms).

              But there’s also a practical reason. My state passed some stupid laws requiring some level of ID by social media sites. I’d like an easy way to tunnel to a neighboring state to avoid the restrictions (closest is ~20ms ping away). I definitely want an easy way for my family to avoid that nonsense, so an SSID is a lot easier to use than configuring a device level VPN.

  • nehal3m@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 months ago

    I think the sketched setup is mostly good, segregating untrusted stuff is a great idea. I wouldn’t hide any SSID’s because that makes MITM easier.

    I’d invest in a simple Ubiquiti PoE switch and use your Mikrotik router as a firewall if it supports it. Put it between the modem and the switch and now you can use your switch to control access to the internet through VLANs. Use your ISP’s modem as an uplink, have it setup in bridge mode if possible to prevent double NAT. A Ubiquiti switch integrates well with the AP setup and you can much more easily push out VLANs that work through the wired network as well. It also saves you the injector for the existing AP and makes it easy to add additional ones.

    • sugar_in_your_tea@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Thanks for the feedback! I’ll look into a Ubiquiti switch. My current AP is passive PoE, so I don’t have an active PoE switch yet, so I might as well go managed for that.

      I wouldn’t hide any SSID’s because that makes MITM easier.

      Ok, makes sense. I guess the broadcast opens me up to that.

      I’ll look into adding the printer to a VLAN by MAC, it’s really only the one device that needs Wi-Fi access that I don’t want to talk to the network (it’s outside the security update window).