Advice on network setup at home.

Started by dirtyelf, April 24, 2021, 12:46:05 PM


dirtyelf

Hello everyone. I recently upgraded my home ISP and service. I now have a fiber direct to the house and 940/940 service for cheaper than I was paying the cable company for 200/10. I had been thinking about upgrading my network and networking hardware beyond ISP|--|modem|--|router|--|devices for some time and now with the new service I am motivated again. I have three reasons for wanting the upgrade.

The first being that I like to learn about this stuff. I realize that my current setup is more than adequate for my needs, but adding some more control and fidelity sounds like a great learning experience.

The second reason would be security. I'm under no illusion that I will actually add any real hard stops to anyone who wants in badly enough, but I do run a few internet facing servers, a VPN, and have some IoT thingies that might be slightly more secure if separated a bit.

The third reason is adding more hardwired RJ45 jacks. I now have my fiber modem on the outside of the house and a Cat6 cable running into my master bedroom closet, which is coupled to another Cat6 cable that terminates in my office. Lucky for me that is where my current router, switch, servers, and my PC are located. Running into the box in the closet is another few (and I would like to add more) Cat6 cables that go to various places around the house. A metal box in the wall in my closet isn't exactly the best spot for a Wi-Fi router. I'm wondering what my options are here.

I'm looking for general network setup advice for my needs here. From my reading and research it seems my best bet is to go with a router that can split into VLANs and use some wireless access points. So that might look like this: ISP|--|modem|--|router|--|wireless APs|&|switch|&|devices with the router set up to have a few VLANs for various things. I think 2 wired and 2 wireless VLANs would be sufficient. 1 wired for my PC, 1 wired for IoT stuffs, 1 wireless for phones, tablets, laptops and 1 wireless for IoT stuffs. Maybe another VLAN to dump into from my VPN?

Am I way off track here? Sorry if this is out of the scope of this forum. Any advice or information you can provide will be greatly appreciated.

Current equipment is as follows: ISP's Fiber Modem, Netgear Nighthawk X4 R7500v2, Unmanaged Aumox 5 Port Gigabit Switch

deanwebb

If there is no restriction on communication, there's no real reason to separate devices by VLAN except for administrative tracking purposes. In customer sites, we'll carve up networks for printers, security cameras, medical devices, and such, then put an ACL restriction on them so that there is no inbound/outbound traffic allowed except for the ports used for standard communications, and limited to authorized servers in the case of the cameras and med devices.

If the ISP modem opens a port to a specific IP, not much of a use case for segmentation of your inner network. If it opens a port to your whole network, then you'll want to segment things.

One other way of thinking this through is to have Internet-facing devices in one network, the DMZ, and then a firewall between those and the rest of the home network. The firewall is there to put a hard stop on any traffic coming through the DMZ to your inner network, but to allow inner traffic to get out to the rest of the world - but only through the firewall. This is even more secure if you have no default route defined, so that botnet traffic that doesn't know to use your firewall as a way out will be unusable on your network.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
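The ACL-restricted VLANs and the DMZ-with-firewall layout deanwebb describes come down to a short first-match rule list. The following is an added example, not code from the thread or from any product mentioned in it: a small first-match ACL evaluator with the policy encoded as rules (an IoT VLAN allowed out only on the ports its application needs, a DMZ whose web server may not initiate traffic into the inner LAN, an inner LAN allowed out through the firewall, and one published service). All subnets, hosts and ports are constructed placeholders.

```python
"""Added example, not code from the thread: a first-match ACL evaluator that
encodes the segmentation policy deanwebb describes. Every subnet, host and
port below is a constructed placeholder, not an address from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption): one /24 per VLAN.
INNER = ip_network("192.168.10.0/24")      # PCs, phones, laptops
IOT = ip_network("192.168.20.0/24")        # IoT VLAN
DMZ = ip_network("192.168.30.0/24")        # Internet-facing servers
WEB = ip_network("192.168.30.10/32")       # the one web server in the DMZ
IOT_CLOUD = ip_network("203.0.113.0/24")   # vendor cloud, TEST-NET-3 (constructed)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in self.src
            and ip_address(flow.dst) in self.dst
            and (self.proto is None or self.proto == flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


# Order matters: first match wins, and anything unmatched is denied.
# The "deny to inner/DMZ" rules sit above the "allow to anywhere" rules;
# otherwise 0.0.0.0/0 would silently include the private subnets.
POLICY: List[Rule] = [
    Rule("allow", IOT, IOT_CLOUD, "tcp", 8883),  # IoT -> its vendor cloud (MQTT over TLS)
    Rule("deny", IOT, INNER),                    # IoT never talks to the inner LAN
    Rule("deny", IOT, DMZ),                      # ...or to the DMZ
    Rule("allow", IOT, ANY, "tcp", 443),         # firmware updates etc. over HTTPS
    Rule("deny", DMZ, INNER),                    # a compromised web server stays in the DMZ
    Rule("allow", DMZ, ANY, "tcp", 443),         # web server may fetch its own updates
    Rule("allow", INNER, ANY),                   # inner LAN reaches DMZ and Internet via the firewall
    Rule("allow", ANY, WEB, "tcp", 443),         # the single published service
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); a None index is the implicit deny."""
    for i, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None


def allowed(src: str, dst: str, proto: str = "tcp", dport: int = 443) -> bool:
    return evaluate(Flow(src, dst, proto, dport))[0] == "allow"


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.9 stands in for an arbitrary Internet host.
    samples = [
        Flow("192.168.20.5", "203.0.113.7", "tcp", 8883),    # IoT -> vendor cloud
        Flow("192.168.20.5", "192.168.10.20", "tcp", 445),   # IoT reaching for a PC
        Flow("192.168.20.5", "198.51.100.9", "tcp", 23),     # IoT on an unexpected port
        Flow("192.168.30.10", "192.168.10.20", "tcp", 22),   # web server -> inner LAN
        Flow("192.168.10.20", "192.168.30.10", "tcp", 443),  # PC -> own web server
        Flow("198.51.100.9", "192.168.30.10", "tcp", 443),   # Internet -> published site
        Flow("198.51.100.9", "192.168.10.20", "tcp", 443),   # Internet -> inner PC
    ]
    for f in samples:
        action, idx = evaluate(f)
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {action} (rule {idx})")
```

The point worth checking in any real ACL, whether on a router or a Linux firewall, is the same as in `POLICY`: the denies toward private subnets must precede the broad "allow to Internet" rule, and the implicit deny at the end is what actually keeps an unexpected port from the IoT VLAN from leaving the house.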

config t

Quote from: deanwebb on April 26, 2021, 03:42:13 PM
If there is no restriction on communication, there's no real reason to separate devices by VLAN except for administrative tracking purposes. In customer sites, we'll carve up networks for printers, security cameras, medical devices, and such, then put an ACL restriction on them so that there is no inbound/outbound traffic allowed except for the ports used for standard communications, and limited to authorized servers in the case of the cameras and med devices.

If the ISP modem opens a port to a specific IP, not much of a use case for segmentation of your inner network. If it opens a port to your whole network, then you'll want to segment things.

One other way of thinking this through is to have Internet-facing devices in one network, the DMZ, and then a firewall between those and the rest of the home network. The firewall is there to put a hard stop on any traffic coming through the DMZ to your inner network, but to allow inner traffic to get out to the rest of the world - but only through the firewall. This is even more secure if you have no default route defined, so that botnet traffic that doesn't know to use your firewall as a way out will be unusable on your network.

Trying to wrap my head around not having a default route. Do you mean no default route on the trusted side?

Please don't mistake my experience for intelligence.

deanwebb

Quote from: config t on April 26, 2021, 03:50:24 PM
Trying to wrap my head around not having a default route. Do you mean no default route on the trusted side?

Correct. No default outbound route. Set up a proxy for the outbound traffic:

https://www.networkworld.com/article/3252090/how-to-eliminate-the-default-route-for-greater-security.html

There are a number of free Linux products to serve in the capacity of both firewall and proxy.
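What "no default outbound route, proxy instead" means for an individual host is easiest to see in a route lookup. The following is an added example, not code from the thread or from the linked article: a longest-prefix-match lookup over two constructed routing tables, one for an inner host that carries only local routes and one for the firewall/proxy box that alone holds the route to the ISP. A proxy-aware client connects to the proxy's local address, which is routable; software that ignores the proxy and tries the Internet address directly gets no route at all. All addresses are constructed placeholders.

```python
"""Added example, not code from the thread: longest-prefix-match route lookup
showing the effect of leaving the default route off inner hosts.
Addresses and the proxy port are constructed placeholders."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, next hop or "connected")

# Constructed routing tables (assumption).
INNER_HOST_ROUTES: List[Route] = [
    ("192.168.10.0/24", "connected"),     # its own subnet, which holds the proxy
    ("192.168.30.0/24", "192.168.10.1"),  # DMZ reachable via the firewall
    # deliberately no 0.0.0.0/0 here
]
FIREWALL_ROUTES: List[Route] = [
    ("192.168.10.0/24", "connected"),
    ("192.168.30.0/24", "connected"),
    ("0.0.0.0/0", "203.0.113.1"),         # only the firewall knows the way out (ISP gateway, constructed)
]
PROXY = ("192.168.10.1", 3128)  # proxy listens on the firewall's inner address (constructed)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; None means 'no route to host'."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for prefix, nexthop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nexthop)
    return best


def first_hop(table: List[Route], dst: str, use_proxy: bool) -> Optional[str]:
    """Where the host sends its first packet for a connection to dst.
    A proxy-aware client sends to the proxy; anything else sends straight to dst."""
    target = PROXY[0] if use_proxy else dst
    route = lookup(table, target)
    if route is None:
        return None
    return target if route[1] == "connected" else route[1]


if __name__ == "__main__":
    internet_host = "198.51.100.9"  # constructed stand-in for any Internet address
    print("direct:", first_hop(INNER_HOST_ROUTES, internet_host, use_proxy=False))   # None
    print("via proxy:", first_hop(INNER_HOST_ROUTES, internet_host, use_proxy=True))  # 192.168.10.1
    print("firewall:", lookup(FIREWALL_ROUTES, internet_host))                        # default route
```

The only host that needs a default route is the one running the firewall and proxy; anything on the inner side that does not know to use the proxy simply has nowhere to send an Internet-bound packet, which is the property the linked article is after.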

dirtyelf

Quote from: deanwebb on April 26, 2021, 03:42:13 PM
If there is no restriction on communication, there's no real reason to separate devices by VLAN except for administrative tracking purposes. In customer sites, we'll carve up networks for printers, security cameras, medical devices, and such, then put an ACL restriction on them so that there is no inbound/outbound traffic allowed except for the ports used for standard communications, and limited to authorized servers in the case of the cameras and med devices.

The restriction on communication would really only come into play if some IoT device was compromised somehow. It would then be on the VLAN that only allows for specific traffic related to the application. I realize this is unlikely to actually be effective at real security, but I don't see it hurting anything. Plus I do get the added benefit of some administrative organization.

Quote from: deanwebb on April 26, 2021, 03:42:13 PM
If the ISP modem opens a port to a specific IP, not much of a use case for segmentation of your inner network. If it opens a port to your whole network, then you'll want to segment things.

I always assumed (probably incorrectly) that a modem was a wide open pipe, port-wise, to the internet. I'm not entirely sure what happens behind the scenes, but won't the modem typically blast all traffic to the router which then decides what to do with it based on port forwarding, etc.? How would I know if my ISP's modem opens a port to a specific IP, or if it opens a port to my whole network? Isn't that a router thing?

Quote from: deanwebb on April 26, 2021, 03:42:13 PM
One other way of thinking this through is to have Internet-facing devices in one network, the DMZ, and then a firewall between those and the rest of the home network. The firewall is there to put a hard stop on any traffic coming through the DMZ to your inner network, but to allow inner traffic to get out to the rest of the world - but only through the firewall. This is even more secure if you have no default route defined, so that botnet traffic that doesn't know to use your firewall as a way out will be unusable on your network.

Most if not all of my devices are internet facing devices. What would be a network device that is not internet facing? A NAS that I only want to access internally?

I think I am having the most trouble with selecting the actual hardware. I think I need a router in my closet, but then I am not sure what to do beyond that. I could put a wired router in there and run my Ethernet lines around the house, including to wireless access points... or to a Wi-Fi router that I use as an AP? I appreciate the responses... looking forward to improving my network.

icecream-guy

Quote from: dirtyelf on May 05, 2021, 04:38:57 PM
How would I know if my ISP's modem opens a port to a specific IP, or if it opens a port to my whole network? Isn't that a router thing?

Check out https://www.grc.com/shieldsup
You can scan ports on your local PC from outside.

My Moral Fibers have been cut.

deanwebb

By "Internet-facing", I mean devices whose primary role is to function as a web server, presenting content to the Internet. Other devices that access the Internet for content are not Internet-facing devices - they're the ones that would need to be separated from the web servers, just in case the web server got compromised, so that they would not be at risk.

icecream-guy

Quote from: deanwebb on May 06, 2021, 09:53:10 AM
By "Internet-facing", I mean devices whose primary role is to function as a web server, presenting content to the Internet. Other devices that access the Internet for content are not Internet-facing devices - they're the ones that would need to be separated from the web servers, just in case the web server got compromised, so that they would not be at risk.

Yes, stopping hackers' east-west lateral movement is a good thing.