Home VLANs Approach

DHR

Soldato
Joined
30 Apr 2003
Posts
3,420
I've had a couple of cloud-enabled CCTV cameras and an NVR attached to my network for a while. I wasn't really paying much attention to it all; it worked for me and that's what was important, until someone started trying to hit the NVR from outside. Inevitable, I know :rolleyes:

I've got the ability to have a VPN in place now, but I've also got a number of other IoT devices (Yi cameras, smart bulbs etc.), which made me consider splitting things off into VLANs. The thing is, I've not done much VLAN work previously other than with those already provisioned.

Category wise I could probably split things into the following:
  • CCTV / Cameras (Mix of wireless and wired)
  • Laptop / Mobile / Storage (Mix of wireless and wired)
  • Gaming / TV (Wireless)
  • Guest WiFi (Wireless)
Wondering what other people have done if anything?
 
Soldato
Joined
10 Oct 2005
Posts
8,706
Location
Nottingham
I have two main VLANs, well three if you include the lab VLAN. Smart home devices are on one, normal computing stuff is on the other. The firewall between them will allow traffic if the connection is started from the computing side but not from the smart device side, so I can control things from my phone but things cannot try and connect to my NASes (for instance). There are separate wireless networks for each VLAN as well.

Remote access is via OpenVPN into the computing side.
 
Associate
Joined
16 Mar 2004
Posts
1,891
Location
Oxford
That's very similar to how I segregate my network. I'm using UniFi gear, which makes it easy to create different VLANs and just seems to work.

I have several:
  • CCTV
  • Phones
  • Servers
  • A general LAN for most Wi-Fi devices, PCs and Sky boxes - kept this way so Wi-Fi is on the same VLAN as Sky due to the weird way SkyQ boxes integrate with networks and VLANs and SkyQ iPad apps.
  • Guest Wi-Fi
  • Smoke alarm Wi-Fi
  • Media (TV/Squeezebox/DVD & Blu-Ray)
I don't wear a tin hat and I use a single VLAN and run an OpenVPN.

I have mine set up this way due to a lot of articles in the news about security risks. I seem to remember last year there were connected appliances that were broadcasting network traffic over the internet, and there was a recent security breach with a TV that posed a security risk. A TV connecting to Plex, for example, might seem innocent enough to the firewall on the Plex server, but what other data could this TV be collecting and sharing over the internet?

The way mine is set up, media devices for example don't have internet access (Netflix runs through Sky), Squeezeboxes connect to radio stations through a server, Nest smoke alarms are internet only, guests have their own VLAN with internet-only access at a reduced speed, CCTV cameras are internal only, and the same goes for phones (the SIP account runs from Asterisk). Perhaps excessive, but I'd rather that than wishing I'd set it up that way originally.
 
Associate
Joined
16 Mar 2004
Posts
1,891
Location
Oxford
Just to add to my above post. A lot of VLANs, I know, but I've only separated it that much as a learning project, so if I screw up setting something up to grant or deny internet access it will only cause issues for a particular set of devices rather than a lot of users/devices.
 
Soldato
Joined
18 Oct 2002
Posts
3,512
Location
UK
The thing about loads of VLANs is that you have to set up a lot of routes to do things like admin your IoT or IP phone stuff while on the local network but on a different VLAN. Good fun for learning, but I found it a PITA eventually, and so now I do more or less what @bledd says and only have one separate VLAN for guest WiFi access, because the default behaviour of it being segregated from my main network is exactly what I want. The best thing I ever did really was have an OpenVPN server on my router, because then I just connect from outside and it's like being on the local network while not opening everything up.
 
Caporegime
Joined
18 Oct 2002
Posts
26,083
There are no routes to set up if you're doing a router-on-a-stick, since all your VLANs are directly connected. Yeah, you have to write firewall rules, but isn't that sort of the point of doing it?
 
DHR

Soldato
OP
Joined
30 Apr 2003
Posts
3,420
After a fair bit of thought I'm thinking of doing the following:

VLAN1 - All client devices, laptop, FireTV etc.

VLAN2 - CCTV / Cameras, traffic to outside world blocked, access via VPN only

VLAN3 - DMZ - For XB1, PS4 etc. (not sure if it's worthwhile?)

VLAN4 - Guest Wifi

I like the idea of segregating Hue/IoT traffic etc., but I'm more concerned about inbound traffic to them than outbound, if that makes sense?
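Turning the plan above and the "allow only connections started from the computing side" rule from earlier in the thread into a concrete ruleset, as an added example that is not from any poster: an nftables forward chain for a Linux router-on-a-stick. The interface names (wan0, lan0.10, lan0.20, lan0.40, tun0) and VLAN IDs are assumptions, and the DMZ VLAN is left out since the OP is unsure about it.

```nft
# Assumed layout (not from the thread):
#   wan0     - ISP uplink
#   lan0.10  - VLAN 10: client devices (laptops, phones, FireTV)
#   lan0.20  - VLAN 20: CCTV / NVR and other IoT
#   lan0.40  - VLAN 40: guest Wi-Fi
#   tun0     - OpenVPN clients terminating on the router
table inet filter {
    chain forward {
        # Default deny between VLANs; every allowed flow is listed explicitly
        type filter hook forward priority 0; policy drop;

        # Replies to flows accepted below may return in either direction.
        # This is what lets the client side talk to IoT without IoT being
        # able to start a connection back.
        ct state established,related accept
        ct state invalid drop

        # Clients may reach the internet and may initiate connections to CCTV/IoT
        iifname "lan0.10" oifname { "wan0", "lan0.20" } accept

        # VPN users are treated like clients for reaching the cameras/NVR
        iifname "tun0" oifname { "lan0.10", "lan0.20" } accept

        # CCTV/IoT (lan0.20) has no accept rule as a source: no cloud egress,
        # no reaching the client VLAN; the drop policy covers it.

        # Guests get the internet only, never the other VLANs
        iifname "lan0.40" oifname "wan0" accept

        # Log what the policy discards so IoT-initiated attempts are visible
        log prefix "vlan-fwd-drop: " counter drop
    }
}
```

Load with `nft -f` and watch the kernel log for the `vlan-fwd-drop:` prefix to confirm the NVR is no longer able to open anything outbound.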
 