Should I or should I not use a VLAN? I have trouble understanding the benefits for home use
Hey everyone,
I am completely stripping my house and am currently thinking about how to set up the home network.
This is my usecase:
home server that can access the internet + homeassistant that can access IoT devices
KNX that I want to have access to home assistant and vice versa
IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)
3 PoE cameras through a PoE 4 port switch
a Chromecast & nintendo switch that need internet access
Every router worth anything already has a guest network, so I don't see much value in separating out a VLAN in a home use case.
My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn't kill its battery retrying until home assistant polls.
The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR
I already have PiHole blocking most phone homes from the chromecast or guest devices.
So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.
Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).
I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.
Like many other security mechanisms VLANs aren't really about enabling anything that can't be done without them.
Instead it's almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.
So if your question is "do I need VLAN to enable any features", then the answer is no, you don't (almost certainly, I'm sure there are some weird corner cases and exceptions).
What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don't normally talk to each other anyway. Right. That "normally" is exactly the case: one major benefit of having VLANs is not just stopping "normal" phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you're out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone ...
So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.
And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.
The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.
Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network
I consider client devices to be a big risk factor and if I can keep them from having direct access to the Backup NAS and the IoT I consider that a big win. A simple ransomware attack on a client device would find any NFS/SMB shares the client can access and start encrypting - having the Backup NAS on a separate VLAN that only the server can access stops most of those from affecting the backup and makes restoring a lot easier. I would definitely recommend having an offline backup of the NAS as well in case of the server being breached.
Yeah, 100% agree on the client devices. One of my VLANs is for the kids' devices. I don't trust their schools' admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.
It all comes down to what you trust each type of device to do and how you want to handle their traffic.
I have seven VLANs, with each one's traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.
Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) setup your network.
Believe it or not, a Netgear. Specifically this one. I don't have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.
Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.
WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
There have been botnets from unsecured video cameras, and even some compromised from before import.
TVs report back what you’re using them for and when, even playing through hdmi, and some have been caught listening in to your private conversations.
How do you prevent these from happening, or limit what they can do? One way is to put them on a separate vlan without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.
That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network
Yeah, for that threat model, a VLAN is not needed in my opinion:
esphome devices are for sure not data collecting and pihole will block most of the phone homes with a good block list, where possible (like simple smart devices) they are flashed with a local open source version. Still the vast majority are KNX and Zwave which are local only
video cameras are local-only always and have completely blocked internet access via the router
This is probably the biggest threat unpreventable in other ways. Though definitely citation needed for them actually being caught recording conversations lol. People think phones do that too, but it is simply a lot easier (and more importantly, cheaper with a much higher ROI) to make a complete data picture through search/watch history + proximity to other devices.
Pihole by itself can't really block all the traffic as some device may be set to use different DNS server from factory. And with DNS over HTTPS, to block phoning home, you'd most probably have to completely block internet access for that device.
I'm looking at VLANs as groups of devices which shares the same access policies. So e.g. you create VLAN for cameras, create rules for accessing the NAS, HA, etc. and then just assign each camera to that VLAN. You don't need to recreate same rules for every new camera.
It looks like you’re not understanding what a VLAN is. It is a virtual LAN, it’s near physical separation of traffic.
In your example, your IoT devices and HA would sit in their network. Your PCs and phones on another, reaching outside through PiHole. Your *arr suite in a third, only routed outside through a VPN. You get the gist. And then you set rules on how these subnets talk to each other in a router, like you would do if they were physically separate.
Yes, that is why I gave an example of how i thought it worked, but i have a single physical server with *arr suite, HA, reverse proxy, and all of my other services.
If it is a near physical separation of traffic, how can 1 device with 1 MAC and 1 IP be isolated on multiple parts of the VLAN?
You would expose a single port to multiple vlans, and then bind multiple addresses to that single physical connected interface. Each service would then bind itself to the appropriate address, rather than "*"
Oh, it can’t. You’d need more ETH ports. One for each VLAN a device is connected to. You can find multiport low speed expansion cards for cheap, even more so used. Many people think it’s a worthy investment. You learn a valuable skill and have a more resilient, secure network.
Of course that assumes you have spare expansion connectors on your server. I might be wrong, but I’m pretty sure you can find ETH boards for that “Wi-Fi” M.2 connector, so that’s an option if you don’t have PCI. That way you can at least segregate Internet and local traffic.
Edit: apparently you can. Time for me to update my knowledge.
If you want to learn about VLANs and spend some time setting everything up (and more time each time a new device joins your network) then you should go for it.
I for myself decided it’s not worth it for my little home network and instead just use a /16 net and group devices into different ranges. E.g. computers are xxx.xxx.1.yyy, phones are .2.yyy, etc. All unknown devices get a .99.yyy from the DHCP, so they are easily identified.
All public facing stuff is in some Docker container, so there’s at least a small hurdle should something/someone get access.
Cameras are mirrored into Apple HomeKit via Home Assistant, so I can use Apple Home to watch them from afar. Or VPN into my home network.
Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).
I think of it like this: grouping several physical switch ports together into a private network, effectively like each group of ports is it's own isolated switch. I assume there are routers which allows you to assign vlans to different Wi-Fi access points as well, so it doesn't need to be literally physical.
Obviously the benefits of vlans over something actually physical is that you can have as many as you like, and there are ways to trunk the data if one client needs access to multiple vlans at once.
In your setup, you may or may not benefit, organizationally. Obviously other commenters have pointed out some of the security benefits. If you were using vlans I think you'd have at a minimum a private and public vlan, separating out the items that don't need Internet access from the Internet at all. Your server would probably need access to both vlans in that scenario. But certainly as you say, you can probably accomplish a lot of this without vlans, if you can aggressively setup your firewall rules. The benefit of vlans is you would only really need to setup firewall rules on whatever vlan(s) have Internet access.