this post was submitted on 18 Aug 2023

homelab

We're renovating a house and I'm looking to add some smart home devices in the home. This gives me a perfect excuse to renew my current home network setup. I currently have a simple setup: my ISP router + an unmanaged 16-port switch with 2 Unifi AC Pro APs (fed using PoE injectors). I want to give the 2 Unifi APs to friends of mine, so I'm looking at a total renewal of my network.

I have a homeserver which runs 25+ containers, some for home use and some that I expose to the internet as well.

Since I'm adding smart home appliances (most z-wave but I will have to use some Wifi devices as well) to the network, I'd like to isolate these devices and give them minimal access to the internet and my own network. Since this will require me to setup VLANs I also want to setup multiple VLANs for various needs (see below).

As I'm not a network expert (I have basic knowledge), I like SDN setups. I was doubting between Unifi and Omada; after reading many posts I've got the feeling that Unifi isn't the same company it was 5 years ago, and the router solutions Unifi is selling don't really seem to fit my needs (dream router/machine). The older Unifi routers feel like a better fit, however I'm worried that they will become EoL and will no longer receive security updates. After learning that the Omada APs support PPSK without RADIUS - which allows me to use 1 SSID and have clients added to a VLAN depending on their passphrase - I decided to give Omada a chance.

I want to buy a smart doorbell (reolink). I don't plan on recording 24/7 or having any security cameras, however I do worry that if I do get them I might hammer my router since the traffic streams will have to be routed between VLANs. However, L3 switches are way pricier, so I'd like to try with my current setup and upgrade if need be if/when the time comes.

I read that Omada routers are also not that great (I would primarily be using it to configure the routing between VLANs), and I was doubting between opnsense or mikrotik. I got the impression that the Mikrotik (while harder to configure initially) is more of a set-and-forget solution with enough capacity for my needs.

I want to buy the following hardware (fanless is a must):

  • MikroTik RB5009UG+S+IN
  • TP-Link JetStream TL-SG2016P (16 ports will be enough, I expect to require 3 PoE ports)
  • 2 * TP-Link EAP650 - I like their small form factor and PPSK

I want to configure the following vlans:

  • VLAN 10: 192.168.10.0/24 - management vlan
    • Contains: pihole, VPN server, network devices, omada controller
    • Access to: all vlans
  • VLAN 20: 192.168.20.0/24 - private services vlan
    • Contains: server containing 25+ containers and home assist server
    • Access to other vlans: 30
  • VLAN 30: 192.168.30.0/24 - shared services vlan
    • Contains: chromecasts, printers, other services I would like to expose to guests and home users
    • Access to other vlans: none
  • VLAN 40: 192.168.40.0/24 - smart home devices vlan (via wifi or wired)
    • Contains: smart home sensors/devices + home assist server
    • Will not have access to the internet
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 50: 192.168.50.0/24 - smart home devices vlan with internet access (via wifi or wired)
    • Contains: hopefully nothing, devices that require internet access to function
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 200: 192.168.200.0/24 - Home users (via wifi or wired, mac address whitelisted?)
    • Contains: home users
    • Access to other vlans: 20, 30, 210, 220
  • VLAN 210: 192.168.210.0/24 - VPN users
    • Contains: VPN users
    • Access to other vlans: 30
  • VLAN 220: 192.168.220.0/24 - Guest users (wifi only or wired)
    • Contains: guests
    • Access to other vlans: 20, 30, 200, 210

I plan to assign 3 VLANs to my home assistant server so it can be reached by the smart home devices and it can be reached by home users, however there might be better solutions to solve this.

I'm also wondering if it would make sense to split my 25+ containers over multiple vnets (putting containers reachable from the internet in a separate VNET).

Any feedback is greatly appreciated!
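One way to turn the access list above into an enforceable router policy, as an added example that is not part of the original post: the matrix is encoded exactly as listed (including one-directional entries such as 20 -> 30), a checker answers whether a VLAN may initiate traffic to another, and RouterOS 7 firewall filter rules for the RB5009 are generated from it. The interface names vlan<ID> and the interface lists VLAN and WAN are assumptions, not names from the post.

```python
# Inter-VLAN policy from the post: each VLAN may *initiate* traffic only to the
# VLANs listed; anything else between VLANs is dropped (default deny).
# Return traffic of allowed flows comes back through connection tracking, so
# the matrix is deliberately one-directional (20 -> 30 does not imply 30 -> 20).
ALL_VLANS = (10, 20, 30, 40, 50, 200, 210, 220)
ACCESS = {
    10: set(ALL_VLANS) - {10},  # management: all VLANs
    20: {30},                   # private services
    30: set(),                  # shared services
    40: set(),                  # smart home, no internet
    50: set(),                  # smart home with internet
    200: {20, 30, 210, 220},    # home users
    210: {30},                  # VPN users
    220: {20, 30, 200, 210},    # guests, exactly as listed in the post
}
NO_INTERNET = {40}              # VLANs that must never reach the WAN

def allowed(src: int, dst) -> bool:
    """dst is a VLAN id or the string 'internet'. Same-VLAN traffic is
    switched at layer 2 and never reaches the router, so it is always True."""
    if dst == "internet":
        return src not in NO_INTERNET
    if src == dst:
        return True
    return dst in ACCESS[src]

def routeros_rules() -> list[str]:
    """Render the matrix as RouterOS 7 '/ip firewall filter' commands.
    Assumed names: VLAN interfaces vlan<ID>, interface list 'VLAN' holding
    all of them, and interface list 'WAN' for the ISP uplink."""
    rules = ["/ip firewall filter",
             "add chain=forward action=accept connection-state=established,related",
             "add chain=forward action=drop connection-state=invalid"]
    # Explicit WAN block for VLANs without internet, before any accept.
    for src in sorted(NO_INTERNET):
        rules.append(f"add chain=forward action=drop in-interface=vlan{src} "
                     f"out-interface-list=WAN comment=\"vlan{src}: no internet\"")
    # One accept per allowed (src -> dst) pair; order does not matter here.
    for src, dsts in ACCESS.items():
        for dst in sorted(dsts):
            rules.append(f"add chain=forward action=accept in-interface=vlan{src} "
                         f"out-interface=vlan{dst} comment=\"{src} -> {dst}\"")
    # Everything else between VLANs is dropped; VLAN -> WAN falls through.
    rules.append("add chain=forward action=drop in-interface-list=VLAN "
                 "out-interface-list=VLAN comment=\"default deny inter-VLAN\"")
    return rules

if __name__ == "__main__":
    print("\n".join(routeros_rules()))
```

Running the block prints the rule set; the accept rules must sit above the final VLAN-to-VLAN drop, and the established,related rule first so that replies to allowed flows are not caught by the default deny.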

[–] transientpunk@sh.itjust.works 0 points 1 year ago (2 children)

I do worry that if I do get them I might hammer my router since the traffic streams will have to be routed between VLANs.

The key here is to not route traffic across VLANs. Choose one VLAN to host all your network video content (IP cameras and NVR). This way, since all traffic is on the same subnet, all the network traversal can happen on the switch (even layer 2 switches) and not need to ever touch the router.

Also, if you suspect there will be a decent amount of network traffic that needs to cross VLANs, it's usually best to add an additional network interface that's connected to the correct subnet. That way traffic can avoid the router.

[–] Rora@feddit.nl 0 points 1 year ago (1 children)

Thanks, that makes a lot of sense! Will certainly look into getting an NVR in the same vnet as the cams if I ever get them. I was planning to have devices exposed to multiple vlans (e.g. Home Assistant). However, I wasn't sure if that is good or bad practice (since it opens an attack vector to jump across vlans). I could always opt for a L3 switch if need be.

[–] transientpunk@sh.itjust.works 1 points 1 year ago* (last edited 1 year ago)

No problem.

I actually just learned this lesson recently (in the last week). I have a NAS that I use for my PCs, and it also stores my media collection for Plex. It was natively sitting on the same network as my PCs, as that's where I was most concerned about network speed. I was having it cross VLANs for the Plex stuff, and it was only when I got a Ubiquiti switch that I noticed that traffic was hitting the router when crossing the VLANs but not when the two subnets were the same.

I'm happy that my hard knock lesson can help someone avoid that same mistake.