Hi everyone,

I have lost myself in the networking rabbit hole… Read quite a few posts, watched YouTube videos, … So I thought I could share my plan here and get some feedback, if I am over complicating things.

I have pulled the trigger on a Unifi network and am now waiting for delivery of my UDM SE, APs and L2 switches. I wanted to take more control of my network and make it more secure. That being said, the most security will be gained once I enhance my Docker networks (which will be done at a later stage). This is setting up the basics.

Networks I want to introduce (Subnets and VLANs):

  • Networking (LAN)
    • Router, UDM, APs, …
    • Anything network related should live in this network
  • Servers (LAN)
    • My NAS, Hypervisor, Pi, VMs, …
  • Trusted (LAN/WLAN)
    • Main home network for PCs, Laptops, Tablets, Phones, …
  • Media (LAN/WLAN)
    • TV, PS4, Alexa, Soundbar, …
    • Reason for not putting it on IOT or Trusted: I need the Guest network to be able to reach it and don’t want them to reach my Trusted network. IOT I want to be quite limited.
  • IOT (WLAN)
    • Vacuum, Photovoltaics, …
  • Guests (WLAN)
    • Anyone visiting

In the following diagram you can see my thoughts on how I intend to configure the firewall: who can talk to whom…

Maybe this diagram is a little clearer:

https://preview.redd.it/siftt8ydro2c1.png?width=666&format=png&auto=webp&s=0d2e8fcd57d8ce45bcb0bc62e2bdaf71cd6d2213

Old diagram

https://preview.redd.it/qqfce2ii4o2c1.png?width=770&format=png&auto=webp&s=f99ad2bb5817386c723c3749a3418f0076783ba2

Is this overkill? Am I blind and missing something?

Looking forward to your feedback and criticism.

Edit: Indication if just LAN, WLAN or both
Edit2: Second diagram, which might be a bit clearer

  • kester76a@alien.topB
    1 year ago

    My advice would be to consider throttling the bandwidth on the guest network and also block ports and use a restricted dns server with that vlan.

    You can’t vet everyone’s devices so you want to be proactive.
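The post lays out a zone matrix (Guest may reach Media but not Trusted, IOT is kept limited) and the comment above adds a restricted DNS resolver and port blocking for the guest VLAN. The following is an added example, not code from the post, the commenter or Ubiquiti: a small first-match policy model of the kind of "LAN In" ruleset this plan turns into, so the matrix can be checked before it is typed into the controller. The subnet numbering, the resolver address 10.0.10.53, the rule names, and every allow/deny the post does not explicitly state (Trusted initiating to everything, IOT only reaching the resolver) are assumptions for illustration.

```python
# Added example: first-match firewall policy model for the VLAN plan in the post.
# Not UniFi code. Subnets, resolver address and rules beyond what the post states
# (Guest->Media allow, Guest->Trusted deny, IOT limited) are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed one /24 per VLAN (constructed for the example).
ZONES = {
    "Networking": ip_network("10.0.10.0/24"),
    "Servers":    ip_network("10.0.20.0/24"),
    "Trusted":    ip_network("10.0.30.0/24"),
    "Media":      ip_network("10.0.40.0/24"),
    "IoT":        ip_network("10.0.50.0/24"),
    "Guests":     ip_network("10.0.60.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_RESOLVER = ip_network("10.0.10.53/32")  # assumed filtering resolver in Networking


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: object                   # ip_network, "any" or "rfc1918"
    dst: object
    dport: Optional[int] = None   # None = any destination port
    proto: Optional[str] = None   # None = any protocol
    established: bool = False     # only matches replies of already-allowed flows


# Ordered like a "LAN In" ruleset: replies first, then specific allows/denies,
# then a catch-all inter-VLAN deny; anything left over is internet-bound.
RULES = [
    Rule("allow-established", "allow", "any", "any", established=True),
    Rule("trusted-to-any", "allow", ZONES["Trusted"], "any"),
    Rule("guest-dns-to-resolver", "allow", ZONES["Guests"], GUEST_RESOLVER, dport=53),
    Rule("guest-block-other-dns", "deny", ZONES["Guests"], "any", dport=53),
    Rule("guest-block-dot", "deny", ZONES["Guests"], "any", dport=853),
    Rule("guest-block-smtp", "deny", ZONES["Guests"], "any", dport=25, proto="tcp"),
    Rule("guest-to-media", "allow", ZONES["Guests"], ZONES["Media"]),
    Rule("iot-dns-to-resolver", "allow", ZONES["IoT"], GUEST_RESOLVER, dport=53),
    Rule("deny-inter-vlan", "deny", "rfc1918", "rfc1918"),
]
DEFAULT = ("allow", "default-internet")


def zone_of(addr):
    """Name of the VLAN an address belongs to, or None if it is not local."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _match_addr(spec, addr):
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(addr in n for n in RFC1918)
    return addr in spec


def _matches(rule, pkt):
    if rule.established and not pkt["established"]:
        return False
    if rule.proto and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    return _match_addr(rule.src, pkt["src"]) and _match_addr(rule.dst, pkt["dst"])


def packet(src, dst, dport=443, proto="tcp", established=False):
    """Build the flow tuple the policy is evaluated against."""
    return {"src": ip_address(src), "dst": ip_address(dst), "dport": dport,
            "proto": proto, "established": established}


def evaluate(pkt):
    """Return (action, rule_name): the first matching rule wins."""
    for rule in RULES:
        if _matches(rule, pkt):
            return rule.action, rule.name
    return DEFAULT


def reachability():
    """Zone-to-zone verdicts for a new TCP/443 flow from the .10 host of each VLAN."""
    hosts = {z: net[10] for z, net in ZONES.items()}
    matrix = {}
    for s in ZONES:
        matrix[s] = {}
        for d in ZONES:
            # same-VLAN traffic is switched, never seen by the inter-VLAN firewall
            matrix[s][d] = "local" if s == d else evaluate(packet(hosts[s], hosts[d]))[0]
    return matrix


if __name__ == "__main__":
    for s, row in reachability().items():
        print(f"{s:>10}: " + "  ".join(f"{d}={v}" for d, v in row.items()))
```

The two rules worth carrying over to the real configuration are the ones people most often forget: an allow-established rule at the top (otherwise Trusted can open connections to Servers but the replies are dropped) and a final deny to all RFC1918 space (otherwise the guest VLAN reaches every other VLAN the moment a specific allow is missing). Pinning guest DNS to one resolver while denying port 53 and 853 elsewhere is what the commenter's "restricted DNS server" amounts to; devices that hard-code their own resolver will simply fail rather than bypass it.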