Hey everybody, I'm Tom - hope everything is going well for you :)
Almost three months ago I finally went from a FWA connection to a FTTH and it's great.
After this change I felt the time was right to start monitoring and securing my home network properly.
Here's the setup:
- ISP modem/router (i.e. ZTE H388XF) in bridge mode
- Mini-PC (Intel® N100, 8 GB RAM, 4 × Intel® I226-V 2.5 Gbps RJ45) with OPNsense 24.1.4 installed
The mini-PC interfaces are structured as follows:
- igc0 – WAN (configured via PPPoE to ISP modem/router)
- igc1 – OPT1 (this interface terminates directly into a network wall port, ideally this would be a DMZ port for mixed use)
- igc2 – OPT2 (this interface also terminates directly into a network wall port, where the primary entertainment/gaming PC is connected)
- igc3 – LAN (this cable is connected to an 8-port gigabit switch in the living room, a NETGEAR GS308E)
The NETGEAR switch presents this configuration:
Port 1 – attached to the firewall
Port 2 – smart TV
Port 3 – promiscuous
Port 4 – free, but this would be the port dedicated to the wireless AP
Port 5 – gaming console
Port 6 – free
Port 7 – IoT bridge for smart lights
Port 8 – secondary entertainment/gaming PC
The idea would be to properly segregate the network so that the wired devices do not have access to the local network, except for communication with a small printer connected via wireless, and to also separate the wireless devices connected to the access point, because they will only need to browse externally and will not need access to the local network.
How do you recommend that I proceed?
Should I aggregate the three LAN interfaces into one or is it better to keep them separate?
Does it make sense to create VLANs or is it enough for me to work well with firewall rules?
I hope I have given you all the information you need, and thank you very much in advance for all the help you can give me.
Looks clean and simple, exactly what you want.
I would reshuffle your interfaces a bit:
- LAN directly connected to your primary PC (ssh, webgui), so you can troubleshoot OPNsense without any dependencies (VLAN, etc)
- OPT1 a VLAN trunk to your switch so you can segment your switch ports (don't use VLAN1, see this forum for further explanation)
- OPT2 DMZ
If your switch supports LACP, you could make a redundant VLAN trunk over LACP for extra redundancy (Home Networking is mission critical 8)) and terminate your DMZ as a VLAN on your switch. You lose an extra port, so this might be less preferred because you don't have that many ports free...
Overall, what you described is okay, and I also agree with what netnut advised.
However, I would use 2 (or even all 3, since you can do a DMZ VLAN as well) of those ports from OPN as a LAGG with LACP towards the switch. You will gain redundancy and, in a certain way, more BW.
On top of the LAGG, VLANs, and do the micro-segregation based on VLANs.
Additionally, create a management VLAN as well, on which your network devices will remain, and set restricted access to it from certain devices according to your needs.
This is how I do it. I also have FW groups created, where all the VLANs (except management) are bound and share a common pool of rules such as DNS, HTTPS, etc. The MGMT VLAN has its own independent set of rules.
I also have another FW group called MGMT_Access which binds only specific VLANs, and in it an alias for specific hosts to access the management ;)
P.S. Personally I think sooner or later you will hit the need for VLANs (or will say to yourself, damn, now I would need to do VLAN-based rules). So as you are in the process of designing, why not do it right away.
Regards,
S.
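The two posts above describe a layout (one VLAN per segment, a shared "common" firewall group for every VLAN except management, and a narrow MGMT_Access group with a host alias) and Tom's requirement that wired devices reach only the wireless printer. The following is an added example, not code from the thread or from OPNsense: a small first-match rule evaluator that models that layout so the rule ordering can be checked against sample flows. The subnets, VLAN numbers, printer address and management host are constructed placeholders; the thread gives none of them.

```python
"""Added example (not from the forum thread): a first-match rule evaluator that
models the VLAN + firewall-group segmentation discussed above.
All addresses and VLAN ids below are made-up placeholders."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing plan (the thread names no subnets or VLAN ids).
NETS = {
    "LAN":      ipaddress.ip_network("10.0.1.0/24"),   # igc3: primary PC
    "WIRED":    ipaddress.ip_network("10.0.10.0/24"),  # VLAN 10: TV, console, IoT bridge
    "WIRELESS": ipaddress.ip_network("10.0.20.0/24"),  # VLAN 20: access-point clients
    "MGMT":     ipaddress.ip_network("10.0.99.0/24"),  # VLAN 99: switch and AP admin
}
ALIASES = {
    "RFC1918":    [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "PRINTER":    [ipaddress.ip_network("10.0.20.50/32")],  # the wireless printer (placeholder)
    "MGMT_HOSTS": [ipaddress.ip_network("10.0.1.10/32")],   # only the primary PC may administer
}
# Firewall groups: every segment except MGMT shares the common rule pool.
GROUPS = {"COMMON": ["LAN", "WIRED", "WIRELESS"]}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: list                   # names from NETS / ALIASES / GROUPS, or "any"
    dst: list
    dports: set = field(default_factory=set)   # empty set = any destination port
    note: str = ""


def _expand(name):
    """Resolve a network, alias or group name to a list of ip_network objects."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in NETS:
        return [NETS[name]]
    if name in ALIASES:
        return ALIASES[name]
    if name in GROUPS:
        return [NETS[n] for n in GROUPS[name]]
    raise KeyError(f"unknown object {name}")


def _match(names, addr):
    return any(addr in net for n in names for net in _expand(n))


# Evaluated top to bottom, first match wins, implicit block at the end.
# Ordering is the whole point: the printer exception and the MGMT_Access
# rule must sit above the RFC1918 block, and the RFC1918 block must sit
# above the "common pool" pass, or local subnets become reachable over 443.
RULESET = [
    Rule("pass",  ["MGMT_HOSTS"], ["MGMT"],    note="MGMT_Access: admin host reaches switch/AP"),
    Rule("pass",  ["WIRED"],      ["PRINTER"], {631, 9100}, note="wired clients: IPP/raw print only"),
    Rule("block", ["COMMON"],     ["RFC1918"], note="no lateral movement between segments"),
    Rule("pass",  ["COMMON"],     ["any"],     {53, 80, 443}, note="common pool: DNS/HTTP/HTTPS out"),
]


def evaluate(src, dst, dport, ruleset=RULESET):
    """Return (action, note) for a flow, using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ruleset:
        if _match(r.src, s) and _match(r.dst, d) and (not r.dports or dport in r.dports):
            return r.action, r.note
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample flows: wired -> printer, wired -> LAN PC, wireless -> internet
    for flow in [("10.0.10.20", "10.0.20.50", 9100), ("10.0.10.20", "10.0.1.10", 22),
                 ("10.0.20.30", "1.1.1.1", 443), ("10.0.20.30", "10.0.99.1", 443),
                 ("10.0.1.10", "10.0.99.1", 443)]:
        print(flow, "->", evaluate(*flow))
```

Swapping the block and pass rules for the COMMON group (or moving the printer rule below the RFC1918 block) makes the evaluator return different answers for the same flows, which is the same mistake the OPNsense rule order would make; keeping the deny-local rule between the specific exceptions and the shared outbound pool is what gives Tom the "wired devices only see the printer" behaviour.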
Tom,
You seem to be just beginning your network journey. As such, I would like to know why you think you need a DMZ? While DMZs are not unheard of, they are kind of out of the ordinary for a typical home network. I just want to get some clarity on your use case because it might be something you think you need, but really don't.