Total beginner: How to setup 2 segment Network with VPN for only 1?

Started by acer_him, January 06, 2023, 03:46:07 AM

Hello everyone, please bear with my question as I am just starting my networking journey, learning network security and privacy.
--
-- Preface: I learnt from a YouTube video that our home WiFi can be very unsafe, and the lady in the tutorial, "Naomi Brockwell", guided with steps using Protectli hardware/mini-PC, but it was an Ethernet-only setup and without VPN, so it did not completely serve my family's purpose.
--
-- Purpose: I need to set up a firewall for my internet connection at home, and separate the traffic for smart devices/guests from my family's personal devices (laptops/phones).
--
-- Present Status: At present I am at the total noob stage, trying to mentally grasp what all needs to be done: the hardware and software part of it, and the programming part of it, the best way to serve this purpose in my situation (in the most time- and cost-effective manner).
--
-- So far, I am leaning towards building my own router (using an old mini PC, which has built-in Ethernet and an option to add a 2nd 4-port NIC) or buying one from AliExpress/Protectli (these usually have 4 ports: WAN, LAN, OPT1, OPT2), and adding this setup as a physical firewall (no virtualization; I think with Proxmox etc. it will be too much for me at present), thinking of making my ISP allow bridge mode on my modem (sadly our ISPs are too controlling) and then connecting an Ethernet cable from the ISP modem's LAN port to this OPNsense mini-PC.
--
But sadly this is where my clarity of concept ends... (maybe too many videos also messed up my head, pointers everywhere except exactly what I need to see). I am not sure what to add in front of the OPNsense box? A switch? A single access point for WiFi? 2 old routers as access points for two separate segments of WiFi?
--
-- I am trying to write in an easy-to-digest and structured manner; still my words may seem to have been too much to digest, but as they say, "A picture is worth a thousand words", that is why I spent the last 2 hours formulating my idea so far and making a picture/flow chart of 3 possibilities. I am pretty sure all of you will be able to quickly understand what I am trying to do.
--
Please see the pictures of 3 possible flow charts (the 2nd will be cheapest for me, but from the many YT videos and documentation I have searched, I think it may be number 3, as I will have to buy a new switch AND a WiFi 6 router/AP).
--
Please correct me wherever I am wrong in those ideas, and add updates as you see fit.
First, I need a clear plan (at least the mental sketch has to be clear, like the hardware setup; after that I will fill in the fine details like software setup, exact VLANs and ports etc.).
--
Do know, I am interested to actually learn and I am willing to work hard for this (if there is a good Udemy etc. course on networking and security, please give me a suggestion for that too).
--
So please, kindly point me in the right direction; any and all help will be highly appreciated. Thanks.

Welcome to the networking journey  :D Some quick thoughts:

You should create separate IP subnets for trusted and non-trusted clients. This will allow you to create firewall rules effectively. Say 192.168.78.0/24 for your LAN, 192.168.79.0/24 for your guests and 192.168.80.0/24 for your IoT devices. You can combine the latter two groups for now but consider multi-SSID if/when you're upgrading to "proper" APs.

Your (re)use of old routers for WiFi is great, but make sure you put them in AP-only mode. If they start routing themselves with associated NAT you will very soon get tangled up.

Don't pick 192.168.1.0 or 192.168.0.0/24 for your internal networks, as many public WiFi networks (coffee shops, etc.) use those ranges and you'll never be able to set up remote access VPN if you use them at home. Use something like 10.63.101.0/24 and 10.73.37.0/24. Pick random obscure ranges out of https://www.rfc-editor.org/rfc/rfc1918

OPNsense can provide DHCP and DNS for these subnets but you can also provision a server for this (e.g. pi-hole). Walk before you run though and apply the KISS principle. The same goes for IPv6, IPS/IDS, etc. Nice to have but not absolutely essential.

The archetypal starter course is Cisco CCNA, since they enforced a lot of the standards during the formative years of networking. Udemy courses used to be slightly cheaper through their smartphone app (at the expense of some slurping).

Bart...
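The advice above (separate RFC 1918 subnets per trust level, nothing overlapping, and nothing in the ranges public WiFi hands out) can be checked before anything is typed into OPNsense. The following is an added example, not code from the thread or from the OPNsense project: it validates a segment plan, allocates random obscure /24s inside 10.0.0.0/8 the way the reply suggests, and derives a gateway address and DHCP pool for each segment. The list of "common default" ranges beyond 192.168.0.0/24 and 192.168.1.0/24, and the pool size of 100 addresses, are assumptions of this example.

```python
import ipaddress
import random

# RFC 1918 private address space (https://www.rfc-editor.org/rfc/rfc1918)
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges to avoid at home because remote networks (coffee shops, hotels, consumer
# routers) commonly use them. The first two come from the reply above; the rest
# are an assumption of this example, extend the list to taste.
COMMON_DEFAULTS = [ipaddress.ip_network(c) for c in (
    "192.168.0.0/24", "192.168.1.0/24",
    "192.168.2.0/24", "192.168.100.0/24", "10.0.0.0/24", "172.16.0.0/24",
)]


def check_plan(plan):
    """Return a list of problems with a {segment: CIDR} plan (empty list means OK)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(priv) for priv in RFC1918):
            problems.append(f"{name} {net}: not inside RFC 1918 private space")
        for common in COMMON_DEFAULTS:
            if net.overlaps(common):
                problems.append(f"{name} {net}: overlaps common default {common}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def random_obscure_subnet(prefix=24, rng=None, avoid=()):
    """Pick a random /prefix inside 10.0.0.0/8 that avoids COMMON_DEFAULTS and `avoid`."""
    rng = rng or random.SystemRandom()
    avoid = list(COMMON_DEFAULTS) + [ipaddress.ip_network(a) for a in avoid]
    base = ipaddress.ip_network("10.0.0.0/8")
    for _ in range(1000):
        # there are 2**(prefix-8) candidate subnets of this size inside 10/8
        index = rng.randrange(2 ** (prefix - base.prefixlen))
        addr = base.network_address + index * 2 ** (32 - prefix)
        candidate = ipaddress.IPv4Network((addr, prefix))
        if not any(candidate.overlaps(a) for a in avoid):
            return candidate
    raise RuntimeError("no free subnet found")


def plan_segments(names, prefix=24, seed=None):
    """Allocate one non-overlapping obscure subnet per segment name, in order.

    `seed` makes the choice reproducible (for tests); leave it None for a real plan.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    plan = {}
    for name in names:
        plan[name] = str(random_obscure_subnet(prefix, rng, avoid=plan.values()))
    return plan


def segment_addresses(cidr, pool_size=100):
    """Gateway (first host) and a DHCP pool at the top of the range, as a hint for the DHCP page."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return {
        "gateway": str(hosts[0]),
        "dhcp_from": str(hosts[-pool_size]),
        "dhcp_to": str(hosts[-1]),
    }


if __name__ == "__main__":
    # A first draft that repeats the mistakes the reply warns about:
    draft = {"LAN": "192.168.1.0/24", "GUEST": "192.168.79.0/24", "IOT": "192.168.79.128/25"}
    for problem in check_plan(draft):
        print("problem:", problem)
    # A generated plan that passes every check:
    good = plan_segments(["LAN", "GUEST", "IOT"])
    for name, cidr in good.items():
        print(name, cidr, segment_addresses(cidr))
```

Keeping the static hosts (firewall, APs, printer) below the DHCP pool is the reason the pool is taken from the top of the range; the split is a convention, not something OPNsense requires.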

Firstly, thanks for the quick reply (please excuse the typos of my last post, I had worked all night).
Actually thanks for multiple things:
-
A) Thanks for pointing me to the Cisco CCNA networking course:
-
I am super excited to see all the information I wanted in one place! I always wanted to learn all this; I was the only 8th-grade kid in my school using a dual-boot system with Red Hat Linux as the primary system (those days P2P sharing was evolving: Kazaa to LimeWire, later torrents etc.), but school or family never supported it, and then later in life, pressing priorities drifted me away. Although professionally I work in 3D architectural design, I want to get back to my networking interest, and since my country is rapidly becoming like North Korea and China, now I am ditching Windows, back to Linux; I plan to use Windows in VirtualBox for 3D design and the Adobe suite.
-
A part of me almost feels I should talk to you after I do the course, but then it is a 120-hr training and 1-year certification, and maybe after the course I won't need to bug you, lol. But I need to get started with basic hardware, then I will keep studying that course and exploring my own OPNsense router with it, step by step. I found Udemy courses also with the same syllabus (and a few local institutes to physically go and study at too); although I don't plan on becoming a network engineer, I will definitely do the online version of this (maybe side-hustle use? but it's really a hobby). For anyone else like me, here is a link to the Cisco basic CCNA program:
-
https://learningnetwork.cisco.com/s/ccna-exam-topics?ccid=ccna&dtid=website&oid=cdc-ccna-exam-step1
-
-
B) Thanks for the rfc-editor link: My ISP case is tighter! MANY like me are stuck ***
-
Ok, I am trying to keep privacy but still should reveal, I am from North India, and here we basically have a duopoly of two ISPs: "Airtel vs Jio" (almost 45-45 market share); the other ISPs constitute maybe 10-20%, and our ISPs put us in a strict "CG-NAT". The majority of us don't have a unique or static IP (we need to pay extra per month to get a lease of a static IPv4 address), so most people cannot have remote access (unless they figure out a VPN workaround), so trust me, there are MILLIONS like me who are trying to accomplish what I am trying to do here! And yes, by millions, I literally mean MILLIONS! In India there is no shortage of population, lol. Imagine every other kid here trying to download a torrent but his ports won't forward due to CG-NAT (the only way around is a VPN that allows torrents).
-- But on the flip side, our ISPs are very controlling and misleading,
For example:
The router+modem they offer as "free" is actually the only one that works (they don't let us install our own modems; they tie their router's MAC ID to our account... for security?), plus their routers have the firmware access pages locked, even PPPoE locked, so you cannot set bridge mode yourself (unless you hack the firmware). And when you call customer care and ask for enabling "Bridge Mode", they mislead by saying Bridge Mode is possible only if you buy a static IP, upselling their own stuff. So the majority of people have unencrypted data going everywhere, and the ISP makes double money: a) with internet services and b) more by selling your private data, their real bread and butter*.
- (And oh, their router has TR-069 management locked; they reboot from their end, change things from their end, and even when they do enable bridge mode for some people who fight for it, it's strange they enable bridge on only the 3rd or 4th LAN port, and many users report that makes the situation worse... weird controls...)
-- Anyway, I will deal with this; I have had to win many fights with them before. I just need to have my plan set first, but again, I am writing this because there are MANY like me, and I hope this forum helps those millions. There is no YT video of people using an OPNsense router with an Indian ISP; if you made such a video, you would get hundreds of thousands of views! (But of course, I am no expert nor planning cheap publicity, but I will link this post to Indian broadband forums*. I have liked the OPNsense community more than pfSense for some reason, mostly that fake website history, anywho.)
-
Question 1: For my segmented network+VPN project, will having the ISP modem in bridge mode suffice? Or do I actually need to have a static IP? (I am not planning remote access anytime soon though*. I have a 300 Mbps plan.)
-
Question 2: Please confirm the hardware aspect, the flow chart picture that I attached: do you think it will work? Or do I need to buy a separate switch also?
Also, I noticed pictures are visible only to people who have an account here, so here is the step-wise flow chart in words:
-
----> 1) ISP modem at home (in bridge mode, wire from its LAN to the WAN of the mini-PC)
----> 2) OPNsense on the mini-PC with dual NIC, 1st onboard, 2nd in the PCIe slot
(configure PPPoE, define network segments (subnets), firewall rules for each subnet, define VPN access for different subnets on OPT1, access for non-trusted clients without VPN on OPT2)
----> 3) AP-1 = TP-Link WiFi 6 dual-band router (in AP mode, wired to OPT1 serving the subnet with VPN, for family, trusted clients)
----> 4) AP-2 = D-Link ADSL router 300 Mbps (in AP mode, wired to OPT2 serving the subnet without VPN access, for guests/non-trusted clients)
-
Will this hardware be enough?
--- (need to ask DHCP and SSID stuff later*)
-
I see, most popular YT videos like NetworkChuck, Tom from Lawrence etc. indicate this setup:
1) ISP-Modem ---> 2) OPNsenseMini-Pc ----> 3) Switch -----> 4) WirelessAccessPoint
-
(In this case, I will have to buy a switch... and still have 2 separate access points? Or can a single WAP serve two different subnets, with VPN and non-VPN? Do you prefer this setup?)
-
Practically speaking, all this will have to be physically placed and powered in one area (in a new open cabinet, in the centre of the house, next to the TV), so I am really trying to keep it as concise as possible; at present I have only 1 ISP modem doing everything (so adding 4 more devices, I will really have to softly pace my family for this! Lol)
-
Please help me clarify my initial hardware setup. I will definitely keep updating my progress, so this post may move a little slowly as I arrange hardware etc., but it should definitely reach a SOLVED status handsomely in the end! (I WILL link this to Indian broadband forums; hopefully more people join here.) So let's try and make this post useful for everyone.
-
Thanks and Regards.

If I may. Your thinking is quite doable, and some pointers:
-
> Question 1: For my segmented network+VPN project, will having the ISP modem in bridge mode suffice? Or do I actually need to have a static IP? (I am not planning remote access anytime soon though*. I have a 300 Mbps plan.)
A1: You don't need a static IP to get this part running. All on the inside of your network(s).
-
> Question 2: Please confirm the hardware aspect, the flow chart picture that I attached: do you think it will work? Or do I need to buy a separate switch also?
A2: Only one picture attached, so going by it. That works with a few observations:
The LAN port for your laptop is a single port, so if you want more wired devices connecting to it, it needs a switch plugged into it.
> Also, I noticed pictures are visible only to people who have an account here, so here is the step-wise flow chart in words:
> -
> ----> 1) ISP modem at home (in bridge mode, wire from its LAN to the WAN of the mini-PC)
> ----> 2) OPNsense on the mini-PC with dual NIC, 1st onboard, 2nd in the PCIe slot
> (configure PPPoE, define network segments (subnets), firewall rules for each subnet, define VPN access for different subnets on OPT1, access for non-trusted clients without VPN on OPT2)
> ----> 3) AP-1 = TP-Link WiFi 6 dual-band router (in AP mode, wired to OPT1 serving the subnet with VPN, for family, trusted clients)
> ----> 4) AP-2 = D-Link ADSL router 300 Mbps (in AP mode, wired to OPT2 serving the subnet without VPN access, for guests/non-trusted clients)
> -
> Will this hardware be enough?
A3: Enough for what isn't clear to me. Each AP will be connected to the router and each device will be using the services enabled/disabled on the router for them. Enough to separate the network segments from each other, yes.
In regards to "VPN access" you need to be clearer what you mean by that. There are VPN tunnels in and out, VPN clients and servers.
> --- (need to ask DHCP and SSID stuff later*)
> -
> I see, most popular YT videos like NetworkChuck, Tom from Lawrence etc. indicate this setup:
> 1) ISP-Modem ---> 2) OPNsenseMini-Pc ----> 3) Switch -----> 4) WirelessAccessPoint
> -
> (In this case, I will have to buy a switch... and still have 2 separate access points? Or can a single WAP serve two different subnets, with VPN and non-VPN? Do you prefer this setup?)
A4: Think of the switch as a multiplier or splitter in a way. You plug one cable of the switch into the router, and PCs into the various ports of the switch. From the router's perspective, all these ports are in the same subnet, and the magic of what is done on the subnet is done at the router. That's the typical home use, where the switch is "downstream" from the router. The access point that goes into one of the ports acts as another splitter, but for wireless clients.
In your scenario, each port on the router is a subnet, and assuming default no-bridge, independent from the other. So if you plug each AP into them, they are by default isolated from each other, as are their wireless clients.
It is possible to split the same WAP into segments (assuming the same band), but there you are getting into the AP being more router than just AP, and you will need to find ways to avoid conflicts with services on the router. For now the cleanest, simplest solution is to assume each AP is just that, put it in bridge mode, and let the router do all the work for services.
-
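The reply above makes two points that are easy to get wrong once the hardware is in place: each router port is its own subnet and is isolated from the others unless a rule says otherwise, and "VPN access" has to be expressed as a concrete policy. The following is an added example, not code from the thread or from the OPNsense project: a small model of how OPNsense-style rules behave (rules are attached to the interface the packet enters on, the first matching rule wins, and a packet matching no rule is dropped), run over a constructed rule set that sends the trusted OPT1 segment through a VPN gateway and gives the guest OPT2 segment plain internet only. The subnets are the ones suggested earlier in the thread; the gateway name "VPN_GW", the alias name "private_nets" and the sample flows are assumptions of this example, and NAT, floating rules and state tracking are deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Aliases, in the spirit of OPNsense firewall aliases: one name for several networks.
ALIASES = {
    "private_nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


@dataclass
class Rule:
    iface: str                      # interface the packet ENTERS on (rules are per-interface, inbound)
    action: str                     # "pass" or "block"
    src: str                        # CIDR, alias name, or "any"
    dst: str                        # CIDR, alias name, or "any"
    gateway: Optional[str] = None   # policy-routing gateway for pass rules (None = default route)
    note: str = ""


def _matches(spec, ip):
    """True if `ip` falls inside the CIDR/alias `spec` ("any" matches everything)."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))


def evaluate(rules, iface, src, dst):
    """First matching rule on the ingress interface wins; no match means implicit block."""
    for r in rules:
        if r.iface == iface and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.gateway
    return "block", None


# Constructed policy. OPT1 = trusted family segment (10.63.101.0/24) routed through a
# hypothetical VPN gateway "VPN_GW"; OPT2 = guest/IoT segment (10.73.37.0/24) with
# plain internet via the ISP. Order matters: the local pass rules sit ABOVE the
# policy-routed catch-all, otherwise traffic to the other home segments would also
# be pushed into the tunnel.
RULES = [
    Rule("OPT1", "pass", "10.63.101.0/24", "10.63.101.1/32", note="trusted clients reach the firewall (DNS)"),
    Rule("OPT1", "pass", "10.63.101.0/24", "private_nets", note="trusted clients reach other home segments directly"),
    Rule("OPT1", "pass", "10.63.101.0/24", "any", gateway="VPN_GW", note="everything else leaves via the VPN tunnel"),
    Rule("OPT2", "pass", "10.73.37.0/24", "10.73.37.1/32", note="guests reach the firewall (DNS)"),
    Rule("OPT2", "block", "10.73.37.0/24", "private_nets", note="guests cannot reach any other home segment"),
    Rule("OPT2", "pass", "10.73.37.0/24", "any", note="guests get plain internet via the ISP route"),
]

# Constructed sample flows: (label, ingress interface, source IP, destination IP)
SAMPLE_FLOWS = [
    ("guest -> family laptop", "OPT2", "10.73.37.50", "10.63.101.20"),
    ("guest -> internet", "OPT2", "10.73.37.50", "1.1.1.1"),
    ("guest -> firewall DNS", "OPT2", "10.73.37.50", "10.73.37.1"),
    ("family -> internet", "OPT1", "10.63.101.20", "1.1.1.1"),
    ("family -> guest AP subnet", "OPT1", "10.63.101.20", "10.73.37.50"),
    ("unconfigured LAN port -> internet", "LAN", "10.1.1.1", "1.1.1.1"),
]


def audit(rules=RULES, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow and return {label: (action, gateway)}."""
    return {label: evaluate(rules, iface, src, dst) for label, iface, src, dst in flows}


if __name__ == "__main__":
    for label, (action, gw) in audit().items():
        print(f"{label:35s} {action:5s} via {gw or 'default route'}")
```

The last sample flow shows the implicit deny: an interface with no rules passes nothing, which is why a freshly added OPT interface on OPNsense has no connectivity until a rule is created.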