Best Practices VLANs?

[IcarusOPN]

I've got a basic set up and am experimenting with opnsense on my home network.

arris cable modem -----> Protectli (opnsense) ------> Orbi 6 as an AP ----->another Orbi Satellite

So far everything works.

On my network I have about:

3 Smart TVs
1 laptop
3 smart thermostats
4 smart speakers
1 gaming system
1 tablet and mobile

Any suggestions on best practices to separate the devices?

I'm reading about VLANs?

Eventually I want to do this in my office as we have cameras, voip phones etc.  So any soft of advice on how to segment my network is appreciate.

Sorry I'm new to all this an learning.

[AlienMindbender]

I've got the following:

• LAN (PC, NAS with private data, Laptops when on Ethernet)
• RLAN (restricted LAN: smart TV, sockets for guests - no access to my NAS or building control)
• BCS (building control system = KNX, photovoltaics, alarm)
• DMZ (externally reachable DNS, Web and Mailserver)
• private WLAN (just like LAN)
• IoT WLAN (Echo Dots...)
• TV WLAN (separate to allow for bandwith control)

But "best practice" is always a balace between having a safe setup and still keeping it simple (KISS), and the above is admittedly not simple any more.

I would basically just separate everything of value (private data, NAS) from everything I do not trust (smart TVs, whatever-WLAN-gadget...).

Your access points need to support VLAN tagging and multiple SSIDs for that.

[IcarusOPN]

I've got the following:

• LAN (PC, NAS with private data, Laptops when on Ethernet)
• RLAN (restricted LAN: smart TV, sockets for guests - no access to my NAS or building control)
• BCS (building control system = KNX, photovoltaics, alarm)
• DMZ (externally reachable DNS, Web and Mailserver)
• private WLAN (just like LAN)
• IoT WLAN (Echo Dots...)
• TV WLAN (separate to allow for bandwith control)

Nice setup!
Curious about the RLAN. Is that setup through opnsense? Just a VLAN?
I have all my IoTs connected to my guest account. I don't think my Orbi has the ability to create more than 1 guest wireless. What type of wireless point are you using that does this?

[Greelan]

My setup involves a management LAN for network gear, then VLANs for 1. trusted devices, 2. IoT type devices, and 3. guests. Finally I have another VLAN for external facing services or other services I don’t trust, in which each host is entirely isolated (at both the layer 2 level as well as layer 3) except for the limited exceptions I allow

Very much agree that it is always a balance between security and complexity

[AlienMindbender]

Curious about the RLAN. Is that setup through opnsense? Just a VLAN?

My box has 5 NICs. I have each WAN, LAN and DMZ on a dedicated NIC. RLAN and all WLANs share one NIC via VLAN. BCS and CAM share another NIC via VLAN.

I have all my IoTs connected to my guest account. I don't think my Orbi has the ability to create more than 1 guest wireless. What type of wireless point are you using that does this?

You need an AP that supports Multi-SSID and VLAN tagging, plus you need something that will take care of the tagged packages (like a Smart Switch and / or an OPNsense box). I am currently using three Grandstream GWN7605.

[Tubs]

Any suggestions on best practices to separate the devices?

I would separate the devices in some categories by access needs and by trust.
And then create groups out of it by finding the right balance between simplicity and the security level you want to achieve.

• does only need connection to internet. No connection to or from other devices. (e. g. IoT, guest devices)
• Connection to or from other devices required
• sensible devices worth to protect (e. g. server)
• trusted devices (e. g. PC, phone)
• untrusted devices (e. g. guest phone and PC,
• required connection speed (routing PC to NAS might be slow)
• ...

I personally do not separate wired and wifi devices. As my wifi AP can handle multiple SSID and VLAN I use only one network (VLAN) for wired and wifi devices of the same category.

[IcarusOPN]

Any suggestions on best practices to separate the devices?

I would separate the devices in some categories by access needs and by trust.
And then create groups out of it by finding the right balance between simplicity and the security level you want to achieve.

• does only need connection to internet. No connection to or from other devices. (e. g. IoT, guest devices)
• Connection to or from other devices required
• sensible devices worth to protect (e. g. server)
• trusted devices (e. g. PC, phone)
• untrusted devices (e. g. guest phone and PC,
• required connection speed (routing PC to NAS might be slow)
• ...

I personally do not separate wired and wifi devices. As my wifi AP can handle multiple SSID and VLAN I use only one network (VLAN) for wired and wifi devices of the same category.

Thank you! This makes sense to me. I'm going to try this weekend