Topic: Hints for network setup including IoT (Read 1264 times)
Tosch, Newbie, Posts: 12, Karma: 0
Hints for network setup including IoT
« on: April 13, 2023, 12:56:04 pm »
Hello everyone,
As a reader I am very impressed with the remarkably positive and helpful support here. This is not a given in such forums anymore!
I would like to get your feedback on the following setup that I am currently implementing (image attached).
The hardware is already there (and I have decided on OPNSENSE + Omada).
Single-family home, 3 floors. Cables for access points are installed.
My main motivation for the network is not increased security compared to a standard home network (with the exception of 1 "VPN" and exception 2 "IoT Untrusted", see below). Therefore, my focus in the setup is mainly on stability, performance, and user-friendliness for the rest of the family.
Some background on the devices:
On my UNRAID, I have a NAS and Docker running, which are important for other network participants (e.g., Plex or a surveillance camera solution "Frigate"). It should therefore function as a fast NAS in the LAN, be able to interact with HASS, and make some Dockers accessible from the internet (UNRAID has its own firewall and VLAN management, which has worked well so far with port forwarding).
Home Assistant (HASS) runs on a separate Intel NUC, which we use extensively (including voice commands via Alexa, etc.). It also needs to be accessible from the internet and be able to interact with numerous LAN/HOME user devices (access the web GUI, but also detect presence, etc.).
Two special segments that I marked in the network plan:
IoT Untrusted: I use Home Assistant completely to control our IoT locally. This also includes WLAN-capable parts that might be easier to hack or that might phone home to the manufacturer (e.g., Xiaomi air purifiers or almost all vacuum cleaners).
VPN Streaming: We sometimes watch international content. For this, I have installed a FireTV Stick with a VPN client and kill switch. However, this binds us to this device. Ideally, I would like to have a dedicated VLAN that sends all devices to the outside world over a VPN (including kill switch).
My questions:
A) Physically
Does the setup make sense, especially with regard to performance?
In the current version, my OPNSENSE build still has 3 NIC ports available. Should I connect certain devices directly there instead of to the main switch, or should I group some of them together and connect them to the main switch as a LAG? I still have (presumably?) unnecessary switches, managed and unmanaged. Are there sensible uses for them to increase performance (possibly all OMADA devices like the controller and the 2x APs on one switch and only then into the main switch? HASS/IPTV/UNRAID via an intermediate switch, etc.)?
The 4 WIFI cameras run 24/7 and send data to UNRAID from time to time. Although I do not notice any performance limitations in the rest of the network, if I am already rebuilding everything... do you think I should use a simple Omada AP only for the cameras and connect it to UNRAID with an unmanaged switch?
B) Logically
I know that it would probably be wiser to further divide the LAN/home VLAN and possibly separate IoT and guests, as well as UNRAID, media, etc. However, I don't want to deal with multicast problems and have to provide IT support to family members when they want to send something from their phone to the TV via Chromecast on the Fire Cube, etc.
I would then regulate specific candidates on the device level in the firewall, right? For example, HASS towards "IoT Untrusted" or UNRAID and HASS towards the Internet, etc. Or should I rather put all IoT devices in one VLAN and apply untrusted device rules at the device level (Xiaomi should never call home and certainly not spy on other network devices)?
Do you think the rest is fine and doable? Any other suggestions for a VLAN segmentation?
For "LAN/HOME", everything untagged or tagged?
Thank you very much!
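As an added illustration of the device-level rule approach the post asks about (this is example code written for this thread, not code from the poster, from OPNsense or from Omada), the following small first-match rule evaluator models the three segments described above: HASS in LAN/HOME may initiate connections to "IoT Untrusted", untrusted IoT devices may neither reach other local segments nor phone home, and the "VPN Streaming" VLAN only leaves via the VPN gateway, with a block rule behind it acting as a kill switch. All VLAN names, subnets, host addresses and the gateway name "wg_vpn" are constructed assumptions; the "skip a policy-routed pass rule when its gateway is down, so traffic falls through to the next rule" behaviour is the model the example relies on, written out explicitly rather than taken from any product.

```python
"""Added example, not from the forum post: a first-match firewall rule
evaluator for the LAN/HOME, IoT Untrusted and VPN Streaming segmentation.
Subnets, hosts and the gateway name are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing plan (assumption): one subnet per segment.
LAN_HOME = ip_network("192.168.10.0/24")
IOT_UNTRUSTED = ip_network("192.168.20.0/24")
VPN_STREAMING = ip_network("192.168.30.0/24")
ALL_LOCAL = ip_network("192.168.0.0/16")   # aggregate covering every local VLAN
ANY = ip_network("0.0.0.0/0")

# Constructed hosts (assumption).
HASS = ip_address("192.168.10.5")     # Home Assistant NUC in LAN/HOME
PHONE = ip_address("192.168.10.23")   # a family phone in LAN/HOME
XIAOMI = ip_address("192.168.20.42")  # an untrusted IoT device
FIRETV = ip_address("192.168.30.7")   # a device in the VPN streaming VLAN
CLOUD = ip_address("203.0.113.10")    # some internet host (TEST-NET-3 range)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str] = None    # policy-routing gateway for pass rules; None = system default
    note: str = ""


# Rule order matters: first match wins. Rules are evaluated for new
# connections only; a stateful firewall lets replies to an allowed
# connection through without re-evaluating the list.
RULES = [
    Rule("pass", ip_network(f"{HASS}/32"), IOT_UNTRUSTED, note="HASS may control IoT devices"),
    Rule("block", IOT_UNTRUSTED, ALL_LOCAL, note="IoT may not initiate to any local segment"),
    Rule("block", IOT_UNTRUSTED, ANY, note="IoT may not phone home"),
    Rule("pass", VPN_STREAMING, ANY, gateway="wg_vpn", note="streaming VLAN exits via the VPN"),
    Rule("block", VPN_STREAMING, ANY, note="kill switch: nothing leaves if the VPN rule did not apply"),
    Rule("pass", LAN_HOME, ANY, note="LAN/HOME uses the normal WAN and may reach local segments"),
]


def evaluate(src: IPv4Address, dst: IPv4Address,
             gateways_up=frozenset({"wg_vpn"})) -> Tuple[str, Optional[str]]:
    """Return (action, gateway) for a new connection src -> dst.

    Model assumption: a pass rule bound to a gateway that is down is skipped,
    so the connection falls through to the following rules instead of leaking
    out via the default route. Anything no rule matches is blocked.
    """
    for rule in RULES:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.action == "pass" and rule.gateway and rule.gateway not in gateways_up:
            continue  # gateway down: skip this rule; the next matching rule decides
        if rule.action == "pass":
            return "pass", rule.gateway or "default"
        return "block", None
    return "block", None  # implicit default deny


if __name__ == "__main__":
    cases = [
        ("HASS -> Xiaomi", HASS, XIAOMI, frozenset({"wg_vpn"})),
        ("Xiaomi -> HASS", XIAOMI, HASS, frozenset({"wg_vpn"})),
        ("Xiaomi -> internet", XIAOMI, CLOUD, frozenset({"wg_vpn"})),
        ("FireTV -> internet, VPN up", FIRETV, CLOUD, frozenset({"wg_vpn"})),
        ("FireTV -> internet, VPN down", FIRETV, CLOUD, frozenset()),
        ("phone -> internet", PHONE, CLOUD, frozenset({"wg_vpn"})),
    ]
    for label, s, d, up in cases:
        print(f"{label:32s} {evaluate(s, d, up)}")
```

The two points worth taking from the model are the ones the post circles around: because the firewall is stateful, only the initiating direction needs a pass rule, so allowing HASS to reach the IoT segment is enough for HASS to get answers back while the IoT devices themselves cannot start anything; and the kill switch works only because the VPN VLAN has no later pass rule that would send it out the normal WAN, so the ordering of the "block VPN_STREAMING -> any" rule relative to everything else is what needs checking when rules are added later.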