this post was submitted on 24 Apr 2024
71 points (100.0% liked)

Selfhosted

40644 readers
318 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hey everyone,

I am completely stripping my house and am currently thinking about how to set up the home network.

This is my usecase:

  • home server that can access the internet + homeassistant that can access IoT devices

  • KNX that I want to have access to home assistant and vice versa

  • IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)

  • 3 PoE cameras through a PoE 4 port switch

  • a Chromecast & nintendo switch that need internet access

Every router worth anything already has a guest network, so I don't see much value in separating out a VLAN in a home use case.

My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn't kill its battery retrying until home assistant polls.

The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR

I already have PiHole blocking most phone homes from the chromecast or guest devices.

So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.

Am I completely wrong on this?

top 27 comments
sorted by: hot top controversial new old
[–] [email protected] 18 points 7 months ago* (last edited 7 months ago) (3 children)

Like many other security mechanisms VLANs aren't really about enabling anything that can't be done without them.

Instead it's almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.

So if your question is "do I need VLAN to enable any features", then the answer is no, you don't (almost certainly, I'm sure there are some weird corner cases and exceptions).

What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don't normally talk to each other anyway. Right. That "normally" is exactly the case: one major benefit of having VLANs is not just stopping "normal" phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you're out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone ...

So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago)

And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.

The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.

[–] [email protected] 3 points 7 months ago (1 children)

Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network

[–] [email protected] 1 points 7 months ago

I had my home setup like that for years. ONT <-> Switch <-> Opnsense <-> Back to Switch

[–] [email protected] 2 points 7 months ago

In larger networks VLANs let you do network segmentation across switches, which you can't really do otherwise.

I wouldn't bother at home.

[–] anamethatisnt 15 points 7 months ago (1 children)

I consider client devices to be a big risk factor and if I can keep them from having direct access to the Backup NAS and the IoT I consider that a big win. A simple ransomware attack on a client device would find any NFS/SMB shares the client can access and start encrypting - having the Backup NAS on a separate VLAN that only the server can access stops most of those from affecting the backup and makes restoring a lot easier. I would definitely recommend having an offline backup of the NAS as well in case of the server being breached.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago)

Yeah, 100% agree on the client devices. One of my VLANs is for the kids' devices. I don't trust their schools' admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (1 children)

It all comes down to what you trust each type of device to do and how you want to handle their traffic.

I have seven VLANs, with each one's traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.

Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) setup your network.

[–] CMahaff 4 points 7 months ago* (last edited 7 months ago) (1 children)

Out of curiosity, what switch are you using for your setup?

Last time I looked, I struggled to find any brand of "home tier" router / switch that supported things like configuring vlans, etc.

[–] [email protected] 2 points 7 months ago

Believe it or not, a Netgear. Specifically this one. I don't have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.

[–] AA5B 8 points 7 months ago* (last edited 7 months ago) (1 children)

Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.

  • WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
  • There have been botnets from unsecured video cameras, and even some compromised from before import.
  • TVs report back what you’re using them for and when, even playing through hdmi, and some have been caught listening in to your private conversations.

How do you prevent these from happening, or limit what they can do? One way is to put them on a separate vlan without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.

That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network

[–] [email protected] 2 points 7 months ago (2 children)

Yeah, for that threat model, a VLAN is not needed in my opinion:

  • esphome devices are for sure not data collecting and pihole will block most of the phone homes with a good block list, where possible (like simple smart devices) they are flashed with a local open source version. Still the vast majority are KNX and Zwave which are local only

  • video cameras are local-only always and have completely blocked internet access via the router

  • This is probably the biggest threat unpreventable in other ways. Though definitely citation needed for them actually being caught recording conversations lol. People think phones do that too, but it is simply a lot easier (and more importantly, cheaper with a much higher ROI) to make a complete data picture through search/watch history + proximity to other devices.

[–] [email protected] 1 points 7 months ago

Pihole by itself can't really block all the traffic as some device may be set to use different DNS server from factory. And with DNS over HTTPS, to block phoning home, you'd most probably have to completely block internet access for that device.

I'm looking at VLANs as groups of devices which shares the same access policies. So e.g. you create VLAN for cameras, create rules for accessing the NAS, HA, etc. and then just assign each camera to that VLAN. You don't need to recreate same rules for every new camera.

[–] [email protected] 7 points 7 months ago (1 children)

In general terms, if you are not sure if you need a VLAN, you do not need a VLAN.

It dramatically complicates your home networks (yes, plural at that point), which is fine if IT serves a purpose.

But if there isn’t a compelling reason for them you are just imposing a management cost for no benefit.

[–] just_another_person 6 points 7 months ago

Disagree here, since OP's case is strong enough for a VLAN if they want segregated traffic.

[–] [email protected] 4 points 7 months ago (1 children)

It looks like you’re not understanding what a VLAN is. It is a virtual LAN, it’s near physical separation of traffic.

In your example, your IoT devices and HA would sit in their network. Your PCs and phones on another, reaching outside through PiHole. Your *arr suite in a third, only routed outside through a VPN. You get the gist. And then you set rules on how these subnets talk to each other in a router, like you would do if they were physically separate.

[–] [email protected] 3 points 7 months ago (2 children)

Yes, that is why I gave an example of how i thought it worked, but i have a single physical server with *arr suite, HA, reverse proxy, and all of my other services.

If it is a near physical separation of traffic, how can 1 device with 1 MAC and 1 IP be isolated on multiple parts of the VLAN?

[–] Dran_Arcana 2 points 7 months ago* (last edited 7 months ago)

You would expose a single port to multiple vlans, and then bind multiple addresses to that single physical connected interface. Each service would then bind itself to the appropriate address, rather than "*"

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

~~Oh, it can’t. You’d need more ETH ports.~~ One for each VLAN a device is connected to. You can find multiport low speed expansion cards for cheap, even more so used. Many people think it’s a worthy investment. You learn a valuable skill and have a more resilient, secure network.

Of course that assumes you have spare expansion connectors on your server. I might be wrong, but I’m pretty sure you can find ETH boards for that “Wi-Fi” M.2 connector, so that’s an option if you don’t have PCI. That way you can at least segregate Internet and local traffic.

Edit: apparently you can. Time for me to update my knowledge.

[–] [email protected] 2 points 7 months ago (1 children)

Yes, you create virtual nics tied to the physical one.

[–] [email protected] 1 points 7 months ago

Thanks, I’ll look into it!

[–] [email protected] 3 points 7 months ago

If you want to learn about VLANs and spend some time setting everything up (and more time each time a new device joins your network) then you should go for it.

I for myself decided it’s not worth it for my little home network and instead just use a /16 net and group devices into different ranges. E.g. computers are xxx.xxx.1.yyy, phones are .2.yyy, etc. All unknown devices get a .99.yyy from the DHCP, so they are easily identified.

All public facing stuff is in some Docker container, so there’s at least a small hurdle should something/someone get access.

Cameras are mirrored into Apple HomeKit via Home Assistant, so I can use Apple Home to watch them from afar. Or VPN into my home network.

[–] [email protected] 3 points 7 months ago (1 children)

Vlans are really only useful with firewalls. If you setup VLANs by themselves it does nothing (mostly)

[–] [email protected] 2 points 7 months ago

Unless you have a shit ton of hosts, to limit broadcast domains.

[–] CMahaff 1 points 7 months ago* (last edited 7 months ago)

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I think of it like this: grouping several physical switch ports together into a private network, effectively like each group of ports is it's own isolated switch. I assume there are routers which allows you to assign vlans to different Wi-Fi access points as well, so it doesn't need to be literally physical.

Obviously the benefits of vlans over something actually physical is that you can have as many as you like, and there are ways to trunk the data if one client needs access to multiple vlans at once.

In your setup, you may or may not benefit, organizationally. Obviously other commenters have pointed out some of the security benefits. If you were using vlans I think you'd have at a minimum a private and public vlan, separating out the items that don't need Internet access from the Internet at all. Your server would probably need access to both vlans in that scenario. But certainly as you say, you can probably accomplish a lot of this without vlans, if you can aggressively setup your firewall rules. The benefit of vlans is you would only really need to setup firewall rules on whatever vlan(s) have Internet access.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNS Domain Name Service/System
HA Home Assistant automation software
~ High Availability
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
IoT Internet of Things for device controllers
NAS Network-Attached Storage
NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency
PiHole Network-wide ad-blocker (DNS sinkhole)
Plex Brand of media server package
PoE Power over Ethernet
SMB Server Message Block protocol for file and printer sharing; Windows-native
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network

[Thread #709 for this sub, first seen 24th Apr 2024, 09:15] [FAQ] [Full list] [Contact] [Source code]