The secure, premium home network in a single-family house

Created on: 6 Jun 2020 23:00
Tarnari
Hello everyone,

I am currently considering how to set up the network in our house.
In this context, I thought it would be great if some of you could share how you have implemented a high-end network on an individual basis.
I am an IT professional myself, but my focus lies elsewhere. Nevertheless, feel free to get technical—I assume I will understand you.

I am interested in:
- How have you segmented your networks?
- What devices do you use (manufacturer-independent)?
- Which devices (manufacturer-independent) do you group together in which network, and why?
- Which networks do you allow to communicate with each other?
- How have you implemented external access, if desired?
- Do you perhaps have a DMZ?
- In your opinion, what is a “must-have” and what is a “nice-to-have”?
Tarnari 28 Sep 2021 21:15
Araknis wrote:

Okay, then briefly:

Yes, you can.

It basically always works. It works "well" if your device supports 802.1X. It works "less well" if it only has a MAC address.

In general, I would realistically consider such attack scenarios. With VLANs, you can isolate the outdoor ports from the rest of the network. Then you still have certain routes left, for example to the Internet. And then? Your visitor can surf. But to go through so much effort when every second Wi-Fi network in the neighborhood is poorly secured? Personally, I would be more concerned about someone stealing my access point or Gardena gateway on that occasion.
That is all correct and clear.
I was only asking whether I can solve this anyway, as I do not know of any way. It was not about the likelihood of attack scenarios, but about feasibility.
I conclude that it is apparently not practical to implement.
i_b_n_a_n 3 Oct 2021 18:07
Have you checked out the Fing Box? … It at least gives you an overview when a new device is plugged in.
rick2018 3 Oct 2021 19:17
To detect if a new device has connected, no additional hub is needed. That is just a bottleneck in the system anyway…
JoachimG. 9 Oct 2021 09:32
Depending on the switch, firewall, and access points (APs) used, the following setup can work:
For example, a FortiGate firewall with FortiAPs deployed outdoors:
- Disable DHCP on the ports used for the access points and create a dedicated VLAN (outside).
- Set up an 802.1X server to authenticate both APs and clients.
- Enable DHCP on the access points for the clients and configure the FortiGate as the gateway and DNS server, making sure the appropriate routes are set there.
This way, only a client that has successfully authenticated via 802.1X receives an IP from the access point. If the access point is offline, there will be no DHCP on that port. An attacker would need to guess the IP address range, know the VLAN, and have valid 802.1X credentials. Adding a VPN can further enhance security.
On a different port, connect your Gardena gateway, implement a MAC Authentication Bypass (MAB), and apply an Access Control List (ACL). This means that even if an attacker spoofs a MAC address, they can only proceed if they also use the same source IP, destination IPs, and ports as the Gardena gateway. In other words, they would only be able to access the Gardena services.

This is how I would approach it.
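The two admission paths in the post above (802.1X-gated AP port versus MAB plus ACL on the Gardena port) are easy to misjudge, in particular what a MAC-spoofing attacker can still do on the MAB port. The following is an added example, not code from the post or from Fortinet: a small Python model of the per-port decision logic, with a constructed policy and constructed flows. The MAC address, the 10.40.0.0/24 "outside" range and the 203.0.113.0/24 vendor endpoint are assumptions chosen for illustration.

```python
"""Model of the per-port admission policy from the post above (added example).

Port "ap":      VLAN 'outside', no DHCP on the switch port; a client gets a lease
                from the AP and may forward traffic only after 802.1X success.
Port "gardena": MAC Authentication Bypass (MAB) allow list plus an ACL that pins
                the bypassed MAC to its known source IP, destination IPs and ports.

All addresses and MACs below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    port: str               # switch port the frame arrived on: "ap" or "gardena"
    mac: str                # source MAC as seen by the switch
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    eap_authenticated: bool = False   # 802.1X result for this session (AP port only)


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Net
    dst: IPv4Net
    proto: str
    dst_ports: FrozenSet[int]

    def matches(self, flow: Flow) -> bool:
        return (
            flow.proto == self.proto
            and ipaddress.ip_address(flow.src_ip) in self.src
            and ipaddress.ip_address(flow.dst_ip) in self.dst
            and flow.dst_port in self.dst_ports
        )


# --- constructed policy -------------------------------------------------------
GARDENA_MAC = "aa:bb:cc:dd:ee:01"          # hypothetical gateway MAC
GARDENA_IP = "10.40.0.10"                  # the address the gateway always uses
MAB_ALLOWLIST = frozenset({GARDENA_MAC})

GARDENA_ACL: List[AclEntry] = [
    # DHCP request from an unconfigured client to the broadcast address
    AclEntry(IPv4Net("0.0.0.0/32"), IPv4Net("255.255.255.255/32"), "udp", frozenset({67})),
    # DNS to the FortiGate acting as resolver
    AclEntry(IPv4Net(GARDENA_IP + "/32"), IPv4Net("10.40.0.1/32"), "udp", frozenset({53})),
    # HTTPS / MQTT-over-TLS to the vendor cloud (TEST-NET-3, hypothetical)
    AclEntry(IPv4Net(GARDENA_IP + "/32"), IPv4Net("203.0.113.0/24"), "tcp", frozenset({443, 8883})),
]


def decide(flow: Flow) -> Tuple[str, str]:
    """Return ("permit"|"deny", reason) for one flow, mirroring the post's design."""
    if flow.port == "ap":
        # No DHCP and no forwarding until EAP has succeeded; an attacker who
        # plugs into the outdoor port sees nothing but EAPOL.
        if not flow.eap_authenticated:
            return "deny", "AP port: 802.1X not completed, no DHCP and no forwarding"
        return "permit", "AP port: 802.1X authenticated client on VLAN outside"

    if flow.port == "gardena":
        if flow.mac not in MAB_ALLOWLIST:
            return "deny", "Gardena port: MAC not in MAB allow list"
        if any(entry.matches(flow) for entry in GARDENA_ACL):
            # Residual risk the post acknowledges: a spoofed MAC that also copies
            # the gateway's IP and talks only to the gateway's services passes.
            return "permit", "Gardena port: MAB passed and ACL matched"
        return "deny", "Gardena port: MAB passed but flow outside the pinned ACL"

    return "deny", "unknown port"


def evaluate(flows: List[Flow]) -> List[str]:
    """Evaluate a list of flows and return one verdict string per flow."""
    return [f"{verdict}: {reason}" for verdict, reason in map(decide, flows)]


if __name__ == "__main__":
    samples = [
        Flow("ap", "de:ad:be:ef:00:01", "0.0.0.0", "255.255.255.255", 67, "udp"),
        Flow("ap", "de:ad:be:ef:00:01", "10.40.0.50", "10.40.0.1", 53, "udp", eap_authenticated=True),
        Flow("gardena", GARDENA_MAC, GARDENA_IP, "203.0.113.7", 443),
        Flow("gardena", GARDENA_MAC, "10.40.0.99", "10.0.0.5", 22),     # spoofed MAC, own IP, SSH inward
        Flow("gardena", "de:ad:be:ef:00:02", GARDENA_IP, "203.0.113.7", 443),
    ]
    for line in evaluate(samples):
        print(line)
```

Running the block shows that the only way through the Gardena port is to copy the MAC, the source IP and the destination tuple of the real gateway, which is exactly the "only Gardena services" outcome the post describes; everything else, including a lateral SSH attempt with a spoofed MAC, is dropped by the ACL rather than by MAB.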
Tarnari 11 Oct 2021 19:42
To revisit the topic…

Can anyone recommend a router that can provide DHCP within a VLAN?

Additionally, currently a Fritz!Box handles the internet access. If combined with another router, there would be double NAT. Is that really a problem if VPN and similar services are not used? How does this affect VoIP?

I am also considering replacing my Windows Server 2016, which runs 24/7 on a desktop PC, with a NAS. I am interested in a Synology DS920+.

Can anyone assess whether this device would be sufficient to replace a handful of Windows Server roles (as VMs) while also handling RADIUS and DNS?

Addition: I have a legitimate Windows Server 2016 Datacenter license. That would of course cover all these services if I were to run everything in VMs. Such a dedicated server would, of course, be more expensive. Still, an option?
rick2018 12 Oct 2021 07:18
Why don’t you set the Fritz!Box to bridge mode or replace it with a pure modem? That way, you avoid double NAT.
DHCP in the VLAN can actually be handled by any router that supports VLANs.
What do you want to run on the Synology? You should upgrade the RAM. Then Windows will run somewhat smoothly. But it’s not suitable for resource-intensive tasks.
You can ignore RADIUS and DNS, especially in a home network. Since there aren't many devices, it's not a big load anyway.