Home network security.
Hello everyone.
I’m looking at ways to set up different subnets in my home network using VLANs and also add a firewall for better security. I’ve thought about a few possibilities:
1. Use a managed switch that supports Layer 2 VLANs.
2. Pair a managed switch with a low-cost firewall.
3. Connect a router/firewall with IDS/IPS capabilities.
4. Link a router/firewall with IDS/IPS plus a managed switch.
Maybe another idea would involve using a Raspberry Pi or something similar.
Which option do you think is most suitable? Thanks!
You didn't clearly state the reason for wanting VLANs, making it hard to give a strong recommendation. I assume you need a fully VLAN-enabled network from your main router through to each client connection. This usually involves the router, switches, and access points. From a VLAN standpoint, none of these components alone provide a complete solution.
IDS/IPS can help but aren't essential. NAT is key for home networks, as it blocks unsolicited traffic, though it won't stop phishing attempts. IDS/IPS might not be necessary.
Network security relies on multiple layers—antivirus, VLANs, firewalls, and user training all play a role.
Hi Kanewolf, thanks for your reply.
I need my ISP router to support two networks: Network A and Network B. Each network should have its own dedicated port—port 1 for Network A and port 2 for Network B—connected directly to the router or firewall. The aim is to fully separate Network A from Network B.
On Network B, I also want multiple VLANs, such as one for IoT devices and another for PCs, among others. This should give me more clarity on how to set it up.
Thanks.
It is very likely your ISP router lacks support for VLANs or multiple DHCP servers, which are necessary for managing two separate networks. This is why I emphasized the need for hardware that works with VLANs throughout.
Most ISP routers can handle a guest Wi-Fi network but not a distinct wired connection.
The first thing to consider is whether you really need the ISP router or if it can be replaced. If you use IPTV or an IP phone, changing it from your ISP may be challenging.
If your goal is to block Network B from reaching Network A, you might place a second router between them. Its WAN port would link to your ISP router, effectively stopping B from accessing A, though A could still reach B.
The issue lies with your ISP router's inability to handle VLANs. You can connect a router that supports VLANs to your ISP router, but it won't be able to manage network B properly. Your aim is to keep network B secure and isolated, preventing any access from A or unrestricted access from A to B. Please clarify if this was your intention.
If you plan to add another router, my reference to "A" and "B" can be switched if "B" needs more protection. A second home router with the WAN linked to the ISP router will treat the ISP router as "the internet," giving standard NAT protection for B from all other devices connected to it. Network B will operate in a double NAT setup, which is generally not a problem.
Your ISP router might support VLANs. Since I didn't specify a model, it's unlikely an ISP router would be designed for VLANs, making this point less relevant.
My ISP router lacks VLAN support, so I considered using a secondary router with a firewall to separate my networks. This would help block traffic between network A and network B. Additionally, I thought about adding VLANs within network B using the new router or a managed switch. What are your thoughts? Thank you very much.
Return to your initial comment. You can't simply set up a managed switch; you need a router that supports VLANs. You'll require several DHCP servers and distinct address spaces, among other things. It's likely you also want Wi-Fi on channel "B". That implies you need VLAN-aware Wi-Fi equipment. If you're planning to purchase new gear, the UniFi series from Ubiquiti is a good option. It offers a unified dashboard and manages all UniFi devices through that interface. For those who prefer building it themselves, a MikroTik router or any managed switch you already own could be suitable.
Can I link a switch with VLAN features like the D-Link DGS-1100-08 to my ISP router even though it lacks that capability? I was wondering if this is feasible. For instance, the MikroTik RB4011iGS+RM router already supports VLANs on its own, so wouldn’t adding another switch be unnecessary? Thank you for your assistance.
You can. However, the traffic won't be separated in the router. A and B aren't completely isolated. The networks blend together on the LAN side of the ISP router. The VLAN tags are simply disregarded. Therefore, someone on network A could begin tagging traffic to an IP in network B, and both the router and the switch would forward it.
Incorporating a DGS into a MikroTik relies on the number of wired ports required.
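The reply above about VLAN tags being "simply disregarded" by a VLAN-unaware ISP router is the crux of the thread, so here is an added example (not posted by anyone in the thread and not vendor code) that models it. It parses 802.1Q tags out of raw Ethernet frames and compares two forwarding models over a constructed three-port topology: a VLAN-aware switch with ingress filtering, where an access port for network A only accepts frames in its own VLAN, and a VLAN-unaware device, where every frame lands in one flat broadcast domain regardless of tag. The port names (a1, b1, trunk), VLAN IDs 10 and 20, and the flooding model are all assumptions made for the example.

```python
# Added example, not code from the thread: a toy 802.1Q model showing why
# VLAN tags from a managed switch mean nothing to a VLAN-unaware ISP router.
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # 12-bit VID from the tag, None when untagged
    payload: bytes


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Serialize an Ethernet II frame, inserting an 802.1Q tag when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan & 0x0FFF   # PCP and DEI left at zero; only the VID is set
    return dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the header; a 0x8100 TPID means a 4-byte tag sits before the real EtherType."""
    dst, src = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return Frame(dst, src, tci & 0x0FFF, raw[18:])   # skip TCI and inner EtherType
    return Frame(dst, src, None, raw[14:])


@dataclass(frozen=True)
class Port:
    pvid: int                 # VLAN assigned to untagged frames arriving on this port
    allowed: frozenset        # VLAN IDs accepted when a frame arrives already tagged

    def member_vlans(self) -> frozenset:
        return self.allowed | {self.pvid}


def classify_ingress(port: Port, raw: bytes, aware: bool) -> Tuple[str, Optional[int]]:
    """Ingress decision. Returns ('forward', vid) or ('drop', vid).

    aware=True  : VLAN-aware switch/router with ingress filtering enabled.
    aware=False : VLAN-unaware ISP router; the tag is ignored and the frame is
                  forwarded into the single flat LAN (vid reported as None).
    """
    frame = parse_frame(raw)
    if not aware:
        return "forward", None
    if frame.vlan is None:
        return "forward", port.pvid            # untagged traffic lands in the PVID
    if frame.vlan in port.allowed:
        return "forward", frame.vlan           # tagged and permitted on this port
    return "drop", frame.vlan                  # tagged with a VLAN this port is not a member of


def forward(ports: Dict[str, Port], ingress: str, raw: bytes, aware: bool) -> List[str]:
    """Names of ports that would receive a flooded frame arriving on `ingress`."""
    verdict, vid = classify_ingress(ports[ingress], raw, aware)
    if verdict == "drop":
        return []
    out = []
    for name, port in ports.items():
        if name == ingress:
            continue
        if not aware or vid in port.member_vlans():
            out.append(name)
    return sorted(out)


def example_ports() -> Dict[str, Port]:
    """Constructed topology: an access port per network plus one trunk uplink."""
    return {
        "a1": Port(pvid=10, allowed=frozenset({10})),          # network A host port
        "b1": Port(pvid=20, allowed=frozenset({20})),          # network B host port
        "trunk": Port(pvid=1, allowed=frozenset({1, 10, 20})),  # uplink carrying both
    }


if __name__ == "__main__":
    ports = example_ports()
    bcast, host_a = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0a"
    plain = build_frame(bcast, host_a, b"constructed payload")
    tagged_b = build_frame(bcast, host_a, b"constructed payload", vlan=20)
    for label, frm in (("untagged from A", plain), ("A host tags VLAN 20", tagged_b)):
        print(f"{label:22} aware={forward(ports, 'a1', frm, True)} unaware={forward(ports, 'a1', frm, False)}")
```

With the VLAN-aware model, a frame from the network A port that carries a VLAN 20 tag is dropped at ingress and an untagged one only reaches the trunk, which is the isolation the thread is after. With the unaware model both frames reach the network B port, which is the "networks blend together" behaviour the reply describes; this is why the VLAN boundary has to be enforced by a device that understands tags on every hop, not by a managed switch alone.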