Getting Started in Home Networking

I’ve got another project idea!

I hear about the amazing things people do (mainly Noah) and think, wow I wish I could do that OR hmmm I’ve done that, but I’m not sure I did it securely. . .

Well, what if we all put our heads together and made a guide that community members could reference!?
I started a GitLab wiki/project based on this idea. It is 100% flexible so if you want to contribute and don’t like the approach, let’s change it together!

I chose GitLab because…it seemed appropriate? IDK if you have a better idea/solution let me know :laughing:.

3 Likes

Something I did earlier this year as part of self-created lab exercise when I was studying for Security+ was to segment my home network. I did so by doing the following:

  1. Put all IoT devices on a segmented WiFi channel on my wireless router.
  2. Put all desktops and laptop on a 2nd segmented WiFi channel.
  3. Isolated my CentOS server from other network traffic by VLANing the ports on the back of my WiFi router.
  4. Bought a 4 NIC NUC and installed an OPNSense firewall between my cable modem and my WiFi router.
  5. Installed pi-hole to stop ads and control some of the phone home traffic, both of which are stealing my bandwidth.

My WiFi router is running DD-WRT with a stateful firewall (remember a typical home network with WiFi that is connected to the internet has two points of entry).

As for your project, I would suggest starting with some basic logical diagrams that could easily be created with Dia.

A good discussion of DD-WRT and OpenWRT should be included because both projects add so much functionality to many vendors’ WiFi routers.

Also, not only could this be an educational resource about networking, it is also a good segue into security.

2 Likes

Thank you so much for your thoughtful reply!
I love your ideas, if you personally think you could contribute something to the project, please do so on the gitlab page.

I think having a section on DDWRT/OpenWRT/Tomato is needed, but I think “out of the box” setup should be front facing since that is pretty much the de facto. Once that is quickly addressed (because it is so limiting) there could be additional offshoots to the other programs for people to expand out as they become more comfortable.

To speak to that, when you say,

Put all IoT devices on a segmented WiFi channel . . .

Are you referring to a channel setting on the router in terms of an isolated SSID or like a broadcast channel as shown here:

Likewise, when you reference having your desktops on a separate channel, I am thinking 2.4 vs 5 GHz rather than SSIDs, so please correct me if I am wrong.

I would REALLY love to learn about your item in #3 (VLANning). That is something that I hear referenced a lot by hosts on various podcasts but have no knowledge of personally. I think that documenting the reasoning and process of it would be extremely valuable for people in the community.

If you ever want to connect in real time (mumble or other means) please let me know, I’d love to talk with you further.

1 Like

I have Dia logical diagram around here somewhere. Let me dig it up.

My specific WiFi router has two separate WiFi channels that it can send and receive on. I set one to 5 GHz and the other to 2.4 and used different SSIDs and passwords.

PM me a good time and we can get on the DL Discord server to discuss segmentation and VLAN’ing.

1 Like

Awesome! I’ll be in touch :grin:

1 Like

I see, so far the topics list seems to be pretty technical. Maybe it would be easier to instead think of it in terms of “what can I do”, like “streaming media”, “creating an email server”, “data backups”, and so on. Not that the basic information should be gone, but showing people topics in a way that tells them what they’ll be able to do after reading the article seems more clickable.

Either way, I do have a fair share of knowledge about networking and next week I’m gonna have some time, so I’ll see what I can help with. Aside from technical topics, I could write about creating and hosting a website, ssh, email, maybe a bit more about Raspberry Pi. The question for me is choosing topics and presenting them in a way that’s different from every single Apache tutorial, so I’ll think about it.

4 Likes

That sounds great! I’d love for you to contribute anything that would benefit the community!

How do you like “Open Social Networks” as a topic? It’s a bit less about home networking, as often it’s better to join an existing server rather than creating one.

I would write about your Mastodons and Pleromas, as well as other kinds of content that can be shared on the fediverse (PeerTube, PixelFed). If you think of other platforms worth mentioning, let me know.

About hosting the wiki on GitLab, I think it’s a good start, but if the project were to get bigger both in terms of content and reach, it would be nice to have its own website eventually.

I would love to have you contribute in any way you see fit. If you want to dive into the social network stuff, I made a new project so you can get as detailed and original with it as you want.
I think there would be a place in the home network self-hosting section to bring it up and for sure link to the new project.
I thought about a website, but I really want ANYONE to feel like they can contribute and a gitlab/github format seemed appropriate. Maybe if this seems like something the community really enjoys, there could be a separate “published” website that just displays the master commits and links back to the gitlab so that people know how to contribute.

I recently found out about WT.social. That might be a cool topic as well!

In that case, engines like MediaWiki are even more welcoming. The problem is hosting, so this might wait until the project is more mature.

BTW /r/selfhosted is a fine source of discussion around home networking.

I’ve explored that sub a bit. I was actually looking around /r/homenetworking and they are in the process of creating a new wiki. I reached out to their mods and contributors and they said they will add to this and don’t mind if their stuff is reused or cited as long as attribution is clear.

So I’ve been plugging away at this project and tonight added a bit of incentive. I posted a list of hundreds of games I’ll give away to those that want to pitch into the project. Check out the list here:

Just sent you a PM concerning a network segmentation project I did at home as a project earlier this year while I was studying for Security+ and CySA+ certifications.

I’d like to:

  • Replace my proprietary mesh WiFi system with something that can run DD-WRT. I can probably get away with extending my ISP router’s network but I’d also like to…
  • Set up an edge router to handle firewall, proxy (blocking), and so on.
  • I want ac wireless and having b/g/n support would be nice.
  • Not spend a ton of money doing it.

I have a 2000 sq ft house which isn’t huge but is made of solid concrete, hence the need for mesh. The ISP router is on one side of the house in the office and I can get an Ethernet backhaul to the middle of the house. I’m thinking one decent router in the office using the ISP router as the WAN and then a wired backhaul to a likely lower spec’d router in the center acting as an access point and maybe one or two others as WiFi-only nodes depending on the signal quality.

I can manage the setup but am having a hard time finding the right routers. Any suggestions welcomed. The NETGEAR Nighthawk Smart WiFi Router (R6700) - AC1750 seems like a decent choice for the main router but am not sure.

Questions:

  1. Is DD-WRT my best option for custom firmware? I’ve used Tomato in the past as well but there seem to be many options so looking for feedback.
  2. Any thoughts on hardware? I’m happy to buy something that I can just flash firmware but was also thinking maybe Raspberry Pis might be an option for the low-end access points.
  3. Any other advice you have for setting this up.

Thanks!

DD-WRT is good, but personally, I think OpenWRT is a little better. Check both to make sure your specific router is supported. I’m using a Linksys MIMO router in a 2,800 sq ft house, but the router is centrally located and covers the entire house (and yard).

As for which router to get, that depends on your needs. If you can centrally locate the router and it can provide the coverage you need, a single router solution might work.

I’d warn against the ethernet-power adapters, as you have to run encryption to keep your network safe. I’ve heard stories of others being able to see into their neighbors’ network via the powerline. Running encryption destroys the performance on the powerline adapters.

There are several good routers out there. Netgear being one of them.

For a firewall, I’d recommend OPNsense (a fork of pfSense). I run OPNsense on a 4-NIC NUC (with Intel 1GB NICs).

With a 4-port switch on the Linksys router and 4 ports in the OPNsense router, I’ve got options.

I segregate my network into three main subnets: 1) IoT for Roku, Firestick, Chromecast, etc, 2) phones, iPads, and workstations, and 3) my lab. Three separate VLANs where I control who talks to whom through the firewall in the Linksys router and the OPNsense firewall. There are two ways into my network and both are behind a firewall.

I originally did this as part of a security project, but I don’t mind the extra protection it provides.

1 Like
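The "who talks to whom" decision behind this three-subnet layout, and behind the five-step segmentation described earlier in the thread (IoT, desktops/laptops, isolated server, OPNsense in front), can be written down as a small allow-list and turned into a firewall ruleset. The block below is an added example, not the poster's configuration: the segment names, VLAN ids, subnets, the `vlan10`/`wan0` interface names and the allowed ports (Chromecast's 8008/8009, ssh and HTTPS into the lab) are all assumptions chosen for illustration. Inter-segment traffic is default-deny, every segment may initiate to the internet, and nothing may initiate from the internet inward.

```python
"""Model of a default-deny segmented home network (added example, not the
thread's own config) that answers "is this flow allowed?" and emits an
equivalent nftables forward chain. All names, subnets and ports are assumed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Segment:
    name: str
    vlan_id: int
    subnet: ipaddress.IPv4Network


# Assumed layout: one VLAN and one /24 per security boundary.
SEGMENTS = {
    "iot":   Segment("iot",   10, ipaddress.ip_network("192.168.10.0/24")),
    "users": Segment("users", 20, ipaddress.ip_network("192.168.20.0/24")),
    "lab":   Segment("lab",   30, ipaddress.ip_network("192.168.30.0/24")),
    "guest": Segment("guest", 40, ipaddress.ip_network("192.168.40.0/24")),
}

# Allow-list of (source segment, destination segment, protocol, port).
# Anything not listed is dropped, so IoT -> users, guest -> lab, etc. fail closed.
ALLOWED = {
    ("users", "iot", "tcp", 8008),   # assumed: casting from a phone to a Chromecast
    ("users", "iot", "tcp", 8009),
    ("users", "lab", "tcp", 22),     # assumed: admin ssh into the lab
    ("users", "lab", "tcp", 443),
}
# Segments allowed to initiate connections to the internet.
INTERNET_OK = {"iot", "users", "lab", "guest"}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'wan' if it is not local."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS.values():
        if addr in seg.subnet:
            return seg.name
    return "wan"


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Policy decision for a *new* connection; replies are handled by conntrack."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == "wan":
        return False               # never accept unsolicited inbound from the internet
    if dst == "wan":
        return src in INTERNET_OK
    if src == dst:
        return True                # same-segment traffic is switched, not firewalled
    return (src, dst, proto, port) in ALLOWED


def nft_ruleset() -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(ALLOWED):
        s, d = SEGMENTS[src], SEGMENTS[dst]
        lines.append(f"    iifname vlan{s.vlan_id} oifname vlan{d.vlan_id} "
                     f"{proto} dport {port} ct state new accept")
    for name in sorted(INTERNET_OK):
        lines.append(f"    iifname vlan{SEGMENTS[name].vlan_id} oifname wan0 "
                     "ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    # An IoT device trying to reach a workstation is dropped by the policy:
    print(is_allowed("192.168.10.7", "192.168.20.5", "tcp", 22))  # False
```

The point of keeping the policy as data is that adding a device means deciding which group it belongs to, not writing a new rule: a new camera lands in `iot` and inherits "internet only, nothing inward" without further work.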

I have my two wifi boxes plugged straight into the pfSense box so they provide nothing but network connections for two networks. Both of them are some cheap no-brand Chinese things running OpenWRT. None of them are reaching the internet since their IPs are blocked but they do ofc handle the traffic so not optimal. I don’t run anything worth much on wifi anyway as I like my cables :stuck_out_tongue:
Def going to kill the wifi network for the cameras as I want them on PoE. Wifi outdoors with storms and crap is just meh. Need to buy a house first so I’m allowed to drill some holes though :innocent:

I have a rpi running with:

  • wireguard always on so all outgoing traffic is going through vpn
  • squid acting as proxy so outgoing uses the vpn
  • dnsmasq for dns and ad blocking (not really working anymore since dns over https)
  • torrent daemon (transmission)
  • nzb daemon (nzbgetd)
  • minidlna for sharing video/pictures with tv
  • lxc and docker for software development
  • nginx as local webserver, from which I can view the server status and switch the vpn location
  • automatic backups going encrypted to a cloud service.

Also have a second rpi for home automation which uses a separate wifi channel where the IoT devices are connected, without them having an internet connection.

For dnsmasq I need to make some time for it to get the adblock working again consistently…

1 Like
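The dnsmasq ad blocking in the list above is usually driven by a hosts-format blocklist converted into `address=/name/0.0.0.0` entries, which make dnsmasq answer the name (and its subdomains) with a sinkhole address. The converter below is an added example, not HansH's setup; the hosts text is constructed. It only keeps entries that point at a sinkhole address, drops the loopback aliases such blocklists always carry, and rejects anything that is not a multi-label hostname so that a malformed line cannot turn into a rule that blackholes an entire TLD.

```python
"""Convert a hosts-format ad blocklist into dnsmasq address= rules
(added example; the blocklist below is constructed)."""
import re

SAMPLE_HOSTS = """\
# constructed sample in the usual hosts-file blocklist layout
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 telemetry.example.com beacon.example.com
0.0.0.0 not a hostname!
0.0.0.0 com
::1 localhost ip6-localhost
198.51.100.4 real-host.example.com
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "local", "broadcasthost"}


def valid_hostname(name: str) -> bool:
    """Accept only syntactically valid names with at least two labels;
    a bare TLD would become address=/com/0.0.0.0 and blackhole everything."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> set:
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] not in SINKHOLES:            # ignore real host mappings
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOOPBACK_NAMES or not valid_hostname(name):
                continue
            names.add(name)
    return names


def dnsmasq_conf(names: set) -> str:
    """Render sorted address= lines; dnsmasq applies each to the name and its subdomains."""
    return "".join(f"address=/{n}/0.0.0.0\n" for n in sorted(names))


if __name__ == "__main__":
    print(dnsmasq_conf(parse_hosts(SAMPLE_HOSTS)), end="")
```

Drop the output into `/etc/dnsmasq.d/` and restart dnsmasq. As the post already notes, clients that resolve over DNS-over-HTTPS never ask the local resolver, so this only covers devices that actually use the LAN DNS server; checking `resolvectl status` or the device's DNS settings tells you which ones do.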

Hi @HansH! Thanks for the reply! You have a lot of cool stuff going on and I’d like to pick your brain about it so that information could be added to the Wiki.

What kind of RPi are you using? 3B+?

What is the point of having your home traffic going out of a VPN? I understand using a VPN to get in but don’t get what you mean by it going out. I use PIA to access different regions but I don’t know if that’s what you are referring to in this case.

Have you tried Pi-Hole for DNS ad blocking? I just started using it and have had a really positive experience.

nzb daemon (nzbgetd)

I’ve always heard about newsgroups but have never been a part of one. I’d be curious to learn if you think it is valuable and why. I looked at the price plans and it seems very reasonable!

minidlna for sharing video/pictures with tv

Is there a reason you do this instead of samba?

nginx as local webserver, from which I can view the server status and switch the vpn location

I’d really like to learn more about this, seems to address my first question.

automatic backups going encrypted to a cloud service.

I’ve heard of people doing this before on the Ask Noah Show and in the LUP community. I’d be interested to know your process.

Also have a second rpi for home automation which uses a separate wifi channel where the IoT devices are connected, without them having an internet connection.

Are you using HAS.io? @Mr_McBride mentioned something about segmenting wifi channels for IoT stuff and I’d love to learn more about that. I have a vision of using Home Assistant and the magic mirror project to create a dashboard and some simple automation things in my home but would want to have the right setup (wifi/vlan/etc) in place before getting serious.

I’m not familiar with HAS.io.

The basics of segmenting traffic are to create a security boundary. For IoT devices like Roku, FireStick, a WiFi capable camera, devices where you have little or no security control, the security boundary serves to isolate those devices so that if they become compromised they cannot infect other devices on your network. Something I did not mention is a guest network. If you have the need for allowing untrusted devices access to your network, then a segmented guest network should be considered.

In 2016 there was a massive DoS attack that was carried out by a bot network consisting of IoT devices. This attack used Mirai malware to infect IoT devices like cameras and DVRs. By isolating this traffic, it makes it easier to control the traffic within that specific segment. One could use QoS or firewall policies to control or limit the traffic.

Think about all of the different types of devices you have on your network, then consider where security boundaries need to be placed. Group devices with similar security needs together.

I could go on for hours…let me know if you have any specific questions.

I work in IT as a Systems Engineer. While I directly support Network Engineers with automation and monitoring needs, I am not a Network Engineer myself. I am currently supporting network automation and monitoring applications, Ansible, and I am a member of a cross-functional automation and scripting team. I support Linux and network automation needs with Python.

As for your needs and requirements, just keep in mind that all things change over time. Start with what you have and allow it to grow as your projects and requirements grow. If you wait until the network is “ready”, you’ll only be slowing yourself down. Start today!!!

My network segmentation project was part of my learning and studying for Security+.
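A boundary that drops IoT traffic also gives you a place to watch it: every cross-segment attempt the firewall refuses is evidence about which device is misbehaving, which is how a compromised camera or DVR of the kind the post mentions shows up before it matters. The detector below is an added example, not from the thread; it reads iptables-style `LOG` lines (the `IN= OUT= SRC= DST= PROTO= DPT=` format DD-WRT's kernel firewall writes) carrying an assumed `SEG-DROP` prefix, groups dropped cross-segment connection attempts by source, and flags any source that tried more than a handful of distinct destination/port pairs. The log lines, addresses and interface names are constructed.

```python
"""Flag IoT-segment devices that probe other segments, from firewall drop
logs (added example; the log lines below are constructed, the SEG-DROP
log prefix and vlan interface names are assumed)."""
import re
from collections import defaultdict

# iptables LOG output, constructed: one IoT camera (192.168.10.23) sweeping the
# users VLAN, one phone (192.168.20.5) that tried ssh into the lab once.
SAMPLE_LOG = """\
Nov 12 03:14:01 fw kernel: SEG-DROP IN=vlan10 OUT=vlan20 SRC=192.168.10.23 DST=192.168.20.5 PROTO=TCP SPT=41022 DPT=445
Nov 12 03:14:01 fw kernel: SEG-DROP IN=vlan10 OUT=vlan20 SRC=192.168.10.23 DST=192.168.20.6 PROTO=TCP SPT=41023 DPT=445
Nov 12 03:14:02 fw kernel: SEG-DROP IN=vlan10 OUT=vlan20 SRC=192.168.10.23 DST=192.168.20.7 PROTO=TCP SPT=41024 DPT=23
Nov 12 03:14:02 fw kernel: SEG-DROP IN=vlan10 OUT=vlan20 SRC=192.168.10.23 DST=192.168.20.8 PROTO=TCP SPT=41025 DPT=23
Nov 12 03:14:02 fw kernel: SEG-DROP IN=vlan10 OUT=vlan30 SRC=192.168.10.23 DST=192.168.30.2 PROTO=TCP SPT=41026 DPT=22
Nov 12 03:14:03 fw kernel: SEG-DROP IN=vlan10 OUT=vlan30 SRC=192.168.10.23 DST=192.168.30.3 PROTO=TCP SPT=41027 DPT=445
Nov 12 03:20:44 fw kernel: SEG-DROP IN=vlan20 OUT=vlan30 SRC=192.168.20.5 DST=192.168.30.2 PROTO=TCP SPT=50311 DPT=22
Nov 12 03:21:00 fw kernel: OTHER-ACCEPT IN=vlan20 OUT=wan0 SRC=192.168.20.5 DST=198.51.100.9 PROTO=TCP SPT=50312 DPT=443
"""

LOG_RE = re.compile(
    r"IN=(?P<iif>\S+) OUT=(?P<oif>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_drops(text: str, prefix: str = "SEG-DROP") -> list:
    """Return one dict per dropped cross-segment packet (lines with the given prefix)."""
    events = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_scanners(events: list, threshold: int = 5) -> dict:
    """Sources that were refused to `threshold` or more distinct (dst, proto, port)
    targets. One refused flow is usually a misconfiguration; a fan-out is a probe."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add((e["dst"], e["proto"], e["dpt"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def targeted_segments(events: list, src: str) -> set:
    """Which outbound interfaces (segments) a given source was dropped towards."""
    return {e["oif"] for e in events if e["src"] == src}


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for src, hits in find_scanners(drops).items():
        print(f"{src} probed {len(hits)} targets across {sorted(targeted_segments(drops, src))}")
```

The threshold is deliberately crude; what makes it workable is the segmentation itself, because an IoT device has no legitimate reason to initiate anything toward the user or lab VLANs, so the baseline for that direction is zero and any fan-out stands out. On a DD-WRT box the lines come from `iptables -j LOG --log-prefix` rules placed just before the drop; on OPNsense the same idea applies with its filter log, though the line format differs and the regex would need adjusting.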