Home Networking Advice - IP Passthrough (ATT), VLANS, etc

Posted on 2/21/25 at 1:44 pm
Posted by CP3
Baton Rouge
Member since Sep 2009
7506 posts
Over the years I have slowly expanded my home network, and as of now it seems kind of "messy". I am by no means an expert when it comes to this stuff, but I would like to think I have a fairly good understanding of the basics, so I took a stab at drawing up a new setup. I am currently using the ATT (fiber) provided ONT/Modem/Router combo (Wifi turned off). I have this feeding an un-managed 24 port switch, which basically just distributes traffic to everything downstream (PCs, Consoles, Home Assistant server, WIFI AP, etc). No special configuration/settings other than that. I have been wanting to expand my homeassistant network with a few more devices, which made me think I should start segregating some of my network into VLANs. I know what a VLAN is and have a decent understanding of how they work, but have never actually implemented one. It doesn't seem like it would be too difficult though. Was hoping to get some input on what I planned on doing, and get some feedback/opinions from the IT gurus on here.

My plan was to put the ATT router in IP Passthrough (I have to do this using DMZ host because of the modem/router I have) and feed a new Firewall/Router. I would have my main PC/workstation connected directly to the router, as well as a new 24-port managed switch connected to the router. The 24-port managed switch would replace my existing un-managed switch and would be set up with (3) VLANs to segregate networks into: Home Assistant/IOT, Hardwired devices (XBOX, Work Laptop, etc) & WIFI AP network. For now, I am planning to leave the ATT Uverse IPTV boxes connected straight to the ATT Modem/Router, as I currently have them set up through their own dedicated (8-port managed) switch and it took forever for me to get that working. Could potentially migrate to the 24 port managed switch on their own VLAN, but for now I am kicking that can down the road. I may also add a 4th VLAN for IP security cameras later as well once I get everything set up.

My questions:
1) Is there a good basic/budget Router/Firewall (combo or separate devices) that I should look at using? To be honest, the most I have ever done with a firewall is port forwarding and I honestly have no clue what I would need to look for. My only real experience configuring routers is tinkering around with generic Wifi/Router combos to set a few static IPs and things of that nature. Do I need to set up "special rules" in the firewall to really get protection, or are they typically plug & play minus any port forwarding that might be needed? Rackmount would be cool, but I assume that will come with a higher price tag, so I am fine with a desktop style router that I could maybe 3D print a rack mount for.

2) Is it even worth segregating my network into VLANs? Will this create any access issues for devices in the VLANs? Am I missing anything configuration-wise that may make this setup more complicated than anticipated?

3) With my main workstation connected directly to the router (upstream of the managed switch), it should have access to all of the devices in downstream VLANs, correct? Is there any risk to this? I was thinking this would leave me with a "Master Device" that could still see into each VLAN for configuring devices, etc.

Existing network: [image not included]

Planned changes: [image not included]

Network Rack (Current State): [image not included]

Would appreciate any feedback/advice.
Posted by LemmyLives
Texas
Member since Mar 2019
9948 posts
Posted on 2/21/25 at 2:39 pm to
1. Buy a shelf for the rack, bada-bing, your desktop firewall is now rack mounted! The firewall functionality should be fine out of the box; it's what you do to it once you take it out of the box that will likely present the risk. Port forwarding risky ports or large port ranges to subnets rather than hosts, and those hosts being able to be a bridge into the rest of the subnets, etc. I use a Synology router and enabled Threat Protection, which only required I plug in an $8 thumb drive.

2. You can create VLANs with no ACLs in between them, and then the VLAN is just a label. I see this happen all the time when people are "segregating" their networks to reduce the scope of a PCI DSS (credit card) audit. I don't see a NAS, so I assume you're not using the Xboxes as media centers, so all the traffic should probably not be permitted to talk to any other internal network. Figure out which VLAN actually needs to talk to which VLAN and determine the utility by that. I have no knowledge of what your Home Assistant thing is, and I'm leaving work in 14 minutes and don't have time to look it up.

3. Maybe. If you put the gateway into passthrough, consider your master PC on the same VLAN as the gateway. Everything in your house can access that VLAN, because it has to, in order to get to the internet. That's probably your biggest risk (where you do your taxes, etc.) and you'd have to rely on a host based firewall to protect it in that instance. I don't know what you use it for across the house, but if there's anything I'm segmenting, it's that first.

3a. When was the last time the R7000 got a security update (appears to be 2022)? How are you locking down the ability to connect to that and the Deco mesh? I'd honestly address those concerns first. The R7000 is probably done getting security updates, and if you don't have guest SSIDs for wifi established and a way to get them directly out to the Internet (that'd probably be yet another VLAN if they support it).

Out of time, blow me up JoshJRN!
Posted by Dallaswho
Texas
Member since Dec 2023
2449 posts
Posted on 2/21/25 at 2:40 pm to
I can say that you are definitely overthinking it.
We have almost 100 IPs in our home and just a VLAN for trusted things and one for non-trusted things then a couple docker and VM bridges inside a server. I can sleep with the risk of someone exploiting my camera to attack my refrigerator.
Posted by CP3
Baton Rouge
Member since Sep 2009
7506 posts
Posted on 2/21/25 at 2:58 pm to
Wow I appreciate the detailed response. Few answers:

1) So basically any firewall should work? May just see if I can grab a router with one built in. To be honest, the only thing I used port forwarding for was Xbox services due to NAT issues.

2) Xboxes are just used for streaming apps (Netflix, Prime, etc) and gaming. No NAS currently, but I’ve been toying with the idea of setting one up. To be honest, the main driver for me wanting to set up VLANs is more just being OCD and having some downtime/something to play with. From a security standpoint I don’t have huge concerns about devices communicating with other groups in the LAN. Just seems “cleaner” if I segregated them lol. Like I said I am by no means an expert, and probably have read just enough to think I know what I want to do when in reality I don’t.

3) Master PC is my main computer/workstation. I use it for everything from 3D modeling, internet browsing/email, gaming, CAD, etc. Sounds like maybe I should move that downstream? I was just thinking it would be nice to have it able to see everything else to make configuring/seeing some of the IoT/automation stuff easier.

4) Honestly, I just used the R7000 to create a WiFi network for IoT and Homeassistant (ESPHome automation server) because I had it lying around the house not being used. No other reason than that. If it’s out of date/vulnerable I can replace it with a newer access point. Or just have the IoT and Home Assistant stuff share a VLAN with the Deco WiFi network. Again, I don’t really have a specific reason for breaking into VLANs other than it just feels like it would be “cleaner” lol. Currently both the Deco and R7000 are just protected with passwords and have different SSIDs.

I agree I’m definitely overthinking this, and probably don’t need to do any of it. Just bored, needed to make a few minor tweaks to the setup anyway, and kind of want a project to tinker with.
This post was edited on 2/21/25 at 3:36 pm
Posted by mchias1
Member since Dec 2009
903 posts
Posted on 2/21/25 at 5:38 pm to
For router:
[link=(asus)]https://www.asus.com/us/networking-iot-servers/business-network-solutions/asus-expertwifi/asus-expertwifi-ebg15/[/link]
Or
[link=(unifi)]https://store.ui.com/us/en/category/all-cloud-gateways/products/ucg-ultra[/link]

Either of these would get you going on your router and vlans.

With these you would also need 1 or 2 APs depending on the size of your house.


I have my network set up with the following VLANs:
Master
IoT (home assistant and MqTT transmissions)
Kids
Cameras

Only the master can establish a connection with the others.

I have the cameras and it blocked from the internet.

The master VLAN uses Cloudflare's spam-filtering DNS and the kids use the Cloudflare Family DNS. I have it set up forcing them to use this DNS. Created a firewall rule for the DNS port to only allow access to the specific DNS. This prevents them from changing the DNS on their devices and accessing the internet.
This post was edited on 2/21/25 at 5:39 pm
Posted by bluebarracuda
Member since Oct 2011
18833 posts
Posted on 2/21/25 at 10:14 pm to
quote:

We have almost 100 IPs in our home and just a VLAN for trusted things and one for non-trusted things then a couple docker and VM bridges inside a server. I can sleep with the risk of someone exploiting my camera to attack my refrigerator.


If an attacker can get to a single camera then they can bring down your whole network, doesn't matter what VLAN it's on.
Posted by LSshoe
Burrowing through a pile o MikePoop
Member since Jan 2008
4296 posts
Posted on 2/22/25 at 12:33 pm to
Couple thoughts:

Think about access controls between VLANs/zones. You have to write/create them, so ideally you want to start with something relatively basic if you can. You may want your "main" VLAN to be able to access any other VLAN but maybe the IoT ones to only have internet access. You can get very granular if so desired, like x IP can only access y and z IP on q VLAN on port p. But then you have to make sure all that stuff works. You may want to start a bit simpler and expand out from there. Another thought for your untrusted/IoT VLAN is that you'll probably need a separate wifi network for that too. That means you'll probably want to trunk both/all those VLANs to the switch ports the APs connect to and would need your APs to support multiple SSIDs with each on different VLANs. Most of the better ones do, but something to keep in mind. Your homeassistant server will definitely need to be able to talk to the IoT devices it controls, which means it can either be on the IoT/untrusted network or it will need your firewall rules configured to allow that traffic to pass.

As for hardware, Unifi stuff is a pretty good balance of price and functionality. A highly featureful yet inexpensive option is the Ubiquiti ERX; at $50ish it is effectively an enterprise level device. It's not terribly difficult to configure but it's definitely not going to be the easiest.
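To make the zone rules in the two posts above concrete (mchias1's "only the master can establish a connection with the others" plus the forced-DNS rule, and LSshoe's "main reaches everything, IoT gets internet only, Home Assistant needs a hole to its devices"), here is an added example that is not part of the thread and not any vendor's configuration: a small stateful, first-match firewall model in Python. The VLAN subnets, the Home Assistant address and the resolver address are constructed for the example; the rule table is the policy discussed in the thread, with a default deny so the camera VLAN gets no internet and no lateral access.

```python
"""Zone-based firewall policy model (added example; hypothetical addressing).

First-match rule evaluation with a default deny, plus a minimal connection
table so that reply traffic is only allowed for flows the policy accepted in
the forward direction. This is the behaviour a pfSense/OPNsense or nftables
rule set gives you; the model exists to test a policy before typing it in.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN layout: one /24 per zone.
ZONES = {
    "main":    ip_network("192.168.10.0/24"),   # trusted workstation VLAN
    "iot":     ip_network("192.168.20.0/24"),   # IoT devices
    "cameras": ip_network("192.168.30.0/24"),   # IP cameras, no internet
    "wifi":    ip_network("192.168.40.0/24"),   # phones/laptops on the mesh
}
# Constructed hosts that get extra labels on top of their VLAN.
HOSTS = {
    "ha":  ip_address("192.168.10.50"),  # Home Assistant VM on the main VLAN
    "dns": ip_address("1.1.1.2"),        # the one resolver every VLAN must use
}


def labels(addr):
    """Return the set of zone labels an address belongs to."""
    ip = ip_address(addr)
    out = {name for name, net in ZONES.items() if ip in net}
    if not out:
        out = {"internet"}          # anything outside our VLANs
    out |= {name for name, host in HOSTS.items() if ip == host}
    return out


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# (name, src_label, dst_label, proto, dport, verdict); None is a wildcard.
# Order matters: the first matching rule decides, like a real rule chain.
RULES = [
    # Forced DNS: port 53 may only go to the chosen resolver. Note a port-53
    # rule does not catch DNS-over-HTTPS on 443; that needs a separate control.
    ("dns-forced",      None,   "dns",      None,  53,   "accept"),
    ("dns-block-other", None,   None,       None,  53,   "drop"),
    # The trusted VLAN may initiate to anything.
    ("main-any",        "main", None,       None,  None, "accept"),
    # IoT devices may only reach Home Assistant's MQTT broker and the internet.
    ("iot-mqtt-to-ha",  "iot",  "ha",       "tcp", 1883, "accept"),
    ("iot-internet",    "iot",  "internet", None,  None, "accept"),
    ("wifi-internet",   "wifi", "internet", None,  None, "accept"),
    # No rule for cameras: default deny blocks both internet and lateral access.
]
DEFAULT_VERDICT = ("drop", "default-deny")


class ZoneFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.established = set()   # 5-tuples of accepted forward flows

    def check(self, f):
        """Return (verdict, rule_name) for a new packet of flow f."""
        # Reply direction of an accepted flow is allowed (stateful behaviour).
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.established:
            return ("accept", "established")
        src, dst = labels(f.src), labels(f.dst)
        for name, rsrc, rdst, rproto, rport, verdict in self.rules:
            if rsrc is not None and rsrc not in src:
                continue
            if rdst is not None and rdst not in dst:
                continue
            if rproto is not None and rproto != f.proto:
                continue
            if rport is not None and rport != f.dport:
                continue
            if verdict == "accept":
                self.established.add((f.src, f.sport, f.dst, f.dport, f.proto))
            return (verdict, name)
        return DEFAULT_VERDICT


if __name__ == "__main__":
    fw = ZoneFirewall()
    for flow in [
        Flow("192.168.10.20", 40000, "192.168.30.5", 80, "tcp"),   # PC -> camera
        Flow("192.168.30.5", 80, "192.168.10.20", 40000, "tcp"),   # camera reply
        Flow("192.168.30.5", 41000, "192.168.10.20", 22, "tcp"),   # camera -> PC
        Flow("192.168.20.7", 50000, "8.8.8.8", 53, "udp"),         # IoT changes DNS
        Flow("192.168.20.7", 50001, "1.1.1.2", 53, "udp"),         # IoT forced DNS
    ]:
        print(flow, "->", fw.check(flow))
```

Reading the output from top to bottom shows the property the thread is after: the workstation reaches the camera and gets its replies back, the camera cannot open anything new toward the workstation or the internet, and an IoT device that tries to switch to another resolver is dropped while the sanctioned resolver still works.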
Posted by mchias1
Member since Dec 2009
903 posts
Posted on 2/22/25 at 1:37 pm to
quote:

A highly featureful yet inexpensive option is the ubiquity erx at $50ish is effectively an enterprise level device.


I have this router. I have no issues with its operation. It is older however and does not have built-in support for OpenVPN or WireGuard. If you want your own VPN server elsewhere on your network it's a good router/firewall.
Posted by LSshoe
Burrowing through a pile o MikePoop
Member since Jan 2008
4296 posts
Posted on 2/22/25 at 2:12 pm to
I've had one for about 5 or 6 years. I did have an issue where the WAN port died so I had to reconfigure that to another port, but it's still been kicking since then. While WireGuard doesn't come native, it's running a Debian based OS underneath and there's an unofficial WG package for it. There's also an unofficial Tailscale package for it, so being the nerd I am I have both running.
Posted by CP3
Baton Rouge
Member since Sep 2009
7506 posts
Posted on 2/22/25 at 3:23 pm to
quote:

Another thought for your untrusted/iot vlan is that you'll probably need a separate wifi network for that too.


My plan was to have a separate dedicated WiFi AP (with its own unique SSID) tied into the IoT/Homeassistant VLAN, and keep my Deco for main (phones, etc) WiFi that’s on its own separate VLAN. I would have Home assistant on same VLAN as the IOT devices.

I’ll look into the Unifi router. I have no desire for VPN stuff so I think that would work.
Posted by bluebarracuda
Member since Oct 2011
18833 posts
Posted on 2/22/25 at 3:50 pm to
Build a pfsense or opnsense box.

I have mine running on an old Dell r210ii and it's rock solid
This post was edited on 2/27/25 at 10:24 am
Posted by mchias1
Member since Dec 2009
903 posts
Posted on 2/22/25 at 4:22 pm to
quote:

I have no desire for VPN stuff so I think that would work.


If you run Home Assistant you will want to have the capability of adding a VPN server. Unless you pay for Nabu Casa, a local VPN gives you access to your Home Assistant system.

My HA VM is on my main VLAN. I just opened an MQTT port to allow comms to my Tasmota devices.
Posted by CP3
Baton Rouge
Member since Sep 2009
7506 posts
Posted on 2/22/25 at 4:48 pm to
I just pay for Nabu Casa. Seems to work well and was the easiest option when I set it up.
Posted by bluebarracuda
Member since Oct 2011
18833 posts
Posted on 2/22/25 at 9:10 pm to
quote:

If you run home assistant you will want to have the capability of adding a VPN server


By far the best way to do this, IMO. Either that or Tailscale. You can even host the server on your pfSense or OPNsense box.
Posted by LSshoe
Burrowing through a pile o MikePoop
Member since Jan 2008
4296 posts
Posted on 2/23/25 at 9:46 pm to
Paying the subscription to Nabu Casa is supporting Home Assistant development, so that's commendable as far as I'm concerned.

As for having a separate dedicated AP, that seems a bit of a waste, no? I guess if your APs don't support it you gotta do what you gotta do, but then the managed switch you planned to buy should support it from that end. I know Unifi APs support it. I can't say it for certain, but I'd imagine many dedicated APs would too. Then you could get coverage through your whole house on both networks.
Posted by CP3
Baton Rouge
Member since Sep 2009
7506 posts
Posted on 2/23/25 at 9:57 pm to
Well right now my main use WiFi (phones, etc) consists of a TP-Link Deco mesh (2 units) for whole home WiFi coverage. It works well, and I just bought it a few months ago so I wanted to keep that for main WiFi.

I’m currently using a separate AP (Netgear R7000) for the IoT stuff, mainly because I had the AP left over in a drawer just sitting there. From a security standpoint it’s really not keeping anything segregated or protected other than being on a separate SSID. Moving this AP and the hardwired IoT/HA devices into a VLAN on the new managed switch was going to be my plan to somewhat keep them away from everything else.

All of my IoT/Homeassistant devices (that aren’t hardwired) are pretty close to the “dedicated” AP, so I’m not too worried about needing widespread WiFi coverage to keep them connected. I think my TP-Link Deco does offer some type of IoT app or separate network feature though as a paid service? Haven’t really looked into it yet but I remember seeing something like that when I was setting it up.
Posted by Dallaswho
Texas
Member since Dec 2023
2449 posts
Posted on 2/24/25 at 6:13 am to
Your Deco system will make 2-3 (forgot if IoT is isolated) VLAN subnets for free and allow you to set rules to bridge them, which you shouldn’t need right now because you have cloud access to your stuff. I’m a huge fan of those Decos for their versatility. Each unit can be used stand-alone or as part of a mesh and they are all compatible with all other Deco pods. I use mine as remote VPN clients after upgrading my WiFi to Orbi 963 (don’t recommend, just got it for almost nothing).
Basically zero Deco features are available in AP mode though. That is the downside.
Posted by notsince98
KC, MO
Member since Oct 2012
19991 posts
Posted on 2/24/25 at 8:22 am to
Since you are just now dabbling in it, try getting a MikroTik hEX ($45 standalone router) or similar and put OpenWRT on it. It is a fully functioning router OS that can do dang near everything and it is well supported with tons of guides. Very easy starting place yet extremely powerful. You can use it with your existing switch and be on your way.