Hi, folks. I’m trying my best to do my homework before I come here with questions, but even when trying to be selective about what I’m searching for, it’s often a fire hose of information that’s hard to take in.

I’m trying to prepare for exposing self-hosted services to the internet with a reasonable amount of security. Tailscale isn’t going to be a great option for my use cases due to added friction for additional users as well as the total number of users I expect to have, so my goal is to segregate my 1-2 servers from the rest of my home network, so that if they’re compromised, the rest of my network is fine. Based on what I’ve read, I think I want my regular VLAN 1 to be my network as is, and then I can make a separate VLAN for my NAS and, eventually, a mini PC that are hosting services. I want to be able to talk to those devices from VLAN 1 but not the other way around, and I think I can do that with VLAN rules.

I’m trying to follow this Home Network Guy guide, but as it relates to what I’m trying to do, I have a few questions. My network setup is partially constrained by the layout of my apartment and where I can find electrical outlets, so I can only change it so much. Basically, it’s internet in -> Verizon’s provided router -> living room switch -> office switch. The living room switch is sort of a repeater just to make everything reach, but it also connects game consoles, which also double as media streaming machines, like streaming Jellyfin from our own NAS. The NAS, my desktop, and my work PC are all connected to the office switch, and eventually a mini PC will live here full-time as well; as stated above, I want just the NAS and mini PC on their own VLAN. I think what I need to do is put a firewall between my router and the living room switch to define the VLAN rules and tag packets, and then replace the office switch with one that understands VLAN tags. So my questions are:

  1. In that guide, he has a firewall mini PC that costs about $540. A quick search on Amazon results in similar machines ranging from $100 to almost $600. It’s not going to break the bank in either case, but I don’t want to buy something I don’t need, and I can’t tell what “too much” or “not enough” is.
  2. I’d prefer not to replace the Verizon router if I don’t have to, because I’m not sure how much of my service depends on it, so assuming that’s possible to leave untouched, would it then connect to the firewall’s WAN port or LAN port? If it’s not serving as the router itself, I’d imagine LAN, and then I’d need at least two LAN ports on the firewall device, but I just wanted to be sure.
  3. There are two hops before any packet makes it to its destination in the office; do both switches need to be managed switches for the VLAN tags to stay intact? Or just the office switch?
  4. Is there anything in the above that I’ve gotten so wrong that it somehow invalidates my questions, and I’m further away from understanding this than I think I am?

Thanks for any help you folks can offer!

  • androidul@lemmy.world · 2 points · edited · 1 hour ago

    a switch that’s 802.1Q capable, and plug your gateway to it. From here start tagging and enable VLAN tagging everywhere

  • irmadlad@lemmy.world · 3 points · 1 hour ago

    In that guide, he has a firewall mini PC that costs about $540.

    That’s pretty high for what you really need, imho. I purchased my stand-alone firewall box from eBay. It was quite a long time ago, but if I remember correctly, it ran about $275 +/- USD. Specs:

    • Mini fanless (though I did add a fan)
    • Intel® Celeron® CPU J3160 @ 1.60GHz
    • Current: 1600 MHz, Max: 1601 MHz
    • 4 CPUs : 1 package(s) x 4 core(s)
    • AES-NI CPU Crypto: Yes
    • QAT Crypto: No
    • Upgraded to 32 GB RAM (overkill) and 4 TB SSD (overkill)

    I installed pfSense on it, but OPNsense would work too, I’m just not really familiar with OPNsense. I run Suricata (IDS/IPS), ntopng (traffic analysis), pfBlockerNG (filters), Tailscale (as an overlay), and a couple other ancillary packages that just make things easier. I have noticed no bottlenecks or slowdown, even for the box’s age. pfSense, imho, makes VLANs pretty straightforward. I have segregated my network into multiple VLANs so that I can isolate IoT devices, mobile devices, cams, servers, etc. The firewall appliance doesn’t really need to be some big honkin’, spec’d-out box to do its job.

    do both switches need to be managed switches for the VLAN tags to stay intact?

    Managed switches are the way to go.

    • ampersandrew@lemmy.world (OP) · 2 points · 1 hour ago

      Thanks. Do you have any sense as to why those linked firewall devices even need to hit that $500+ range when there are $200 options? Is it just for some advanced use case that normies like us are unlikely to need?

      • irmadlad@lemmy.world · 1 point · 1 hour ago

        For one, he spec’d a Protectli VP2420. You are going to pay for the Protectli brand name. They are great boxes no doubt, but you could most likely find the same spec as the Protectli VP2420, in something cheaper. Two, I think on eBay, things are priced by how much the vendor thinks he can get. If it’s a bid scenario, they probably have a minimum purchase price set. Most often, I just select the ‘Buy It Now’ option and save myself the hassle of getting into an endless bidding war which is usually manipulated by the vendor using multiple eBay accounts or ‘friends’. That is, unless I think I can save several hundred dollars on something.

        Perusing eBay, wow, yes prices have gone up. It’s been quite a while since I’ve bought any new devices. However, I think you could get away with a suitable firewall device for around the $300 +/- if you did some shopping.

  • Snot Flickerman@lemmy.blahaj.zone · 3 points · edited · 2 hours ago

    I am pretty sure both switches will need to be managed because you will need a trunk between the firewall and the first switch and a trunk between the first switch and the second switch. A trunk needs to be defined on both ends, and with an unmanaged switch in between the firewall and managed switch I am fairly sure that’s not possible.

    There are two types of ways VLANs communicate, and that’s through trunk ports and access ports. Trunking ports basically bundle all the VLANs together and send them to the next destination, such as another switch. Access ports are for giving access to end devices for a specific VLAN.

    So I am fairly sure you’ll need a trunk between Firewall and Living Room Switch and a trunk between Living Room and Office Switch. It’s been a minute since I did work with VLANs myself though, so others feel free to correct me.

    Related, I am also fairly sure the router itself will need VLAN support, so while it’s understandable to not want to replace it, it may be a requirement, and most consumer routers don’t come with VLAN support. Options are finding a router that supports alternative firmware like OpenWRT or DD-WRT, which adds VLAN support, or going whole hog and setting up OPNsense or pfSense and essentially building your own router/firewall.

    EDIT: I just looked at the Home Network Guy’s guide you linked to. His guide is helping you build a combination router and firewall with OPNsense. If you really need to keep the Verizon router, check if the Verizon router has an option called “Bridge mode” where you can bridge the connection to your own router/firewall and basically turn the Verizon router into a dummy passthrough device that the network just sort of passes through and otherwise ignores.
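The trunk/access port distinction in the post above (and the OP's question 3 about whether both switches must be managed) is easier to see with the bytes in hand. The following is an added example written for this page, not code from any poster or from the Home Network Guy guide: the 802.1Q tag layout is the real one (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN ID), but the switch model, port names and MAC addresses are a constructed toy of the OP's office switch, with no MAC learning (frames are flooded within their VLAN).

```python
"""Added example, not from the thread: how an 802.1Q tag sits in an Ethernet
frame and how a managed switch's access and trunk ports handle it.  The frame
layout is the real 802.1Q one; the switch model, port names and MAC addresses
are a constructed toy (no MAC learning: frames are flooded within their VLAN)."""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet frame; a 4-byte 802.1Q tag is inserted after the MACs if vlan_id is set."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, vlan_id = 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == TPID_8021Q:                       # tagged frame: skip the 4-byte tag
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan_id = tci & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return dst, src, vlan_id, etype, frame[off + 2:]


class Port:
    """pvid = native/untagged VLAN; tagged = VLANs carried with a tag (a trunk)."""

    def __init__(self, name, pvid, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, frozenset(tagged)

    def classify(self, frame):
        """VLAN an incoming frame belongs to, or None if the port must drop it."""
        vid = parse_frame(frame)[2]
        if vid is None:
            return self.pvid                      # untagged -> native VLAN
        return vid if (vid == self.pvid or vid in self.tagged) else None

    def emit(self, vlan, frame):
        """Frame as it leaves this port (tag stripped or set), or None if not a member."""
        dst, src, _, etype, payload = parse_frame(frame)
        if vlan == self.pvid:
            return build_frame(dst, src, etype, payload)                # untagged out
        if vlan in self.tagged:
            return build_frame(dst, src, etype, payload, vlan_id=vlan)  # tagged out
        return None


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Flood within the frame's VLAN; returns {out_port: frame_as_sent}."""
        vlan = self.ports[in_port].classify(frame)
        if vlan is None:
            return {}
        out = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            sent = port.emit(vlan, frame)
            if sent is not None:
                out[name] = sent
        return out


# Constructed topology for the office switch: the uplink from the living room is a
# trunk (native VLAN 1, tagged 20); the NAS is on an access port in VLAN 20; the
# desktop is on an access port in VLAN 1.
office = Switch([
    Port("uplink", pvid=1, tagged={20}),
    Port("nas", pvid=20),
    Port("desktop", pvid=1),
])
NAS_MAC, FW_MAC, DESK_MAC = "02:00:00:00:00:20", "02:00:00:00:00:fe", "02:00:00:00:00:01"


def demo():
    # Firewall -> NAS arrives on the trunk tagged 20: reaches the NAS untagged, never the desktop.
    down = office.forward("uplink", build_frame(NAS_MAC, FW_MAC, 0x0800, b"ip-to-nas", vlan_id=20))
    # NAS reply enters its access port untagged and leaves the trunk tagged 20.
    up = office.forward("nas", build_frame(FW_MAC, NAS_MAC, 0x0800, b"ip-from-nas"))
    # A VLAN-20 tag arriving on the desktop's access port is dropped (port is not a member).
    hop = office.forward("desktop", build_frame(NAS_MAC, DESK_MAC, 0x0800, b"x", vlan_id=20))
    return down, up, hop


if __name__ == "__main__":
    d, u, h = demo()
    print(sorted(d), parse_frame(u["uplink"])[2], h)
```

The point for the OP's layout: every link that has to carry both VLAN 1 and VLAN 20 (firewall to living room switch, living room switch to office switch) must be a trunk on both ends, which means a port that preserves the 4-byte tag and knows which VLANs it is a member of. An unmanaged switch has no such membership table; some pass tagged frames through unchanged and some drop them, so it cannot be relied on in the middle of a trunk.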

    • ampersandrew@lemmy.world (OP) · 1 point · 2 hours ago

      There is a section in my advanced settings to bridge the ethernet connection, yes, though both that UI and the manual are a little light on details. Thanks for the heads up.

      • Snot Flickerman@lemmy.blahaj.zone · 2 points · edited · 2 hours ago

        Yeah, get your new OPNsense device fully set up through the guide, and it will act as a router and firewall. Once it’s ready to go, plug it in with ethernet to the Verizon router (with the ethernet connected to your OPNsense going into the WAN port) and make sure it’s picking up internet from the Verizon router. Once you’re sure it is, then go into your Verizon router’s settings and turn on bridge mode. The internet should auto-reconfigure for your new router to grab the IP from the modem by passing through the Verizon router.

        If for whatever reason this doesn’t work, you can regain access to the Verizon router by doing a factory reset (as you won’t be able to view its settings, since it no longer has an IP on the network in bridge mode). So don’t be afraid of it; the worst that can happen is a factory reset. Just back up your settings beforehand (either manually writing them down or exporting a config file) so you can restore them easily.

  • IsoKiero@sopuli.xyz · 2 points · 2 hours ago

    In the most common case you can think of VLANs at the firewall end as entirely different physical networks. On port LAN1 you have a switch and whatever else you happen to have, on LAN2 a similar setup and so on. All the networks can (and should) have their own IP range and it’s the firewall that decides what traffic is allowed, like whether a machine in LAN1 is allowed to talk with a printer on LAN2.

    A virtual LAN just bundles all that onto one set of cables and network devices, with the obvious benefit that you get the benefits of multiple networks for security, access control or whatever, but you don’t need extra hardware for each setup. In theory it is possible to break out of VLAN separation, but in practice it’s really not something a home gamer should worry about too much.

    What you need is a managed switch (or multiple if needed) so that you can assign ports to different VLANs or a combination of many VLANs on a single port, commonly known as a trunk. Some unmanaged switches pass VLAN frames through as is, but it’s not guaranteed, so the safe bet is to get only managed switches.

    For the firewall/router, the best option would be to either drop the ISP router totally or, if possible, use a bridged port on it so that you can get ‘raw’ internet to your own device. You can make it work with a ‘LAN’ port on your current router too, there’s just one extra set of port forwarding and firewall rules to manage before anything even hits your own network. Instead of a firewall PC I’d recommend an actual router. They are often more suited to the task, are physically smaller and tend to consume less energy. Also dedicated firewall/routers are often a bit cheaper (at least less than $600; I paid ~150€ for my router). I personally have a MikroTik device and I like it, but there are plenty of decent ones to choose from. A PC will work as well, but they tend to have more potentially failing components than dedicated routers.

    But in general, at least I can’t see anything fundamentally wrong with your plan. Remember to have fun while setting it up.
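The post above puts the actual access decision on the firewall, and the OP's goal ("VLAN 1 can talk to the servers but not the other way around") is what a stateful rule set is for. The following is an added example written for this page, not any poster's code and not pfSense/OPNsense code: a small first-match, stateful rule evaluator (first match wins and replies pass via connection state, which is how the pfSense/OPNsense rule editors behave) replayed over constructed traffic. The subnets, addresses, rule names and the weak-versus-hardened rule sets are constructed; 8096 is Jellyfin's default HTTP port.

```python
"""Added example, not from the thread: a first-match, stateful firewall rule model
showing why "VLAN 1 may initiate to the server VLAN, but not the reverse" works,
and why rule ORDER on the server VLAN matters.  Subnets, addresses, rule names and
the two policies are constructed; this is not pfSense/OPNsense code."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # VLAN 1: desktops, consoles, work PC (constructed)
SRV = ip_network("192.168.20.0/24")       # VLAN 20: NAS and mini PC (constructed)
GW_NET = ip_network("192.168.20.1/32")    # the firewall's own address on VLAN 20
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


def in_any(addr, nets):
    return any(addr in n for n in nets)


class Rule:
    """One rule: src network, dst network(s), optional proto/dport; negate_dst inverts the dst test."""

    def __init__(self, name, action, src, dst, proto=None, dport=None, negate_dst=False):
        self.name, self.action, self.src = name, action, src
        self.dst = dst if isinstance(dst, list) else [dst]
        self.proto, self.dport, self.negate_dst = proto, dport, negate_dst

    def matches(self, pkt):
        if pkt["src"] not in self.src:
            return False
        if in_any(pkt["dst"], self.dst) == self.negate_dst:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        return self.dport is None or pkt["dport"] == self.dport


class Firewall:
    """First-match evaluation with a simplified state table: once a packet is passed,
    later packets of the same 5-tuple in EITHER direction pass without consulting the
    rules.  Real pf additionally checks TCP flags and sequence windows."""

    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def handle(self, pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.states or rev in self.states:
            return "pass", "existing state"
        for r in self.rules:
            if r.matches(pkt):
                if r.action == "pass":
                    self.states.add(fwd)
                return r.action, r.name
        return "block", "default deny"           # nothing matched: implicit deny


def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": ip_address(src), "sport": sport, "dst": ip_address(dst),
            "dport": dport, "proto": proto}


# Weak policy: the server VLAN was given a copy of the usual "LAN to any" allow rule.
WEAK = [
    Rule("lan-any", "pass", LAN, ANY),
    Rule("srv-any", "pass", SRV, ANY),
]

# Hardened policy: servers may use the firewall's DNS and reach the internet, but a
# block to all private ranges sits ABOVE the allow, so they can never initiate into VLAN 1.
HARDENED = [
    Rule("lan-to-servers", "pass", LAN, SRV),
    Rule("lan-to-internet", "pass", LAN, PRIVATE, negate_dst=True),
    Rule("srv-dns-to-gw", "pass", SRV, GW_NET, proto="udp", dport=53),
    Rule("srv-block-private", "block", SRV, PRIVATE),
    Rule("srv-to-internet", "pass", SRV, ANY),
]


def run(policy):
    """Replay a constructed traffic sample in order; returns {label: (action, rule)}."""
    fw = Firewall(policy)
    flows = [
        ("desktop->nas jellyfin", pkt("192.168.1.10", 50123, "192.168.20.5", 8096)),
        ("nas->desktop reply",    pkt("192.168.20.5", 8096, "192.168.1.10", 50123)),
        ("nas->desktop smb NEW",  pkt("192.168.20.5", 40000, "192.168.1.10", 445)),
        ("nas->firewall dns",     pkt("192.168.20.5", 40001, "192.168.20.1", 53, "udp")),
        ("nas->internet https",   pkt("192.168.20.5", 40002, "203.0.113.7", 443)),
        ("console->nas jellyfin", pkt("192.168.1.20", 50124, "192.168.20.5", 8096)),
    ]
    return {label: fw.handle(p) for label, p in flows}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for label, (action, rule) in run(policy).items():
            print(f"  {label:24s} {action:5s} ({rule})")
```

Under WEAK the NAS can open a new connection to the desktop's SMB port, which is exactly what a compromised server would try; under HARDENED that packet hits the block-to-private rule, while the NAS's reply to the desktop still passes on state and its DNS to the gateway and HTTPS to the internet pass by explicit rule. Two practical checks follow from this: put the block ahead of any allow on the server VLAN, and carve out only what the servers genuinely need from the firewall itself (DNS, NTP) rather than allowing the whole gateway address, since that address also hosts the firewall's management interface.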

    • ampersandrew@lemmy.world (OP) · 2 points · 2 hours ago

      It’s all fun until my wife or I can’t connect to the internet for work or leisure! But I’ll definitely run my experiments on a weekend where there can be the least disruption. Thanks for the tips. Do you have links to a handful of devices you’d recommend in place of what I was shopping for based on this guide? Also, I picked one of the ones from that Amazon link at random, and it says it only pulls 6W; dedicated devices can beat that?

      • Snot Flickerman@lemmy.blahaj.zone · 2 points · edited · 2 hours ago

        Yes, consumer routers are much lower powered because they’re built to be a router, so they can simplify it to the basics needed just for routing. The trade-off is that most off-the-shelf consumer routers don’t support VLANs. The person you were responding to notes they have a MikroTik device, which is one of the most popular series of devices for people to put OpenWRT on. (EDIT: Memory was foggy; it’s actually devices with MediaTek CPUs I am thinking of.) The major downside here when it comes to exposing devices to the internet is you lose the strong firewall. Part of why the OPNsense firewall is stronger than a consumer firewall, even with OpenWRT on it, is that it isn’t just built to be a router, and being much beefier allows it to handle much more complex firewall rules and things like packet inspection or intrusion detection. OpenWRT devices have a basic firewall which will do the job, for sure, but I am definitely on the side of using something a little bit more powerful for more firewall features and options. You’d probably still be relatively safe with OpenWRT, but the low power of the devices may make them less robust depending on how many users you plan on having, in which case OPNsense’s beefy nature makes it more robust for more data passing through.

        EDIT: Those MikroTik devices OP is referring to are different from what I was thinking of, but they also have a good price point and are dedicated routing appliances, thus lower power draw (many of them support Power over Ethernet). Their OS isn’t as open as any of the others, though; however, it offers a full-featured enterprise-grade router OS. A good choice for someone who isn’t as savvy off the bat, although you lose the powerful firewall.

        https://mikrotik.com/products/group/ethernet-routers

        They also have a demo of their RouterOS which seems like it’s very full-featured: https://demo.mt.lv/

  • surewhynotlem@lemmy.world · 1 point · 3 hours ago

    Your Verizon router is the farthest “outside” your network. Your firewall will be ‘inside’ it. When you connect them, you’re connecting the router’s LAN (inside) to the firewall WAN (outside).

    • ampersandrew@lemmy.world (OP) · 1 point · edited · 3 hours ago

      In that case, if I’ve got some port forwarding set up on the router, it would no longer apply once the firewall is in there, right? And I’d have to port forward from the firewall once it’s in place? Or the firewall is literally just one other hop on the network that the router doesn’t care about, even if the router connects to the firewall’s WAN?