How many VLANs?

For a large home network (connected via Wireguard to other locations with a similar group of devices), often with guests/visitors, how fine should the granularity be when it comes to creating separate VLANs?

I have the following types of devices:

Admins (me)
Family connecting via wifi
Guests connecting via wifi
TVs (some wifi, some wired)
Roku (streaming) boxes (wired)
AV receiver (wired)
Games (XBOX/PS4; one wired, one wifi)
Video cameras (wired)
MOCA adapter for set top boxes (wired)
Vonage modems (VOIP; wired)
Printers (1 wifi, 1 wired)
Servers (Blue Iris, Home Assistant, Proxmox; all wired)
IoT devices such as environmental sensors (wifi)
Lab for playing/learning (wired into the main LAN)

I have a vague understanding that I can have a VLAN for each of the line items above, or collapse some (or all) of the line items.

Should I seek to collapse them to ease and simplify administration and configuration (simplicity is of large value to me)?

If so, should I collapse them by security concerns, bandwidth concerns, functional (access) requirements, some other type of factor?

I wouldn’t mind if I could limit the environment to 5 or 6 VLANs, if that is wise, maybe:

Management
Guests
MOCA
Vonage/VOIP
IOT/TV/Streaming/printers/etc.?

Hi friend! :smiley:
If I understood correctly, your objective is to separate traffic into different VLANs. This is not a bad idea and can help to identify which kind of traffic crosses your router. But it’s important to define your network and services.
For example, Games, TV and Roku can be in the same VLAN, because for most of these it’s important to offer good quality and stability. If you have one or more servers, assign them a VLAN, for administrative purposes or to separate traffic. If you stay in the same LAN with your family, define a VLAN for this; however, if you are interested in adding a VLAN for administering equipment, then the purpose is different. In my opinion, using VLANs depends on your network design and the purpose for which they are used.
I recommend defining your network and services with more precision to make a good decision on VLAN assignment.
I hope my comments can help you.

Regards!

Thank you for your help.

Your suggestion of looking at the type or purpose of traffic made me think about this differently.

From a perspective of what services or access the different types of connections need I see the following groups of connected devices and users that might correspond to the structure for the VLANs:

  1. Access to only the Internet

  2. Access to the Internet, local printers (on both wifi and wired connections), TV/streaming

  3. Unrestricted access to everything

Or, maybe 4 VLANs:

  1. Internet (which would include Guests/IoT/MOCA/VOIP/Printers/TVs/Streaming/Games)
  2. Users (which would include connection-initiating rights to all devices)
  3. Management (which would include admin and lab)
  4. Servers

You don’t have anything that should be restricted from accessing the Internet? Like IoT (my Chinese cameras don’t have access to the Internet).

One should view it as: if a device was compromised, what can it then attack… simple question.
There is no RIGHT answer, it’s personal, and what level of comfort you have exposing devices to other devices, be they IoT, media, VoIP, laptops, smartphones etc…

PS Erlinden, do you want a cookie??? Most people have multiple devices, most come from the east, and guess what, they all access the internet and talk to a third party server, and most people access that information via an APP. Not everyone is set up to VPN into their router to look at devices…
So the key is recognizing they need internet access but access to nothing else on the router (hence use VLAN separation and ensure firewall rules are commensurate).

I wish I understood this better.

There are various sensors that feed local servers data streams. To that extent, they don't need Internet access.

But, other IoT devices feed their data to cloud-based or manufacturer's cloud-based servers (as well as get updates) and do need Internet access.

My basic understanding is that the primary reasons to VLAN IoT devices are (1) to prevent a hacked device from providing a method of entering one's network, (2) to prevent the sharing of IoT data with unscrupulous data-gathering companies, and (3) to reduce network traffic.

So, is the solution to have a separate IoT-with-Internet VLAN as well as an IoT-without-Internet VLAN?

I'm trying to keep things simple and keep the number of VLANs low. This would increase the complexity, so I'm hoping it is not the preferred solution.

That is a great perspective.

Do we VLAN primarily to prevent the compromising of devices or to protect other devices against a compromised local device?

It’s the only perspective! Trying to reduce the number of VLANs is not a valid requirement, it’s convenience at best. You create the VLANs based on the functions your network will be performing. This is both logical and practical and easy to manage. One of the valid overall requirements for a network is security. So you create the VLANs that make sense for the functions and traffic needs of the network and the level of security you need. Nobody can tell you what your level of comfort is.

I don’t understand the question. VLANs are to ensure bi-directional security, obviously! So a compromised device on the router cannot attack the devices within a VLAN. Conversely, if a device in a VLAN is compromised, it cannot affect any other devices.

For me the limiting factor is more likely to be wifi. VLANs are cheap and easy to make. I can only have so many WLANs running in the house…
So judicious use of 2 GHz and virtual WLANs for most devices and 5 GHz for other uses is one approach.

My answer to your excellent question: Why Special Purpose Network?

In order for me to decide, I need to understand the options in more detail than something like: “the more vlans I have the more security I have”

I don’t understand the question. VLANs are to ensure bi-directional security, obviously! So a compromised device on the router cannot attack the devices within a VLAN. Conversely, if a device in a VLAN is compromised, it cannot affect any other devices.

For example: If we prioritize preventing devices from getting compromised, then we lean towards limiting their Internet access. If we prioritize preventing a compromised device from providing access to other devices, then we make more VLANs.

For me the limiting factor is wifi. VLANs are cheap and easy to make. I can only have so many WLANs running in the house…
So judicious use of 2 GHz and virtual WLANs for most devices and 5 GHz for other uses is one approach.

Why is wifi a limiting factor? Creating VWLANs does not create more RF traffic (well, maybe a tiny bit because of the broadcasting of the SSID). But, creating more VWLANs increases the management complexity (as does a higher number of VLANs).

First: No one is going to hold your hand and tell you what is the optimal number of VLANs.

Second: The creation of VLANs is to segment your network into logical, manageable entities/functions, and that’s a personal choice.
Some may prefer lumping all IoT devices into one VLAN, and some might separate thermostats from smoke alarms, from cameras, HVAC etc…
Or lump family in one VLAN or separate it out into spouse1 work, family general, kids, guests… etc.
Personal decision, there is no right or wrong answer.

Third: Some consider security to be an important component of their network setup, and again personal choice, which devices/users you feel comfortable with being exposed to each other.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As for limiting internet access, that has nothing to do with VLANs; that is firewall rules, and what devices/users need access to the internet.
Clearly if you have devices that don’t need access, then why would you give it to them? Seems obvious from a security standpoint.
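An added example, not from any poster in this thread, of what the two points above look like on a MikroTik router (the platform the thread's hEX/ax3 references suggest): the VLANs follow function, the forward chain is default-deny between them, and the "IoT with internet" versus "IoT without internet" split asked about earlier is done with a firewall address list inside one IoT VLAN rather than with a second VLAN. Every VLAN ID, subnet, interface name, address and port below is an assumption for illustration; the bridge-port tagging and DHCP/DNS server setup are omitted.

```routeros
# Added example config (assumed names/addresses), not from the original thread.
# Four functional VLANs plus guest, on one VLAN-aware bridge; ether1 is the WAN.
/interface bridge
add name=bridge vlan-filtering=yes

/interface vlan
add name=vlan10-mgmt    interface=bridge vlan-id=10
add name=vlan20-users   interface=bridge vlan-id=20
add name=vlan30-servers interface=bridge vlan-id=30
add name=vlan40-iot     interface=bridge vlan-id=40
add name=vlan50-guest   interface=bridge vlan-id=50

/ip address
add address=10.10.10.1/24 interface=vlan10-mgmt
add address=10.10.20.1/24 interface=vlan20-users
add address=10.10.30.1/24 interface=vlan30-servers
add address=10.10.40.1/24 interface=vlan40-iot
add address=10.10.50.1/24 interface=vlan50-guest

# Interface lists let the rules say "who may initiate" without per-VLAN copies.
/interface list
add name=WAN
add name=LAN
add name=TRUSTED     comment="may initiate to anything (mgmt, users)"
add name=RESTRICTED  comment="internet only unless a rule says otherwise (iot, guest)"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10-mgmt
add list=LAN interface=vlan20-users
add list=LAN interface=vlan30-servers
add list=LAN interface=vlan40-iot
add list=LAN interface=vlan50-guest
add list=TRUSTED interface=vlan10-mgmt
add list=TRUSTED interface=vlan20-users
add list=RESTRICTED interface=vlan40-iot
add list=RESTRICTED interface=vlan50-guest

# "IoT without internet" is an address list, not a separate VLAN (assumed addresses).
/ip firewall address-list
add list=iot-no-wan address=10.10.40.50 comment="environmental sensor, local only"
add list=iot-no-wan address=10.10.40.51 comment="camera, local only"
add list=iot-servers address=10.10.30.10 comment="Home Assistant / MQTT host (assumed)"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input: only the management VLAN may talk to the router itself (plus DNS for all).
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop   connection-state=invalid
add chain=input action=accept in-interface=vlan10-mgmt comment="router admin from mgmt only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS"
add chain=input action=drop   comment="default deny to the router"

# forward: answer the question "if this device is compromised, what can it reach?"
add chain=forward action=accept connection-state=established,related,untracked comment="replies only"
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept in-interface-list=TRUSTED comment="mgmt/users initiate to anything"
add chain=forward action=drop   src-address-list=iot-no-wan out-interface-list=WAN comment="local-only IoT never reaches the internet"
add chain=forward action=accept in-interface=vlan40-iot dst-address-list=iot-servers protocol=tcp dst-port=8123,1883 comment="sensors -> HA (8123) / MQTT (1883), assumed ports"
add chain=forward action=accept in-interface-list=RESTRICTED out-interface-list=WAN comment="iot/guest: internet only"
add chain=forward action=drop   comment="default deny: a compromised iot/guest device cannot reach other VLANs"
```

Rule order matters: the `iot-no-wan` drop sits before the generic "RESTRICTED to WAN" accept, and the final drop is what makes every VLAN-to-VLAN path that is not explicitly allowed fail. To check the policy rather than trust it, plug a laptop into the IoT VLAN with one of the `iot-no-wan` addresses, try the internet and another VLAN, and watch the counters with `/ip firewall filter print stats` to confirm which rule each attempt hit.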

Wi-Fi is not a limiting factor in any way shape or form – in fact Wi-Fi when properly implemented is a highly desirable enabling technology. Those technologists who claim otherwise simply are ignorant. If you read and inwardly digest the information contained in the earlier piece I linked for you titled Why Special Purpose Network you would have a proper grasp of WHY?

So you want to get into an argument.
Then tell me how many WLANs a single ax3 can PRACTICALLY provide… (and remember you’re the one jumping up and down about network performance!!!)
NOT as many VLANs as I have in my house, that’s for sure…
So one has to use multiple APs to accomplish the number of WLANs required… and hence wifi can be a limitation.

Nope … stop using MikroTik wireless and all your limiting factors go away. Yes, multiple APs provide the required balance and improved performance … Ubiquiti and TP-Link dedicated access points provide exceptional value for installations that require special purpose networks, and yes, those kinds of installations are more expensive …

I have no desire for an argumentative, aggressive, accusatory discussion this morning.

Simply hoping to get some insights and guidance.

Happy to drop the whole thing.

Thank you for verifying my post, and agreed, yes, Ruckus or Ubiquiti density-rich wifi solutions are great, but that’s another discussion.

Don’t worry Joseph… mozerd and I go way back. He actually was one of the early chaps who patiently guided me through using my basic hEX…
I always like to challenge his views and by the way I fully support his security product which helps improve users security to enjoy a safe internet experience..
My road to truth and facts is littered with ‘debates’.

Well, that is also personal, bragging with “I have more (or better) VLANs than you” is also a common reason.

Only to distract you a little bit:
https://doitforme.solutions/blog/smart-home-vlan/

Ruckus is without question outstanding but so is its high price … a much superior value proposition is Ubiquiti or TP-Link especially for those seeking less expensive but very reliable wireless access points when properly configured and secured …

I have heard Ubiquiti is so designed but have never read that TP-Link APs were particularly useful in dense environments…