securing a current home network

Spirch · January 13, 2020, 3:18am

I have this diagram working as of now, i would like to add some restriction / security to it

the cAP ac is connected by LAN to the hAP ac^2, the hAP handle all dhcp request

I have a bridge in the hAP for all port except the WAN, that bridge got hardware offloading ON because of the NAS

because of the hardware offloading, everything have access to everything (I can’t use the firewall).

I would like to make sure the work laptop can’t see the camera and the NAS

I would like to block one VM from seeing the camera and the NAS, keeping the other one access to them

the main computer / both VM use the same interface on the hAP

the laptop is connected via wifi, everything else use cable

so what can I use to make this work? could vlan work? if yes, how to handle different vlan on the same interface(main pc and both vm)?

Anumrak · January 13, 2020, 7:48am

Hey. To control traffic between devices use firewall filter with drop rules filtered by source addresses. To launch traffic of different networks via single interface use switch before hap ac2 or vlans on machines to start tagged traffic from PC and VMs and stripp tags on hap ac2.

techlord · January 13, 2020, 3:09pm

Hi!
Here is what I would do looking at your diagram

Configure 2 vlans ( ex vlan10 for “internal” and vlan 11 for cameras") and 2 network subnets, one for each vlan (ex 192.168.0.0/24 and 192.168.1.0/24), in the hap ac2
optional - configure 2 dhcp servers for these vlans or only for vlan 10 if you assign static to the camers

\
CAP AC ports:
a) ETH2 - to camera poe switch - access mode, vlan 11
b) ETH1 - trunk mode, vlans 10 and 11
c) ALL wifi SSIDs - vlan 10

HAP AC2:

2 bridge vlans with IPs
physical ports:
a) to CAP AC - trunk mode, both vlans
b) to main PC, NAS, IPTV - access vlan 10
c) any SSID - vlan 10

Basically all your home will be in VLAN 10 with only the cameras in vlan 11. From here it is very simple to create firewall rules in the HAP AC2 to filter between the subnets and allow only the traffic you need.

Spirch · January 14, 2020, 12:04am

thanks i will see if i can manage to do that, i never used vlan before so it’s a good opportunity to learn

just to be 100% sure; vlan in firewall work with hardware offloading, right?

Anumrak · January 14, 2020, 10:39am

You can try to add ethernet interface you want and add a vlan to this interface and see if there is no hardware offloading or it’s there.

mkx · January 14, 2020, 1:54pm

Firewall is never HW offloaded. Intra-VLAN switching/bridging can be HW offloaded if device supports this particular way of configuring it … hAP ac2 doesn’t.