A properly designed home network configuration is, necessary if we’re going to run servers (especially public facing ones), IoT devices, client devices in our home. Having all your devices on a “flat” network where any client connected can all communicate with each other really isn’t optimal.

This post will focus on the following key points:

  • why network isolation is important when running local servers
  • hardware
  • my current network setup
  • physical firewall, switch, and wireless access point configuration.

For the purpose of examples in this guide, we’ll assume a local network on 192.168.x.x/16 and basic knowledge of VLANs, subnets and CIDR ranges.

Why bother?

Let’s say you have a standard flat network with an off-the-shelf NAS connected to it on your default network 192.168.0.0/24. Sometimes we have guests over, and they want to connect to the wifi. You don’t refuse, because they’re guests, so they connect - now their device is in your internal LAN, able to see all other devices in your home. To demonstrate this - try using a network scanning tool on Android/iOS such as Fing or the infamous nmap for Windows, Mac and Linux.

Now, let’s assume that guest secretly wanted to steal your data. They’ll run a scan on Fing on their mobile device, or if they have a laptop, nmap 192.168.0.0/24 and it will spit out all the devices with open ports (such as your default gateway router and NAS) along with their internal IP addresses which can be accessed by that guest, because it is on the same network with no additional firewall rules in place.

Whether you trust them or not, their device is unknown - it could be infected with malware without their knowledge. Simply better safe than sorry right? It’s not that hard to setup some network isolation - this way the guest is limited within the guest network. Let’s start with what hardware we’ll need to achieve that.

Hardware

For my network I got the following hardware, with cost effectiveness and scalability in mind:

  • Protectli vault (2 port) firewall appliance (basically a mini PC with 2 network interfaces)
  • TP-Link managed PoE 8 port switch
  • TP-Link wireless access point.

The firewall appliance and wireless AP would replace the ISP-issued wireless router, and the managed switch for extra ports and VLAN capability. For the firewall OS, I went with OPNsense.

Network topology

My current network setup at the time of writing is as follows:

  • LAN (untagged) - subnet 192.168.1.0/24 - network devices
  • VLAN tag 10 - subnet 192.168.10.0/24 - guestnet
  • VLAN tag 20 - subnet 192.168.20.0/24 - iotnet
  • VLAN tag 30 - subnet 192.168.30.0/24 - mainnet.

We’ll go through how to achieve something similar in the next sections. Do not proceed if you cannot afford internet downtime for your home network!

OPNsense firewall setup

Before physically plugging in any ethernet cables to the LAN and WAN interfaces, we need to install and configure OPNsense using a physical keyboard and monitor. I won’t go over the installation, it is the same as any USB iso image install, just plug in the USB and power on the device, install, reboot.

Assigning interfaces

On first boot, we’ll be asked to assign interfaces. When prompted to do so, for auto interface detection, plug in the WAN connection (your ISP modem), configure IPv4/IPv6 via DHCP. For LAN, connect it to port 1 on the switch. Assign the LAN interface a static IP (this will be the new default gateway address, for example 192.168.1.1). The web UI will be accessible via browser over this address. Plug your PC/laptop into switch port 3 (as we will use 2 for the wireless access point) and head to the IP address we set for the LAN interface in a browser - the web UI should come up. We can now connect the wireless AP on port 2 of the switch.

WAN configuration

Depending on your ISP, you’ll need to select the connection type under Interfaces -> [WAN] -> IPv4/IPv6 Configuration Type. In my case it is PPPoE. After entering the credentials provided by your ISP you should now have an active internet connection.

Configuring VLANs in OPNsense

Note: we’ll assume your home private IPs are in the 192.168.x.x/16 subnet range.

For this example we’ll focus on configuring an isolated guest VLAN. The general steps are as follows:

  1. create guest VLAN interface and assignment
  2. configure guest interface static IP
  3. enable DHCP on the VLAN
  4. add firewall rules to allow internet access only.

Adding a VLAN

Under Interfaces -> Other Types -> VLAN add a new VLAN:

  • Device: (leave blank to generate a new one)
  • Parent: LAN
  • VLAN tag: 10
  • VLAN priority: (default - best effort)
  • Description: guest network

Save and apply changes.

Adding a VLAN interface

Under Interfaces -> Assignments add a new interface with the new VLAN device selected, and description GUESTNET - this will be the name of the new interface.

Click Save, then click the newly created GUESTNET interface. Configure the following, leaving everything else default:

  • Enable: checked
  • Lock: checked (optional)
  • IPv4 Configuration Type: Static IPv4
  • IPv4 address: 192.168.10.1

Save and apply changes.

Turn on DHCP for the new VLAN

We don’t want to manually assign IP addresses for each guest device that connects. Under Services -> ISC DHCPv4 -> [GUESTNET]:

  • Enable: checked
  • Range: 192.168.10.100 to 192.168.10.200

A note on the range - it can be set from 192.168.10.2 (as the gateway is on 192.168.10.1) to 192.168.10.254. However leaving some space outside of the DHCP range makes sense, in the case we want to set static IPs for special devices.

Save and apply changes.

Firewall rules

As of now, we have the GUESTNET VLAN on the subnet 192.168.10.0/24. By default OPNsense blocks all traffic on the interface, so we need to add firewall rules to allow internet access while blocking access to other local networks. This can be done with 2 rules and an alias.

First we’ll create an alias (grouping) of all local (RFC1918) networks. Under Firewall -> Aliases create a new alias:

  • Name: RFC1918_Networks
  • Type: Network(s)
  • Content: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
  • Description: All local (RFC1918) networks

Next we’ll add a rule to allow access from anything on the guest network to anything on a non-local network. This isolates In Firewall -> Rules -> GUESTNET add a new rule:

  • Action: Pass
  • Quick: checked
  • Interface: GUESTNET
  • Direction: in
  • TCP/IP Version: IPv4
  • Protocol: any
  • Source / Invert: unchecked
  • Source: GUESTNET net
  • Destination / Invert: checked
  • Destination: RFC1918_Networks
  • Description: allow internet access

Save, don’t apply changes yet.

This rule is effectively GUESTNET -> firewall -> NOT local networks as we invert the destination (logical NOT), therefore allowing access to internet only. However because we are blocking all local networks, the local DNS server is also blocked and therefore hostnames will not resolve to IPs. We must add a second rule (above the newly created rule) to allow access to the DNS server only:

  • Action: Pass
  • Quick: checked
  • Interface: GUESTNET
  • Direction: in
  • TCP/IP Version: IPv4
  • Protocol: TCP/UDP
  • Source / Invert: unchecked
  • Source: GUESTNET net
  • Destination / Invert: unchecked
  • Destination: GUESTNET address
  • Description: allow DNS server access

Save and apply changes. GUESTNET should now be an isolated network with internet access only.

So far in the physical world we should have:

  • firewall:
    • WAN - ISP modem
    • LAN - switch port 1
  • switch:
    • port 1 - firewall
    • port 2 - wireless AP
    • port 3 - PC/laptop

Switch and access point VLAN setup

We now need to access the web UI for the managed switch in order to route our VLAN traffic. To find its IP address, we can either go into the OPNsense web UI and under Interfaces -> Diagnostics -> ARP table find the IP address of the switch, or run nmap 192.168.1.0/24 from our PC/laptop. If the switch has not been assigned an IP yet, physically reset it and the LAN DHCP server should give it a new IP. We can later set a static IP in the web UI.

Once in the switch web UI, find a setting for VLAN 802.1Q - this is the standard for VLAN aware devices. Whatever switch we have, it needs to be setup in this way for the purposes of a guest VLAN:

  • VLAN 1 (default LAN) - untagged on all ports
  • VLAN 10 (guest) - tagged on ports 1 and 2

Note: TP-Link switches have a PVID setting for each port. This just means what VLAN tag will be set by default for untagged traffic. For this example we don’t need to worry about this as both ports will carry tagged traffic to/from VLAN aware devices.

Access point setup

Mileage may vary between hardware but generally it is straightforward. In my case I enabled multi-SSID mode and assigned each SSID to its corresponding VLAN tag. In our guestnet example, we would have 2 SSIDs:

  • LAN - untagged
  • GUESTNET - VLAN tag 10

We also want to set its static IP in 192.168.1.0/24 subnet, and ensure the port it is connected on is a trunk port, i.e. carries tagged VLAN traffic.

Conclusion

Hopefully it makes sense to implement some network isolation on a home network. Especially if we are going to run lots of servers and IoT devices, it really is a prerequisite. We’ve only scratched the surface of networking, as all this is local. Things really start to get complicated once we get into exposing public facing servers (we’ll leave that for another post).

With local networking out of the way, next we’ll look at some of the local services I’m running in my homelab!