I’m going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I’m not an expert and would appreciate a few extra pairs of eyes in case I’m missing something obvious.

Hardware available:

  • Microtik Routerboard - 5 ports
  • Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
  • some dumb switches

Devices (by logical category; VLANs?):

  • main - computers and phones (Wi-Fi for now, I plan to run cable)
  • media - TVs, gaming consoles, etc
  • DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
  • guest - guests, kids computers

Goals:

  • main - outgoing traffic goes through a VPN
  • media - outgoing traffic limited to certain trusted sites; probably no VPN
  • untrusted - cannot access internet, can be accessed from main
  • guest - can only access internet, potentially through a separate VPN from main

Special devices:

  • NAS (Linux box) - can access main, media, and DMZ
  • printer - accessible from main, rest of devices on untrusted don’t need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed

Plan:

Router ports:

  1. Internet
  2. WiFi APs
  3. main VLAN
  4. untrusted (VLAN)
  5. unused (or maybe media VLAN)

WiFi SSIDs (currently have a 2.4Ghz and 5Ghz SSIDs):

  1. main VLAN
  2. guest VLAN
  3. untrusted - hidden SSID (mostly for printer) - 2.4GHz only

If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.

This is my first time configuring VLANs, so I’m not really sure what my options are. Also, I’m not super familiar with Mikrotik routers (I’m not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.

Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?

Edit: DMZ is the wrong term, so I replaced it with “untrusted”. By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can’t initiate connections outside their VLAN. However, that’s not necessary, since I can tunnel through my NAS if needed.

  • atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    9 months ago

    I don’t think that’s all that unrealistic

    I mean… That’s a near pathological level of paranoia. So you do whatever you need to do in order to sleep at night.

    That only works if you’re already on the network or at least in close proximity.

    Scanning open ports across the internet works just fine. Here’s a scan of some Google IPs just looking for open port 80.

    $ nmap 64.233.160.0/24 -P -p 80
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-21 09:20 EDT
    Nmap scan report for oi-in-f17.1e100.net (64.233.160.17)
    Host is up (0.054s latency).
    
    PORT   STATE SERVICE
    80/tcp open  http
    
    Nmap scan report for oi-in-f18.1e100.net (64.233.160.18)
    Host is up (0.053s latency).
    
    PORT   STATE SERVICE
    80/tcp open  http
    
    (more below)
    

    Now you just send a payload to each of those checking for known vulnerabilities. Done. I’m a script kiddie now.

    • sugar_in_your_tea@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      9 months ago

      Sure, I know how port scanning works, I’ve used nmap before.

      But you were talking about discovering my IP, not checking for open ports. The only way I can think of to discover someone’s IP when they’re using a VPN are:

      • hacking the VPN
      • malware on a device
      • someone scanning Wi-Fi networks in my physical area with something like Wireshark

      If I don’t use a VPN, just one service I use needs to be compromised, and I use a lot of services.

      I think paranoid would be going to great lengths to prevent the above, e.g.:

      • hacking VPN - I guess Tor?
      • malware - using something like TailsOS that containerizes everything and persists nothing
      • Wi-Fi scanning - don’t use Wi-Fi, or wrap my home in a faraday cage

      I’m not that paranoid. Setting up a VPN on my router takes 10 min or so, and I can have a backup SSID with no VPN in case something gets messed up. On the paranoid spectrum, that’s pretty tame, especially since I’m only really looking at VPNs in a close geographical area to minimize latency (i.e. very low pings, like 5ms).

      But there’s also a practical reason. My state passed some stupid laws requiring some level of ID by social media sites. I’d like an easy way to tunnel to a neighboring state to avoid the restrictions (closest is ~20ms ping away). I definitely want an easy way for my family to avoid that nonsense, so an SSID is a lot easier to use than configuring a device level VPN.