These are some notes on recent changes I made to my home network. I think they may help some people design their own home network, so I decided to write them down.
About the network
My home network is actually quite complex if you are not familiar with computer networks, but on the other hand I think it is fairly typical, since many people now use multiple, similar devices.
Some device types I have:
- personal computing devices: computers, phones etc.
- specialized devices that need internet, like IoT devices, robots, smart home devices etc., but do not need anything else in the home network
- similar to the above, but devices that require some interaction within the network, like wireless speakers (e.g. Sonos), Apple TV etc.
- servers: I am using an Intel NUC with VMware ESXi installed, and provision a server from there when needed.
- network attached storage: a NAS can be used in many different ways, but I only use it for media files, mostly movies, which are streamed by Apple TV.
- network devices: some switches and access points as well as router(s)
- OctoPi installed on a Raspberry Pi for the 3D printer
- some (electronic) lab devices, like an oscilloscope
Some technical requirements:
- VLAN support to segment LANs
- DNS server (or something similar) to resolve local host names
- IPv6 support. Some time ago I realized I actually use IPv6 almost always for internet hosts, so this is a must now.
- Support for 1Gbps WAN. It would be good to have support for even higher speeds like 10Gbps, but when you have such WAN bandwidth the intranet has to match it, and that requires a very big change in the network. I have not felt any need for >1Gbps speed yet, so 10Gbps is only a good-to-have. I have CAT 6/350 MHz cabling in the house, so there is no problem with 1Gbps, but I don't know if it can support 10Gbps; I haven't tried yet.
- Advanced security features like internet threat management, intrusion detection (IDS) and possibly prevention (IPS). Since security has become such a huge topic, I think this should be a must even for home networks.
- Usage statistics are a good-to-have.
For these requirements:
- VLAN support is the simplest; probably all network devices have full VLAN support.
- Local name resolution is simple, but only some network devices provide this feature; otherwise you need to install DNS server software and configure and manage it.
- Theoretically IPv6 is also supported by all new devices, but in practice there can be considerable differences in how easy it is to use them for my needs, particularly when there are multiple VLANs.
- A 1Gbps WAN connection and the performance to support it: it is relatively easy to find such routers/firewalls, but support for 10Gbps is pretty rare.
- IDS can be implemented with open source software installed separately, but IPS is not straightforward, as it has to interact with the firewall.
- Usage statistics can also be implemented with open source software installed separately, or they are provided by some devices too.
Until now I was using:
- EdgeRouter 4 router/firewall
- UniFi nanoHD access point
- Two HP 1920 series switches
This setup provides everything for VLANs, all the IPv6 support I need, 1Gbps WAN and good performance. I tried installing IDS and usage statistics using a mirror port on the switch; it is certainly doable, but IDS in particular is not easy. I am not sure if IPS can be implemented this way at all.
So the main problems are IDS/IPS and 10Gbps WAN support. There are certainly devices providing IDS/IPS features, but there are two problems:
- their performance decreases a lot with IDS/IPS enabled, so you need a very high-end/expensive device to operate at 1Gbps
- they require a (paid) subscription to use IDS/IPS-like features.
The only reasonable device (for home) I found is the UniFi Dream Machine Pro (UDM-Pro), which is a very high performance device and gives IDS/IPS features without a subscription. The problem is that it cannot be operated from a CLI, so you have to use the GUI, but the GUI does not have all the features of EdgeRouter 4.
So I decided to try UDM Pro instead of EdgeRouter 4. However, there are some issues. There is also a clear benefit: I had to keep the UniFi controller software on a server for the access point, and UDM Pro has this embedded already, so I don't need a separate controller or the server to host it.
Limitations of UDM Pro
There are one important and two less important limitations of UDM Pro for my use case:
The important issue is that it is not possible to set (IPv6) prefix ids for VLANs. I am not sure why it is like this; I don't get how you can configure IPv6 firewall rules without knowing the prefix ids. It can naturally run Router Advertisements (RA), but I think it gives a random prefix id to each VLAN.
For RA, it is not possible to set extra options like DNSSL (DNS Search List) for the search path.
It is not possible to add custom host records from the GUI. There is a way to do this from the CLI through its API, but it is a workaround.
Because of these issues I decided to use UDM Pro together with EdgeRouter 4.
At first, I thought I could use EdgeRouter 4 for RA and DNS (forwarding). However, RA is not like DHCP: the router that sends the advertisement is the actual router, so it cannot say "use UDM Pro as router". So I decided to split the functions like this:
UDM Pro:
- WAN connection, running DHCPv4 and DHCPv6-PD
- Default IPv4 router and firewall for the home network (naturally it does IPv4 NAT)
- IPv6 internet firewall. It explicitly drops all inter-VLAN IPv6 traffic, because that function is provided by EdgeRouter 4.
- ITM (IDS/IPS)
- Usage statistics
EdgeRouter 4:
- DHCPv4 server for the home network
- Forwarding DNS for the home network, which also provides a way to resolve local hosts
- It explicitly drops all inter-VLAN IPv4 traffic, because that function is provided by UDM Pro.
- Default IPv6 router and firewall for the home network, thus it runs the Router Advertisement protocol. The default IPv6 gateway of EdgeRouter 4 is UDM Pro.
Note: I have a static IPv6 prefix, thus I do not need to know what the ISP assigns to UDM Pro in order to run RA on EdgeRouter 4. However, DHCPv6-PD still must be run by UDM Pro for IPv6 routing to work.
So for IPv6, clients first go to EdgeRouter 4; for external access the packet is forwarded to UDM Pro, which forwards it to the ISP. For inter-VLAN IPv6 communication, UDM Pro is not used, and it is actually configured to reject all such traffic. Because there is no NAT for IPv6, on the return path UDM Pro can send the packet directly back to the client, without EdgeRouter 4 in the path.
There is a slight penalty in doing this, but because there is no need for NAT in IPv6, it is minimal (I believe).
There are many ways to divide the network into segments. I usually think of a LAN segment, by which I mean a VLAN, in terms of its access requirements, a kind of firewall zone. I don't use L2 access controls; everything is controlled at the L3/L4 level by the firewall(s).
At the moment I have the following VLANs:
- MGMT: where all infrastructure-related devices have their management IPs: switches, firewalls, the VMware ESXi host etc.
- USERS: where the trusted user devices stay. They typically can access anything (any VLAN) on the network.
- INT: where the servers stay. The access requirements for this VLAN may change depending on what a server is doing. I also sometimes keep lab devices in this VLAN, but it depends on the device.
- NAS: for the NAS only. Although I do not keep anything sensitive on the NAS, the NAS is very special since it keeps data. So from a security point of view I think it makes sense to control access to it.
- TV: for Apple TV or similar devices. Actually there is only one reason I made this VLAN. Apple TV naturally only needs internet, so it is like an IoT device, but because I keep media/video files on the NAS, it needs access to the NAS. So it is not like an IoT device, but it is also not like a user device.
- IOT: for all devices that only need access to the internet.
- GUEST: for all guests. I also use this network for old devices I own (e.g. old tablets); since such devices have no software updates anymore, they are a security risk for the trusted devices in the USERS VLAN.
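As an added example (not the author's configuration), this is how the EdgeRouter 4 side of the IPv6 split and the zone-style VLAN policy described above could look in EdgeOS syntax: VLAN subinterfaces with chosen subnet ids, RA with RDNSS and DNSSL, a default IPv6 route to UDM Pro, and a default-deny ruleset that lets IOT reach only the internet. The prefix 2001:db8:1::/48, the VLAN ids, the interface names, the search domain and the UDM Pro address are placeholders.

```text
configure

# MGMT (10) carries the link to UDM Pro; USERS (20) and IOT (30) are sample VLANs
set interfaces ethernet eth1 vif 10 description MGMT
set interfaces ethernet eth1 vif 10 address 2001:db8:1:10::1/64
set interfaces ethernet eth1 vif 20 description USERS
set interfaces ethernet eth1 vif 20 address 2001:db8:1:20::1/64
set interfaces ethernet eth1 vif 30 description IOT
set interfaces ethernet eth1 vif 30 address 2001:db8:1:30::1/64

# Router Advertisements with a fixed subnet id per VLAN (static prefix assumed),
# RDNSS pointing at this router's forwarding DNS, and a DNSSL search list
set interfaces ethernet eth1 vif 20 ipv6 router-advert prefix 2001:db8:1:20::/64
set interfaces ethernet eth1 vif 20 ipv6 router-advert name-server 2001:db8:1:20::1
set interfaces ethernet eth1 vif 20 ipv6 router-advert radvd-options "DNSSL home.example { };"
set interfaces ethernet eth1 vif 20 ipv6 router-advert send-advert true
set interfaces ethernet eth1 vif 30 ipv6 router-advert prefix 2001:db8:1:30::/64
set interfaces ethernet eth1 vif 30 ipv6 router-advert name-server 2001:db8:1:30::1
set interfaces ethernet eth1 vif 30 ipv6 router-advert radvd-options "DNSSL home.example { };"
set interfaces ethernet eth1 vif 30 ipv6 router-advert send-advert true

# Default IPv6 route: anything not local is handed to UDM Pro (placeholder address in MGMT)
set protocols static route6 ::/0 next-hop 2001:db8:1:10::2

# Zone policy for IOT: replies to its own sessions, then deny every other VLAN,
# then allow the rest (internet). Default action drop catches anything unmatched.
set firewall ipv6-name IOT_IN default-action drop
set firewall ipv6-name IOT_IN rule 10 description "replies to IOT-initiated sessions"
set firewall ipv6-name IOT_IN rule 10 action accept
set firewall ipv6-name IOT_IN rule 10 state established enable
set firewall ipv6-name IOT_IN rule 10 state related enable
set firewall ipv6-name IOT_IN rule 20 description "no access to other VLANs"
set firewall ipv6-name IOT_IN rule 20 action drop
set firewall ipv6-name IOT_IN rule 20 destination address 2001:db8:1::/48
set firewall ipv6-name IOT_IN rule 30 description "everything else is internet via UDM Pro"
set firewall ipv6-name IOT_IN rule 30 action accept
set interfaces ethernet eth1 vif 30 firewall in ipv6-name IOT_IN

commit
save
exit
```

The same pattern (a per-VLAN ipv6-name ruleset with default-action drop) gives each of the other zones its own policy; the matching IPv4 zone rules live on UDM Pro in this design.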
A major problem I still cannot fully solve is that some devices require LAN broadcast to work, so they need to be in the same network as the controlling application (typically installed on a mobile device). This is partially solved by enabling multicast DNS on UDM Pro, but still not all devices work properly with that. So I still have to keep some devices in the USERS VLAN, only because of this problem.
A minor problem is that I think UDM Pro does not have an IGMP Proxy (not 100% sure). This is used for multicast TV broadcasts, which my ISP also offers, but they also offer normal HTTP streaming, so I don't need an IGMP Proxy at the moment.
A bad side effect of having two routers/firewalls is that I need to keep rules on two different devices; they are different rules, but I still need to be careful.
Do you need all this?
Technically no, you can keep all your devices in one LAN (one VLAN); this is probably the most widely used setup, with a single modem offering router/firewall/switch/wireless AP capabilities. Some devices now offer an easy way to set up GUEST networks, for your guests or maybe also for IoT devices.
The problem is that if you have a few more devices than just a couple of phones and computers, this is definitely not an optimal setup from a security point of view. There is also, I think, a definite need for something like IDS/IPS in home networks. So it is not difficult to reach a level of complexity like the one I described above.
I don't know much about the router/firewall offerings of different brands, but I think there is a need for such a device. UniFi is nice, but I think the UniFi GUI is not simple, and the Edge series (although very nice for what they do) only have a CLI and do not have IDS/IPS. It would be nice if there were a single device that has enough performance for 1Gbps WAN including IDS/IPS, has proper support for VLANs and IPv6, and provides a simple zone-based firewall management GUI (something like Juniper's ScreenOS).
When the UDM Pro GUI (UniFi Network application) addresses the limitations I mentioned, I will not need EdgeRouter 4 anymore. I really like EdgeRouter 4; it is a small, silent, high performance device, but I am looking forward to simplifying this setup.
Supporting >1Gbps speeds at home is a little complicated. I would at least have to upgrade the HP switches, upgrade the NAS to a model with a 10Gbps network interface, and I would also need a network adapter for the PC etc. This is assuming the network cables embedded in the walls support 10Gbps. So it is not that simple.
UDM Pro has an SFP+ WAN port, so 10Gbps WAN is supported, but ITM performance is lower than this. What you can do with 10Gbps WAN at home is a different question, but theoretically this is not a good setup, I think, since ITM will limit the bandwidth.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.