My home network is firewalled and reasonably secure (all permanent devices and IOT devices have MAC addresses tracked and registered) but I’d like to improve it even more:

  • Home devices (servers, printers, laptops, etc) with registered MAC addresses which can’t be accessed from my registered IOT devices or from unregistered guest devices.

  • QOS rules for all guest devices.

Using a HEX to run the network with unifi AP hardware.

  • the_boxhead
    link
    fedilink
    English
    611 months ago

    I’d split your network into 3 vlans. One for home, one for IoT and one for guest access (probably over WiFi). That way your firewall can handle the access rules.

    • @NogamiOP
      link
      English
      111 months ago

      That sounds like a good starting point. I’ll need to read up on setting up VLANs.

  • @Synthead
    link
    English
    3
    edit-2
    11 months ago

    What do you mean by “tracked and registered?” What is your goal for “securing even more?”

    MAC addresses are visible to anyone sniffing traffic for a wireless LAN, even if they haven’t joined your network. If you are having anonymous folks join your network and you’re granting them access based on MAC addresses, then you could consider this a security risk. They can sniff a MAC, spoof it, and join your network.

    Two devices with the same MAC address may cause some routing issues, but it will likely work well enough to have privileged access and be a bad actor. Plus, there are tools that can spoof a network disconnect request as your access point to temporarily kick off the legitimate client.

    The easiest way to handle this would be to host two access points. You can typically serve both with one physical piece of hardware. One would be for your private stuff, and you can pretty much give it a full-trust model. Join the network, get the privileges. The other would be for guests. Join that, and you just get Internet access. You can separate these networks with VLANs to achieve this.

    • @NogamiOP
      link
      English
      111 months ago

      It’s just my home network so only people who have the wifi password are getting on. This is more a learning project than rock-solid production security.

      Ideally I’d like to keep IOT things on a separate VLAN so if one has an exploit it doesn’t have access to my regular home lan with servers and printers and such.

      And I’d like to QOS the devices from family who visit over the holidays so they don’t crush my network with downloading and such.