I’m going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I’m not an expert and would appreciate a few extra pairs of eyes in case I’m missing something obvious.

Hardware available:

  • Microtik Routerboard - 5 ports
  • Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
  • some dumb switches

Devices (by logical category; VLANs?):

  • main - computers and phones (Wi-Fi for now, I plan to run cable)
  • media - TVs, gaming consoles, etc
  • DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
  • guest - guests, kids computers

Goals:

  • main - outgoing traffic goes through a VPN
  • media - outgoing traffic limited to certain trusted sites; probably no VPN
  • untrusted - cannot access internet, can be accessed from main
  • guest - can only access internet, potentially through a separate VPN from main

Special devices:

  • NAS (Linux box) - can access main, media, and DMZ
  • printer - accessible from main, rest of devices on untrusted don’t need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed

Plan:

Router ports:

  1. Internet
  2. WiFi APs
  3. main VLAN
  4. untrusted (VLAN)
  5. unused (or maybe media VLAN)

WiFi SSIDs (currently have a 2.4Ghz and 5Ghz SSIDs):

  1. main VLAN
  2. guest VLAN
  3. untrusted - hidden SSID (mostly for printer) - 2.4GHz only

If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.

This is my first time configuring VLANs, so I’m not really sure what my options are. Also, I’m not super familiar with Mikrotik routers (I’m not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.

Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?

Edit: DMZ is the wrong term, so I replaced it with “untrusted”. By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can’t initiate connections outside their VLAN. However, that’s not necessary, since I can tunnel through my NAS if needed.

  • nehal3m
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    I think the sketched setup is mostly good, segregating untrusted stuff is a great idea. I wouldn’t hide any SSID’s because that makes MITM easier.

    I’d invest in a simple Ubiquiti PoE switch and use your Mikrotik router as a firewall if it supports it. Put it between the modem and the switch and now you can use your switch to control access to the internet through VLANs. Use your ISP’s modem as an uplink, have it setup in bridge mode if possible to prevent double NAT. A Ubiquiti switch integrates well with the AP setup and you can much more easily push out VLANs that work through the wired network as well. It also saves you the injector for the existing AP and makes it easy to add additional ones.

    • sugar_in_your_teaOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Thanks for the feedback! I’ll look into a Ubiquiti switch. My current AP is passive PoE, so I don’t have an active PoE switch yet, so I might as well go managed for that.

      I wouldn’t hide any SSID’s because that makes MITM easier.

      Ok, makes sense. I guess the broadcast opens me up to that.

      I’ll look into adding the printer to a VLAN by MAC, it’s really only the one device that needs Wi-Fi access that I don’t want to talk to the network (it’s outside the security update window).