Not woodworking, for a change:
We have recently switched to an ISP that rolled out gigabit fiber in our neighborhood. While I really like their service and the fact that they have no bandwidth cap, having no visibility into what is going on on the connection makes me uneasy, particularly since a roll-call in our household yielded a total of thirty things that have an IP address. And some of these things I don’t really trust…
“Trust Us, You Are Fine…”
We used to have a WiFi access point from the Cupertino Fruit Company and it did its job reasonably well in terms of moving data from A to B.
However, in accordance with Fruit Company’s philosophy, it is impossible to gain insight as to who is sending what kind of traffic across the WAN: Even figuring out who is currently connected via WiFi is a challenge. — Add to that the growing number of “Internet of Things” devices made by manufacturers who do not always seem to have their ducks in a row security-wise and you’ll understand why there is reason for concern.
The Plan
Requirements
After some pondering, I came up with the following requirements:
In order to minimize the damage that a rogue/hacked Internet of Things device can do to “trusted” devices, such as our file server or my husband’s desktop computer, the “untrusted” devices should be relegated to a separate network. — Note that in each trust category some of the devices use a wired ethernet connection while others connect via WiFi.
We also have occasional house guests and a VoIP phone for business, and both of these deserve special attention as well.
Implementation
VLANs!
The underlying mechanism that allows you to separate clients as outlined above is VLANs, or Virtual Local Area Networks. In a LAN (your in-house network), usually every device can talk to every other device. VLANs allow you to draw boundaries that clients cannot cross.
This is achieved by “tagging” each ethernet packet with a VLAN ID (just a number that you pick), and you can teach your networking equipment to only allow ethernet packets with a certain VLAN ID to enter/exit certain parts of your network.
Managed Switch
For wired network clients, VLAN tagging can be handled by the switch that all the devices are plugged into, by setting up rules inside the switch such as “every incoming untagged packet on port 7 is supposed to get tagged with VLAN ID 10. Reject all incoming packets with VLAN tags already set on that port, and don’t send anything out on port 7 that isn’t already tagged with VLAN ID 10”.
What you need in order to do this is called a “managed switch”: Typically switches are “unmanaged”, meaning they are plug and play and don’t require any configuration. But then you can’t have VLANs either…
Separate WiFi Networks
The easiest way to separate WiFi clients into different VLANs is to create multiple WiFi networks and map each of these WiFi networks to a different VLAN. For example the WiFi network “internetofsht” could be associated with VLAN ID 20, which means that every device connecting to this WiFi network automatically ends up in that VLAN.
In order to make this work you have two options: One is to deploy multiple access points and have your managed switch do the VLAN tagging: For example the WiFi access point for “internetofsht” might be plugged into port 3 on the switch, and the switch might be configured to tag all incoming packets with VLAN ID 20, and only forward outgoing packets with such a tag onto port 3.
However, there is a better approach to this: You can use a WiFi access point that supports hosting multiple separate WiFi networks and that also performs the appropriate VLAN tagging.
Routing and Firewalling
Now that we have things neatly carved up into multiple VLANs, we need someone to control and direct traffic: There is traffic from clients on various VLANs that needs to go out onto the internet. There is also some traffic between clients on different VLANs that should be allowed, and some other traffic that should be blocked.
For this you need a firewall/router.
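What that firewall/router actually decides for a new connection between the VLANs, as an added example that is not from the post. It is a first-match, default-deny rule table in Python of the kind pfSense (pf) evaluates, applied to the four categories the post names: trusted, untrusted IoT, guests and the VoIP phone. The subnets and the specific allow/block choices are assumptions for the example, not the post’s configuration.

```python
import ipaddress

# Hypothetical addressing: one /24 per VLAN category named in the post.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot":     ipaddress.ip_network("192.168.20.0/24"),
    "guest":   ipaddress.ip_network("192.168.30.0/24"),
    "voip":    ipaddress.ip_network("192.168.40.0/24"),
}

def zone_of(addr):
    """Map an IP address to its VLAN name, or 'internet' if it lies in none of them."""
    a = ipaddress.ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), "internet")

# First-match rule table in the shape pf uses: (src zone, dst zone, dst port, action).
# "*" is a wildcard. A new connection that matches no rule is dropped (default deny),
# which is what keeps the guest and VoIP VLANs away from everything local.
# Replies of an allowed connection are not listed: a stateful firewall passes them by state.
RULES = [
    ("*",       "internet", "*", "pass"),   # every VLAN may reach the WAN
    ("trusted", "*",        "*", "pass"),   # trusted clients may initiate to IoT, VoIP, ...
    ("iot",     "trusted",  "*", "block"),  # explicit, so it can be logged: IoT never opens a
]                                           # connection inward; other pairs hit the default

def decide(src, dst, dport):
    """Return 'pass' or 'block' for a new connection src -> dst:dport seen by the router."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "pass"  # same VLAN: the switch forwards this directly, the router never sees it
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src in ("*", s) and rule_dst in ("*", d) and rule_port in ("*", dport):
            return action
    return "block"
```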
The Hardware
As you can imagine, we have at this point clearly left the realm of consumer-grade hardware. — So this is going to be really expensive, right? — Well, not necessarily.
The Switch
At the end of the day this is still a home network. So we don’t need ten gigabit equipment. — And used/refurbished gigabit switches are readily available on eBay.
Usually switches last a long time, and companies replace them not because they fail, but because they outgrow them: Either they run out of ports on the switch or the corporate network got a speed bump from one to ten gigabit ethernet.
A quick count of all the wired devices I need to service showed that a switch with sixteen ports would suffice. And since this is a residential setup, the switch should ideally be fanless (silent) and not too large (we don’t want a 19″ wide rackmounted switch).
Turns out the Dell PowerConnect 2816 fit the bill perfectly.
The WiFi Access Point
Unfortunately getting a capable used WiFi access point off eBay is not really an option: Gigabit ethernet was introduced almost twenty years ago, so buying a switch that is a few years old is not an issue. But WiFi standards evolve much faster and are still evolving.
However, I have heard good things about the Ubiquiti Networks Unifi AC Pro WiFi access point and it ticks all the boxes. — It even scores extra points for using PoE (Power over Ethernet), which means it doesn’t require a separate power cord. And while the AC Pro can be considered enterprise-grade its price is still within the realm of “reasonably priced”.
The only caveat with the AC Pro is that you cannot just point a web browser at its IP address to configure it. It depends on Ubiquiti’s Unifi software, which either runs on Ubiquiti’s Unifi Cloud Key device, or on pretty much any other platform that can run Java. — Since we also need a Router/Firewall device, this would be a good place to also run the Unifi software and avoid the need for a Cloud Key.
The Router/Firewall
I briefly considered buying one of two turn-key options: One was to stay within the ecosystem and go with a Ubiquiti Unifi Security Gateway. The other option was going with one of Netgate’s devices that run pfSense. — While staying within Ubiquiti’s universe is probably a good option, my company has been using pfSense for a couple of years and while I am not the one maintaining it, the people who do sing high praises of it.
However, I did not quite like any of Netgate’s devices: They either seemed too expensive or too underpowered to handle a gigabit link. Therefore I ended up building my own device to run pfSense on, which also allowed me to recycle some parts that I already had.
The Costs
So how much did the entire project come out to? — Definitely way more than your run-of-the-mill consumer-grade router, but definitely not quite “an arm and a leg” territory yet:
- Refurbished Dell PowerConnect 2816 off eBay: USD 55 incl. tax and shipping
- Ubiquiti AC Pro Access Point: USD 135 incl. tax and shipping
- Parts for the pfSense firewall I needed to purchase: USD 170 incl. tax and shipping.
This adds up to a grand total of USD 360. — A little under twice as much as the access point from the Cupertino Fruit Company when including tax.
But then I also learnt a lot in the process, which was an extra bonus…
Wait, There’s More!
UPDATE: My second post in this series is now out.