help me build most secured Home Network to last a decade.

[Ramadhir Singh]

My home network is little dated and its time to update it.
Security is the primary focus, looking for absolute control over the devices in network, should be able to define which client can access internet and what not.
Planing to build something which could last a decade.

my current setup looks something like:

With time, new clients added in network and few are outside my home network unable to access server, as well as open for ISP to snoop into.
It's time to update the network here is what i came up.

Power line already gone and replaced by cat6 to Zone-C (all future device in home will go in that zone ).
Please suggest if anyone finds a mistake or way to optimise it even more.
Not sure at which point i need to plug the pi-hole (coming soon).

Now looking for the main router ans network , which would help me isolate my home network from outer world.

Firewall/router (R)- I'm thinking to get this Ubiquiti USG (https://www.multilinkonline.com/Ubi...i-Security-Gateway-3xRJ45-Gigabit_p_1306.html)
I've seen in one review, that USG gateway don't provide us as much flexibility to configure and it over heats while heavy data transfers.
In that case what other option i do have ? -- (i would like to avoid configuration via CLI, i don't have that level of passion left at this point of life.)

other option ( will continue to list down, for my notes as well):
--> Linksys LRT224

Switch (S) - thinking about this https://www.multilinkonline.com/NET...witch-Desktop-101001000Mbps-GS205_p_1440.html , also was searching 10 GbE switch for future proofing, unable to find any. is it going to be overkill ?

Wireless network:
Will connect a Mi router, lying somewhere around in house directly to ISP router and make it open for guest and neighbours in wifi-n mode. Isolating totally form my home network. wil only keep in on when required.
Later (next year) i will replace the wifi router (AP) with a switch and attach a dedicated wifi AP ( something like UniFi nanoHD -https://store-ui.in/collections/unifi-network-wireless/products/unifi-nanohd-us ), separating wired and wireless networks. I will schedule it somehow to keep wifi during active only 10-12hrs a day.
Wifi point has to be in Zone -B for optimal coverage, going to have only 1 wireless device, n-mode for all mobile/tabs, and isolated ac-mode only for the wireless workstation which need high speed connection to home server. or probably something available which has dual non interfering AC broadcast. all the device in home can run ac network.

Pints to note:
1. Discourage consumer grade equipment and mostly looking for Uni/Cisco/netgear. (open to other stuffs which i'm not aware of but are budget friendly)
2. Don't want to spend a huge enthusiast level budget.
3. Will prefer devices with small form factor, which can disappear in the environment/hide in the cupboards.
4. Power consumption and heat produced - both should be minimal given they will be on 24x7x365.

List of important vidoes/link for future use (self-note):
1.

 

[y2s]

ISP Equipment (s) >> Firewall (Pfsense/Sophos/Untangle - USG may not be enough depending on what features you may want) >> Gigabit Switch >> AP's

As for wifi if your Firewall is set up well you can simply have open wifi (no password) with a captive portal. You can also have isolated vlan's

I recommend Ubiquiti for everything downstream of the firewall. As for the firewall - you can DIY or get purpose built. Make sure the processor supports AES-NI and you'll be fine.

 

[D C]

Check this out for firewall reviews -

Building vlans and isolating devices on network -

and

As for network management, Ubiquiti seems to be most user friendly in the prosumer space, but expensive. TP link has their Omada controller and devices. Don’t know of any others in this space. After that it’s just commercial/enterprise stuff like Cisco, juniper etc. Also not much second hand market for these as compared to other countries.

There are multiple DIY firewall/router solutions also available. They mostly in NUC form on which you can install pfsense/open sense/untangle etc with multiple gigabit ports. Unfortunately not many options here, mostly from aliexpress which is banned right now. Something like this - https://www.aliexpress.com/item/32720469842.html

 

[superczar]

Looking at this, it would appear that everything on your LAN is on the same subnet/ IP range and you don't even want/need VLANs.
What is it that you really want to achieve as against an absolute vanilla home network?

If it's simply the ability to add firewall rules to disable Internet access for specific devices (which is what I could gather from your writeup), even a 6K TL-R605 as the router/firewall and vanilla unmanaged switches (1.5K a pop) for the rest of your wired network will let you do that

 

[Ramadhir Singh]

ISP Equipment (s) >> Firewall (Pfsense/Sophos/Untangle - USG may not be enough depending on what features you may want) >> Gigabit Switch >> AP's

As for wifi if your Firewall is set up well you can simply have open wifi (no password) with a captive portal. You can also have isolated vlan's

I recommend Ubiquiti for everything downstream of the firewall. As for the firewall - you can DIY or get purpose built. Make sure the processor supports AES-NI and you'll be fine.

Thanks for reply.
I was looking in Sophos, but they start from INR. 35+ and up. DTY will be too much of hassle, i guess.
I really like the USG (from pricing point as well) , but has a flaw/limitation, it will restrict internet speed at 85mbps, if deep packet inspection is enabled.

I got a video here

- whats your take in this?

How about Ubituiqi Edge routers ?

 

[bobbyprajan]

Look at mikrotik routers and access points. They are very flexible and most things can be achieved by using the gui. Setup Pi-hole and vpn services if worried about security. It is preferable to do these in small steps. It will be difficult to get everything done in one go

In Openwrt you can do most of the stuff in gui. If you can manage CLI, try DD-WRT. Most mid-range and up consumer grade routers can sustain high traffic without issues

Thanks for reply.
I was looking in Sophos, but they start from INR. 35+ and up. DTY will be too much of hassle, i guess.
I really like the USG (from pricing point as well) , but has a flaw/limitation, it will restrict internet speed at 85mbps, if deep packet inspection is enabled.

I got a video here

- whats your take in this?

How about Ubituiqi Edge routers ?

About Edge routers - Depends on the features you enable, they have propreitary packet acceleration built-in which gets disabled on enabling some features like policy routing and QoS

 

[Ramadhir Singh]

As for network management, Ubiquiti seems to be most user friendly in the prosumer space, but expensive. TP link has their Omada controller and devices. Don’t know of any others in this space. After that it’s just commercial/enterprise stuff like Cisco, juniper etc. Also not much second hand market for these as compared to other countries.

thanks linking those videos, going to watch them.
DTY wil be far to complicated, that why was zeroing on Ubi.

other i have noted are

• Mikrotik hEX RB750Gr3
• SonicWall - yet to find more details on them, not much information online.
• Linksys/Cisco starting form $700... out of budget.

 

[bobbyprajan]

thanks linking those videos, going to watch them.
DTY wil be far to complicated, that why was zeroing on Ubi.

other i have noted are

• Mikrotik hEX RB750Gr3
• SonicWall - yet to find more details on them, not much information online.
• Linksys/Cisco starting form $700... out of budget.

RB750Gr3 - If you want to do VLANs, it is slightly complex as it lacks a proper switch chip. It can be done but not straightforward. Also note that it can do hardware forwarding only on one bridge. If you create another bridge you dont get hardware acceleration. Other than that it is a stellar wired router, it can also do IPSec at decent speeds

 

[D C]

thanks linking those videos, going to watch them.
DTY wil be far to complicated, that why was zeroing on Ubi.

other i have noted are

• Mikrotik hEX RB750Gr3
• SonicWall - yet to find more details on them, not much information online.
• Linksys/Cisco starting form $700... out of budget.

Yes, don’t know how I forgot to mention mikrotik. Their hex range is also good, price wise below ubiquiti.
Keep in mind that their RouterOs/SwtichOs has a very steep learning curve, will take some time and error/trial to get things right. But it’s very powerful once configured right.

 

[Ramadhir Singh]

It will be difficult to get everything done in one go

Yes that's the plan.
Since im building it for really long terms i will go very slow.

 

[JMP]

Could somebody explain how this adds security?

 

[y2s]

Thanks for reply.
I was looking in Sophos, but they start from INR. 35+ and up. DTY will be too much of hassle, i guess.
I really like the USG (from pricing point as well) , but has a flaw/limitation, it will restrict internet speed at 85mbps, if deep packet inspection is enabled.

I got a video here

- whats your take in this?

How about Ubituiqi Edge routers ?

Been using Sophos for a couple of years now on a no name Chinese miniPC I got for 10k ish with 4 Port Ethernet (attached pic) - Don't have DPI enabled so can't comment on throughput in that mode - otherwise get full speed ( I am load balancing multiple ISP connections using this set up too)

I actually have been wanting to move to untangle since a while because I believe it is better suited for home use and even easier to use than Sophos IMO. Though the $50 license & effort has kept me at bay. PFsense gets the best community support if you're new to the scene.

There are many different ways you can probably set this up - +1 to Microtik & Pi-hole too . I however am quite satisfied with having a dedicated firewall setup. It's a one stop networking shop. (It's just so much easier then dealing with IP tables or manually updating things, unless of course you are a pro user)

Edit: attaching my network topology for reference. Wifi does not have passwords (I have enabled mac binding & vlan for all my household devices. Guest users get a captive portal (Which many find very cool to see in a home environment) & I can give them OTP's for access to internet. They get IP's on a separate vlan isolating them from the rest of the network).

 

[superczar]

Been using Sophos for a couple of years now on a no name Chinese miniPC I got for 10k ish with 4 Port Ethernet (attached pic) - Don't have DPI enabled so can't comment on throughput in that mode - otherwise get full speed ( I am load balancing multiple ISP connections using this set up too)

I actually have been wanting to move to untangle since a while because I believe it is better suited for home use and even easier to use than Sophos IMO. Though the $50 license & effort has kept me at bay. PFsense gets the best community support if you're new to the scene.

There are many different ways you can probably set this up - +1 to Microtik & Pi-hole too . I however am quite satisfied with having a dedicated firewall setup. It's a one stop networking shop. (It's just so much easier then dealing with IP tables or manually updating things, unless of course you are a pro user)

I have used all 3.
Personally I found sophos to be the best of the lot for a homelab sort of user- and used it for 2-3 years till I decided to simplify the setup.

I am not yet sure what the OP actually wants to do.. and I really do not want to offend the OP - but he should think this through first - As an example, Class A IP addresses on a home network ??

 

[y2s]

I have used all 3.
Personally I found sophos to be the best of the lot for a homelab sort of user- and used it for 2-3 years till I decided to simplify the setup.

I am not yet sure what the OP actually wants to do.. and I really do not want to offend the OP - but he should think this through first - As an example, Class A IP addresses on a home network ??

What did you switch too ? I'm all for a simpler setup. Curious to know the topology of your setup - especially given your HA expertise.

Work uses Sophos at a few locations too so I have had them setup some VPN tunnels to certain clients at home. It's set up such that all requests go thru regular WAN and only certain requests go thru VPN(split tunneling. Clients don't require software of any kind. Been using this to unblock country specific content too - Probably overkill but I have not had to touch the firewall for years now. Have not been able to replicate the stability of this on anything else so far, probably due to a lack of expertise on my part though.

Did a test of Pi-Hole a while back too but did not see the point as already have ad-blocking / logging on the firewall appliance.

Agreed, a lot of OP's requirements as I understand them could also be fulfilled using a basic OpenWRT router. I guess he is looking for all the options.

 

[superczar]

What did you switch too ? I'm all for a simpler setup. Curious to know the topology of your setup - especially given your HA expertise.

Work uses Sophos at a few locations too so I have had them setup some VPN tunnels to certain clients at home. It's set up such that all requests go thru regular WAN and only certain requests go thru VPN(split tunneling). Clients don't require software of any kind. Been using this to unblock country specific content too - Probably overkill but I have not had to touch the firewall for years now). Have not been able to successfully set this up on anything else so far, probably due to a lack of expertise on my part though.

Did a test of Pi-Hole and while back too but did not see the point as already have ad-blocking / logging on the firewall appliance.

Agreed, a lot of OP's requirements as I understand them could also be fulfilled using a basic OpenWRT router. I guess he is looking for all the options.

I switched to an Edgerouter (ER-X) with Orbi Mesh for APs ; and then very recently changed everything to TP Link Omada (Router + APs + virtualized soft controller)

My sophos setup was running as a virtualized instance on a hypervisor - so could have something to do with that but after changing from a soft to a hard router (ER-X), I saw significant improvement in WAN bufferbloat as well as a noticeable (subjective) improvement in web response speed .

Again, FWIW, I was pretty happy with Sophos too. In terms of pure capabilities/ features, Ubiquiti or Omada routers do not even come close - I mean sophos is a full blown UTM solution vs these vanilla routers.
It is just that (I think) it was overkill for a home network and was possibly doing more harm than good for my needs.

What I needed was relatively simple - policy routing for VPN (which I think is what you are also using) + some basic ACL (access control rules to block IoT) + VLAN support
But most importantly, Load Balancing with fast Failover + good WAN-LAN NAT throughput

All 3 needs were served by Ubiquiti ER-X (and now Omada)
I'd go back to Sophos if I ever felt the need for DPI.. which a fast x64 machine will handle a lot better than a weak router CPU- but hey, why would a household need DPI on the traffic unless of course, the user wants to do it for kicks

 

[vivek.krishnan]

Class A IP Pool! WTF?

Anyways, what you need is

A good routing device. I would suggest to opt for those chinese multi gigabit LAN card devices OR run a server (which you are already doing) and run pfsense/opnsense/untangle/routing of choice on that. Sophos home edition also possible, but limited to 50 IPs

wifi - mesh ideally but standard ones will also do. @superczar has got some new tplink devices and they are stellar.

Do not think of open wifi in any case. Its not suggested. Setup a guest network and use VLANs if you want to isolate from the main network, else just use AP isolation if you dont want them talking to other wifi devices.

Could somebody explain how this adds security?

Frankly it doesn't IMO

You keep the wifi secure by putting a strong password

you keep internal server and systems secure by keeping them on a seperate LAN or VLAN from LAN users. Firewalls for external users.

you keep internet access secure by blocking unknown devices if they still can connect.

 

[superczar]

Class A IP Pool! WTF?

Anyways, what you need is

A good routing device. I would suggest to opt for those chinese multi gigabit LAN card devices OR run a server (which you are already doing) and run pfsense/opnsense/untangle/routing of choice on that. Sophos home edition also possible, but limited to 50 IPs

wifi - mesh ideally but standard ones will also do. @superczar has got some new tplink devices and they are stellar.

Do not think of open wifi in any case. Its not suggested. Setup a guest network and use VLANs if you want to isolate from the main network, else just use AP isolation if you dont want them talking to other wifi devices.

+1.. if OP has a server already, all he needs is to add a NIC (or a few)
BTW the sophos edition I was using was free for home usage and did not have a 50 device limit - Sophos XG is what it was called i think.

 

[vivek.krishnan]

+1.. if OP has a server already, all he needs is to add a NIC (or a few)
BTW the sophos edition I was using was free for home usage and did not have a 50 device limit - Sophos XG is what it was called i think.

Yes, my bad. Checked and XG is free with all bells and whistles. Much earlier it was not so.

 

[Ramadhir Singh]

wifi - mesh ideally but standard ones will also do

My the endgame is to reduce/eradicate wifi in home, and switch it off when not required. (switch wifi off completely by end of this year if 5G rolled out in India)
All devices will be wired with exception like mobile devices & tablets - which of course, can again use mobile networks if not need to access home network/files.

I guess i will go with Edgerouter, didn't quite like the unifi controller which is extra invited dependencies. for deeper configuration always SSH is available.

Cheap/chinese stuffs are not an option at all.
just for a ref, my 15yr old linksys router still working amazing and beasts much praised tp-links shits in terms of link stability & range ( wifi G standard). this what a "good" brands deliver, a solid hardware running a busybox. where as it took 4 years for tplink to fix 5ghz issues in archer 7 .. sorry im not in that business.
-----

@Chaos , how is your experience with Edgerouter 4, over Edgerouter X. ?

 

[Chaos]

-----

@Chaos , how is your experience with Edgerouter 4, over Edgerouter X. ?

Super stable - like 1 yr uptime with zero issues. The X used to hang once every month or so.

For the new house I shall be moving into though, I am moving to a full unifi setup - UDM pro, 2x unifi switches, 6 unifi APs, cameras etc!