help me build most secured Home Network to last a decade.

[Ramadhir Singh]

Super stable - like 1 yr uptime with zero issues. The X used to hang once every month or so.

For the new house I shall be moving into though, I am moving to a full unifi setup - UDM pro, 2x unifi switches, 6 unifi APs, cameras etc!

Thats a hell lot of equipment !!

I have spoken with a dealer checking the availability, he said due to lockdown supply is disrupted he will come back by Sunday with detail..
I'm shooting up for 6P/12 ( guess they have build in hardware switch) -- later will add FlexHD access pint sometime end of this year. for switches im going for cheap unmanaged one from netgear.

if you happen to know any dealer please let me know the details, or any suggestion.

EdIt:- my bad, only 12 has hardware switch chip. (source:https://help.ui.com/hc/en-us/articles/219652227--EdgeRouter-Which-EdgeRouter-Should-I-Use-)

Could somebody explain how this adds security?

nothing comes out of the box. we have to configure the firewall as per our need.

 

[rsaeon]

If you're leaning towards Unifi, I'd say look more closely at the limitations. There are some basic scripting that I can do in RouterOS with Mikrotik that's just impossible with Unifi, and that turned me off from Unifi even though they have a super sleek interface. I do have an Ubiquiti 5ghz Nano thing that's powerful enough for long range wifi when I'm at the local park for a morning walk.

As an example for what I mean, let's say I have an IoT device that I cannot allow to use my external IP address, and it must always go through a VPN. But VPN's sometimes go stale and you need to reconnect to get it going again. So a script is in place that checks for newly connected but previously assigned DHCP leases, matching them against the IP Route configured for it, which then matches with the VPN autoconfigured from a pool, and it will disable and renable the VPN connection. And it'll do this every time DHCP expires and is reassigned, essentially keeping the VPN alive. There's another script that monitors VPN's when they go down and reconnects to another one from a pool. The IP route in place prevents internet access through the default main route when the VPN is disconnected or reconnecting.

This sort of stuff is just about impossible with Unifi, if you need scripting.

The other is QoS. Instead of VLAN's, I have subnets configured for different classes of devices. Mobiles/Tablets, Laptops/Desktops, IoT, Printers, Shares. Mobiles/Tablets get the highest priority regardless of the kind of traffic they want, then regular port 80 like traffic from all the other devices and at the lowest priority is everything else. Along with QoS is multiwan, I have multiple LTE failovers whenever the main connection goes down (usually during a power outtage).

One last thing I think is essential is dns destination nat. That's forcing any dns request made by a device on the network to go through my own dns server, which is pihole. Two of them, actually.

My wifi strategy is a single SSID for anything and everything, and have RouterOS determine what can be done based on the subnet assigned through static ip leases. I'm sure by now the wifi password has been spoofed, but the network I have planned accounts for that and limits anything that isn't explicitly defined to a guest network where the most realistic damage they can do is print until the ink runs out. It's not flawless and I know I have a lot to learn about network security. But it works well.

I can't even pretend to say that I know much about RouterOS, but anything I wanted to do was possible in some form, with scripting. And it was a surprise that this could not be done with something as elitist as Unifi. So I'd say look at the limitations and what you deem absolutely essential for your network.

Could somebody explain how this adds security?

You have explicit control on what devices can access what parts of the internal network and/or outside internet. With firewall rules, you can essentially block off all outside requests to your internal network outright. Here's what I have configured:

I have a very rudimentary knowledge about these firewall rules, but I can try and explain. If other members see that my explanation is wrong, please correct me. I would love to learn.

The fourth rule prevents any client that's not from any interface that's been classified as LAN, from accessing the router. As you can see, there's been 285k packets that's been dropped, that's basically people (I'm double nat'ed) and/or my ISP trying to access/snoop my router.

The fifth rule specifies that IoT/Cameras can only access the devices that interact with them. They can't access printers, shares or anything else.

The sixth rule limits what the Guest Network can access. It can't access anything that hasn't been allowed.

The ninth rule blocks fresh connections from outside clients from directly accessing clients in my internal network. No packets here means they have been blocked by the previous rules (these rules are in hierarchical order) or that I configured this rule wrong.

The last two rules allow the two pihole devices to have priority access to the internet without having to go through the firewall, this speeds up dns requests.

 

[JMP]

nothing comes out of the box. we have to configure the firewall as per our need.

OP, if you don't mind, could you please elaborate why you want to switch WiFi off completely?

 

[Ramadhir Singh]

I can't even pretend to say that I know much about RouterOS, but anything I wanted to do was possible in some form, with scripting. And it was a surprise that this could not be done with something as elitist as Unifi. So I'd say look at the limitations and what you deem absolutely essential for your network.

Can't thank enough for your insight. Thank you so much !!
I had seen ty-videos of RouterOS, and i got overwhelmed, i felt there will be a steep leaning curve -- hence i was more inclined towards uni.

One of the primary requirement for me is - i should be able to control which device has internet connection and which LAN only.
And as you said we never know what kind of devices/IoT's we may have in future.

cant we archive the few of the automated job using cronjob or the json config .
I'm also learning about he edge router interface and exploring possibilities. ( looks like they have a community forum - which can be helpful)

I can always go for any other until i have placed the order of uni. ( yet to get confirmation availability)

By the way, which Mikrotik model you would suggest/using ?
i can only see this model - https://mikrotik.com/product/rb4011igs_rm which is looks of my use ( rack mountable size will he headache, no space to keep them).

 

[bobbyprajan]

By the way, which Mikrotik model you would suggest/using ?
i can only see this model - https://mikrotik.com/product/rb4011igs_rm which is looks of my use ( rack mountable size will he headache, no space to keep them).

I suggest you go with a cheap Mikrotik HAP AC lite first and see if it suits your requirements and is easy enough for you to manage. If that works for you, then go for the RB4011 etc. As somebody mentioned in the thread already its got a steep learning curve

 

[Ramadhir Singh]

OP, if you don't mind, could you please elaborate why you want to switch WiFi off completely?

Honestly, no hard reasons, and "completely off" was little exaggeration.
In a nut shell i wanted to say, when i connect a mobile client (like macbook) it should able to transfer to/from my home server at highest possible speed ( 60+mbps), so the mapped network drive can act like a local HDD.

Mobile/tablets are absolutely low priory devices in our household, and i don't want to interference them with the quality of available wifi quality. Also until we able to kick-out the last android device in our home, im not feeling secure

Mikrotik HAP AC lite

checked it, has only 10/100 port. (https://mikrotik.com/product/RB952Ui-5ac2nD)

 

[D C]

If you're leaning towards Unifi, I'd say look more closely at the limitations. There are some basic scripting that I can do in RouterOS with Mikrotik that's just impossible with Unifi, and that turned me off from Unifi even though they have a super sleek interface. I do have an Ubiquiti 5ghz Nano thing that's powerful enough for long range wifi when I'm at the local park for a morning walk.

As an example for what I mean, let's say I have an IoT device that I cannot allow to use my external IP address, and it must always go through a VPN. But VPN's sometimes go stale and you need to reconnect to get it going again. So a script is in place that checks for newly connected but previously assigned DHCP leases, matching them against the IP Route configured for it, which then matches with the VPN autoconfigured from a pool, and it will disable and renable the VPN connection. And it'll do this every time DHCP expires and is reassigned, essentially keeping the VPN alive. There's another script that monitors VPN's when they go down and reconnects to another one from a pool. The IP route in place prevents internet access through the default main route when the VPN is disconnected or reconnecting.

This sort of stuff is just about impossible with Unifi, if you need scripting.

The other is QoS. Instead of VLAN's, I have subnets configured for different classes of devices. Mobiles/Tablets, Laptops/Desktops, IoT, Printers, Shares. Mobiles/Tablets get the highest priority regardless of the kind of traffic they want, then regular port 80 like traffic from all the other devices and at the lowest priority is everything else. Along with QoS is multiwan, I have multiple LTE failovers whenever the main connection goes down (usually during a power outtage).

One last thing I think is essential is dns destination nat. That's forcing any dns request made by a device on the network to go through my own dns server, which is pihole. Two of them, actually.

My wifi strategy is a single SSID for anything and everything, and have RouterOS determine what can be done based on the subnet assigned through static ip leases. I'm sure by now the wifi password has been spoofed, but the network I have planned accounts for that and limits anything that isn't explicitly defined to a guest network where the most realistic damage they can do is print until the ink runs out. It's not flawless and I know I have a lot to learn about network security. But it works well.

I can't even pretend to say that I know much about RouterOS, but anything I wanted to do was possible in some form, with scripting. And it was a surprise that this could not be done with something as elitist as Unifi. So I'd say look at the limitations and what you deem absolutely essential for your network.



You have explicit control on what devices can access what parts of the internal network and/or outside internet. With firewall rules, you can essentially block off all outside requests to your internal network outright. Here's what I have configured:

View attachment 106153

I have a very rudimentary knowledge about these firewall rules, but I can try and explain. If other members see that my explanation is wrong, please correct me. I would love to learn.

The fourth rule prevents any client that's not from any interface that's been classified as LAN, from accessing the router. As you can see, there's been 285k packets that's been dropped, that's basically people (I'm double nat'ed) and/or my ISP trying to access/snoop my router.

The fifth rule specifies that IoT/Cameras can only access the devices that interact with them. They can't access printers, shares or anything else.

The sixth rule limits what the Guest Network can access. It can't access anything that hasn't been allowed.

The ninth rule blocks fresh connections from outside clients from directly accessing clients in my internal network. No packets here means they have been blocked by the previous rules (these rules are in hierarchical order) or that I configured this rule wrong.

The last two rules allow the two pihole devices to have priority access to the internet without having to go through the firewall, this speeds up dns requests.

This is awesome! I too have similar plans to build a home network like this. Device isolation, force dns to pihole etc.
Does this also prevent some IoT/smart devices bypassing your pihole, which have hardcoded DNS? Any provisions for DNS over HTTPS and DNS over TLS?

Recent changes by ubiquiti has also got me questioning them. Compulsory Ubiquiti account association for device setup has me a bit turned off. Did cause a bit of controversy in the ubiquiti youtube world side.

Thanks

 

[Ramadhir Singh]

guys.. see this . really wtf, -- Ubiquiti trying to be Xiaomi ? pushing ads in their UI..

https://twitter.com/x/status/1376626243865604100

backup image:

today they are getting user to see some ads in there , next step ful fledged google add implementation ?

Recent changes by ubiquiti has also got me questioning them. Compulsory Ubiquiti account association for device setup has me a bit turned off.

this only for the newer "unified" devices right ? edgerouter wont force me to create cloud account or stil we have to do ?

 

[D C]

guys.. see this . really wtf, -- Ubiquiti trying to be Xiaomi ? pushing ads in their UI..

https://twitter.com/x/status/1376626243865604100

backup image:
View attachment 106179
today they are getting user to see some ads in there , next step ful fledged google add implementation ?


this only for the newer "unified" devices right ? edgerouter wont force me to create cloud account or stil we have to do ?

AFAIK, its only unifi devices and happens only when you factory reset the device with the newer firmware oe have a new device with the latest firmware. If you were on old firmware before this change and upgraded firmware, wont ask for ubiquiti account and run with local admin user as previously set. But if you reset on new firmware, it will ask to add a ubiquiti account at setup. And most new purchases come with atleast this update.


You can create a local admin user after setup and delete the ubiquiti account and disable remote access. Plus, with the way Ubiquiti handled their breach which happened in January, I wouldn't trust them much. Better to vpn to home network and then access your router/controller.

Ubiquiti cyberattack may be far worse than originally disclosed

The data breach report from Ubiquiti in January is allegedly a cover-up of a massive incident that put at risk customer data and devices deployed on corporate and home networks.

www.bleepingcomputer.com

Final Thoughts on Ubiquiti – Krebs on Security

You never know with ubiquiti, they have been making questionable changes with their updates, I would recommend not updating instantly and watch some update reviews and changelogs before updating.

 

[Ramadhir Singh]

Good to know the insights,
btw called multilinkonline, very helpful guy picked up the phone and explained me in detail related to all my queries.
MikroTik RB4011i, is available comparatively much cheaper then the Ubiquity counterpart.

 

[rsaeon]

I suggest you go with a cheap Mikrotik HAP AC lite first and see if it suits your requirements and is easy enough for you to manage. If that works for you, then go for the RB4011 etc. As somebody mentioned in the thread already its got a steep learning curve

This is the best way. I spent about a year with Mikrotik hAP lite Classic RB941-2nD: https://www.amazon.in/Mikrotik-hAP-lite-classic-RB941-2nD/dp/B00UR758BM/

I wasn't sure if I could overcome RouterOS's steep learning curve and I really wanted Unifi instead. But I had budget constraints and many, many late nights with youtube tutorials and the documentation and the forums helped me understand what I was doing. The forums are not very helpful btw, knowledge of RouterOS is highly valued and highly paid for, so people are reluctant to give it for free on forums. But yes, that little box handled 40+ clients with ease and it had built-in wifi that I configured as a dhcp client for LTE failover with JioFi. Sure, I was limited to 100mbps but for a temporary period of time, it was okay.

I later upgraded to the RB4011iGS+RM mostly because it looked cool. And this brings up the biggest downside of the RB4011iGS+RM, there's no USB! I couldn't do LTE failover with JioFi's like I had planned. So I purchased a Mikrotik hEX S RB760iGS (also because it looked cool) to add purely for the USB support. But I'm fairly certain that the hEX S alone would be able to do everything I wanted out of the RB4011. The hEX S can handle a maximum of six usb connected JioFi's, the limitation is because of something called usb end points and I don't fully understand it.

Does this also prevent some IoT/smart devices bypassing your pihole, which have hardcoded DNS?

Yes, and that's what I love most about this combination of mikrotik and pihole. The Mi routers and the stock Sonoff devices are all blocked off with this.

Any provisions for DNS over HTTPS and DNS over TLS?

From what I understand, those were designed specifically to overcome dns destination nat so they can only be mitigated manually, by specifying a list of DNS servers: https://forum.mikrotik.com/viewtopic.php?t=173792

Recent changes by ubiquiti has also got me questioning them. Compulsory Ubiquiti account association for device setup has me a bit turned off.

This is a little uncomfortable. Their hardware and software have earned them a lot of goodwill, so they must feel that their users trust them for them to enforce this. I can see it being a benefit for their cameras and security services but for their network equipment, that's a little uncomfortable.

One of the primary requirement for me is - i should be able to control which device has internet connection and which LAN only.

As I understand it, this kind of stuff is what Unifi is really good at and it's in their gui somewhere to cordone off IoT devices.

 

[vivek.krishnan]

My the endgame is to reduce/eradicate wifi in home, and switch it off when not required. (switch wifi off completely by end of this year if 5G rolled out in India)
All devices will be wired with exception like mobile devices & tablets - which of course, can again use mobile networks if not need to access home network/files.

I guess i will go with Edgerouter, didn't quite like the unifi controller which is extra invited dependencies. for deeper configuration always SSH is available.

Cheap/chinese stuffs are not an option at all.
just for a ref, my 15yr old linksys router still working amazing and beasts much praised tp-links shits in terms of link stability & range ( wifi G standard). this what a "good" brands deliver, a solid hardware running a busybox. where as it took 4 years for tplink to fix 5ghz issues in archer 7 .. sorry im not in that business.
-----

@Chaos , how is your experience with Edgerouter 4, over Edgerouter X. ?

This is not an advisable route, IMO. I feel you are taking paranoia to the extreme.

If you feel the need to secure your networks even more, please use 802.1x authentication, and would advise to do this implementation with a central server or use something like JumpCloud to manage the users (free upto 10) https://jumpcloud.com/

As far as the Chinese stuff is concerned, you need to review before purchase.

Good to know the insights,
btw called multilinkonline, very helpful guy picked up the phone and explained me in detail related to all my queries.
MikroTik RB4011i, is available comparatively much cheaper then the Ubiquity counterpart.

I hope you are ok with doing the stuff on Microtik devices. I frankly don't mind using for work, but for home they are a tad too complicated IMO. Which is a problem if I am away from home when things hit the fan.

This is the best way. I spent about a year with Mikrotik hAP lite Classic RB941-2nD: https://www.amazon.in/Mikrotik-hAP-lite-classic-RB941-2nD/dp/B00UR758BM/

I wasn't sure if I could overcome RouterOS's steep learning curve and I really wanted Unifi instead. But I had budget constraints and many, many late nights with youtube tutorials and the documentation and the forums helped me understand what I was doing. The forums are not very helpful btw, knowledge of RouterOS is highly valued and highly paid for, so people are reluctant to give it for free on forums. But yes, that little box handled 40+ clients with ease and it had built-in wifi that I configured as a dhcp client for LTE failover with JioFi. Sure, I was limited to 100mbps but for a temporary period of time, it was okay.

I later upgraded to the RB4011iGS+RM mostly because it looked cool. And this brings up the biggest downside of the RB4011iGS+RM, there's no USB! I couldn't do LTE failover with JioFi's like I had planned. So I purchased a Mikrotik hEX S RB760iGS (also because it looked cool) to add purely for the USB support. But I'm fairly certain that the hEX S alone would be able to do everything I wanted out of the RB4011. The hEX S can handle a maximum of six usb connected JioFi's, the limitation is because of something called usb end points and I don't fully understand it.



Yes, and that's what I love most about this combination of mikrotik and pihole. The Mi routers and the stock Sonoff devices are all blocked off with this.



From what I understand, those were designed specifically to overcome dns destination nat so they can only be mitigated manually, by specifying a list of DNS servers: https://forum.mikrotik.com/viewtopic.php?t=173792



This is a little uncomfortable. Their hardware and software have earned them a lot of goodwill, so they must feel that their users trust them for them to enforce this. I can see it being a benefit for their cameras and security services but for their network equipment, that's a little uncomfortable.



As I understand it, this kind of stuff is what Unifi is really good at and it's in their gui somewhere to cordone off IoT devices.

I think for DoT or DoH, you will need to inspect the traffic anyways.

I would prefer to put everything (including the APs, CCTV etc) under a full block

 

[Ramadhir Singh]

I hope you are ok with doing the stuff on Microtik devices. I frankly don't mind using for work, but for home they are a tad too complicated IMO. Which is a problem if I am away from home when things hit the fan.

my exact feeling and only worry - what if, it need some trouble shooting while we away... it will be complicated to guide family member over the phone.
Mikrotik seems to a walled garden, where in edgerouter, it seems, we can even instal additional applications.
But on other side the pricing is quite contrasting. and that is (along with avilability) making me inclined towards mikrotik.

Anyway - im yet to get the availability of Ederouter, may be will get mid of this week. looks like shipment is halted in between and stock are not available.
once i get update form the dealer i will make the choice.

---------

Suggestion needed: Shall i go with smart/managed network switch (reference: https://www.amazon.in/NETGEAR-Gigabit-Ethernet-Managed-GS108Ev3/dp/B0835FK7BM)
or unmanaged ( ref: https://www.amazon.in/Netgear-8-Port-Gigabit-Ethernet-Switch/dp/B00030GLG4) is fine ?

I feel too many controls at various points will only increase complication.

Any recommendation for budget 10/100/1000 network switch with PoE (5 port is fine)

 

[vivek.krishnan]

my exact feeling and only worry - what if, it need some trouble shooting while we away... it will be complicated to guide family member over the phone.
Mikrotik seems to a walled garden, where in edgerouter, it seems, we can even instal additional applications.
But on other side the pricing is quite contrasting. and that is (along with avilability) making me inclined towards mikrotik.

Anyway - im yet to get the availability of Ederouter, may be will get mid of this week. looks like shipment is halted in between and stock are not available.
once i get update form the dealer i will make the choice.

---------

Suggestion needed: Shall i go with smart/managed network switch (reference: https://www.amazon.in/NETGEAR-Gigabit-Ethernet-Managed-GS108Ev3/dp/B0835FK7BM)
or unmanaged ( ref: https://www.amazon.in/Netgear-8-Port-Gigabit-Ethernet-Switch/dp/B00030GLG4) is fine ?

I feel too many controls at various points will only increase complication.

Any recommendation for budget 10/100/1000 network switch with PoE (5 port is fine)

This is exactly why I dont have a full pfsense kinda setup at home. However, if you are at home, should not be a big issue. Still, RouterOS has a slightly steep learning curve.

I would suggest to opt for a Sophos XG same as what @superczar suggested, there are lots of people who can help

Switch - if you can go for managed - please do. VLAN segregations are far better and even the TP Link Decos can use it. Which means even if the guest password is leaked, change it while the internal one stays safe.

 

[rsaeon]

That is a valid concern, but it's really not that dire.

I had a m0n0wall setup on a Duron 1GHz system that was connected to a regular UPS for my parents that I left running for seven years before the system stopped working. To be fair, that system was already ancient technology when I installed it in 2009. But it worked for seven years, and when it eventually died, my parents were able to just plug the internet cable directly into the wifi router and perform a hard reset (by holding a toothpick in the reset hole for thirty seconds, this was necessary because I had previously configured the wifi router as an access point). And when that wifi router eventually died, they just replaced it with another one.

When I was I finally able to return home and troubleshoot the system, it turned out the SD card that I was using in an SD to IDE adapter had become corrupt. The motherboard and processor still work fine. The original wifi router was beyond saving though.

With robust enterprise level hardware from Ubiquiti or Mikrotik, you can expect it to run unattended for lengthy periods of time, this RB4011 was last turned off because I was relocating it to a different part of the house:

And that is with multiwan configured for two seperate networks and two seperate internet connections (LAN1 -> WAN1+LTE and LAN2 -> WAN2). LAN1 has 40+ clients, and LAN2 has 200+ clients.

 

[vivek.krishnan]

That is a valid concern, but it's really not that dire.

I had a m0n0wall setup on a Duron 1GHz system that was connected to a regular UPS for my parents that I left running for seven years before the system stopped working. To be fair, that system was already ancient technology when I installed it in 2009. But it worked for seven years, and when it eventually died, my parents were able to just plug the internet cable directly into the wifi router and perform a hard reset (by holding a toothpick in the reset hole for thirty seconds, this was necessary because I had previously configured the wifi router as an access point). And when that wifi router eventually died, they just replaced it with another one.

When I was I finally able to return home and troubleshoot the system, it turned out the SD card that I was using in an SD to IDE adapter had become corrupt. The motherboard and processor still work fine. The original wifi router was beyond saving though.

With robust enterprise level hardware from Ubiquiti or Mikrotik, you can expect it to run unattended for lengthy periods of time, this RB4011 was last turned off because I was relocating it to a different part of the house:

View attachment 106344

And that is with multiwan configured for two seperate networks and two seperate internet connections (LAN1 -> WAN1+LTE and LAN2 -> WAN2). LAN1 has 40+ clients, and LAN2 has 200+ clients.

That is an excellent idea, and reminded me of a solution I had made for an ASUS N13 B1 which was running ddwrt and would sometimes not boot up - I had a standby el cheapo router which could be used to swap out the N13

 

[Ramadhir Singh]

Got an update on ubiquity from the dealer, not good news. No stock of edgerouter, or most of the uni product. They don’t know when stock will come, may be not before August.

On brighter side, microtik is available. Guess god wants me to take this path...

 

[D C]

Got an update on ubiquity from the dealer, not good news. No stock of edgerouter, or most of the uni product. They don’t know when stock will come, may be not before August.

On brighter side, microtik is available. Guess god wants me to take this path...

Could you dm me the ubiquiti dealer contact info?
Thanks

 

[Ramadhir Singh]

Could you dm me the ubiquiti dealer contact info?

Done! Please check dm.

 

[mach9]

Excellent thread and kudos to you guys adding value and insight to this! This is why TE is great.

On a lighter note - I sheepishly admit I have work to do on network security! Can i outsource it to any of you guys?