Securing Your Home Network with VLANs

In this article, I will walk through how to set up a robust and secure home network using VLANs (Virtual Local Area Networks) to segment different types of devices and services. We will use OPNsense as our firewall/router, managed switches, Proxmox for virtualization, and VLAN-aware access points to create the following segments:

  1. Wi-Fi Devices: Smartphones, multimedia devices, printers, etc.
  2. Home Automation Devices: IoT devices, PV (Photovoltaic) inverter, heat pump, cameras, etc.
  3. Server/Services Network: Internal services like file servers, databases, etc.
  4. DMZ (Demilitarized Zone): Public-facing services like web servers, gaming servers, etc.
  5. Guest Network: For our guests at home.

Each of these segments is its own VLAN with its own subnet. The switch only forwards traffic within a VLAN; anything that crosses from one segment to another has to pass through OPNsense, where the firewall rules decide what is allowed. That is what gives you the isolation, the performance separation, and a clear view of which kind of traffic goes where.

Prerequisites

Before you begin, ensure you have the following components:

  • OPNsense Firewall/Router: A powerful open-source firewall that supports VLANs. It needs at least two physical ports: one for WAN and one that will carry the VLAN trunk to the switch.
  • Managed Switch(es): A switch that supports 802.1Q VLAN tagging (tagged and untagged port membership). If you use PoE-capable access points, you probably want a PoE switch.
  • VLAN-Aware Access Points: Access points that can broadcast multiple SSIDs, each mapped to a different VLAN tag on the AP's uplink port.

Step 1: Setting Up VLANs in OPNsense

OPNsense will serve as the central hub of your network. It will manage routing, firewall rules, and VLAN configurations. Let’s first create the VLANs on the OPNsense firewall.

1.1. Create VLANs in OPNsense

  1. Go to Interfaces > Devices > VLAN.
  2. Click the + button to create a new VLAN.
  3. Define the VLAN tag (a unique identifier for each VLAN) and assign it to the physical interface that will carry the trunk to the switch (e.g., em0 or igb0).
    • VLAN 10: Wi-Fi Devices (e.g., smartphones, multimedia, printers).
    • VLAN 20: Home Automation Devices (e.g., IoT devices, PV inverter, heat pump, cameras).
    • VLAN 30: Server/Services Network (internal services like file servers).
    • VLAN 40: DMZ (for public services like web servers).
    • VLAN 50: Guest (for guest devices).

VLAN 1 is deliberately left unused. It is the default (native) VLAN on most switches, so untagged frames on a trunk end up there; keeping client devices out of it means that a port left in its factory state, or a host that sends untagged frames on a trunk port, does not silently land in one of your segments.

1.2. Assign VLAN Interfaces

  1. After creating the VLANs, go to Interfaces > Assignments and assign the new VLANs to virtual interfaces.
  2. Click on the + sign to add a new interface for each VLAN and select the appropriate VLAN interface.
  3. Enable each interface and give them proper names for easy identification (e.g., LAN-WIFI, LAN-HOME-AUTO, LAN-SERVICES, LAN-DMZ, LAN-GUEST).

1.3. Configure DHCP for Each VLAN

Each VLAN interface first needs a static IPv4 address on OPNsense (open the interface under Interfaces, set IPv4 Configuration Type to Static IPv4); that address becomes the gateway for the segment. Then configure DHCP so that devices in those VLANs get IP addresses automatically.

  1. Go to Services > ISC DHCPv4.
  2. Select the VLAN interface (e.g., LAN-WIFI), enable DHCP, and configure the IP range for each VLAN. The range must lie inside the subnet you gave the interface.

Example for Wi-Fi Devices (VLAN 10):

  • Interface address (e.g.): 192.168.1.1/24
  • IP Range: 192.168.1.100 - 192.168.1.200

Repeat this for each VLAN, using a separate subnet per VLAN (e.g., 192.168.20.0/24 for VLAN 20, 192.168.30.0/24 for VLAN 30, and so on).

1.4. Set Firewall Rules

After creating the VLANs and DHCP configurations, you need to set firewall rules to control traffic between the VLANs. Three properties of OPNsense rules matter here: the rules on an interface tab apply to traffic entering that interface (i.e. traffic sent by devices in that VLAN), they are evaluated top to bottom with the first match winning, and anything no rule matches is blocked.

  1. Go to Firewall > Rules and open the tab for each VLAN interface.
  2. For each VLAN interface, configure rules to allow or deny traffic. Typically:
    • Traffic between devices within the same VLAN is switched, not routed, so it never reaches the firewall and needs no rule (and cannot be filtered there).
    • Allow DNS (and NTP, if you use it) from the VLAN to the firewall's own address on that interface (destination "This Firewall"); otherwise the block rule below also cuts name resolution.
    • Block traffic to the other internal networks. The simplest form is one block rule whose destination is an alias for the RFC 1918 ranges, placed above the allow rule. An "allow to any" rule placed first would also match internal addresses, and the block rule would never be reached.
    • Allow outbound traffic to the internet (destination any) as the last rule.
    • Where a VLAN legitimately needs an internal service, add a narrow allow rule (destination host and port) above the block rule.

Example for DMZ (VLAN 40):

  • Inbound HTTP/HTTPS from the internet to the web server is configured as a port forward on the WAN interface (Firewall > NAT > Port Forward), which adds the matching WAN rule for you; nothing on the DMZ tab is needed for inbound traffic.
  • On the DMZ tab: block all traffic to internal networks like your services, home automation and Wi-Fi VLANs (and to the firewall's own management ports), then allow the rest to the internet.
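The ordering rule above is the one most often got wrong, so here is an added example (not from the original post) that models OPNsense's per-interface, first-match, default-deny evaluation in Python and checks a candidate ruleset against the intended segmentation policy before you click through the GUI. The subnets, sample hosts, the MQTT broker on the services VLAN and the firewall address 192.168.50.1 are assumptions for illustration; the post itself only states the 192.168.1.x range for Wi-Fi.

```python
"""Added example (not from the original post): a first-match model of OPNsense
interface rules, used to check a candidate ruleset against the intended
segmentation policy.

Model: a rule lives on the tab of the interface the packet ENTERS (the source
VLAN), rules are evaluated top to bottom, the first match decides, and a packet
matching nothing is blocked. Subnets, hosts and ports are assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

ANY = [ip_network("0.0.0.0/0")]
# Alias for the three RFC 1918 ranges, i.e. "all internal networks".
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
SERVICES_NET = [ip_network("192.168.30.0/24")]   # assumed subnet of VLAN 30
GUEST_GW = [ip_network("192.168.50.1/32")]        # assumed OPNsense address on VLAN 50


class Rule(NamedTuple):
    iface: str         # interface tab: the VLAN the packet enters on
    action: str        # "pass" or "block"
    dst: list          # destination networks (an alias)
    dports: frozenset  # TCP ports; empty means any port


def evaluate(rules, iface, dst_ip, dport):
    """Action for a packet entering `iface` towards dst_ip:dport (default block)."""
    dst_ip = ip_address(dst_ip)
    for r in rules:
        if r.iface != iface:
            continue
        if not any(dst_ip in net for net in r.dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "block"


# Constructed sample hosts, one per destination the policy talks about.
SAMPLE_HOST = {
    "WIFI": "192.168.1.50", "HOMEAUTO": "192.168.20.50",
    "SERVICES": "192.168.30.50", "DMZ": "192.168.40.50",
    "GUEST_GW": "192.168.50.1",   # the firewall itself, seen from the guest VLAN
    "INTERNET": "203.0.113.10",   # TEST-NET-3 address standing in for a public host
}

# Intended policy: (source VLAN, destination, TCP port, expected action).
POLICY = [
    ("DMZ", "INTERNET", 443, "pass"),
    ("DMZ", "SERVICES", 445, "block"),
    ("DMZ", "HOMEAUTO", 80, "block"),
    ("DMZ", "WIFI", 22, "block"),
    ("GUEST", "INTERNET", 443, "pass"),
    ("GUEST", "GUEST_GW", 53, "pass"),     # DNS from the firewall must keep working
    ("GUEST", "GUEST_GW", 443, "block"),   # ... but not the firewall's web UI
    ("GUEST", "SERVICES", 443, "block"),
    ("WIFI", "INTERNET", 443, "pass"),
    ("WIFI", "SERVICES", 443, "pass"),
    ("WIFI", "HOMEAUTO", 80, "block"),
    ("HOMEAUTO", "SERVICES", 1883, "pass"),  # assumed MQTT broker on VLAN 30
    ("HOMEAUTO", "SERVICES", 22, "block"),
]


def correct_ruleset():
    """Block rules sit above the catch-all allow; narrow allows sit above the block."""
    return [
        Rule("DMZ", "block", RFC1918, frozenset()),
        Rule("DMZ", "pass", ANY, frozenset()),
        Rule("GUEST", "pass", GUEST_GW, frozenset({53})),
        Rule("GUEST", "block", RFC1918, frozenset()),
        Rule("GUEST", "pass", ANY, frozenset()),
        Rule("WIFI", "pass", SERVICES_NET, frozenset()),
        Rule("WIFI", "block", RFC1918, frozenset()),
        Rule("WIFI", "pass", ANY, frozenset()),
        Rule("HOMEAUTO", "pass", SERVICES_NET, frozenset({1883})),
        Rule("HOMEAUTO", "block", RFC1918, frozenset()),
        Rule("HOMEAUTO", "pass", ANY, frozenset()),
    ]


def wrong_ruleset():
    """Same rules, but the DMZ catch-all allow was placed above its block rule."""
    rules = correct_ruleset()
    rules[0], rules[1] = rules[1], rules[0]
    return rules


def check_policy(rules, policy=POLICY):
    """Return the policy entries the ruleset gets wrong, with the observed action."""
    bad = []
    for src, dst, port, expected in policy:
        got = evaluate(rules, src, SAMPLE_HOST[dst], port)
        if got != expected:
            bad.append((src, dst, port, expected, got))
    return bad


if __name__ == "__main__":
    for name, rs in (("wrong", wrong_ruleset()), ("correct", correct_ruleset())):
        print(name, check_policy(rs) or "policy satisfied")
```

Running it reports three violations for the "wrong" ruleset, all on the DMZ tab and all of the form expected block, got pass, which is exactly what an allow-to-any rule placed above the block rule does in OPNsense. The model ignores floating rules, interface groups and stateful return traffic, so treat it as a check of rule order and scope, not as a substitute for the live test in step 2.5.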

Step 2: Configuring Managed Switches

The managed switch handles VLAN tagging: it keeps each VLAN's frames separate and forwards traffic between devices in the same VLAN. Traffic between different VLANs never goes through the switch alone; it is sent up the trunk to OPNsense and back. Here's how to configure VLANs on your switch:

2.1. Access the Managed Switch’s Web Interface

Login to your switch’s web interface, typically through its IP address (e.g., 192.168.1.5).

2.2. Create VLANs on the Switch

  • Go to the VLAN settings section.
  • Create the same VLANs you configured on OPNsense (VLANs 10, 20, 30, 40 and 50).
  • Assign ports for wired devices to a single VLAN as untagged (access) ports. For example:
    • Ports for wired client devices that belong with the Wi-Fi segment (e.g., a printer) should be assigned to VLAN 10.
    • Ports connected to home automation devices should be assigned to VLAN 20.
    • Ports for your server/services network should be assigned to VLAN 30.
    • Ports for the DMZ should be assigned to VLAN 40.
    • Ports for the Guest devices should be assigned to VLAN 50.
  • Remove VLAN 1 from ports you have reassigned, and disable unused ports, so that an unknown device plugged into a spare port does not get an untagged path into the network.

2.3. Configure Trunk Ports

A trunk port carries tagged traffic from multiple VLANs. You will need one trunk port from the managed switch to OPNsense, and one each to every access point and to the Proxmox host.

  • On the switch, configure the port connected to OPNsense as a trunk port: a tagged member of VLANs 10, 20, 30, 40 and 50.
  • Do the same for the ports to the access points and to Proxmox; an access point only needs to be a tagged member of the VLANs whose SSIDs it broadcasts.
  • Do not make any client VLAN the untagged (native) VLAN of a trunk. Leave the trunk's native VLAN unused, or set the port to accept tagged frames only if the switch supports it.
  • On OPNsense, the parent interface you chose in step 1.1 (e.g., igb0) is the trunk side; the VLAN interfaces created on it carry the tagged traffic. No additional setting is required, but do not assign an address to the untagged parent interface itself.

2.4. Configure VLAN-Aware Access Points

For wireless devices, you will need access points that support VLANs. These devices can broadcast multiple SSIDs, each assigned to a different VLAN.

  1. Login to your access point's web interface.
  2. Configure multiple SSIDs, each tagged with a different VLAN. The AP's uplink must be one of the trunk ports from step 2.3. For example:
    • SSID 1: Home-WIFI (VLAN 10)
    • SSID 2: Home-Automation (VLAN 20), for IoT devices that only have Wi-Fi.
    • SSID 3: Guests-WIFI (VLAN 50). Enable the AP's client isolation option on this SSID so guests cannot see each other; the firewall cannot control traffic within a VLAN.
    • An SSID for the DMZ (VLAN 40) is only needed if a wireless host genuinely belongs in the DMZ; normally none does.

2.5. Test the Network

After setting up the VLANs on the switch and configuring the access points, test your network from a laptop connected to each segment in turn:

  • Verify that devices connected to the Wi-Fi network (VLAN 10) can access the internet but cannot access devices in the home automation network (VLAN 20).
  • Ensure devices in the DMZ (VLAN 40) are publicly accessible but cannot access internal services.
  • Ensure devices in the Guest network (VLAN 50) can only access the internet, and in particular cannot reach the OPNsense web interface or the switch's management address.
  • Check that a blocked destination times out rather than answering "connection refused": a refusal means the packet reached the host and the firewall let it through.
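The checks above are quick to script. The following is an added example (not from the original post) of a probe to run from a laptop on one segment at a time; it distinguishes a connection that timed out (the firewall dropped it) from one the target refused (the packet got through and the host answered), because a refusal on a supposedly blocked path means the segmentation is not working. The expectation table, the hosts 192.168.30.10 and 192.168.20.10 and the firewall address 192.168.50.1 are constructed for illustration; replace them with your own.

```python
"""Added example (not from the original post): a segmentation probe to run from
a laptop attached to one segment at a time. Hosts, ports and the expectation
table are constructed for illustration.
"""
import socket

# Expectations for a laptop on the guest VLAN 50: (label, host, port, should_reach).
GUEST_EXPECTATIONS = [
    ("guest -> internet https", "203.0.113.10", 443, True),          # use a real public host here
    ("guest -> firewall DNS", "192.168.50.1", 53, True),             # assumed OPNsense address on VLAN 50
    ("guest -> firewall web UI", "192.168.50.1", 443, False),
    ("guest -> services file server", "192.168.30.10", 445, False),  # assumed host on VLAN 30
    ("guest -> home automation hub", "192.168.20.10", 80, False),    # assumed host on VLAN 20
]


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for a TCP connect to host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: the host was reachable
    except OSError:
        return "filtered"     # timeout or no route: nothing came back
    finally:
        s.close()


def reached(outcome):
    """Both 'open' and 'refused' prove the packet crossed the firewall."""
    return outcome in ("open", "refused")


def run_checks(expectations, probe=tcp_probe):
    """Probe every expectation; `probe` is injectable so results can be replayed offline."""
    report = []
    for label, host, port, should_reach in expectations:
        outcome = probe(host, port)
        report.append({
            "label": label, "host": host, "port": port, "outcome": outcome,
            "ok": reached(outcome) == should_reach,
        })
    return report


def violations(report):
    """Labels of checks whose observed reachability contradicts the expectation."""
    return [r["label"] for r in report if not r["ok"]]


if __name__ == "__main__":
    for r in run_checks(GUEST_EXPECTATIONS):
        flag = "ok " if r["ok"] else "BAD"
        print(f"{flag} {r['label']:32s} {r['host']}:{r['port']} -> {r['outcome']}")
```

Write one expectation table per segment and run the script from a host in that segment. A "refused" outcome for a destination marked unreachable is the interesting failure: the firewall passed the packet and only the target's closed port stopped the connection, typically because an allow-to-any rule sits above the block rule on that VLAN's tab.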

Step 3: Setting Up Proxmox

Proxmox is an excellent choice for managing virtual machines (VMs) and containers. Let’s configure Proxmox to work with VLANs for your server/services network.

3.1. Create Virtual Networks for Each VLAN in Proxmox

  1. Log in to the Proxmox web interface.
  2. Select the node, then go to System > Network (network configuration lives per node, not under Datacenter).
  3. Either create one Linux VLAN device per VLAN on the trunk NIC (e.g., the NIC name followed by .30) with a Linux bridge on top of each (vmbr30, vmbr40, and so on), or, more simply, create a single Linux bridge on the trunk NIC with the "VLAN aware" option enabled and leave the tagging to each VM's network device.
  4. The physical port the Proxmox NIC is plugged into must be one of the trunk ports from step 2.3, and Proxmox's own management address should sit on the Services VLAN, not in the DMZ.

3.2. Assign VLANs to VMs

When creating VMs or containers, attach each to the appropriate VLAN: pick the per-VLAN bridge, or, with a VLAN-aware bridge, set the VLAN Tag field of the VM's network device. For example:

  • A file server VM could be connected to VLAN 30 (Server/Services).
  • A public-facing web server could be connected to VLAN 40 (DMZ).

A VM in the DMZ is then in the same position as a physical DMZ host: its only path to the services network or to the hypervisor's management address is through OPNsense, where the DMZ rules from step 1.4 block it.

3.3. Allow Traffic Between Specific VLANs (Optional)

OPNsense already routes between all of its VLAN interfaces; what prevents communication is the firewall rules from step 1.4. If you want to enable communication between some VLANs (e.g., to let a service on the server network talk to a device on the home automation network), add a narrow allow rule on the source VLAN's tab above its block rule, naming the destination host and port, rather than opening the whole VLAN.


Final words

By using VLANs, OPNsense, managed switches, VLAN-aware access points, and Proxmox, you can create a secure and efficient home network that separates traffic based on use cases. This setup ensures that sensitive devices like home automation systems are isolated from less secure devices like guest Wi-Fi, while also providing easy access to internal services and public-facing resources like web servers in the DMZ.

This network segmentation improves security, simplifies management, and provides better performance for each use case. With proper configuration, you’ll have a flexible and scalable home network setup tailored to your needs.

This post is licensed under CC BY 4.0 by the author.