b1ggjoe
May 03, 2018 Apprentice
Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)
Hey Everyone,
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would li...
netadmn
May 04, 2018 Apprentice
b1ggjoe wrote:
My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.
I can have it be a part of my private LAN on one NIC, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?
Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!
BJ
You can multihome your NAS or route the traffic. If your router isn't up to the challenge (resources/speed), then you can multihome. If you multihome, put the primary interface on your private VLAN and use that VLAN gateway as the default gateway. Then set up the other interface on the IOT VLAN. Not sure if you can then restrict it based on user/IP, but I would look into that to only allow the IOT/guest devices that need access. Firewalling it off and routing is better if your gateway can handle it.
Don't get your hopes up on Netgear/Orbi offering VLANs per SSID. They have competing products that play in that space. I saw somewhere (but I couldn't find it searching earlier) that the consumer version wouldn't support this and pointed the OP to their netgear WAC line of products. Right now Orbi is only supporting one SSID for your personal use and one for guest. That seems to also be the case with all the other "mesh" consumer products I've seen so far.
The real answer to our goal is to get Meraki, Aruba, Ubiquiti, or similar APs, create a VLAN trunk on your switch and connect the AP. They all operate in AP mode with a dedicated gateway. That will allow the SSIDs to be on different VLANs. They work amazingly well, but that is too complicated for most consumer users, and users want wireless everywhere. Orbi has the benefit of being supposedly easy for people to deploy without wires and covering a large area without a huge decrease in speed like the extenders cause. They were not designed with our use cases in mind.
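As an added illustration of the multihomed-NAS layout described in the reply above (this is not code from the thread or from any vendor), here is a shell script that emits the two pieces a Linux-based NAS would need: a netplan fragment that puts the default route only on the private VLAN interface, and an nftables ruleset that drops everything arriving on the IoT VLAN interface except the listed streaming clients on the listed service ports. The interface names (eth0, eth1.20), subnets, addresses, hostnames and port numbers are constructed placeholders. The allowlist keys on IP addresses backed by DHCP reservations rather than on MAC addresses, because a MAC allowlist is trivially defeated by a client that changes its MAC; the rate-limited log rule records what the IoT side tried and was refused.

```shell
#!/bin/sh
# Added example, not from the thread: generate config for a Linux NAS that is
# multihomed on a private VLAN (default route) and an IoT VLAN (restricted).
# All names, addresses and ports below are constructed placeholders.

PRIV_IF="eth0"        # NIC on the private VLAN; carries the only default route
IOT_IF="eth1.20"      # VLAN 20 sub-interface on the second NIC (IoT VLAN)

# Constructed allowlist of IoT-side clients allowed to reach media services.
# One "<ipv4> <label>" pair per line; give these hosts DHCP reservations.
IOT_ALLOWED="192.168.20.50 shield-tv
192.168.20.51 firestick-livingroom"

# Constructed service ports the streaming clients need (SMB and a media server).
MEDIA_TCP_PORTS="445, 32400"

# Join the first column of IOT_ALLOWED into an nft set element list.
ip_list() {
    printf '%s\n' "$IOT_ALLOWED" |
        awk '{ ips = ips (ips == "" ? "" : ", ") $1 } END { print ips }'
}

# Netplan fragment: the private interface gets the gateway, the IoT VLAN
# sub-interface gets an address but no route, so the NAS never routes via IoT.
gen_netplan() {
    cat <<EOF
network:
  version: 2
  ethernets:
    $PRIV_IF:
      addresses: [192.168.10.5/24]
      routes:
        - to: 0.0.0.0/0
          via: 192.168.10.1
    eth1:
      dhcp4: false
  vlans:
    $IOT_IF:
      id: 20
      link: eth1
      addresses: [192.168.20.5/24]
EOF
}

# nftables ruleset: packets entering on the IoT interface are diverted to a
# chain that accepts only replies to NAS-initiated traffic and the allowlisted
# clients on the media ports; everything else is logged (rate limited) and dropped.
gen_iot_ruleset() {
    cat <<EOF
table inet nas_iot {
    set iot_clients {
        type ipv4_addr
        elements = { $(ip_list) }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$IOT_IF" jump iot_in
    }
    chain iot_in {
        ct state established,related accept
        ct state invalid drop
        ip saddr @iot_clients tcp dport { $MEDIA_TCP_PORTS } accept
        limit rate 5/second log prefix "nas-iot-drop: "
        drop
    }
}
EOF
}

# Stand-alone use: write both fragments out for review before applying them.
if [ "${1:-}" = "emit" ]; then
    gen_netplan > /tmp/nas-vlans.yaml
    gen_iot_ruleset > /tmp/nas-iot.nft
    echo "wrote /tmp/nas-vlans.yaml and /tmp/nas-iot.nft"
fi
```

Run with `emit`, then syntax-check the ruleset with `nft -c -f /tmp/nas-iot.nft` before loading it with `nft -f`. Because the IoT interface has no route of its own, management traffic to the NAS still has to come in over the private VLAN, which is the point of the layout.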
b1ggjoe
May 04, 2018 Apprentice
Yeah, makes sense big time. I may just have to look into those other APs then, as you suggested. As for Firewalling off the NAS, I'm wondering if I should insert a small Firewall appliance, like an Untangle u25x in front of the NAS on the IoT VLAN NIC, or maybe use a built-in security feature such as this:
Then I can get really crazy with the Firewall rules and access controls.
What do you think?
BJ
netadmn
May 04, 2018 Apprentice
b1ggjoe wrote:
Then I can get really crazy with the Firewall rules and access controls.
What do you think?
BJ
I'm a pretty new user of pfsense (netgate sg-3100 + 32GB SSD). I've been running it a couple months now. I'm an administrator of Check Point, Cisco ASA, SonicWALL firewalls, etc. and pfsense was simple to setup compared to most of those. The feature set is amazing with its package manager and the community support is superb. LOTs of free pfsense training videos and if you buy their hardware, you get a fantastic book and access to their hangouts which are essentially training videos on how to implement certain features. You can get delayed (free) feeds from Emerging Threats, Snort for use in Snort/Suricata and GeoIP from MaxMind for pfblockerng. Plenty of free threat intelligence feeds or DNS filtering services to add more security that put PiHole to shame. (PiHole interface is amazing but I digress)
netadmn
May 04, 2018 Apprentice
Netgear doesn't want you to know what I think... they keep deleting my replies! I'll send another PM.
b1ggjoe
May 04, 2018 Apprentice
What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.
Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.
Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.
Man, it's too bad I can install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.
Hmmm...what to do...
BJ
netadmn
May 04, 2018 Apprentice
b1ggjoe wrote:
What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.
Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.
Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.
Man, it's too bad I can install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.
Hmmm...what to do...
BJ
My posts have been disappearing on me all day... only forum I've ever had that happen to me. Very odd... Even if I repost... It stays for a few and then goes away. I've gotten wise and composed in notepad which is why my formatting and grammar are terrible. ;)
4K is only what?.. 25Mbps? So, the sg1000 should do it but if you have the budget, splurge on the sg3100. The sg1000 is only good for about 125Mbps from what I've seen in tests and that is nowhere near what modern internet connections top out at. The sg3100 is good for gigabit. If you decide to build your own, take the hardware requirements seriously and ensure you select something with AES-NI. If you are in no rush, there are rumors that a device between the 1000 and 3100 will be announced soon.