I'm going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I'm not an expert and would appreciate a few extra pairs of eyes in case I'm missing something obvious.
Hardware available:
- Microtik Routerboard - 5 ports
- Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
- some dumb switches
Devices (by logical category; VLANs?):
- main - computers and phones (Wi-Fi for now, I plan to run cable)
- media - TVs, gaming consoles, etc
- DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
- guest - guests, kids computers
Goals:
- main - outgoing traffic goes through a VPN
- media - outgoing traffic limited to certain trusted sites; probably no VPN
- untrusted - cannot access internet, can be accessed from main
- guest - can only access internet, potentially through a separate VPN from main
Special devices:
- NAS (Linux box) - can access main, media, and DMZ
- printer - accessible from main, rest of devices on untrusted don't need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed
Plan:
Router ports:
- Internet
- WiFi APs
- main VLAN
- untrusted (VLAN)
- unused (or maybe media VLAN)
WiFi SSIDs (currently have a 2.4Ghz and 5Ghz SSIDs):
- main VLAN
- guest VLAN
- untrusted - hidden SSID (mostly for printer) - 2.4GHz only
If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.
This is my first time configuring VLANs, so I'm not really sure what my options are. Also, I'm not super familiar with Mikrotik routers (I'm not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.
Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?
Edit: DMZ is the wrong term, so I replaced it with "untrusted". By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can't initiate connections outside their VLAN. However, that's not necessary, since I can tunnel through my NAS if needed.
You do you, I certainly won’t judge your choices or opinions or whatever. I will say that adding a VPN into the mix will add (probably significant amounts of) latency to any connection routed through it. This has the potential to make multiplayer games borderline unplayable depending on the type and its sensitivity to latency in general.
If you’re that worried about being doxxed stand up a site-to-site vpn between your tik and an AWS VPC. Use the right region and you probably won’t have much latency issues, although the transit fees from AWS might bite you.
On the flip side, since the mikrotik can act as a vpn server you could always set up your whole home vpn along with the vpn server, travel overseas to somewhere like Japan, set your upstream vpn’s exit as the same country you’re visiting, VPN in to your house over your phones Japanese cellular carrier data connection, then watch local JP netflix with the knowledge that the traffic is tunneling around the globe to get to you and marvel at the interconnectedness of the modern world. ask me how i know how amazing this is.
Yeah, I'll certainly test it first. I'm planning to get one at a local datacenter, and ping times are only 4ms from my home. I'll be using WireGuard, so router level overhead should be minimal.
But I'll definitely set up a test "secure" VLAN so my wife and I can test it out.
There's other reasons as well, such as this law in my state that requires parental approval for kids to access SM. I don't want my wife or kids to give SM that PII, so I want to protest it at the network layer, at least with a secure SSID, if not the default outgoing network.
Yup, that's also part of the plan. I want to access my NAS anywhere, but I don't want it publicly exposed. I may even want to access my IP cameras and whatnot as well.
So my plan is to set up a VPS and configure my own private VPN, connect my NAS to it, and then from there I can access anything on my home network. My kids like to use my computer to play games, so one common use case is to SSH in to the computers and unlock them while I'm at work (i.e. if they're on vacation or something) so my wife doesn't need to type my password (it's kinda long). I do that already from my phone so I don't have to walk downstairs, but it would be nice to be able to do it from my phone at work.
I also don't trust cloud-connected IP cameras, but want cameras monitoring my house while I'm away, so I'll definitely need my own personal VPN.
Ah, never mind then, ignore everything I said.
Unless I’m misunderstanding, you don’t need a VPS for this. RouterOS supports you enabling a built-in VPN server, which you can then connect to directly, you don’t need to set up a VPS or anything. Then you can just put allow rules in the firewall for traffic from the VPN subnet in to your main subnet, your NASs subnet, your camera subnet, etc. This is how I access my homes resources remotely, the only ports open to the Internet are the VPN ports on my CCR1036.
You'd need a stable, publicly routable address, right? I'm not sure if I'll have that, and I certainly don't have it now. I can get it if I want, but it's cheaper to just get a VPS.
But yeah, if I end up getting an IPv6 address and my ISP doesn't block ports, then yeah, that should work.