Good afternoon all,

 

Currently using my ISP router, Virgin Media in the UK. Using their top router, the hub 5 on a 1 gig connection.

 

I have 11 cameras and around 50 smart home devices around the place, in and amongst the usual home devices. I'd say around 80 devices in total.

 

I have a mini PC with multiple LAN ports and an N100/16GB RAM/512GB SSD. This can run OPNsense. I have run it before when I was messing about, and went back to the ISP router because of the ease of port forwarding; it seemed hit and miss on the OPNsense box.

 

I currently supply my neighbour with internet using the guest network also.

 

My question.

 

I've been researching VLANs. I have a managed switch and can buy a few Omada APs with a PoE switch.

 

In a real-world setting, would the benefit of separating the IoT devices, neighbour internet access and general stuff be worth it with VLANs?

 

I'm not too fluent in Linux or FreeBSD, but I'm learning and am 99% sure that I can figure out the VLAN settings.

 

Basically just wondering if the difficulty and cost would actually benefit me in real-world terms?

 

Any opinions would be greatly appreciated!

 

Thanks in advance.


13 minutes ago, Dexta211 said:

would the benefit of separating the IoT devices, neighbour internet access and general stuff be worth it with VLANs?

Depends on what you mean by worth it. What are you hoping to achieve? Learning experience, better security, better network performance?

 

From my perspective the primary benefit would be better security, by separating your neighbor's traffic and your IoT traffic from your traffic.


The two major risks people worry about are untrusted users getting their device infected, which is then a foothold in your network to infect other things, or insecure or maliciously controlled IoT devices being used by bad actors directly. So the general desire is to isolate non-technical people from the rest of the network, and IoT devices from the rest of the network, while still allowing the general function of the IoT devices.

 

If your only untrusted or nontechnical user is already in a Guest network from the ISP router, then they're pretty well isolated already. If you have kids, elderly, or spouse/siblings/etc that can't be trusted to stay away from things that get their device infected, and they can't just use the Guest network, then making a VLAN for them to customize their access may be warranted.

 

Whether the IoT device as a foothold into your network is a credible concern depends on what devices you have - and this isn't just about a device being from an Asian company, plenty of US and European companies produce devices with glaring security problems too. You can research the companies for CVEs (search "name of company" and CVE) to see what security researchers have found - if it seems like the devices you have are from companies that have a history of bad security, maybe creating an IoT VLAN makes sense. The main downside of doing this is that controlling the devices becomes harder. mDNS repeater/reflector software can help your phone find the IoT devices, or you can just place your phone into the IoT network itself - iOS and Android are hardened against malicious environments like public cafe wifi after all.

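The isolation goal described in the post above (IoT and guest segments cannot start connections into the trusted LAN, while the trusted LAN and the internet stay reachable), modelled as ordered firewall rules. This is an added example, not part of the thread; the subnets, VLAN names and rule format are constructed assumptions, and it assumes a stateful firewall where the first matching rule on the ingress interface wins.

```python
import ipaddress as ip

# Constructed addressing plan (an assumption; the thread gives no subnets).
VLANS = {
    "trusted": ip.ip_network("192.168.10.0/24"),  # PCs, phones, media server
    "iot":     ip.ip_network("192.168.20.0/24"),  # cameras, smart plugs
    "guest":   ip.ip_network("192.168.30.0/24"),  # neighbour's access
}
PRIVATE = [ip.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-ingress-VLAN rules as (action, destination), evaluated top-down.
# The first matching rule wins; no match means block (default deny).
RULES = {
    "trusted": [("pass", "any")],
    "iot":     [("block", "private"), ("pass", "any")],
    "guest":   [("block", "private"), ("pass", "any")],
}
# Same IoT rules in the wrong order: the broad pass shadows the block.
MISORDERED = dict(RULES, iot=[("pass", "any"), ("block", "private")])


def zone_of(addr):
    """Return the VLAN name an address belongs to, or None."""
    a = ip.ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), None)


def decide(src, dst, rules=RULES):
    """Verdict for a NEW routed connection from src to dst."""
    # Replies are assumed to pass via firewall state; traffic inside one
    # VLAN is switched, never routed, and is outside this model.
    zone = zone_of(src)
    if zone is None:
        return "block"
    d = ip.ip_address(dst)
    for action, target in rules[zone]:
        if target == "any" or (target == "private"
                               and any(d in n for n in PRIVATE)):
            return action
    return "block"


if __name__ == "__main__":
    for s, t in [("192.168.10.5", "192.168.20.15"),   # phone -> camera
                 ("192.168.20.15", "192.168.10.5"),   # camera -> PC
                 ("192.168.20.15", "203.0.113.10")]:  # camera -> internet
        print(f"{s} -> {t}: {decide(s, t)}")
```

The model covers routed unicast connections only; mDNS discovery is link-local multicast and does not cross the routed boundary, which is where the repeater mentioned in the post comes in.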

Most of my smart devices are Tapo from TP-Link, which I think have fairly good security. I have a few others, but none that scream insecure.

The users on my network don't really concern me. Just me, my partner and my son. There are a few services like Emby on the network, but nothing that anyone would go too far looking for, just calle to fix.

I guess that the main thing I'm concerned with is network congestion and maybe making it as secure as possible. I've read that smart home devices broadcast quite frequently, which can reduce the performance of the network. But with my number of devices, is that going to be an issue now?

Thanks for the replies so far, exactly what I wanted!
