Software dev here. I had a few classes about networks in school but I’m not too skilled with it. I recently got into building a home network as I will soon be moving in with my gf, and want to make a reliable internet setup for the both of us. Also just want to have a bit of fun doing this. I watched a few hours of videos on YouTube to figure this out, and made a small high-level drawing of how I would like to do it. Does this make sense? Will, for example, my main VLAN be able to talk with my home server? Or my IoT devices be able to talk to Home Assistant on the server? (The text on the drawing is mostly in French; I figured it’s generic enough to be understandable, tell me if you want more explanation.)
Yes, that deployment plan makes sense. I have a similar setup at home; you’ll need to configure separate SSIDs for the different VLANs. I would also recommend separate VLANs for the server devices and cameras, assuming those don’t have wireless devices; no need for WiFi networks for those.
You’ll need to configure rules on pfSense to allow (or block) traffic between your VLANs. For example, you can allow devices on your main network to any other network, but not allow devices on the IoT network to initiate traffic to any other networks.

Your diagram is fine, and a pretty standard “Advanced Home Network” we see around here.
Anything can be made to talk to anything across different VLANs by choosing to allow it on pfSense. If everything on one VLAN needs to talk to a server in another, you should evaluate if that server is in the right VLAN, or does it really belong with the others.
The big problem with VLANs in home environments is that you need to make so many exceptions just to get everything to work like you want. If you’re trying to use VLANs as an extra step in security, how much security are you really getting with so many exceptions on pfSense?
Your layout and questions are not at all unusual, I guess I’m just always wondering if VLANs are being pushed too hard onto typical home users who will waste more time trying to tune them than any benefits they actually receive.
You’re into tech, so it won’t be a problem. I do suspect that you’ll become lazy over time and just stick things in the main VLAN with broken promises to “fix it one day” as your personal time diminishes.
So yes, your diagram does make sense. As others mentioned, VLANs depend on how many rules you want to program. Personally, I have home automation on its own VLAN anyway, just for security.
You mention “reliable” here… Where, if the switch fails, then what? My home setup: off the router, I have 2 switches, and my NVR connected to it. One switch is the hardwired network. The other is just the wireless access points. For redundancy, I designed my network this way, so I can work on the hardwired side and wireless keeps working. Or if she complains the wireless network isn’t working, I can just reboot the switch remotely, and not affect her hardwired work laptop, or the hardwired Apple TV she might be watching.
To further the redundancy, I have a Wattbox, which reboots the modem if we lose internet, and I also have it scheduled to reboot the modem once a week for redundancy’s sake. The switches are on this, so I can reboot them as well. I’m lazy, and I don’t want to go downstairs to reboot this stuff LOL. Ubiquiti has similar power management products.
Really, when designing a network, think “what do I have to do if this fails?” as well as “is there anything I can do to minimize network downtime?”. Little things make a huge difference in how you manage your network. The less time you have to spend fixing or troubleshooting it, the more time you can enjoy the little things, like having the issue resolved already, instead of having to get the call of “the internet isn’t working”.
Good point on the redundancy, I didn’t really think of it. I will try to see if having separate switches for wired/wireless fits in my budget. If it does not, I will probably add it down the road since it’s a great idea. Will definitely check out the Wattbox.
Looks good. It’s almost like my home setup. VLANs are great for security, but don’t overdo it; cameras in a separate VLAN, and that’s it. Give your main VLAN access to the cameras, and give the cameras minimal access to the internet for firmware updates.
IoT: if you plan for more than 5 devices, do not use WiFi (IoT uses 2.4 GHz, and 2.4 GHz doesn’t scale well with many devices). Use a Zigbee or Z-Wave gateway instead.
Everything else looks good 👍
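The rule policy sketched in this thread (main VLAN may start connections to anything, IoT devices may only reach Home Assistant on the server VLAN plus the internet, cameras get nothing but outbound HTTPS for firmware updates) as a small model of how pfSense evaluates it. This is an added example, not any poster's configuration: the subnet numbering, the Home Assistant address and its TCP port 8123, and "firmware over HTTPS" are assumptions. What it models is the part people get wrong: rules live on the interface where traffic enters, are evaluated top to bottom, first match wins, anything unmatched is dropped, and because the firewall is stateful the replies to a connection the main VLAN opened into IoT need no rule of their own.

```python
"""Toy model of pfSense-style firewall rules for a VLAN'd home network.

Added example, not the original poster's configuration. Subnets, the
Home Assistant address/port and "firmware updates over HTTPS" are
assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
ANY = (ipaddress.ip_network("0.0.0.0/0"),)
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Assumed VLAN addressing (constructed for the example).
VLANS = {
    "main":    ipaddress.ip_network("192.168.10.0/24"),
    "iot":     ipaddress.ip_network("192.168.20.0/24"),
    "cameras": ipaddress.ip_network("192.168.30.0/24"),
    "server":  ipaddress.ip_network("192.168.40.0/24"),
}
HOME_ASSISTANT = ipaddress.ip_network("192.168.40.10/32")  # assumed address


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    dst: Tuple[Net, ...]          # destination networks (a pfSense alias)
    invert_dst: bool = False      # pfSense "invert match" on the destination
    proto: str = "any"            # "any", "tcp" or "udp"
    dport: Optional[int] = None   # destination port, None = any port
    note: str = ""

    def matches(self, dst_ip, proto, dport):
        in_dst = any(dst_ip in n for n in self.dst)
        if self.invert_dst:
            in_dst = not in_dst
        if not in_dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


# Rules are attached to the interface the traffic ENTERS pfSense on.
RULES = {
    "main": [Rule("pass", ANY, note="main VLAN may start connections to anything")],
    "iot": [
        Rule("pass", (HOME_ASSISTANT,), proto="tcp", dport=8123,
             note="IoT devices may talk to Home Assistant"),
        Rule("block", RFC1918, note="...and to no other private network"),
        Rule("pass", ANY, note="...but may reach the internet"),
    ],
    "cameras": [
        # Nothing else matches, so everything else hits the default deny.
        Rule("pass", RFC1918, invert_dst=True, proto="tcp", dport=443,
             note="cameras: HTTPS to non-private addresses only (firmware)"),
    ],
    "server": [Rule("pass", ANY, note="server may reach anything")],
}

# The same IoT rules in the wrong order: the broad block now shadows the
# Home Assistant allow. First match wins, so order is the policy.
MISORDERED_IOT = [RULES["iot"][1], RULES["iot"][0], RULES["iot"][2]]


def vlan_of(ip):
    for name, net in VLANS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any VLAN")


def evaluate(src, dst, proto="tcp", dport=None, rules=None):
    """(action, note) of the first matching rule on the source VLAN's
    interface, or ("block", "default deny") when nothing matches."""
    rules = RULES if rules is None else rules
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules.get(vlan_of(src_ip), []):
        if rule.matches(dst_ip, proto, dport):
            return rule.action, rule.note
    return "block", "default deny"


def allowed(src, dst, proto="tcp", dport=None, rules=None):
    return evaluate(src, dst, proto, dport, rules)[0] == "pass"


if __name__ == "__main__":
    checks = [
        ("192.168.10.5", "192.168.40.10", "tcp", 22),    # main -> server SSH
        ("192.168.20.7", "192.168.40.10", "tcp", 8123),  # IoT -> Home Assistant
        ("192.168.20.7", "192.168.40.10", "tcp", 22),    # IoT -> server SSH
        ("192.168.20.7", "192.168.10.5", "tcp", 445),    # IoT -> main SMB
        ("192.168.20.7", "203.0.113.9", "tcp", 443),     # IoT -> internet
        ("192.168.30.3", "203.0.113.9", "tcp", 443),     # camera -> internet HTTPS
        ("192.168.30.3", "192.168.10.5", "tcp", 80),     # camera -> main
    ]
    for src, dst, proto, port in checks:
        action, note = evaluate(src, dst, proto, port)
        print(f"{src:>14} -> {dst:<14}:{port:<5} {action:5}  {note}")
    mis = dict(RULES, iot=MISORDERED_IOT)
    print("misordered IoT rules, HA reachable:",
          allowed("192.168.20.7", "192.168.40.10", "tcp", 8123, mis))
```

Two practical caveats the model makes visible: the camera rule set is so tight that it also drops DNS and NTP, so a real deployment would add pass rules for those to the pfSense interface address; and an allow placed below a broader block is dead, which is exactly the kind of exception that silently fails once the rule list grows.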
Good to know! I’m a little bit familiar with Zigbee but didn’t know it could relieve the network load; I thought the devices were also using 2.4 GHz to speak to the hub.
The Zigbee hub uses 2.4 GHz, but not the exact same frequency. The hub is usually connected to the network with an Ethernet cable, which is much cleaner if you have many devices.
Look at this. https://www.metageek.com/training/resources/zigbee-wifi-coexistence/
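To put numbers behind "2.4 GHz but not the exact same frequency", here is an added example (not from the thread or the linked page) that computes which Zigbee channels stay clear of the Wi-Fi channels in use. It uses the published channel grids: IEEE 802.15.4 channel k (11 to 26) is centred at 2405 + 5*(k-11) MHz and is 2 MHz wide; 2.4 GHz Wi-Fi channel n (1 to 13) is centred at 2407 + 5*n MHz. The Wi-Fi channel width is a parameter, 20 MHz by default, because that is the assumption the usual "1/6/11 vs Zigbee 15/20/25/26" advice rests on.

```python
"""Which Zigbee channels avoid the Wi-Fi channels in use on 2.4 GHz?

Added example, not from the thread. Channel grids are the published ones
for IEEE 802.15.4 and 802.11; the Wi-Fi channel width is an assumption
(20 MHz by default, 22 for legacy 802.11b, 40 for bonded channels).
"""


def zigbee_band(k):
    """(low, high) edge frequencies in MHz of Zigbee channel k (11..26)."""
    if not 11 <= k <= 26:
        raise ValueError("Zigbee 2.4 GHz channels are 11..26")
    centre = 2405 + 5 * (k - 11)
    return centre - 1, centre + 1          # 2 MHz wide


def wifi_band(n, width=20):
    """(low, high) edge frequencies in MHz of Wi-Fi channel n (1..13)."""
    if not 1 <= n <= 13:
        raise ValueError("2.4 GHz Wi-Fi channels are 1..13 here")
    centre = 2407 + 5 * n                  # ch1 = 2412, ch6 = 2437, ch11 = 2462
    return centre - width / 2, centre + width / 2


def overlaps(a, b):
    """True when two (low, high) bands share any spectrum."""
    return a[0] < b[1] and b[0] < a[1]


def clear_zigbee_channels(wifi_channels, width=20):
    """Zigbee channels that overlap none of the given Wi-Fi channels."""
    busy = [wifi_band(n, width) for n in wifi_channels]
    return [k for k in range(11, 27)
            if not any(overlaps(zigbee_band(k), b) for b in busy)]


if __name__ == "__main__":
    for width in (20, 22, 40):
        print(f"Wi-Fi 1/6/11 at {width} MHz -> clear Zigbee channels:",
              clear_zigbee_channels([1, 6, 11], width))
    print("Wi-Fi 1/6 only at 20 MHz ->", clear_zigbee_channels([1, 6]))
```

The result worth noticing is the 40 MHz case: bonding channels on 2.4 GHz (a default on some access points) leaves no Zigbee channel untouched, so if the hub and the Wi-Fi share a wall, keeping 2.4 GHz at 20 MHz matters as much as picking the Zigbee channel. This also only models the access point's own channels; neighbours' networks need to be checked with a scan.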