simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

Home network segmentation #75

New issue
Closed
opened 2023-10-08 15:55:14 +02:00 by simon · 1 comment
simon commented 2023-10-08 15:55:14 +02:00
Owner
Copy link

Currently, I only have one network at home. All devices are in it. I propose to split the network into multiple zones.

network

  • trusted network
    • lan/br-lan
    • VLAN 10
    • Subnet 10.80.1.0/24, fd00:80:1::/64
    • SSID: Darknet (change the PSK, as the current one is known on untrusted devices)
  • management network (for manangement services offered by switches etc., wireless APs)
    • management/br-management
    • VLAN 20
    • Subnet 10.80.2.0/24, fd00:80:2::/64
    • no wireless
  • untrusted network
    • untrusted/br-untrusted
    • VLAN 30
    • Subnet 10.80.3.0/24, fd00:80:3::/64
    • SSID: Industriespionage
  • IoT network
    • iot/br-iot
    • VLAN 40
    • Subnet 10.80.4.0/24, fd00:80:4::/64
    • SSID: Krepel

This requires activating VLAN on the switch and have it connect tagged VLAN 1 from the port connected to shinobu to the other ports untagged.

Firewall

trusted → * ACCEPT
* → trusted [established,related] ACCEPT
untrusted → 192.168.0.1/24 DROP # plastic router, might be vulnerable
untrusted → wan ACCEPT
untrusted → * DROP
iot → 10.80.3.1:1883 ACCEPT
iot → *:123 ACCEPT # ntp
iot → * DROP
untrusted → wan ACCEPT # maybe, depends on what devices are in that network

QoS

  • New qdisc for untrusted on enp1s0

TODO

  • Migrate MQTT server for wordlock to shinobu
Currently, I only have one network at home. All devices are in it. I propose to split the network into multiple zones. ## network * trusted network + `lan`/`br-lan` + VLAN 10 + Subnet `10.80.1.0/24`, `fd00:80:1::/64` + SSID: `Darknet` (change the PSK, as the current one is known on untrusted devices) * management network (for manangement services offered by switches etc., wireless APs) + `management`/`br-management` + VLAN 20 + Subnet `10.80.2.0/24`, `fd00:80:2::/64` + no wireless * untrusted network + `untrusted`/`br-untrusted` + VLAN 30 + Subnet `10.80.3.0/24`, `fd00:80:3::/64` + SSID: `Industriespionage` * IoT network + `iot`/`br-iot` + VLAN 40 + Subnet `10.80.4.0/24`, `fd00:80:4::/64` + SSID: `Krepel` This requires activating VLAN on the switch and have it connect tagged VLAN 1 from the port connected to shinobu to the other ports untagged. ### Firewall ``` trusted → * ACCEPT * → trusted [established,related] ACCEPT untrusted → 192.168.0.1/24 DROP # plastic router, might be vulnerable untrusted → wan ACCEPT untrusted → * DROP iot → 10.80.3.1:1883 ACCEPT iot → *:123 ACCEPT # ntp iot → * DROP untrusted → wan ACCEPT # maybe, depends on what devices are in that network ``` ### QoS * New qdisc for untrusted on `enp1s0` ## TODO * Migrate MQTT server for wordlock to shinobu
simon added the
type
feature
affects/style
 labels 2023-10-08 15:55:14 +02:00
simon commented 2023-10-18 23:50:28 +02:00
Author
Owner
Copy link

TODO:

  • SNMP
  • change lan wireless password
  • migrate mqtt
TODO: - [x] SNMP - [x] change lan wireless password - [x] migrate mqtt
simon closed this issue 2023-12-31 16:45:07 +01:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
koyomi
ci-runner
24.05
okarin2
hyper
catering
reuse
yuzuru2
renge2
23.11
nazuna
neomutt
sayuri-mesa-clover
upower
binfmt
ayu
restic-rest-server
No results found.
Labels
Clear labels   
affects/hardware

   
affects/legal

   
affects/reproducibility

   
affects/security

   
affects/style

   
affects/usability

   
blocked by/release 21.05

   
blocked by/release 21.11

   
blocked by/release 22.05

   
blocked by/testing needed

   
blocked by/testing needed/fuuko

   
blocked by/testing needed/sayuri

   
blocked by/upstream
  
resolution
deferred

  
resolution
permanent workaround

  
resolution
upstream wontfix

  
resolution
wontfix

  
type
bug

  
type
chore

  
type
feature

  
type
new machine

  
type
question

  
type
regression

  
type
tracking

No labels
affects/hardware
affects/legal
affects/reproducibility
affects/security
affects/style
affects/usability
blocked by/release 21.05
blocked by/release 21.11
blocked by/release 22.05
blocked by/testing needed
blocked by/testing needed/fuuko
blocked by/testing needed/sayuri
blocked by/upstream
resolution
deferred
resolution
permanent workaround
resolution
upstream wontfix
resolution
wontfix
type
bug
type
chore
type
feature
type
new machine
type
question
type
regression
type
tracking
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: simon/nixos-config#75
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?