Home network segmentation #75

Closed
opened 2023-10-08 15:55:14 +02:00 by simon · 1 comment

Currently, I only have one network at home. All devices are in it. I propose to split the network into multiple zones.

network

  • trusted network
    • lan/br-lan
    • VLAN 10
    • Subnet 10.80.1.0/24, fd00:80:1::/64
    • SSID: Darknet (change the PSK, as the current one is known on untrusted devices)
  • management network (for management services offered by switches etc., wireless APs)
    • management/br-management
    • VLAN 20
    • Subnet 10.80.2.0/24, fd00:80:2::/64
    • no wireless
  • untrusted network
    • untrusted/br-untrusted
    • VLAN 30
    • Subnet 10.80.3.0/24, fd00:80:3::/64
    • SSID: Industriespionage
  • IoT network
    • iot/br-iot
    • VLAN 40
    • Subnet 10.80.4.0/24, fd00:80:4::/64
    • SSID: Krepel

This requires activating VLAN on the switch and having it connect tagged VLAN 1 from the port connected to shinobu to the other ports untagged.

Firewall

trusted → * ACCEPT
* → trusted [established,related] ACCEPT
untrusted → 192.168.0.1/24 DROP # plastic router, might be vulnerable
untrusted → wan ACCEPT
untrusted → * DROP
iot → 10.80.3.1:1883 ACCEPT
iot → *:123 ACCEPT # ntp
iot → * DROP
untrusted → wan ACCEPT # maybe, depends on what devices are in that network

QoS

  • New qdisc for untrusted on enp1s0

TODO

  • Migrate MQTT server for wordlock to shinobu
simon added the type feature affects/style labels 2023-10-08 15:55:14 +02:00
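
An added example, not part of the issue or of the repository's configuration: a small checker that parses the rule notation from the Firewall section and lists rules that an earlier rule already covers. It assumes the rules are evaluated top to bottom with the first match winning; that assumption and the function names are this example's own.

```python
import re

# Rule lines copied verbatim from the issue's Firewall section.
POLICY = """\
trusted → * ACCEPT
* → trusted [established,related] ACCEPT
untrusted → 192.168.0.1/24 DROP # plastic router, might be vulnerable
untrusted → wan ACCEPT
untrusted → * DROP
iot → 10.80.3.1:1883 ACCEPT
iot → *:123 ACCEPT # ntp
iot → * DROP
untrusted → wan ACCEPT # maybe, depends on what devices are in that network
"""

# src → dst [optional conntrack states] VERDICT
RULE = re.compile(r"^(\S+) → (\S+)(?: \[(\S+)\])? (ACCEPT|DROP)$")

def parse(text):
    """Return (src, dst, state, verdict) tuples in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#")[0].strip())  # drop trailing comment
        if m:
            rules.append(m.groups())
    return rules

def covers(earlier, later):
    """True if `earlier` matches every packet that `later` matches.

    Only exact-equal or wildcard ("*") fields are compared; CIDR and
    zone overlap (e.g. a subnet reachable via wan) is not modelled.
    """
    e_src, e_dst, e_state, _ = earlier
    l_src, l_dst, l_state, _ = later
    return (e_src in ("*", l_src) and e_dst in ("*", l_dst)
            and e_state in (None, l_state))

def shadowed(rules):
    """Zero-based (earlier, later) index pairs where `later` can never fire."""
    return [(i, j) for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j]) if covers(earlier, later)]

if __name__ == "__main__":
    rules = parse(POLICY)
    for i, j in shadowed(rules):
        print(f"rule {j} {rules[j]} is unreachable: covered by rule {i} {rules[i]}")
```
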

TODO:

  • [x] SNMP
  • [x] change lan wireless password
  • [x] migrate mqtt
simon closed this issue 2023-12-31 16:45:07 +01:00
Reference: simon/nixos-config#75