VLAN Security Benefits vs Ease-of-Use


Recommended Posts

I bought a layer 3 Cisco switch to power my security cameras (PoE) and started considering VLANs to segment my network.  While thinking through the very many pros/cons of different VLAN structures, I never finalized any "best configuration" and instead ended up with my cameras using the Cisco switch, which connects to one port of a quad NIC (CAM), and all other Ethernet devices connected to a regular switch, which connects to another port on the same quad NIC (LAN).

 

That said, I set up my APs to broadcast 4 SSIDs (Adults, Kids, IOT, and Guest) with different subnets/VLANs and created VLANs on the LAN adapter within pfSense to segment my WiFi traffic from each other and from the untagged Ethernet LAN traffic.  I finally realized last night that the reason I've been unable to connect to my static IP servers while pfSense is down is that the unRAID management port is untagged while my laptop/iPhone connect to an SSID which is tagged!  This got me thinking about the complexity of my network and Ease-of-Use vs actual Security Benefits ...

 

  • If I die before my wife, she'd be unable to understand and manage any of this.  In fact, she already said she'd be at Best Buy buying a regular router.
  • If the pfSense server fails and I needed to use my regular router in the short-term, I'd have to change WiFi SSID/Passwords on very many devices.
  • A new pfSense VM or router defaults to 192.168.1.1 and I cannot connect to it unless I plug into an Ethernet port or remove the VLAN tagging of the Adult SSID.

 

I thought it would be nice to separate devices for security, easier firewall management, etc., but the truth is my kids aren't trying to hack my network, nor are their friends, and I'm most likely at risk of somebody hacking one of the devices exposed to the Internet.  That said, I'm considering that it would be a much simpler solution to put everything on the same subnet, assign devices into a few aliases, and use firewall rules to segment things.  In this way, if any hardware fails, I can plug-n-play a regular router and be back up instantly with little to no thought.

 

So ... how are you using VLANs/aliases to secure your devices while keeping things simple and effortless should some hardware fail?  Or like me, would your spouse be shaking their head trying to figure out what you've done if hardware failed?

Edited by bugsysiegals
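A caveat worth checking before adopting the flat-subnet-with-aliases plan from the post above: pfSense, like any router/firewall, only evaluates rules on packets that enter one of its interfaces. Two hosts on the same subnet resolve each other with ARP and talk switch-to-switch, so the firewall never sees that traffic and an alias-based block rule between them has no effect; the rule only bites once the hosts sit on different subnets (VLANs) and the packet has to be routed. The model below demonstrates this. It is an added example, not code from the thread or from pfSense; the alias names, addresses and rules are constructed, rules are evaluated without pfSense's per-interface binding, and the "no match means block" default is an assumption.

```python
"""Model of which flows a router/firewall can police in a flat subnet versus
VLAN-separated subnets.  Added example for this thread, not from pfSense or
from the original poster; all names, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name, CIDR, or "any"
    dst: str      # alias name, CIDR, or "any"


@dataclass
class Topology:
    subnets: list                      # router-attached subnets, one per VLAN/interface
    aliases: dict                      # alias name -> list of hosts/CIDRs
    rules: list = field(default_factory=list)

    def members(self, ref):
        """Expand an alias, CIDR or 'any' into a list of networks."""
        if ref == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if ref in self.aliases:
            return [ipaddress.ip_network(m, strict=False) for m in self.aliases[ref]]
        return [ipaddress.ip_network(ref, strict=False)]

    def subnet_of(self, host):
        """The directly attached subnet a host lives on, or None if off-net
        (e.g. an Internet address reached through the default route)."""
        ip = ipaddress.ip_address(host)
        return next((n for n in self.subnets if ip in n), None)

    def crosses_firewall(self, src, dst):
        """Two hosts on the same attached subnet resolve each other with ARP
        and talk through the switch; the packet never enters a router
        interface, so no firewall rule can act on it.  Anything else is
        routed and therefore filtered."""
        s, d = self.subnet_of(src), self.subnet_of(dst)
        return s is None or d is None or s != d

    def verdict(self, src, dst):
        """First-match evaluation of the rule list (interface binding is
        ignored here for brevity; pfSense evaluates on the ingress interface).
        Assumption: no matching rule means block, as on a non-LAN interface."""
        if not self.crosses_firewall(src, dst):
            return "unfiltered"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if any(s in n for n in self.members(r.src)) and any(d in n for n in self.members(r.dst)):
                return r.action
        return "block"


# Same policy intent for both layouts: IoT may not reach cameras or servers.
RULES = [
    Rule("block", "IOT", "CAMERAS"),
    Rule("block", "IOT", "SERVERS"),
    Rule("pass", "any", "any"),
]

# Layout A: one flat /24, devices grouped only by alias.
FLAT = Topology(
    subnets=[ipaddress.ip_network("192.168.1.0/24")],
    aliases={"SERVERS": ["192.168.1.10"], "CAMERAS": ["192.168.1.50"], "IOT": ["192.168.1.80"]},
    rules=RULES,
)

# Layout B: each group on its own VLAN/subnet behind the router.
VLANS = Topology(
    subnets=[ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24")],
    aliases={"SERVERS": ["192.168.1.10"], "CAMERAS": ["192.168.20.0/24"], "IOT": ["192.168.30.0/24"]},
    rules=RULES,
)


def compare():
    """Evaluate the IoT->camera flow under each layout plus an Internet-bound flow."""
    return {
        "flat iot->camera": FLAT.verdict("192.168.1.80", "192.168.1.50"),
        "flat iot->internet": FLAT.verdict("192.168.1.80", "203.0.113.9"),
        "vlan iot->camera": VLANS.verdict("192.168.30.25", "192.168.20.50"),
        "vlan iot->internet": VLANS.verdict("192.168.30.25", "203.0.113.9"),
    }


if __name__ == "__main__":
    for flow, result in compare().items():
        print(f"{flow:22} {result}")
```

The identical rule set yields "unfiltered" for IoT-to-camera in the flat layout and "block" in the VLAN layout; the Internet-bound flow is policed either way because it has to be routed. Aliases are still useful for readable rules, but they only become a segmentation control once there is a subnet boundary for the traffic to cross (or a switch-side control such as private VLANs, which is outside this model).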
  • 4 weeks later...

 

On 3/23/2020 at 8:16 AM, bugsysiegals said:

  • If I die before my wife, she'd be unable to understand and manage any of this.  In fact, she already said she'd be at Best Buy buying a regular router.

^ I'm in the same boat :)

I have it all documented (firewall routing, vlan configurations, physical connections, wifi vlans, etc) but she'll probably just flatten it.  I keep telling my youngest son I need him to be my backup admin :) 

Anything is hackable, but if someone comes into my network it'll be a more difficult chore to pivot around.   Malware like WannaCry would run rampant in a flat network if machines were unpatched.

I have friends with massive IOT gear running on a flat network and that just gives me the heebie-jeebies.

  • 2 weeks later...

I've set up FreeRADIUS on pfSense so that each device gets assigned to a VLAN based on its MAC.  This allows me to use one SSID, continue separating devices, and easily change a device to a new VLAN without programming it to a new SSID.  Also, if pfSense goes down, I can bring up a regular router with the same SSID, and all devices will connect seamlessly to a 192.168.1.1 flat network until I restore pfSense.

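The MAC-based dynamic VLAN assignment described in the post above works by having the access point send the client's MAC as the RADIUS User-Name, and FreeRADIUS answering with the tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, per RFC 3580) that tell the AP which VLAN to tag the client onto. The script below generates the FreeRADIUS `users` entries for such a map, normalises the various MAC spellings, rejects a MAC listed in two groups, and adds a DEFAULT catch-all that parks unknown devices on a quarantine VLAN rather than rejecting them. It is an added example, not the pfSense FreeRADIUS package's output or the poster's configuration; the inventory, MACs, VLAN ids and the choice of a catch-all are constructed. Two practitioner caveats: the MAC format the AP sends (dashes, colons, none, upper/lower case) varies by vendor and a mismatch silently falls through to DEFAULT, so check the RADIUS log; and a MAC is trivially spoofed and modern phones randomise it per SSID, so this decides where a device lands but is not authentication.

```python
"""Generate FreeRADIUS 'users' entries for MAC-based dynamic VLAN assignment.
Added example for this thread; not the pfSense FreeRADIUS package's own
output and not the poster's configuration.  Inventory, MACs and VLAN ids are
constructed."""
import re

# Constructed inventory: group -> VLAN id and the MACs that belong to it.
INVENTORY = {
    "Adults": {"vlan": 10, "macs": ["AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02"]},
    "Kids":   {"vlan": 20, "macs": ["aabbcc000003"]},
    "IOT":    {"vlan": 30, "macs": ["AA:BB:CC:00:00:04"]},
}
QUARANTINE_VLAN = 40   # unknown MACs land here (a guest VLAN), never on a trusted one

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac, sep="-"):
    """Canonicalise any common MAC spelling to the form the access point
    sends as User-Name (many send 'aa-bb-cc-dd-ee-ff'; verify in the RADIUS
    log, because a mismatch silently falls through to DEFAULT)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2)) if sep else digits


def build_map(inventory, sep="-"):
    """MAC -> VLAN id, rejecting a MAC that appears in two groups."""
    owner, vlan_of = {}, {}
    for group, spec in inventory.items():
        for raw in spec["macs"]:
            mac = normalize_mac(raw, sep)
            if mac in owner:
                raise ValueError(f"{mac} listed under both {owner[mac]} and {group}")
            owner[mac] = group
            vlan_of[mac] = spec["vlan"]
    return vlan_of


def assigned_vlan(mac, inventory, quarantine_vlan, sep="-"):
    """Simulate the lookup FreeRADIUS performs for one MAC-auth request."""
    return build_map(inventory, sep).get(normalize_mac(mac, sep), quarantine_vlan)


def _reply_items(vlan):
    # The three reply attributes that make an 802.1Q-capable AP/switch put
    # the client on a VLAN (RFC 3580).
    return [
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-Id = "{vlan}"',
    ]


def users_file(inventory, quarantine_vlan, sep="-"):
    """Render the 'users' file: one entry per known MAC, then a DEFAULT
    catch-all that accepts anything else onto the quarantine VLAN.  The
    catch-all is a design choice for a single shared SSID; drop it to
    reject unknown devices instead."""
    build_map(inventory, sep)          # fail loudly on duplicates before writing anything
    lines = ["# Generated MAC -> VLAN map.  MAC-auth commonly sends the MAC as both",
             "# User-Name and User-Password, hence the Cleartext-Password check item."]
    for group, spec in inventory.items():
        for raw in spec["macs"]:
            mac = normalize_mac(raw, sep)
            lines += [f"# {group}", f'{mac}\tCleartext-Password := "{mac}"',
                      *_reply_items(spec["vlan"]), ""]
    lines += ["# Unknown MAC: accept, but only onto the quarantine VLAN",
              "DEFAULT\tAuth-Type := Accept", *_reply_items(quarantine_vlan), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(users_file(INVENTORY, QUARANTINE_VLAN))
```

Run it and paste the output into the `users` file (on pfSense the package writes this file from the GUI; the attribute lines are the same). If the quarantine VLAN has no route to the trusted subnets, a randomised or unknown MAC gets Internet-only access, which matches the fail-safe the poster wants: the shared SSID keeps working, and the worst outcome for a misfiled device is the guest network.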
