Question in the title. Feel free to include details, like what networks have wifi, what kinds of devices are on what, etc etc.

Right now I have 4 VLANs, each with a separate wifi SSID:

  1. Base - servers, workstation, and any trusted devices
  2. Business - work laptop, dock, and phone - enforces network and device isolation - lighter adblocking settings, so that work programs and services aren’t nerfed
  3. Isolated - visiting friends and family use this one - again, enforces network and device isolation
  4. Security - for cameras, doorbell, and other security devices - strongest security settings, isolation, and no direct internet access

Looking forward to hearing what others are doing, to see if I can improve my setup.

  • f3nyx@lemmy.ml · 2 days ago

    You have a good balance, OP. I’d consider a DMZ if you’re planning on hosting any public services (or even services at all; check out the ffmpeg exploit that happened last week). Other than that, I wouldn’t recommend you get any more granular.

    The more granular you get with this stuff, the more you have to go through if/when something goes wrong or otherwise doesn’t work. That is great when you have a lot of time on your hands and an obsession with networking, but it starts to become a detriment when your interest and time need to be dedicated to other things.

    • 4am@lemmy.zip · 2 days ago

      I had a DMZ and the only thing in it was a virtualized OPNSense router that handled all the traffic restrictions in and out of the network.

  • litchralee@sh.itjust.works · 2 days ago

    I’ll start with an observation that SSIDs, LANs, and subnets are all exercises in logical grouping and isolation. An optimal setup would place similarly-situated clients in the same group, while isolating clients that have no business with each other.

    To that end, I’ll start with how I allocate SSIDs, which expects VLAN-aware APs but nothing fancy like RADIUS authentication. I only have two SSIDs, with one being the “public” network where the PSK WiFi password is distributed to all visitors, and the “private” network which is only used for my own long-term devices. There would have been a third SSID if I had IoT devices in my home, but I later implemented a rule to not allow those. There are no servers that sit on the Wifi network, because of the availability of CAT6 to every space that matters.

    At L2, the two SSIDs map to two VLANs, but there are also VLANs for: the DMZ, internal-only servers, and the IP phones. The rationale for the DMZ being its own VLAN is to concentrate security into L3 (discussed later) and the firewall. The rationale for the internal servers and IP phone VLANs is because those endpoints should keep working even if most everything else on the network is having a problem. There should be no instance where a broadcast storm prevents me from making a phone call or managing the APs.

    Finally, at L3, my setup has one large IP subnet that is divided across the VLANs so that inter-VLAN routing (and firewalling) is necessary between most devices. You’d think this would cause the router to be a bottleneck, but it doesn’t seem too bad in practice, since traffic within a VLAN doesn’t hit the router at all, and traffic destined for the WAN already has to be routed anyway.

    On some VLANs, I will run dual-stack Legacy+IPv6, but I’m in the process of decommissioning Legacy IP where it’s not needed. Remarkably, even the IP phones don’t need Legacy IP anymore and run just fine on IPv6 with SLAAC address assignment.
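The inter-VLAN routing-and-firewalling idea from the reply above, applied to the four VLANs in the original post, as an added example (not anyone's real config): a small policy model with a default-deny forward chain rendered as an nftables ruleset. Interface names, the Base-to-Security allowance and the "reply traffic via conntrack" choice are assumptions; "device isolation" is an AP-side client-isolation setting and is not expressible here.

```python
"""Model of the inter-VLAN forwarding policy for the four-VLAN setup and an
nftables renderer for it (constructed example; interface names are assumed)."""

# Assumed router interface names for the four VLANs and the WAN uplink.
VLANS = {"base": "vlan10", "business": "vlan20", "isolated": "vlan30", "security": "vlan40"}
WAN = "wan0"

# Which zone may *initiate* new connections to which zone. Anything not listed
# is dropped by the chain's default policy; replies come back only through the
# conntrack "established,related" rule, never through a reverse allow rule.
POLICY = {
    "base":     {"wan", "business", "isolated", "security"},  # trusted; reaches cameras (assumed)
    "business": {"wan"},                                      # network isolation: uplink only
    "isolated": {"wan"},                                      # guests: uplink only
    "security": set(),                                        # cameras: no direct internet access
}

def is_allowed(src_zone, dst_zone):
    """True if a NEW connection from src_zone to dst_zone is permitted by POLICY."""
    return dst_zone in POLICY.get(src_zone, set())

def nft_ruleset():
    """Render POLICY as an nftables inet table whose forward chain drops by default."""
    iface = dict(VLANS, wan=WAN)
    lines = [
        "table inet vlan_policy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # replies for already-allowed flows
        "    ct state invalid drop",
    ]
    for src, dsts in POLICY.items():
        for dst in sorted(dsts):
            lines.append(f'    iifname "{iface[src]}" oifname "{iface[dst]}" ct state new accept')
    lines += ["  }", "}"]
    return "\n".join(lines)

def initiators_into(zone):
    """Zones allowed to open connections into `zone`; handy for auditing a VLAN's exposure."""
    return sorted(src for src, dsts in POLICY.items() if zone in dsts)

if __name__ == "__main__":
    print(nft_ruleset())
    print("can reach security VLAN:", initiators_into("security"))
```

Loading the output with `nft -f` on a Linux router would enforce the matrix; `initiators_into("security")` shows that only the trusted zone can ever open a connection toward the cameras.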