Switching & Routing (Part 1)


UniFi USG & Google Home WiFi

So I work from home. Nice, right? Great and all, but I’m a firm believer in keeping work and home life separate. That’s difficult when you’re sat on a typical home broadband router with a single WiFi access point.

We exist in an ever-changing threat environment. As a typical tech user I’ve got friends who visit my home and know my WiFi password, and I’ve got IoT devices running inside my home network: Alexa, Google Home, Firestick, TVs and printers. Any of these could have a vulnerability (of course they get patched as per the manufacturer’s recommendations, but that is the only assurance I have).

How comfortable are you writing code for an organisation while working in this way? Though I trust myself enough not to do silly things on my network, how can I expect that of anyone who visits? The same goes for what runs on my work laptop: is it going to include a product that scans my home network? I trust my business, sure, but I’m subject to their IT security policies.

Finding a way to keep both sides of the fence happy can be tricky. I know that work would appreciate it if I segmented their equipment away from my home LAN, and I’d be happier knowing the data on my home network is protected from their equipment too.

In the past I’ve run networking for a small business, and I know that logical separation of concerns is not only a programming principle but a networking one too. VLANs seem the most appropriate tool here: segmenting devices into a Guest network, a Home LAN and a Work LAN, with inter-VLAN firewall rules protecting the assets on either side of the fence, looks like a good approach for this scenario.
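To make the segmentation concrete, here is an added example (not the author’s configuration, which is covered in Part 2) of EdgeOS-style commands for a USG that carve a tagged Work VLAN off the LAN port and stop it and the Home LAN from opening connections to each other while both still reach the internet. The port name eth1, VLAN ID 20, the 192.168.1.0/24 Home and 192.168.20.0/24 Work ranges and the rule names are all assumptions chosen for the example.

```vyatta
# Added example, not the author's config. Assumptions: eth1 is the LAN port
# carrying the untagged Home LAN on 192.168.1.0/24; VLAN 20 and
# 192.168.20.0/24 are picked here for the Work segment.

configure

# Private address space as one group, so "drop anything RFC1918" catches
# every local segment (Home, Work, the guest range) without listing each.
set firewall group network-group RFC1918 description 'Private address space'
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Tagged Work VLAN on the LAN port, with its own DHCP scope.
set interfaces ethernet eth1 vif 20 description 'Work'
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set service dhcp-server shared-network-name Work subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name Work subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name Work subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200

# Ruleset for traffic entering the router FROM the Work VLAN:
#  10: replies to sessions that began elsewhere are allowed
#  20: new connections to any private range are dropped (and logged)
#  default: everything else, i.e. the internet, is allowed
set firewall name WORK_IN description 'Work VLAN to elsewhere'
set firewall name WORK_IN default-action accept
set firewall name WORK_IN rule 10 description 'Allow return traffic'
set firewall name WORK_IN rule 10 action accept
set firewall name WORK_IN rule 10 state established enable
set firewall name WORK_IN rule 10 state related enable
set firewall name WORK_IN rule 20 description 'No new connections into other local segments'
set firewall name WORK_IN rule 20 action drop
set firewall name WORK_IN rule 20 destination group network-group RFC1918
set firewall name WORK_IN rule 20 log enable
set interfaces ethernet eth1 vif 20 firewall in name WORK_IN

# Same shape on the Home LAN so the fence holds in both directions.
set firewall name HOME_IN description 'Home LAN to Work VLAN'
set firewall name HOME_IN default-action accept
set firewall name HOME_IN rule 10 action accept
set firewall name HOME_IN rule 10 state established enable
set firewall name HOME_IN rule 10 state related enable
set firewall name HOME_IN rule 20 action drop
set firewall name HOME_IN rule 20 destination address 192.168.20.0/24
set interfaces ethernet eth1 firewall in name HOME_IN

commit
save
exit
```

Two things worth checking before relying on this. First, an `in` ruleset only governs traffic the router forwards; traffic addressed to the USG itself (DHCP and DNS from the Work VLAN to 192.168.20.1) goes through the `local` ruleset, so the RFC1918 drop does not cut clients off from their own gateway. Second, on a USG managed by the UniFi Controller, anything typed at the console is overwritten the next time the controller provisions the device; the durable way to carry the same settings is to express them in the controller’s config.gateway.json. A quick test is a `ping` or port scan from a Work host to a Home address (should time out and show up in the log for rule 20) and then to an internet address (should succeed).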

How to achieve such a goal? The first port of call is to move away from the stock equipment supplied by broadband providers; a quick Google search shows why you should consider doing this anyway. Beyond that, for a reasonable price you can pick up older hardware and build a home-brew firewall with something like pfSense (my original approach to this issue). However, I like being inside support, and my livelihood relies on a stable network connection, not just for work but to keep my partner connected while I’m away.

I’ve been running Ubiquiti’s USG, a small dedicated firewall appliance that sits at the edge of my network. My line runs at 200Mbps down and 20Mbps up, and this firewall has easily kept pace with all of that.

A few other pieces of equipment are required when exploring the Ubiquiti line-up; most notably, the USG has no WiFi capability at all. I’m never a fan of a single appliance performing too many roles at once, and before buying it I already had my Google Home WiFi, which provides a ready-made guest network hanging off the WAN2 port of the USG, with its own settings to ensure guests are isolated in their own network. That takes care of the first network segment, and it all fits inside a tiny package.

One thing to be mindful of is that the USG needs a UniFi Controller to track, configure and deploy it (or multiple USGs across different networks). You can either buy a dedicated controller appliance from Ubiquiti at additional cost, or run the free controller software yourself on a dedicated device such as a home server.

I’ve got to give Ubiquiti credit: their software is easy to get on with for a new user. The USG itself offers console access for advanced configuration, but for the less console-happy user the Controller software makes deploying configurations and upgrades really easy.

I’ll cover more of that in Part 2.

Author: Joey

.NET Software Developer from the UK that built this site to publish some of my thoughts on homelabbing and software development
