medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add docs/tech_docs/home_network.md

Browse Source
This commit is contained in:
medusa
2024-03-27 08:15:18 +00:00
parent 5d3fa2af8a
commit 4e92e67168
1 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
docs/tech_docs/home_network.md Normal file
View File

@@ -0,0 +1,49 @@
To provide a comprehensive turnkey solution for a power user's home network leveraging OPNsense with zero-trust principles, VLAN segmentation, and advanced WAN management, we'll break down the network architecture into a detailed plan. This plan includes VLAN allocation, device roles, and how traffic is managed across WAN links.
### Network Overview:
- **WAN Links**:
- **WAN1 (Comcast)**: Primary internet connection, suitable for sensitive or work-related traffic. Limited by a data cap.
- **WAN2 (T-Mobile 5G)**: Secondary internet connection, unlimited data but CGNAT. Ideal for high-bandwidth or background tasks.
- **VLANs & Segmentation**:
- **VLAN 10 - Management**: For network infrastructure devices (switches, APs, OPNsense management).
- **VLAN 20 - Work & Personal**: For personal computers, workstations, and laptops.
- **VLAN 30 - IoT Devices**: For smart home devices, like smart bulbs, thermostats, and speakers.
- **VLAN 40 - Entertainment**: For streaming devices, gaming consoles, and smart TVs.
- **VLAN 50 - Guests**: For guests' devices, providing internet access with isolated access to local resources.
- **Special Configurations**:
- **802.1x Authentication**: Enabled on VLAN 20 for secure access.
- **VPN & SOCKS5**: Configured for selective routing of traffic from VLAN 20 and 40 through NordVPN or a SOCKS5 proxy.
### Network Diagram:
```mermaid
graph LR
Comcast(WAN1 - Comcast) -->|Primary| OPNsense
TMobile(WAN2 - T-Mobile 5G) -->|Secondary| OPNsense
OPNsense -->|Management VLAN10| SwitchAP[Switch & APs]
OPNsense -->|Work/Personal VLAN20| PC[PCs/Laptops]
OPNsense -->|IoT VLAN30| IoT[Smart Devices]
OPNsense -->|Entertainment VLAN40| TV[Streaming/Consoles]
OPNsense -->|Guest VLAN50| Guests[Guest Devices]
PC -->|VPN/SOCKS5| Cloud[VPN & SOCKS5]
TV -->|VPN| Cloud
```
### Device Roles and Policies:
- **Management (VLAN 10)**: Secure VLAN for managing networking equipment. Access restricted to network administrators.
- **Work & Personal (VLAN 20)**: High-priority VLAN for workstations and personal devices. Protected by 802.1x authentication. Selected traffic routed through VPN or SOCKS5 for privacy or geo-restrictions.
- **IoT Devices (VLAN 30)**: Isolated VLAN for IoT devices to enhance security. Internet access allowed, but access to other VLANs restricted.
- **Entertainment (VLAN 40)**: Dedicated VLAN for entertainment devices. Selected traffic can be routed through VPN for content access or privacy.
- **Guests (VLAN 50)**: VLAN for guest devices, providing internet access only with no access to the internal network.
### Policies:
- **Traffic Shaping & QoS**: Implemented on VLAN 20 and 40 to prioritize critical traffic (e.g., work-related applications, streaming).
- **Intrusion Detection & Prevention**: Enabled network-wide with tailored rules for IoT and guest VLANs to prevent unauthorized access and mitigate threats.
- **Multi-WAN Rules**: IoT and guest traffic primarily routed through WAN2 (T-Mobile 5G) to conserve WAN1 (Comcast) bandwidth under the data cap.
This plan provides a solid foundation for a secure, segmented home network, incorporating zero-trust principles and advanced routing to manage traffic across multiple WAN links effectively. It's customizable based on specific devices, user needs, and network policies, offering a starting point for a sophisticated home networking setup.