the_information_nexus/tech_docs/home_network.md
2024-05-01 12:28:44 -06:00

To provide a comprehensive turnkey solution for a power user's home network leveraging OPNsense with zero-trust principles, VLAN segmentation, and advanced WAN management, we'll break down the network architecture into a detailed plan. This plan includes VLAN allocation, device roles, and how traffic is managed across WAN links.

Network Overview:

- WAN Links:
  - WAN1 (Comcast): Primary internet connection, suitable for sensitive or work-related traffic. Limited by a data cap.
  - WAN2 (T-Mobile 5G): Secondary internet connection with unlimited data, but behind carrier-grade NAT (CGNAT), so it cannot accept inbound connections. Ideal for high-bandwidth or background tasks.
- VLANs & Segmentation:
  - VLAN 10 - Management: For network infrastructure devices (switches, APs, OPNsense management).
  - VLAN 20 - Work & Personal: For personal computers, workstations, and laptops.
  - VLAN 30 - IoT Devices: For smart home devices such as smart bulbs, thermostats, and speakers.
  - VLAN 40 - Entertainment: For streaming devices, gaming consoles, and smart TVs.
  - VLAN 50 - Guests: For guests' devices, providing internet access only and isolating them from local resources.
- Special Configurations:
  - 802.1X Authentication: Enabled on VLAN 20 so that only authenticated devices can join.
  - VPN & SOCKS5: Configured for selective routing of traffic from VLAN 20 and 40 through NordVPN or a SOCKS5 proxy.

Network Diagram:

```mermaid
graph LR
    Comcast(WAN1 - Comcast) -->|Primary| OPNsense
    TMobile(WAN2 - T-Mobile 5G) -->|Secondary| OPNsense
    OPNsense -->|Management VLAN10| SwitchAP[Switch & APs]
    OPNsense -->|Work/Personal VLAN20| PC[PCs/Laptops]
    OPNsense -->|IoT VLAN30| IoT[Smart Devices]
    OPNsense -->|Entertainment VLAN40| TV[Streaming/Consoles]
    OPNsense -->|Guest VLAN50| Guests[Guest Devices]
    PC -->|VPN/SOCKS5| Cloud[VPN & SOCKS5]
    TV -->|VPN| Cloud
```

Device Roles and Policies:

- Management (VLAN 10): Secure VLAN for managing networking equipment. Access restricted to network administrators.
- Work & Personal (VLAN 20): High-priority VLAN for workstations and personal devices. Protected by 802.1X authentication. Selected traffic routed through VPN or SOCKS5 for privacy or geo-restrictions.
- IoT Devices (VLAN 30): Isolated VLAN for IoT devices. Internet access allowed, but access to other VLANs blocked.
- Entertainment (VLAN 40): Dedicated VLAN for entertainment devices. Selected traffic can be routed through VPN for content access or privacy.
- Guests (VLAN 50): VLAN for guest devices, providing internet access only with no access to the internal network.

Policies:

- Traffic Shaping & QoS: Implemented on VLAN 20 and 40 to prioritize critical traffic (e.g., work-related applications, streaming).
- Intrusion Detection & Prevention: Enabled network-wide with tailored rules for the IoT and guest VLANs to prevent unauthorized access and mitigate threats.
- Multi-WAN Rules: IoT and guest traffic primarily routed through WAN2 (T-Mobile 5G) to conserve WAN1 (Comcast) bandwidth under the data cap.
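The device roles and policies above amount to a first-match, default-deny rule set per VLAN plus a gateway choice per flow. The following Python script is an added example (not OPNsense code and not part of the original plan) that models exactly that: each VLAN's ingress rules in order, an implicit block when nothing matches, the WAN1/WAN2/VPN gateway decision, and an audit of which VLAN pairs any ordinary host can reach. The /24 subnets, the admin workstation address, the "route via VPN" host alias, and all sample flows are constructed assumptions.

```python
"""Policy simulator for the segmented OPNsense design (added example, not OPNsense code).
Models first-match, default-deny rules on each VLAN's ingress interface plus the
multi-WAN / VPN gateway choice. Subnets, hosts and sample flows are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Assumed addressing: one /24 per VLAN, third octet = VLAN id.
VLANS = {"mgmt": ip_network("10.0.10.0/24"), "work": ip_network("10.0.20.0/24"),
         "iot": ip_network("10.0.30.0/24"), "ent": ip_network("10.0.40.0/24"),
         "guest": ip_network("10.0.50.0/24")}
ADMIN_HOSTS = frozenset({ip_address("10.0.20.10")})                          # assumed admin PC
VPN_HOSTS = frozenset({ip_address("10.0.20.60"), ip_address("10.0.40.12")})  # assumed VPN alias


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_vlan: str                            # ingress interface the rule lives on
    dst: str                                 # "internet" (non-local) or a VLAN name
    action: str                              # "pass" or "block"
    gateway: Optional[str] = None            # policy-routing gateway for pass rules
    dports: Optional[FrozenSet[int]] = None  # None = any port
    src_hosts: Optional[FrozenSet] = None    # None = whole VLAN


def vlan_of(addr: str) -> str:
    """Map an address to its VLAN name, or 'internet' if it is not local."""
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "internet"


# Ordered rule set; a flow that matches nothing is blocked (zero-trust default).
RULES = [
    # VLAN 20: only the admin workstation reaches the management plane, on SSH/HTTPS.
    Rule("work", "mgmt", "pass", dports=frozenset({22, 443}), src_hosts=ADMIN_HOSTS),
    # VLAN 20: hosts in the VPN alias egress via the VPN gateway, the rest via WAN1.
    Rule("work", "internet", "pass", gateway="VPN", src_hosts=VPN_HOSTS),
    Rule("work", "internet", "pass", gateway="WAN1"),
    # VLAN 30: internet only, pinned to WAN2 to spare the WAN1 data cap.
    Rule("iot", "internet", "pass", gateway="WAN2"),
    # VLAN 40: selected devices via VPN, the rest via the primary WAN (assumed).
    Rule("ent", "internet", "pass", gateway="VPN", src_hosts=VPN_HOSTS),
    Rule("ent", "internet", "pass", gateway="WAN1"),
    # VLAN 50: internet only via WAN2; no rule towards any local VLAN.
    Rule("guest", "internet", "pass", gateway="WAN2"),
]


def evaluate(flow: Flow, rules=RULES) -> Tuple[str, Optional[str]]:
    """First matching rule on the ingress VLAN wins; no match means block."""
    src_vlan, dst_zone = vlan_of(flow.src), vlan_of(flow.dst)
    src = ip_address(flow.src)
    for r in rules:
        if r.src_vlan != src_vlan or r.dst != dst_zone:
            continue
        if r.src_hosts is not None and src not in r.src_hosts:
            continue
        if r.dports is not None and flow.dport not in r.dports:
            continue
        return (r.action, r.gateway if r.action == "pass" else None)
    return ("block", None)


def inter_vlan_matrix(rules=RULES):
    """Audit helper: (src, dst) VLAN pairs an ordinary host can reach. Probes the
    .2 host of every VLAN on common ports; an empty set means only host-scoped
    exceptions such as ADMIN_HOSTS ever cross VLAN boundaries."""
    reachable = set()
    for s, snet in VLANS.items():
        for d, dnet in VLANS.items():
            if s == d:
                continue
            for port in (22, 80, 443, 8080):
                if evaluate(Flow(str(snet[2]), str(dnet[2]), port), rules)[0] == "pass":
                    reachable.add((s, d))
    return reachable


# Constructed sample flows; "internet" destinations use documentation addresses.
SAMPLE_FLOWS = {
    "admin ssh to switch":         Flow("10.0.20.10", "10.0.10.2", 22),
    "laptop https to switch":      Flow("10.0.20.55", "10.0.10.2", 443),
    "workstation browsing":        Flow("10.0.20.55", "198.51.100.4", 443),
    "vpn workstation browsing":    Flow("10.0.20.60", "198.51.100.4", 443),
    "iot bulb to laptop":          Flow("10.0.30.7", "10.0.20.55", 445),
    "iot bulb to cloud":           Flow("10.0.30.7", "203.0.113.9", 443),
    "tv via vpn":                  Flow("10.0.40.12", "203.0.113.9", 443),
    "guest to internet":           Flow("10.0.50.23", "198.51.100.4", 443),
    "guest to printer on vlan 20": Flow("10.0.50.23", "10.0.20.90", 9100),
}


def run_samples():
    """Evaluate every sample flow; returns {name: (action, gateway)}."""
    return {name: evaluate(f) for name, f in SAMPLE_FLOWS.items()}
```

Running `run_samples()` shows the IoT bulb and the guest device blocked from every local VLAN but passed to the internet on WAN2, the admin workstation alone reaching the switch, and VPN-alias hosts on VLAN 20 and 40 leaving via the VPN gateway; `inter_vlan_matrix()` returning an empty set is the check that the segmentation has no broad inter-VLAN pass rule. The same evaluation order (per-interface rules, first match, implicit block) is what OPNsense applies, so the script is a cheap way to review a rule design before typing it into the firewall.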

This plan provides a solid foundation for a secure, segmented home network, incorporating zero-trust principles and advanced routing to manage traffic across multiple WAN links effectively. It's customizable based on specific devices, user needs, and network policies, offering a starting point for a sophisticated home networking setup.