So let’s just reflect which different workloads we normaly have in our home network.
- access to data located on local systems
- access to data in the internet
Then we have human initiated data transfers and device initiated data transfers (SmartHome, IoT, Multimedia Streaming, …). looking at the persons which use my Internet connection there are two groups: my family and guests.
The main questions are now:
- do I trust the devices located in my network ?
- do I trust the different groups ?
If you feel uncomfortable with the answers to these questions this is the time to think about separating the devices.
The good news is that Linux is able to separate network traffic into different virtual networks. Routers like Turris Omnia or other OpenWrt/LEDE based systems also provide you a quite simple access to the configuration via the LUCI Web-Interface.
So what is a good starting point for network separation?
I would propose to have at least three different networks:
- LAN: All devices which you trust and which OS you control.
- DMZ: All SmartHome, IoT and Multimedia (TV, Receiver, Internet Radio, Consoles, …) devices.
- GUEST: Network for your guests.
The router itself will be part of all three networks and will be able to route between them. Let us assume for the time being that it will be set up in a way that the firewall will completely separate the networks. Using masquerading (NAT) the three networks will then be able to access the internet.
Now let us have a look at the configuration of an OpenWrt based router – especially of the Turris Omnia.
The Turris Omnia has got a network switch integrated into its Marvel ARMADA® Embedded SoC. This network switch is able of using VLANs.
cat /proc/cpuinfo | grep Hardware Hardware : Marvell Armada 380/385 (Device Tree)
Let’s have a look at the configuration of the switch. In the default configuration the switch will already have two VLANs configured. The VLAN ID 1 is used for the internal network called LAN and the VLAN ID 2 is used for the connection to your internet provider / the internet modem and is called WAN.
In LUCI you will find the configuration in the Menu: Network -> Switch:
You can see that Port 0 – 3 are all part of a network using VLAN ID 1. The VLAN ID 1 is given to that ports in untagged mode, so if you plug a network cable into that port the device will be able to connect to that network without configuring a VLAN ID inside the OS.
Port 6 is associated to VLAN ID 2 and can be connected to the internet modem.
To be continued …