Home Network segmentation with EdgeRouter

By | December 27, 2017

Asus will no longer be updating the codebase for the software that runs my trusty RT-AC66U wifi router. So, what started out as a project to replace the router with an updated model has evolved into a complete revamp of my home network model. Criteria for the new network included the ability to segment and secure the network for home devices, guest wifi and Internet of Things (IoT) devices. I have met the criteria with Ubiquiti EdgeRouter X and UniFi.

I chose two products from Ubiquiti Networks as the core of my revised home network based, in part, on a glowing recommendation by security researcher Steve Gibson at Gibson Research Corporation. There is a fantastic HOWTO written by Mike Potts that is available at his GitHub page here that I used as a reference document. Useful if you choose to design your network with Ubiquiti network products.

Fiber to my home is terminated at the Bell Home Hub 3000 (HH3000) which provides services for Internet and Bell Fibe TV (refer to my updated post on the configuration of the Bell Home Hub 3000 here). All wifi is disabled on the HH3000 except of the hidden 5GHz wifi network that is required for Fibe TV. The Ubiquiti products used in the new design are:

As a refresher, the HH3000 does not support a bridge mode. Rather, it does offer a DMZ configuration. However, in my testing I have found the DMZ setup to be unreliable. Generally, the HH3000 is not the among the best hardware out there. I have reduced the HH3000 down to being a termination point for the fiber circuit provided by Bell. The WAN port of the EdgeRouter is connected to an ethernet port on the HH3000 and the EdgeRouter connects via a pppoe interface. The HH3000 does provide pppoe pass-through without any special configuration.

I have seen some posts where they say that in order for pppoe pass-through to work that you have to setup VLAN tagging (VLAN 35) on the router that makes the call (the EdgeRouter in my case). This is not correct. VLAN tagging is not required. The VLAN tagging required for the Bell head is handled by the HH3000.

My network is segmented into IoT, Guest and HOME LAN networks. The IoT network hosts Phillips Hue devices, Nest thermostat, NestProtect smoke alarm, various smart switches, voice assistants and cameras. Firewall rules isolate the IoT network from my HOME network, however, hosts on the HOME network can reach devices on the IoT network (i.e. IoT hosts cannot initiate connectivity to hosts on the HOME network). The Guest network is setup in a similar manner, with similar firewall rules, except that bandwidth is limited to 50Mbps.

I have not moved my Apple TV and Google Chromecast devices to the IoT network. I have been able to get these devices working across subnets. My understanding is that the EdgeRouter and/or the UniFi must support multicast across subnets. However, I have been unable to get this working. It’s still a work in progress

The HOME network hosts all of the family smart phones, iPads, computers and related devices such as Apple watches. Some devices are hardwired via ethernet to the LAN ports on the EdgeRouter or to the TP-Link L3 switch. The network is logically separated via VLAN’s and therefore I need all of my network hardware to be Layer-3 aware.

There is one physical computer that is hidden away in a closet that hosts my Docker containers:

  • Ubiquiti UniFi controller (management for the UniFi AP)
  • CouchPotato
  • PlexMedia Server
  • Transmission BitTorrent
  • Home Assistant
  • Rsyslog (consolidated syslog for the various hosts)

The other ‘server’ host is a Raspberry Pi 3 with an external SSD drive connected. I use Netatalk to provide AFP file services for my various Mac computers. Each computer is setup save its Time Machine backup to the Netatalk Raspberry Pi host.

DNS

Quad9 is not among the fastest available here in Toronto, Canada (cached response 0.014ms). OpenDNS still has the fastest response time. The reason may be due to infrastructure points-of-presence still being rolled out globally. I expect that the response times will improve over time. I have chosen OpenDNS as my primary DNS and Quad9 as secondary. My firewall rules force all DNS queries on the Guest and IoT networks to Google DNS (cached response 0.004ms). There is no advantage that I can think of for using different DNS on my HOME and other networks. I just like the idea of them being separate 🙂

DHCP

Individual DHCP services are defined for each network segment (HOME, Guest & IoT). All DHCP servers are authoritative.

Firewall

The default action for packets entering the EdgeRouter from the Internet is to drop the packet if the packet does not match any of the defined firewall rules. Packets with a state of ‘established’ or ‘related’ will be accepted. Thus, the only way a packet will be accepted is if the connection was initiated within the HOME, Guest or IoT networks. Likewise, packets entering the home network from the IoT or guest networks will be dropped unless their state is ‘established’ or ‘related’. Hosts on the home network can initiate connections with hosts on the IoT network. Hosts on the IoT and Guest networks cannot establish connections to hosts on the Home network.

Conclusion

Next step for this network would be to figure out how to get multicast services across subnets working for Google Chromecast. Likewise Apple Airplay for the Apple TV boxes. That way, I will be able to move the remaining devices to the IoT network.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.