
Network Segmentation

To enhance home network security and streamline network management, I have implemented a segmentation strategy by creating four distinct VLANs: one for services, one for management, one for homelab and one for guest networks.

I am using a router-on-a-stick configuration for my network, given that I have a managed switch and a router. This setup allows me to implement and manage firewall rules on each VLAN interface, enhancing overall network security.

Services VLAN:

  • Purpose: Dedicated to devices and services such as servers, printers, databases, and other essential infrastructure.

  • Firewall rules:

    • Deny or limit access from the Services VLAN to the Management VLAN.

    • Allow only HTTP/HTTPS traffic to the internet.

    • Log traffic for auditing and troubleshooting.

Management VLAN:

  • Purpose: Dedicated to managing network devices, such as routers, switches, and access points.

  • Firewall rules:

    • Allow access only from specific IP addresses or networks that need to manage the equipment.

    • Deny access from non-administrative VLANs to the Management VLAN.

    • Allow protocols like SSH, SNMP, or HTTPS for management purposes.

    • Ensure that all access attempts are logged for security and auditing purposes.

Homelab VLAN:

  • Purpose: A dedicated home lab network to explore and experiment with services such as AD DC, SIEM, and IPS/IDS.

  • Firewall rules:

    • Block access from other VLANs, except from specific IP addresses in the Management VLAN.

    • Allow specific external accesses for services like SIEM or IDS/IPS.

Guest VLAN:

  • Purpose: Provides network access to guests or visitors without giving them access to my primary network.

  • Firewall rules:

    • Block traffic from the Guest VLAN to RFC1918 addresses.

    • Allow only HTTP/HTTPS to the internet.
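
The rule lists above only hold if rule order and destinations are chosen carefully. The following is an added example, not part of the original page: it models first-match evaluation on each VLAN's ingress interface (an assumption about how the firewall applies rules) and checks that "HTTP/HTTPS to the internet" does not also reach internal subnets. The subnets, rule tuples and probe addresses are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing plan (assumption: the page does not list subnets).
MGMT = ip.ip_network("10.0.20.0/24")
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip.ip_network("0.0.0.0/0")]
WEB = {80, 443}

# A rule is (action, destination networks, destination ports or None for any port).
GUEST_OK = [("block", RFC1918, None), ("pass", ANY, WEB)]
# Same two rules, but the pass rule is evaluated first.
GUEST_MISORDERED = [("pass", ANY, WEB), ("block", RFC1918, None)]
# Services rules read literally: only the Management VLAN is blocked before the pass.
SERVICES_AS_LISTED = [("block", [MGMT], None), ("pass", ANY, WEB)]

def evaluate(rules, dst, port):
    """First matching rule wins; anything unmatched hits the default deny."""
    addr = ip.ip_address(dst)
    for action, nets, ports in rules:
        if any(addr in net for net in nets) and (ports is None or port in ports):
            return action
    return "block"

# Constructed probes: (description, destination, port, action the policy intends).
PROBES = [
    ("public HTTPS", "203.0.113.10", 443, "pass"),
    ("public SSH", "203.0.113.10", 22, "block"),
    ("management web UI", "10.0.20.1", 443, "block"),
    ("homelab host", "10.0.30.10", 80, "block"),
]

def audit(rules, probes=PROBES):
    """Return the probes whose outcome differs from the policy intent."""
    return [desc for desc, dst, port, want in probes
            if evaluate(rules, dst, port) != want]

if __name__ == "__main__":
    for name, rules in [("guest, block first", GUEST_OK),
                        ("guest, pass first", GUEST_MISORDERED),
                        ("services as listed", SERVICES_AS_LISTED)]:
        print(f"{name}: violations = {audit(rules)}")
```

In this model, a pass rule with destination "any" placed above the RFC1918 block exposes internal web interfaces to guests, and the Services rules need a block covering the other internal subnets (not just Management) for the Homelab VLAN's "block access from other VLANs" intent to hold.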


Last updated 9 months ago