Firewall & VLAN
While the switches do hardware-offloaded L2 forwarding of packets, the core of the network is the firewall. It does the heavy lifting of routing and filtering packets between the VLANs and the internet. This page explains why I segment the network with VLANs and the choices behind it.
VLAN
I separate different types of hosts into virtual networks to control the traffic between them, for security reasons. IoT devices often run proprietary firmware with poor security. They therefore need to be contained so that they cannot phone home or reach the rest of the network. The same goes for guest devices (GST), which I have no control over. LAN is for my own devices.
MGT contains the management interfaces of servers and network devices. The largest attack surface is in MGT, since those hosts by nature must expose services so that I can reach and administer them. Instead of putting all my devices and services on LAN, my stance is that security for MGT must have depth and not depend on a single layer. Having a separate VLAN for MGT devices gives me much better control over access.
- LAN (VLAN 1): for trusted hosts like workstations, laptops and smartphones.
- GST (VLAN 2): for visiting people and their devices, with less trust.
- IoT (VLAN 3): for home automation, sensors, home appliances etc.
- DMZ (VLAN 4): for services and hosts exposed to the internet.
- MGT (VLAN 5): for servers and services.
VLAN Topology
Firewall
The OPNsense firewall does L3 routing and filters packets between the VLANs and the internet. The services it runs are DHCPv4/v6, Unbound DNS and NTP. The network and its hosts are dual-stacked: IPv6 ULA addresses are used for local services and routing, and a /56 GUA prefix from the ISP is delegated to each VLAN as a /64 block for internet connectivity.
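As an added example (not the page's own configuration or OPNsense code), the addressing plan above can be written down in a few lines: a ULA /48 built per RFC 4193 for local services, the ISP-delegated GUA /56, and one /64 carved from each per VLAN. The VLAN ID is used as the subnet index so the VLAN is readable straight from the prefix. The documentation prefix 2001:db8::/32 stands in for the ISP delegation and the fixed ULA global ID is a constructed value; both are assumptions.

```python
# Added example, not from the original page: derive one /64 per VLAN from
# an RFC 4193 ULA /48 and an ISP-delegated GUA /56, using the VLAN ID as
# the subnet index so the VLAN is readable straight from the prefix.
import ipaddress
import os
from typing import Dict, Optional

# VLAN names and IDs as laid out on the page.
VLANS: Dict[str, int] = {"LAN": 1, "GST": 2, "IoT": 3, "DMZ": 4, "MGT": 5}


def generate_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Build a ULA /48: fd00::/8 followed by a 40-bit global ID (RFC 4193).

    The global ID should be random so two sites never collide; it can be
    passed in explicitly to keep an existing prefix stable across runs.
    """
    if global_id is None:
        global_id = os.urandom(5)
    if len(global_id) != 5:
        raise ValueError("ULA global ID must be exactly 40 bits (5 bytes)")
    packed = bytes([0xFD]) + global_id + bytes(10)   # subnet ID and IID are zero
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 48))


def vlan_subnets(parent: ipaddress.IPv6Network,
                 vlans: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Carve one /64 per VLAN out of `parent`, with subnet index == VLAN ID."""
    if parent.prefixlen > 64:
        raise ValueError(f"{parent} is too small to hold /64 subnets")
    capacity = 1 << (64 - parent.prefixlen)            # number of /64s available
    nets: Dict[str, ipaddress.IPv6Network] = {}
    for name, vid in vlans.items():
        if not 0 <= vid < capacity:
            raise ValueError(f"VLAN {vid} does not fit in {parent} ({capacity} x /64)")
        # Place the /64 at offset vid: the fourth hextet of the address.
        base = int(parent.network_address) + (vid << 64)
        nets[name] = ipaddress.IPv6Network((base, 64))
    return nets


def address_plan(gua_prefix: str, ula_global_id_hex: str) -> Dict[str, Dict[str, str]]:
    """Per-VLAN plan as strings: ULA /64 for local services, GUA /64 for internet."""
    ula = generate_ula_prefix(bytes.fromhex(ula_global_id_hex))
    gua = ipaddress.IPv6Network(gua_prefix)
    ula_nets = vlan_subnets(ula, VLANS)
    gua_nets = vlan_subnets(gua, VLANS)
    return {name: {"ula": str(ula_nets[name]), "gua": str(gua_nets[name])}
            for name in VLANS}


if __name__ == "__main__":
    # Constructed inputs: 2001:db8::/32 stands in for the ISP delegation and
    # a fixed global ID keeps the ULA reproducible between runs.
    for vlan, nets in address_plan("2001:db8:100::/56", "0123456789").items():
        print(f"{vlan:4} ULA {nets['ula']:28} GUA {nets['gua']}")
```

Using the VLAN ID as the /64 index is a convention, not a requirement; it matches the prefix-ID field that OPNsense asks for when a VLAN interface tracks the WAN delegation, and it keeps firewall logs legible because the fourth hextet tells you the VLAN at a glance. A /56 only holds 256 such blocks, which is why the function checks the VLAN ID against the parent's capacity.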
I don't rely only on firewall rules: MAC addresses can be spoofed and IPs changed freely. If segmentation and access management are thought through and planned correctly, fewer firewall rules are needed. Being on LAN does not give direct access to any host on MGT, regardless of IP. Even on MGT, access is limited to some extent.
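As an added example (not the author's actual rule set), here is a small Python model of the default-deny stance across the five VLANs listed above: each host is mapped to a zone by the VLAN subnet it sits in, and only explicit allow rules pass traffic between zones. The IPv4 addressing (10.0.VID.0/24 with the firewall at .1), the sample flows and the allow list are constructed assumptions meant to illustrate the principle; what matters is which pairs are absent, such as LAN to MGT and IoT to anything else.

```python
# Added example, not the author's rule set: a default-deny inter-VLAN policy
# model. Addresses and allow rules are constructed to illustrate the stance.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed IPv4 plan: one /24 per VLAN, third octet == VLAN ID; the firewall
# holds .1 in each. Anything outside these nets is treated as the internet.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.1.0/24"),
    "GST": ipaddress.ip_network("10.0.2.0/24"),
    "IoT": ipaddress.ip_network("10.0.3.0/24"),
    "DMZ": ipaddress.ip_network("10.0.4.0/24"),
    "MGT": ipaddress.ip_network("10.0.5.0/24"),
}
FIREWALL_ADDRS = {net.network_address + 1 for net in ZONES.values()}
INTERNAL = frozenset(ZONES)


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]                    # source zones
    dst: str                               # destination zone, "FW" (the firewall) or "WAN"
    dports: FrozenSet[int] = frozenset()   # empty == any destination port
    proto: str = "any"


# Illustrative allow list (an assumption; the page does not publish its rules).
# Everything not listed is dropped, so the interesting part is what is absent:
# nothing from LAN or GST to MGT, nothing from IoT to other VLANs, and no
# IoT -> WAN so devices cannot phone home.
ALLOW: List[Rule] = [
    Rule(INTERNAL, "FW", frozenset({53, 123}), "udp"),            # Unbound DNS and NTP on the firewall
    Rule(frozenset({"LAN", "GST", "DMZ"}), "WAN"),
    Rule(frozenset({"LAN"}), "DMZ", frozenset({443}), "tcp"),
    Rule(frozenset({"LAN"}), "IoT", frozenset({80, 443}), "tcp"),  # reach device web UIs, never the reverse
]


def zone_of(ip: str) -> str:
    """Map an address to its zone purely by subnet membership."""
    addr = ipaddress.ip_address(ip)
    if addr in FIREWALL_ADDRS:
        return "FW"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """True if the flow is permitted. Same-VLAN traffic never reaches the
    firewall (the switch forwards it at L2), so it is reported as allowed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    for rule in ALLOW:
        if src not in rule.src or rule.dst != dst:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        return True
    return False   # default deny


def allowed_pairs() -> FrozenSet[Tuple[str, str]]:
    """Every (src zone, dst zone) pair that has any allow rule at all: a quick
    audit of the matrix before the rules go onto the real firewall."""
    return frozenset((s, r.dst) for r in ALLOW for s in r.src)


if __name__ == "__main__":
    samples = [
        ("10.0.1.20", "10.0.5.10", 22, "tcp"),        # LAN -> MGT SSH: denied
        ("10.0.3.7", "198.51.100.9", 443, "tcp"),     # IoT -> internet: denied
        ("10.0.1.20", "10.0.3.7", 443, "tcp"),        # LAN -> IoT web UI: allowed
        ("10.0.3.7", "10.0.1.20", 443, "tcp"),        # IoT -> LAN: denied
        ("10.0.2.5", "10.0.2.1", 53, "udp"),          # GST -> firewall DNS: allowed
    ]
    for s, d, p, pr in samples:
        verdict = "allow" if evaluate(s, d, p, pr) else "deny"
        print(f"{zone_of(s):3} -> {zone_of(d):3} {pr}/{p}: {verdict}")
```

The model deliberately keys on subnets rather than individual addresses: a LAN host that changes its IP still lands in the LAN zone, so it still has no path to MGT, which is the point made above about not trusting MAC or IP identity. `allowed_pairs()` is the kind of check worth running on a rule export before deployment, since a single stray allow from LAN to MGT would undo the segmentation.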