Spirch
Member Candidate
Topic Author
Posts: 116
Joined: Sat May 03, 2014 5:04 am

securing a current home network

Mon Jan 13, 2020 5:18 am

I have this diagram working as of now; I would like to add some restrictions / security to it.

The cAP ac is connected by LAN to the hAP ac^2; the hAP handles all DHCP requests.

I have a bridge in the hAP for all ports except the WAN; that bridge has hardware offloading ON because of the NAS.

Because of the hardware offloading, everything has access to everything (I can't use the firewall).

I would like to make sure the work laptop can't see the camera and the NAS.

I would like to block one VM from seeing the camera and the NAS, keeping the other one's access to them.

The main computer and both VMs use the same interface on the hAP.

The laptop is connected via wifi; everything else uses cable.

So what can I use to make this work? Could VLANs work? If yes, how do I handle different VLANs on the same interface (main PC and both VMs)?
diag.PNG
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: securing a current home network

Mon Jan 13, 2020 9:48 am

Hey. For traffic control between devices, use firewall filter with drop rules filtered by source addresses. To launch traffic of different networks via a single interface, use a switch before the hAP ac2, or VLANs on the machines to start tagged traffic from the PC and VMs and strip the tags on the hAP ac2.
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: securing a current home network

Mon Jan 13, 2020 5:09 pm

Hi!
Here is what I would do looking at your diagram

- Configure 2 VLANs (e.g. VLAN 10 for "internal" and VLAN 11 for "cameras") and 2 network subnets, one for each VLAN (e.g. 192.168.0.0/24 and 192.168.1.0/24), in the hAP ac2
- optional - configure 2 DHCP servers for these VLANs, or only for VLAN 10 if you assign static addresses to the cameras


- CAP AC ports:
a) ETH2 - to camera poe switch - access mode, vlan 11
b) ETH1 - trunk mode, vlans 10 and 11
c) ALL wifi SSIDs - vlan 10

HAP AC2:
- 2 bridge vlans with IPs
- physical ports:
a) to CAP AC - trunk mode, both vlans
b) to main PC, NAS, IPTV - access vlan 10
c) any SSID - vlan 10

Basically all your home will be in VLAN 10 with only the cameras in vlan 11. From here it is very simple to create firewall rules in the HAP AC2 to filter between the subnets and allow only the traffic you need.
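
The hAP ac2 side of the plan above, together with the source-address drop rule suggested earlier in the thread, sketched as RouterOS v6 commands. This is an added example, not part of any post in this thread; the names bridge1 and ether1 to ether5, the port assignment and the laptop address 192.168.0.50 are assumptions, and it is written for ports that are not yet in a bridge.

```routeros
# Added example (RouterOS v6 syntax), hAP ac2 side only.
# Assumed layout: ether1 = WAN, ether2 = trunk to cAP ac,
# ether3-ether5 = main PC / NAS / IPTV. bridge1 is an assumed name.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
# VLAN 10 = internal, VLAN 11 = cameras. The bridge itself is a tagged
# member so the router's own vlan interfaces receive both VLANs.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3,ether4,ether5
add bridge=bridge1 vlan-ids=11 tagged=bridge1,ether2
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan11 interface=bridge1 vlan-id=11
/ip address
add address=192.168.0.1/24 interface=vlan10
add address=192.168.1.1/24 interface=vlan11
# Inter-VLAN policy. Order matters: the first matching rule wins.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
# 192.168.0.50 is a placeholder for the work laptop's fixed address.
add chain=forward action=drop src-address=192.168.0.50 dst-address=192.168.1.0/24 comment="work laptop may not reach cameras"
add chain=forward action=accept in-interface=vlan10 out-interface=vlan11 comment="internal may reach cameras"
add chain=forward action=drop in-interface=vlan11 out-interface=vlan10 comment="cameras may not open connections to internal"
# Turn filtering on last, from a port that stays reachable, to avoid lockout.
/interface bridge set bridge1 vlan-filtering=yes
```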
Spirch
Member Candidate
Topic Author
Posts: 116
Joined: Sat May 03, 2014 5:04 am

Re: securing a current home network

Tue Jan 14, 2020 2:04 am

Thanks, I will see if I can manage to do that. I never used VLANs before, so it's a good opportunity to learn.

Just to be 100% sure: VLANs in the firewall work with hardware offloading, right?
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: securing a current home network

Tue Jan 14, 2020 12:39 pm

You can try adding the Ethernet interface you want, add a VLAN to this interface, and see whether hardware offloading is there or not.
mkx
Forum Guru
Posts: 10133
Joined: Thu Mar 03, 2016 10:23 pm

Re: securing a current home network

Tue Jan 14, 2020 3:54 pm

Firewall is never HW offloaded. Intra-VLAN switching/bridging can be HW offloaded if device supports this particular way of configuring it ... hAP ac2 doesn't.