Last Updated on October 16, 2022 by Thiago Crepaldi
A typical home network is a single flat network: if any one of your devices is compromised or infected with malware, the attacker may be able to spread malware to, or compromise, all of your other devices.
You can better protect your home network by separating it into sub-networks (aka subnets). Devices in one subnet do not have access to another subnet, so the impact of a compromised device is limited to its own subnet.
There are many ways to subnet your network. In this post we focus on segregating your network through Wi-Fi VLANs, which requires pfSense, a managed switch (Unifi USW-24-PoE in my case) and an Access Point (Unifi AP FlexHD). For our example, we will use three different Wi-Fi networks (Home, Guest and Obfuscated). While Home, Guest and Obfuscated all have Internet access, none of them will be able to see each other. Obfuscated will use a VPN client connection as its gateway, so its traffic is encrypted from the rest of the world. We will also discuss a hypothetical IoT network you could create that has Internet access but no access to Home, or, the other way around, access to Home but no Internet access. It really depends on your use case/creativity.
Requirements
- pfSense as main router
- 1 LAN physical port connected to the USW-24-PoE
- 1 WAN physical port connected to the ISP
- (optional) VPN client connection for Obfuscated Wi-Fi network
- Unifi switch, such as USW-24-POE
- Unifi AP connected to the Unifi switch
- Home, Guest and/or Obfuscated Wi-Fi networks
Set up Wi-Fi VLAN subnets on Unifi switch
The first step is to configure a VLAN for each of your Wi-Fi networks. I am assuming you wish to modify your existing wireless networks (Guest and, optionally, Obfuscated), but creating new Wi-Fi networks is equally simple. Connect to a different network (such as Wi-Fi Home or a wired connection) than the Wi-Fi you will modify (aka Guest), otherwise you will have connectivity issues during the process.
I recommend using a VLAN ID between 2 and 254, so that the VLAN ID can be reused as the third octet of the IP address. For example, given that the VLANs will be created under the 10.20.0.0/24 network, VLAN ID 100 can use 10.20.100.0/24 as its VLAN network, which helps identify connections in future analysis.
Go to Settings >> Networks page and click on Add a new network:
- Name: VLAN_100
- Advanced:
  - VLAN ID: 100
Click Apply changes. Next step is associating the Guest Wi-Fi network to this newly created network.
Go to Settings >> Wi-Fi page and click on Edit to modify your existing Guest Wi-Fi:
- Network: Select VLAN_100
Click Apply changes. This causes temporary connectivity issues on this Wi-Fi network. We need to set up pfSense to work with the new VLAN before things start to work again.
Set up Wi-Fi VLAN subnets on pfSense
Here we need to create an interface for each Wi-Fi VLAN on that same physical interface of your LAN. Follow this post using the following network information as reference:
- LAN Address: 10.20.0.1/24
- VLAN ID: 100
- DHCP Range: 10.20.0.100-10.20.100.199
- NTP/DNS server: 10.20.100.1
- Domain name: lan.domain.com
At this point, you have an operational Guest Wi-Fi over VLAN 100, but the firewall rules created are too permissive, specifically the last one called “Default allow all rule”. Go to Firewall >> Rules >> VLAN100, delete that rule and add a new one that allows Internet-only access by clicking on Add (add to the bottom):
- Edit Firewall Rule
  - Action: Pass
  - Interface: VLAN100
  - Address Family: IPv4
  - Protocol: Any
- Source
  - Source: VLAN100
- Destination
  - Invert match: checked
  - Destination: Single host or alias
  - Destination address: RFC1918 or Private_IPv4s
- Extra Options
  - Description: Default allow Internet-only rule
Finish by clicking on Save and Apply changes. Now your Guest Wi-Fi network has Internet-only access and cannot reach the Home Wi-Fi network: the two are in different broadcast domains, and the firewall rule only allows connections whose destination is not a LAN (private) address.
If you followed my previous post protecting your network DNS using pfSense, you also need to duplicate the NAT rules (at Firewall >> NAT >> Port forward) from the main LAN which involves port 53.
VLANs and beyond…
After following this long post, you were able to create a new Guest subnet on your Wi-Fi using VLANs, completely isolated from the Home Wi-Fi and the wired network. Let’s just be honest, there are easier ways to apply guest policies using the Unifi controller only, without pfSense and/or VLANs, but we like the coolest way, not the easiest 🙂
Using VPN client connection as gateway
One of the reasons I wrote this post was to show how to use these concepts and techniques to create an Obfuscated Wi-Fi network that not only has no access to my Home LAN, but also uses a VPN connection as its default gateway. The Obfuscated Wi-Fi network runs side by side with the regular Wi-Fi networks (Home and Guest), but it is isolated from them and completely anonymous. This approach is powerful, as I can select which traffic should be protected (and potentially slower due to VPN bandwidth limitations) and when to use the faster ISP connection on the other Wi-Fi networks.
To implement Obfuscated, repeat the previous steps: create a new Wi-Fi network on your Unifi controller, set its VLAN ID, and on your pfSense create a VLAN interface and configure its DHCP server, DNS, NAT and firewall rules. Test Internet connectivity before making the changes that set the VPN client connection as gateway and/or add restrictions.
The difference between Obfuscated and the Home and Guest Wi-Fi networks is that Obfuscated uses a VPN client connection as its gateway (aka Internet connection). To do so, on your pfSense, go to Firewall >> Rules and press Edit on the Default allow Internet-only rule:
- Extra Options
  - Advanced Options
    - Display Advanced
      - Gateway: Select your VPN client connection, or your VPN gateway group if you have multiple VPN client connections for failover/load balancing
Press Save and Apply changes and you are ready to go.
Isolating IoT
We all have IoT gadgets that are rarely updated, posing an enormous threat to your home network even if your routers, switches, laptops, phones and tablets are up to date. They can be categorized in 2 types:
1. IoT devices that need Internet to function, but do not interact with your network
   - Examples are Google Home and smart devices such as fridges, locks, etc.
2. IoT devices that do not need Internet, but need to be available on your network
   - Examples are surveillance cameras. They are usually accessed from your home Wi-Fi for recording, but you don’t want them sending your life outside.
Isolating IoT from your home
For 1), it is best to simply allow the IoT devices to connect to the Internet and do their thing, but isolate them from your home.
This is exactly what we have already done for Guest, so just repeat the previous steps for the IoT network and you are done!
Isolating IoT from Internet
For 2), on the other hand, we can use VLAN ID 500: start by repeating the previous steps for the IoT network, then modify the firewall rule to allow LAN connections only.
On your pfSense, go to Firewall >> Rules and press Edit on the Default allow Internet-only rule:
- Edit Firewall Rule
  - Action: Pass
  - Interface: VLAN500
  - Address Family: IPv4
  - Protocol: Any
- Source
  - Source: VLAN500
- Destination
  - Invert match: unchecked
  - Destination: Single host or alias
  - Destination address: RFC1918 or Private_IPv4s
- Extra Options
  - Description: Default allow LAN-only rule
Press Save and Apply changes to complete.
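To check the three rule sets of this post (Guest Internet-only, Obfuscated via VPN gateway, IoT LAN-only) against concrete destinations before applying them, here is a small policy model. It is an added example, not pfSense code or the author's configuration; it reproduces pfSense's first-match evaluation, the "Invert match" semantics on the RFC1918 alias and the implicit default deny. "VLAN200" and "VPN_GW" are assumed names for the Obfuscated network and its VPN gateway, which the post does not number.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The pfSense "RFC1918" / "Private_IPv4s" alias referenced by the post's rules.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(ip: str, alias: List[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


@dataclass
class Rule:
    action: str                             # "pass" or "block"
    dst_alias: List[ipaddress.IPv4Network]  # Destination address alias
    invert_dst: bool                        # the "Invert match" checkbox on Destination
    gateway: str = "default"                # Advanced Options > Gateway ("default" = WAN route)
    description: str = ""


# Per-interface rule sets as the post leaves them (constructed from its three rule listings).
RULESETS = {
    "VLAN100": [Rule("pass", RFC1918, True, description="Default allow Internet-only rule")],
    "VLAN200": [Rule("pass", RFC1918, True, gateway="VPN_GW", description="Obfuscated via VPN")],
    "VLAN500": [Rule("pass", RFC1918, False, description="Default allow LAN-only rule")],
}


def evaluate(iface: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation of a new connection entering pfSense on iface.
    Returns ("pass", gateway) or ("block", None); no matching rule is pfSense's default deny."""
    for rule in RULESETS.get(iface, []):
        hit = in_alias(dst_ip, rule.dst_alias)
        if rule.invert_dst:          # "Invert match": rule applies when the alias does NOT match
            hit = not hit
        if hit:
            return (rule.action, rule.gateway if rule.action == "pass" else None)
    return ("block", None)


if __name__ == "__main__":
    # Constructed sample destinations: a public resolver, the LAN gateway, a Guest client.
    for iface, dst in (("VLAN100", "1.1.1.1"), ("VLAN100", "10.20.0.1"),
                       ("VLAN200", "1.1.1.1"), ("VLAN500", "1.1.1.1"), ("VLAN500", "10.20.100.7")):
        print(f"{iface} -> {dst}: {evaluate(iface, dst)}")
```

Note what the model shows for VLAN500: because RFC1918 covers every private range, the LAN-only rule also passes traffic to 10.20.100.x (Guest) and any other VLAN, so if the cameras should reach only Home, use the LAN net (10.20.0.0/24) as the destination instead of the whole alias.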
Summary
During this journey, we’ve improved our network by closely integrating the Unifi AP, Unifi switch and pfSense, carrying VLANs between them.
Next, we discussed that we don’t want to make changes to the Home Wi-Fi network because we want it to be in the same broadcast domain as the rest of your wired devices.
Following that, we configured a Guest Wi-Fi network that can reach the Internet but is isolated from your home network.
We also covered an encrypted Obfuscated Wi-Fi network, which is isolated from your Home and uses a VPN client connection as gateway, adding a privacy layer when you want to visit suspicious websites.
Finally, we covered two flavors of IoT Wi-Fi networks that either have Internet access but no LAN connectivity, or the other way around, that is, no Internet but LAN connectivity.
Hope you enjoyed it…
Probably a dumb question, but wanted to answer it before I get going here. When creating the VLAN in the Unifi controller, do you want the DHCP set to none so that the pfSense router will assign?
The default in Unifi controller is DHCP Server.