Hello, I’m planning on creating a home server and getting some cameras.
I would like to have the server, cameras and all IOT devices be disconnected from the internet but still be able to access them within the house from different devices and maybe have limited access to them when outside.
Do I need a specific hardware for this? And what router would support this? I’m still in the planning phase but I’m looking for budget friendly solutions.
Thank you
Vlans firewall rules and something to route between the different networks.
This can all be achieved with pretty much every Linux installation.
Are there any decent interfaces for configuring routing and vlans with linux these days?
OPNsense is excellent. You can run it on a cheap mini PC with multiple Ethernet ports and it makes a great router. I run several VLANs through it.
Edit: It’s based on FreeBSD, not Linux, in case that matters to you.
I do the exact same thing, only over PFSense (no issues with OPNSense at all, I just get along with PFSense better). 6 VLANs and 7 APs around the house, no VLAN can see the other, and all my "smart devices work exclusively local, and if I need to reach them from outside, I VPN into my house over WireGuard. It sounds more complicated than it is. Once it’s all set up, it just works.
Excellent, thanks!
OpenWRT?
deleted by creator
This one of those questions I am overwhelmingly eqipped to answer, but only with the weird proprietary knowledge about software defined networking and microsegmentation that my job has endowed me with…
So I’ll resist the urge to give you that overcomplicated answer and just say get a firewall like others have suggested.
So I’ll resist the urge to give you that overcomplicated
Please don’t, if it wasn’t useful for me someone else might find it useful
For home, use your firewall. Either physical ports on the firewall with dumb switches or vlans with managed layer 2 switches.
There are many ways to do this. Proxmox can do it with ovs if all your devices are virtualized. Pfsense is probably the most straightforward.
The best way to run pfsense is on dedicated hardware. This would work for you https://protectli.com/vault-4-port/
You’ll also then need switches or a managed switch with vlans for each network segment.
Just throwing in the usual comment that OPNSense is a pfSense fork with a nicer interface.
Just throwing in the usual over-complication. The OP can do this with a simple OpenWRT router and by setting a few firewall rules. To be fair there are even some comercial routers from Asus and Netgear with their stock firmware that will allow you to block a device from accessing the internet.
Consumer routers fall apart when you want to do many common networking tasks, like setting up a VLAN on a separate subnet with pinhole access, so when faced with having to buy a significantly more expensive SMB router vs the cheap FOSS solutions others have mentioned, you’re better off just going the FOSS route.
Note: some consumer routers can be flashed with FOSS firmware, but be prepared to waste days tinkering and testing.
Just a few notes:
-
What you’re describing is not what the OP is asking for. He simply wants a quick solution to block a couple of devices from accessing internet.
-
I don’t get your “note” as that’s precisely what I suggested the OP to do. And if you actually read the manual and pick a recommend model it can be as simple as uploading the firmware using the router’s firmware upgrade feature.
-
The scenario you described can be done with OpenWrt on a consumer router and it isn’t that complex to setup. Even older hardware like the Netgear R7800 will be able to handle that.
-
Adding to that that you can also easily make a separate WiFi network (tied to a vlan even) for IoT. OpenWRT makes this very easy.
I have a similar set-up
I use a wireless access point that can expose multiple ssid with different vlans (I think it a fairly common feature)
my router runs openwrt and the iot vlan is in a different firewall zone
use wireguard to remotely access the lan zone
I was attempting this, but TP link doesnt actually care to tag their different SSIDs to vlans and don’t provide the configuration to, I only found that their guest may be tagged on some models. Just a word of caution, I think I’ll have to use IP range filters to achieve this
Does the router creates the VLAN or the access points?
Also to achieve this I have to gave wiregaurd on a device connected to the internet right? I can’t install it on my home server if I wanted it disconnected from the internet, correct?
If you have an AVM Fritz!Box home router you can simply create a new profile that disallows internet access and set the devices you want to “isolate” to that profile. They will be able to access the local network and be accessed by the local network just fine, but they won’t have any outgoing (or incoming) connectivity.
Pfsense and opnsense are also very good for this.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters AP WiFi Access Point DNS Domain Name Service/System IP Internet Protocol IoT Internet of Things for device controllers VPN Virtual Private Network
5 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #625 for this sub, first seen 24th Mar 2024, 13:45] [FAQ] [Full list] [Contact] [Source code]
Good bot
install openwrt on you router.
most routers that arent garbage support it.
What about classic DMZ network and VPN?
The DMZ serves to your LAN only. You use the VPN to effectively become a part of your LAN.
My router’s admin console, OOTB, gives me the option to either deny individual devices (based on MAC, etc.) access to the external internet, or create a second (or third, etc.) WiFi network that, itself, is not connected to the outside.
Perhaps you have similar settings?
Mine doesn’t, what router are you using?
What’s your router? Can you install OpenWrt on it? OpenWrt provides a GUI for the firewall where you can set that a specific device won’t be able to access the internet with a few clicks.
My router doesn’t support OpenWrt, I’m planning on buying a new budget friendly one to support it
Thank you for the
Asus RT-AC65
I havent even bothered with it yet but my router has individual settings for internet access for devices. You can even set them in homeassistant. A other idea might be pihole since it works as dns in my home. But that also makes a lot of it absurd because the phone home function on a lot of these is blocked by pihole anyway.
