Best Practice to securing home network with multiple Lans and connectivity over WiFi

[xxnumbxx]

Untangle Home user here. I have been using untangle for about a month and have had decent success. However, I have a couple questions on best practices and would appreciate any advice from users that are more experienced with networking than myself. Below I have outlined some of my concerns or issues that I currently have.

1. I have had some connectivity issues with wireless devices, intermittently dropping connections. I believe this is due to radio interference from having two separate AP’s that are physically close together. I recently picked up a Unifi AP Pro which I hope to replace both AP’s using VLan tagging. Any advice on getting better connectivity without constantly dropping clients would be appreciated.

2. I am also looking for any recommendations on how to properly allow devices on separate LANs to communicate with each other. For example I want certain devices i.e. Cell Phones(on IoT) to be able to communicate with certain dockers. Also, devices on Secure LAN to be able to communicate with devices on IoT LAN i.e. printers. Currently I have created Filter Rules to allow specific devices to communicate with each other based on Ip and Port rules. My question is whether this is the best way to handle communication across the different networks of if I should be doing this another way? (Firewall rules instead) Looking for the most secure way to handle this.

My network is configured as such that all devices currently go to the default policy which allows NO internet access. I manually tag each device to the two separate LAN policy’s that have different apps and rules setup to manage traffic. Any advice on how to further lock down and/or secure my network would be appreciated. Below is a basic layout of my network.

network_diagram.jpg

[Armshouse]

Hi and welcome. Thought I'd pick this up as nobody has replied, and you did take the time to do a diagram!

1. I have had some connectivity issues with wireless devices, intermittently dropping connections. I believe this is due to radio interference from having two separate AP’s that are physically close together.

Hard to say... Not impossible, but at the frequencies involved, physical proximity may not be the biggest factor. If you're using 2.4GHz stick to the non-overlapping channels (1, 6, 11) and if you're on 5GHz, you have more to choose from if you stick to 20 or 40MHz wide channels. Often, it's more the end device that's the issue than the AP.

I recently picked up a Unifi AP Pro which I hope to replace both AP’s using VLan tagging.

These are decent, I used to have one. The controller software is quite nice too for the most part.

I am also looking for any recommendations on how to properly allow devices on separate LANs to communicate with each other... ...Currently I have created Filter Rules to allow specific devices to communicate with each other based on Ip and Port rules. My question is whether this is the best way to handle communication across the different networks of if I should be doing this another way? (Firewall rules instead) Looking for the most secure way to handle this.

Everyone will probably have their own way of doing this. For me, I use filter rules to stop the IoT devices from contacting the secure VLAN, and a reciprocal rule for devices in the trusted VLAN contacting the IoT side. Like you, I just add allow rules above those for the exceptions. There are a few ways you can achieve that depending on how you've got your devices identified ie hostname, IP, tag etc. I go with tags as I can move those around and once I have a rule that targets that tag, I can add more devices with that tag to pull them into those rules.

I'm not too fussed on the reporting side in that scenario. I could be wrong, but I think traffic that's been filtered doesn't hit the reports engine (or that might just be bypassed traffic, can't remember). So, if you want to have more info on the connections, you'll need to use the firewall app so that you can see reports etc.

I cheat a little in that I can't be bothered to deal with the whole mDNS nightmare. So IoT devices that need to be discovered by their app in order to work, I'll just have a spare phone that sits in that VLAN or I'll just jump onto it from mine and do what I need to. Or for example, I have a Chromecast plugged into the living room TV. The TV is in IoT world and does all its streaming via that, but the Chromecast is connected to the trusted Wi-Fi so it's easy to stream to from trusted devices.

Hope that helps a little, others might have better ideas.

[sperman]

I used to have a netgear router with built in wireless. That required a couple of wireless extensions and my coverage was still spotty. I replaced that with a Unifi WAP6 pro, and all of my wireless coverage issues went away, and the extensions were no longer required. I think you will see a huge difference when you make that upgrade.

[dashpuppy]

I used to have a netgear router with built in wireless. That required a couple of wireless extensions and my coverage was still spotty. I replaced that with a Unifi WAP6 pro, and all of my wireless coverage issues went away, and the extensions were no longer required. I think you will see a huge difference when you make that upgrade.

Wireless repeaters never work properly, its a quick fix that works for a bit then $hit's it's self and never works properly again. The main problem with wifi repeaters is they are repeating a bad signal at most, and adding extra hop's and more latency.

[sky-knight]

Wireless repeaters never work properly, its a quick fix that works for a bit then $hit's it's self and never works properly again. The main problem with wifi repeaters is they are repeating a bad signal at most, and adding extra hop's and more latency.

Proper mesh systems bypass this by having dedicated radios for the backhauls. So you just setup the remote WAP where it can get good signal, and then broadcast from there. That's how Google Mesh, and Netgear Orbi works. They've come a LONG way from the repeater days.

Still, you're not wrong... each step you take means one more run over wifi, and while the backhaul dedicated radios improve the problem, they aren't anywhere near as good as a cable would be in the same circumstances.

[dashpuppy]

All wifi extenders do is add more hops and more issues. LIke i said above, it just extends the weak signal and causes more issues. If you want PROPER wifi coverage, install ap's ( pick your brand ) Aruba Unifi Engeniuse tp-link etc etc. Then hard wire it, POOF problem solved.

[junglechuck]

"I have had some connectivity issues with wireless devices, intermittently dropping connections. I believe this is due to radio interference from having two separate AP’s that are physically close together."

@xxnumbxx,

Kuddos to separating your IOT stuff. As for wireless issues- 1) Using each WAP, scan each band for other WiFi signals in your area. Set your WAPs at frequencies with the least noise interference. 2) Set all your 2.4Ghz radios to the lowest signal, and I would recommend the 5Ghz radios at "medium". Not sure how big your place is, but more access points at lower signal perform better than one WAP blasting signal. 2.4Ghz is practically worthless with today's speeds, but many IOT, printers and old devices still need it. 3) Pay attention to how your WAP's are physically oriented to your space. UBNT has a good explanation of how the signal "looks" from each of their radios. 4) Cabling to your WAPs matters too. Speeds on CAT6 UTP can be affected by electrical RF. I've found CAT6 shielded to be better performing.

[dashpuppy]

"I have had some connectivity issues with wireless devices, intermittently dropping connections. I believe this is due to radio interference from having two separate AP’s that are physically close together."

@xxnumbxx,

Kuddos to separating your IOT stuff. As for wireless issues- 1) Using each WAP, scan each band for other WiFi signals in your area. Set your WAPs at frequencies with the least noise interference. 2) Set all your 2.4Ghz radios to the lowest signal, and I would recommend the 5Ghz radios at "medium". Not sure how big your place is, but more access points at lower signal perform better than one WAP blasting signal. 2.4Ghz is practically worthless with today's speeds, but many IOT, printers and old devices still need it. 3) Pay attention to how your WAP's are physically oriented to your space. UBNT has a good explanation of how the signal "looks" from each of their radios. 4) Cabling to your WAPs matters too. Speeds on CAT6 UTP can be affected by electrical RF. I've found CAT6 shielded to be better performing.

Ap's are designed to be mounted on the roof, so they radiate DOWN for coverage, I cringe every time I see someone wall mount them.

IMO it's always better to have MORE ap's for coverage then have one and max the power out on 2.4 &5g.

Having multiple ap's for different networks is a pita, its better to just buy a proper AP put 2 ssid's on it and vlan it. Using 2 ap's one for xx network and one for xxx network is hard to manage and make perfect.