Hardware Firewall and VLAN Network Setup

Monday, September 5, 2022

Network security is one of those ‘set it and forget it’ things that we all neglect over time, and as I was taking my Google IT Networking certification, I decided it was time to upgrade my own home network. To combat this, I added a Protectli hardware firewall running pfsense and a TP-Link switch with a custom VLAN setup to create a locked-down private network and a guest network for any guests as well as my IoT devices.

Initial Home Network Layout Design

I began by mapping out an outline of what I wanted my new network configuration to look like. It was important for me to create a protected main network with NAS, as well as be able to securely share my internet with guests and IoT devices. I drew up the rough outline that you see below.

The firewall would act as my primary line of defense and allow me to lock down my network and the managed switch would allow me to create separate VLANs to isolate parts of my network, illustrated by the dashed vertical line on the switch. The VLAN would let me keep my NAS and access points on their own subnet, completely isolated from the guest access point, which all of the IoT devices (including our tv and security cams) would share.

I configured each subnet’s access points to be physically separate access points with their own hidden SSIDs. I printed a few QR codes for a few rooms of our home to give my guests easy access to it.

Hardware Firewall Installation: Protectli Vault 4-Port

Protectli Vault 4-Port

I purchased the Protectli Vault due to its high reviews and low power draw, so I could run it in my office while still having multiple OPT ports to configure several internal networks. The model I am using is the 4-port configuration, and I installed pfsense as the firewall OS on it. Connecting to it is fairly straightforward.

I configured it using the LAN port and a Cat6 cable directly to my MacBook Pro, using Firefox to access the device like you would with any prosumer switch or modem. I plugged the WAN port straight into my modem, OPT1 into my internal private network, and OPT2 into my internal guest network.

pfsense Firewall Software Setup: Network Rules

To install pfsense, I downloaded the installer image to a thumb drive. The download is available directly from pfsense, and I used balenaEtcher to flash the thumb drive to create the bootable image for the Protectli Vault. I plugged the thumb drive into the Vault and started it up to do the pfsense firewall OS install. Once that was done, I was able to go through the software configuration of the device and set up each of the OPT ports via the LAN port.

For an added layer of security, I avoided using the 192.168.x.x IP addresses and went with a less common 10.42.x.x range instead, to protect against any automated attacks that look for devices in that range. The Protectli defaults to “allow nothing” through its built-in rule system. For each interface (WAN, LAN, OPT1, and OPT2), I had to manually add the rules and ports for which I wanted to allow traffic.

Starting with the first exposed interface, the WAN port, I kept the default setting that blocks everything.

Eventually, I will be adding a VPN using the built-in pfsense VPN options, but for now I decided to keep everything locked down. Next up was my internal private network on OPT1. pfsense allows you to set rules based on the source of the traffic, the destination of the traffic, ports, or protocols as parameters. The rules are evaluated top down. I started out with the following settings for my private network, shown in the image below.

The first rule has a green checkmark on the left to indicate an “allow” rule, which allows devices on the OPT1 network to access other devices on the OPT1 network. This allows my NAS, my laptop, my wife’s laptop, and my mobile devices like iPad and iPhone to easily connect with each other. The second rule allows my OPT1 devices to access devices on the guest network. I configured this to allow me to access my streaming TV setup, home music, security cameras, etc., which are all on OPT2.

Next up was to configure my guest network on OPT2. The rules that I put in place were set up to lock down my OPT1 network. The first two rules have a red X on the left, which is a “block” rule. These block access to the LAN network to protect the firewall itself, and also block OPT2 from accessing anything on OPT1. The last rule opens up anything else. This allows devices on OPT2 to see each other as well as reach the WAN port to access the internet.
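As an added illustration that is not part of the original post, the following Python models the two OPT rule sets described above with pfsense’s top-down, first-match evaluation, so the isolation they are meant to give (guests cannot reach OPT1 or the LAN, OPT1 can reach OPT2) can be checked before trusting it. The three /24 subnets are assumptions; the post only says it uses the 10.42.x.x range.

```python
# Added example (not from the original post): a minimal first-match model of the
# pfSense rule sets described in the post, used to check that the OPT2 guest
# network cannot reach OPT1 or the LAN while OPT1 can still reach OPT2 devices.
# Subnet values are assumptions: the post only says it uses 10.42.x.x.
import ipaddress

NETS = {
    "LAN":  ipaddress.ip_network("10.42.0.0/24"),   # firewall management side
    "OPT1": ipaddress.ip_network("10.42.1.0/24"),   # private: NAS, laptops
    "OPT2": ipaddress.ip_network("10.42.2.0/24"),   # guest / IoT
}

# Each rule: (action, source net, destination net); "any" matches everything.
# pfSense evaluates an interface's rules top-down and the first match wins.
RULES = {
    "OPT1": [
        ("pass",  "OPT1", "OPT1"),  # green check: OPT1 devices talk to each other
        ("pass",  "OPT1", "OPT2"),  # reach TV, music, cameras on the guest net
    ],
    "OPT2": [
        ("block", "OPT2", "LAN"),   # red X: protect the firewall's LAN side
        ("block", "OPT2", "OPT1"),  # red X: guests never see the private net
        ("pass",  "OPT2", "any"),   # everything else, including the internet
    ],
}

def _matches(net_name, ip):
    return net_name == "any" or ip in NETS[net_name]

def evaluate(interface, src, dst, rules=RULES):
    """Return 'pass' or 'block' for a packet arriving on `interface`.
    With no matching rule, pfSense's implicit default denies the traffic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules[interface]:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "block"

def isolation_holds(rules=RULES):
    """The checks a defender wants to re-run after every rule-set edit."""
    return (
        evaluate("OPT2", "10.42.2.50", "10.42.1.10", rules) == "block"   # guest -> NAS
        and evaluate("OPT2", "10.42.2.50", "10.42.0.1", rules) == "block"  # guest -> LAN
        and evaluate("OPT2", "10.42.2.50", "1.1.1.1", rules) == "pass"   # guest -> internet
        and evaluate("OPT1", "10.42.1.10", "10.42.2.20", rules) == "pass"  # laptop -> TV
    )

if __name__ == "__main__":
    print("isolation holds:", isolation_holds())
    # Order matters: putting the catch-all "pass" first would shadow both blocks.
    reordered = dict(RULES, OPT2=RULES["OPT2"][::-1])
    print("isolation with OPT2 rules reversed:", isolation_holds(reordered))
```

Reversing the OPT2 list shows why the two block rules must sit above the catch-all pass: with the pass first, the blocks are never reached and the guest network can see the NAS.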

Finally, I created a DHCP server for each of the subnets. I configured each subnet with a pool that is only a subset of the full /24 subnet, which leaves me room to configure devices with manual IPs on each subnet. For example, my NAS is powered by a Raspberry Pi and has a static IP, which makes it easier to SSH into it at any time using Terminal.

Managed Switch VLAN Configuration: Port-Based

Finally, I logged into my managed switch to set up the VLANs for each OPT subnet. I am using a TP-Link managed switch. For now, I only needed an 8-port switch, which saved some space in my office as well as reduced the power consumption.

Logging into the switch and configuring the VLANs is straightforward using the admin panel. Due to the simplicity of my home network, I went with a physical port-based VLAN setup rather than an IP-based one. I did this because I have separate physical access points and am hardwiring my NAS into the switch. This way I can quickly see which VLAN an ethernet cable is attached to just by looking at the switch.

Physically, I have OPT1 plugged into VLAN1 and OPT2 plugged into VLAN2 between the Protectli Vault and the switch. Additionally, each VLAN has a physical wifi access point plugged into it. I hardwired my NAS directly into VLAN1. This still leaves me with extra physical ports available for expansion in the near future. The entire setup is very compact, as you can see in the image below. The only difference is that my OPT1 wifi access point is not plugged into the switch in the photo; normally I would have it plugged into port 3 for VLAN1. Additionally, for cable management, I cut all my Cat6 cables to length and crimped the connectors so each cable is only as long as it needs to be for each run. And, yes, I still have an older Cat5 cable in the photo connecting my NAS to the switch, which I have since replaced.

Ciao! I'm Scott Sullivan, a software developer and machine learning nerd. I divide my time between the tranquil countryside of Lancaster, Pennsylvania, and northern Italy, visiting family close to Cinque Terre and La Spezia. Professionally, I'm using my Master's in Data Analytics and my Bachelor's degree in Computer Science to create compelling software products that use AI, and to run lighting, robots, and automation effects for large Christian theatrical productions to spread the message of Christ's salvation.