You can better protect your home network, your sensitive data & activities by separating your home network into sub-networks (subnets).
A typical home network is a simple single network. A single network that allows connections (wired or wireless) from all computers, mobile devices, peripheral devices and Internet enabled devices like Internet of things (IoT).
Risks of a single home network?
If any one device is compromised or infected with malware, the attacker may be able to spread malware or compromise your other devices.
The attacker may also be able to sniff and eavesdrop your network traffic to steal your critical personal information (e.g. login credentials).
Attacks do not necessary start at your most important devices. In fact, they usually start with devices that have the weakest security protection. Once they get their foot in a device, they can work their way to your other devices within the same network.
Your devices could be infected in several ways:
Internet of Things (IoT)
More and more devices, appliances and innovative things are Internet connected. But not all of them are created equal. Some could have very weak security protection or even no security protection.
These devices could be of high risk to your network.
However, they would only grow in popularity. Incorporating IoT to your home network is just a matter of time, if not already started. Therefore, it’s best to restructure your home network to accommodate them.
Devices that lack firmware updates
Peripheral devices like printers or some simple network devices like hub or switch usually don’t receive much firmware updates from the manufacturer. If these devices have vulnerabilities, the attacker could take advantage of that to gain access to them.
Devices that have outdated firmware
From time to time, vulnerabilities could be found for a particular device (e.g. router) and manufacturer may provide firmware updates to fix the vulnerabilities.
However, if these devices’ firmware are not kept up-to-date in a timely fashion, they could become the attack target.
Wi-Fi access is becoming a must have for every home network. Because of it’s wireless nature, attacker does not need to be into your home to perform their attacks.
Mobile devices joining untrusted networks
It’s typical that we use some public networks for Internet access when we are on the go. But these open public hotspots also have risk to get your cell phone or laptop infected.
And when you bring your infected mobile device home, attackers now have their foot in your network.
Phishing or malicious websites
And of course, if we are not careful about our Internet activities, our computers can be infected by malware through phishing or accessing some malicious websites.
Multiple users / family members
Your home network is most likely used by your family members, kids, relatives, friends and guests. For some you simply don’t have control over their devices. And it’s hard to know if their devices are infected or not. This would also pose a security risk to your home network.
Separate home network into multiple subnets
You can minimize these risks by dividing your single network into multiple sub-networks.
Typically, devices in a subnet do not have access to another subnet. Therefore, the risk of a compromised device would be limited to a single subnet and it would not be able to spread or access to devices on other subnets.
By carefully grouping and dividing your devices into different subnets, you can best protect your important data and online activities (e.g. online banking).
The above network diagram is an example of home network using subnets.
- subnet 1: This is the most important sub-network to protect. Devices and computers here are used to store your most important data and perform your most important online activities. Any potential risky activities should be avoided in this sub-network.
- subnet 2: Wired devices or computers where you may perform more risky activities like browsing unknown websites, checking emails with links and attachments. Any malware infection or malicious website attacks will be restrained within this sub-network and would not affect subnet 1.
- subnet 3: Peripheral devices like printers that don’t get firmware updates or have outdated firmware. These devices typically don’t need Internet access. Therefore, devices in this sub-network can be restricted to NO network access to eliminate their exposure.
- subnet 4: Similar to subnet 2 but is dedicated for gaming devices/consoles.
- subnet 5: Mobile devices that may be used to connect any other untrusted networks (e.g. public open Wi-Fi hotspots)
- subnet 6: A sub-network dedicated for IoT to provide them Internet access but NOT access to your other devices.
- subnet 7: A guest sub-network for your friends and visitors. Similar to subnet 6, they only need Internet access.
How to implement subnets?
It could be overwhelming to restructure the whole home network all at once. But we can do it step by step.
- Part 1: Create initial subnets using pfSense firewall
- Part 2: Setup more subnets using VLANs
- Part 3: Setup Wi-Fi subnets using VLANs
Create phyiscal subnets using pfSense firewall
The very first step is to incorporate a feature packed network firewall as the cornerstone of setting up subnets for the home network.
Firewall requires a minimum of 2 network interfaces, 1 for connecting to WAN, 1 for connecting to LAN (internal home network). Each extra network interface would allow firewall to create an additional physical sub-network. Therefore, a firewall with 3 network interfaces allows you to create 2 physical subnets.
pfSense firewall is recommended.
pfSense (Community Edition) is a free, open source firewall used by many. You can purchase NetGate’s official pre-configured pfSense appliances.
Or you can download the latest stable version at pfsense.org and install it to a compatible hardware device (e.g. mini pc).
- Multiple cores CPU at 2.0GHz+
- 4GB+ RAM
- 10GB+ Hard drive space
- 3 or more Intel PCI-e NICs
- for future compatibility (pfSense v2.5+), CPU requires AES-NI encryption support
A good mini PC to use please check out Qotom Q330G4 with 4 NICs. This would allow you to setup 3 physical subnets. I have been using an older version of Qotom mini PC, running pfSense firewall for couple years without problems.
Subnet access control
With pfSense firewall rules, you have the flexibility of defining how devices within a subnet can access other resources, for example:
- access only devices within the same subnet.
- Internet access only.
- access devices on a different subnet.
- combination of the above rules.
As shown in figure 3, with the appropriate firewall rules defined, we can limit devices in subnet 2 with Internet access but no access to any devices in subnet 1.
And for devices (secure desktop) in subnet 1, we can allow them access to devices in subnet 2 so that print jobs can be sent to the printer in subnet 2.
Follow the guide to install pfSense using USB flash drive to complete the initial installation and setup.
A typical pfSense installation uses 2 network interfaces, one for Internet access (WAN interface), one for local network (LAN interface).
The default access control for the LAN interface is full access. That is, devices in LAN interface has Internet access and can access devices in all subnets that you may create later. So you can use this LAN interface as subnet 1.
Configure subnet 2 using 3rd network interface
Once you have sucessfully installed pfSense with 1 WAN and 1 LAN setup, use pfSense web gui and follow steps below to setup the third network interface as subnet 2 with Internet access ONLY.
Step 1: create the 3rd interface
- go to Interfaces > Assignments
- at Available network ports, an available (unassigned) NIC should be selected automatically
- click Add
A new interface, default name ‘OPT1’ would be created
Step 2: Enable new interface and assign a private static IPv4 address
- Click on OPT1 to configure the interface
- check the Enable interface checkbox
- select Static IPv4 for IPv4 Configuration Type
- Go to section Static IPv4 Configuration, enter 192.168.99.1/24 for IPv4 address. This would be the IP address for this firewall to serve as the gateway for this subnet
- click Save, then Apply Changes
Step 3: Setup DHCP server for OPT1 to automatically assign IP addresses to devices
- go to Services > DHCP Server > OPT1
- check the Enable DHCP server on OPT1 interface checkbox
- for Range, specify a range of IP address that can be use for automatic assignment (e.g. from 192.168.99.201 to 192.168.99.254)
- click Save near end of the page.
Step 4: Setup firewall rules to allow Internet access only
Other than the LAN interface automatically created by pfSense installation, all new interfaces created manually will have no access to anything by default.
Before defining the actual firewall rules, we will first create an IP alias to represent all the private IP addresses (used by all private subnets).
- go to Firewall > Aliases > IP
- click Add
- enter ‘Private_IPv4s‘ as Name
- select Network(s) as Type
- add following 3 networks:
- enter 192.168.0.0 / 16
- click Add Network and enter 10.0.0.0 / 8
- click Add Network and enter 172.16.0.0 / 12
- click Save then Apply Changes
Now let’s create firewall rule to allow Internet access:
Firewall rule: allow Internet access
- go to Firewall > Rules > OPT1
- click Add button
- for Address Family, select IPv4+IPv6
- for Protocol, select Any
- for Source, select OPT1 net
- for Destination,
- check Invert match checkbox
- select Single host or alias
- then type ‘Private_IPv4s’ as the Destination Address
- for Description, enter ‘allow Internet access’
- click Save, then Apply Changes
Now you can use this OPT1 interface for subnet 2 with access to Internet. However, they won’t be able to access subnet 1.
Notes about double NATs
pfSense firewall also serves as a router. When you have 2 routers (ISP router and pfSense) in a network, that creates double NATs.
To put it simple, it works completely fine for general Internet use like browsing, emails, cell phones & most gaming.
However, it may have problem when some services you use require port forwarding. If you don’t need port forwarding, you probably won’t find any issues.
Approach 1: If you do need port forwarding, the easiest approach is to configure port forwarding on both ISP Router and pfSense firewall.
Approach 2: configure ISP router to use a DMZ address to point to the pfSense firewall. For this approach, you only need to configure port forwarding at the pfSense firewall.
Approach 3: Use some more advance techniques (out of scope for this post) including bridging the ISP router, or replace ISP Router completely by directly connecting the Internet connection to the pfSense firewall. However, take the following into consideration especially when this is your first time setting up pfSense firewall:
- require more in-depth knowledge in networking.
- most likely require involvement of technical support from the ISP provider to reset the connection. This could be frustrating and time consuming when you have to do it back and forth multiple times.
- some functionalities could be lost if the service provider also offers TV/Phone service through the ISP provided router.
- the ISP provider may refuse technical support if you encounter difficulties, until you switch back to their original ISP provided router.
pfSense is a nice great powerful firewall. Once you have it setup as part of your network, there are other awesome features you can utilize to better your network.