Welcome to my Home Network! Hackers rejoice, this is the map for everything you'd potentially want to infiltrate, and the paths for how to get to each. Let me lead you across my thoughts for how I've constructed it, how it all goes together, and what I know needs to be improved for the future.

![[Home Network Diagram (Public Digest).png]]

### General Notes

Belsavis is an isolated network to triage potentially infected devices. Known-bad devices will not have access to any VLAN on the main network.

Offsite backups don't have RAID implemented. Raw storage capacity is the goal for these, as they are already not included in my main [[Backup Strategy]].

Media servers don't have RAID or are RAID 0 for the best throughput capability. This decision is made based on whether drives have been purchased new or second-hand. Is there a better way to make this decision? Let me know!

Home backup servers have RAID 5 or 10 depending on the quantity of drives, to keep a good balance between parity and performance.

Theoretically, I'll never have more than 5000 devices, so 19 VLANs for internal sorting are more than enough. Depending on the purpose of the VLAN, the subnet mask has been restricted for security purposes.

I'm not planning on owning more than 1 house, so having 10 site VLANs available should be more than enough for my family until I am dead, with plenty of room just in case someone has quadruplets.

I do want to have individual user VLANs implemented one day, to further segment against potential breaches. This would add a decent amount of complexity (for example, to cast video from a personal VLAN to a shared VLAN), and for now I'm happy with how I've addressed security, so this will be a long-term project.

### Internal VLANs

#### Default VLAN

This is the one devices connect to, you guessed it, by default. Anything that doesn't require special rules resides here.

#### Smart Devices

I'm not a huge fan of how much smart devices talk to each other and to the internet. Where I can, I restrict them from making requests to, or receiving requests from, the internet. Putting them on their own VLAN keeps them from seeing what else we have on the network, at a minimum. Amazon Firesticks are constantly tripping my firewall rules for pinging other devices, so they get isolated as well, until they are fully removed from the network.

#### Full Access VPN

This is what I use to connect to various services and individual devices from outside the network. Accessed via WireGuard. Old Firesticks have access to this, but are managed by individual rules as a patchwork measure.

#### Family Servers

These are servers that the family needs to access, like media streaming, file backup, and file servers.

#### Guest

For guests who have limited data plans. No access to the internal network.

#### Server Access VPN

Like the full access VPN, but only for server access, and really only for utilizing services, not for writing changes. This is what I give friends temporarily to access game servers.

#### Backup

Not utilized to the fullest extent it could be, but the backbone is here to try to prevent traversal in case one of the offsite services is compromised, and vice versa.

#### Admin

Yours truly's personal administrative VLAN. One device, one address, a minimal attack surface, and a dream.

#### Unifi Cameras

Currently there's only one, and I separate this from smart devices because I trust Unifi a bit more, and also don't want smart devices having access to the cameras.

#### Game Servers

Separate from most other things in case something fails and they're somehow made publicly accessible, or my friends are compromised. I don't really care if any data on here is lost, though I occasionally back up our Minecraft server.

#### Work

In case I'm compromised, or in case there are tools IT has available to them that I don't know about, it's just best to keep these separate. Work/life separation, folks.

#### Belsavis

This is for potentially compromised devices. Includes a honeypot, an address for the questionable device, and my personal triage device. No internet access, no access to other networks. A virtually airgapped network. Keep in mind that there are ways to escape VLAN segmentation for a determined adversary.

### External Sites

As my family separates and moves across the country and the world, making sure everyone has access to what they need is crucial. Personal devices have access to backup services like Immich for photos whether or not they're connected to the network. Bridges have been created from my firewall to theirs, ensuring they have access to the services they need when at home, and I have access to make administrative changes to their devices if necessary.

I hate Firesticks. Intrusive pieces of shit, frankly. But, they were cheap and for now my family uses them to access media streams when they are outside of their homes. The plan is to obsolete them with custom-imaged Onn boxes or something similar.

### Cloud

Just Backblaze backups for now. Costs me about $3-6 a month and worth every penny for the peace of mind that the additional managed location provides me.
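As an added example (not from this page, and not the author's actual firewall configuration), here is a small Python model of the inter-VLAN policy described under Internal VLANs: rules are evaluated first-match with an implicit default drop, a set of checks confirms the invariants the design relies on (Belsavis isolated in both directions, guests reaching only the internet, smart devices unable to see the cameras, the admin VLAN sized for a single host), and the same rule list is rendered as an nftables-style forward chain. The VLAN subnets, the VLAN IDs implied by them, and the exact rule ordering are assumptions chosen to match the descriptions above; anything not in any listed subnet is treated as "internet" for simplicity.

```python
"""Model of a segmented home network's inter-VLAN policy (added example; subnets assumed)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Constructed VLAN plan: names follow the page's sections, subnets are assumptions.
# Smaller masks where the page says the VLAN is restricted (admin, cameras, Belsavis).
VLANS = {
    "default":        IPv4Network("10.0.10.0/24"),
    "smart":          IPv4Network("10.0.20.0/24"),
    "vpn_full":       IPv4Network("10.0.30.0/24"),
    "family_servers": IPv4Network("10.0.40.0/24"),
    "guest":          IPv4Network("10.0.50.0/24"),
    "vpn_server":     IPv4Network("10.0.60.0/24"),
    "backup":         IPv4Network("10.0.70.0/24"),
    "admin":          IPv4Network("10.0.80.0/30"),   # one device, one usable address pair
    "cameras":        IPv4Network("10.0.90.0/27"),
    "game":           IPv4Network("10.0.100.0/24"),
    "work":           IPv4Network("10.0.110.0/24"),
    "belsavis":       IPv4Network("10.0.120.0/29"),  # quarantine: honeypot, suspect, triage box
}

@dataclass(frozen=True)
class Rule:
    src: str      # VLAN name or "any"
    dst: str      # VLAN name, "internet", or "any"
    action: str   # "accept" or "drop"
    note: str = ""

# Ordered, first match wins; anything unmatched falls through to drop.
RULES = [
    Rule("belsavis", "any", "drop", "quarantine: nothing leaves Belsavis"),
    Rule("any", "belsavis", "drop", "quarantine: nothing reaches Belsavis either"),
    Rule("admin", "any", "accept", "admin manages everything still allowed above"),
    Rule("guest", "internet", "accept"),
    Rule("guest", "any", "drop", "guests see nothing internal"),
    Rule("smart", "internet", "drop", "smart devices kept off the internet where possible"),
    Rule("smart", "any", "drop", "smart devices see nothing else, cameras included"),
    Rule("default", "smart", "accept", "assumed: phones on the default VLAN control them"),
    Rule("work", "internet", "accept"),
    Rule("work", "any", "drop", "work/life separation"),
    Rule("vpn_full", "any", "accept", "full-access WireGuard clients"),
    Rule("vpn_server", "family_servers", "accept"),
    Rule("vpn_server", "game", "accept", "friends reach game servers only"),
    Rule("vpn_server", "any", "drop"),
    Rule("family_servers", "backup", "accept", "servers push into the backup VLAN"),
    Rule("backup", "internet", "accept", "offsite sync only"),
    Rule("backup", "any", "drop", "a compromised offsite peer cannot traverse inward"),
    Rule("any", "backup", "drop"),
    Rule("cameras", "any", "drop", "cameras never initiate anything"),
    Rule("default", "family_servers", "accept"),
    Rule("default", "game", "accept"),
    Rule("any", "internet", "accept"),
]

def vlan_of(ip: str) -> str:
    """Name the VLAN an address belongs to; unknown addresses count as the internet."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str) -> tuple[str, str]:
    """First-match evaluation of a new flow; returns (action, reason)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for r in RULES:
        if r.src in ("any", src) and r.dst in ("any", dst):
            return r.action, r.note or f"{r.src} -> {r.dst}"
    return "drop", "default policy"

def check_invariants() -> list[str]:
    """Return a list of violated segmentation guarantees (empty when the policy holds)."""
    probe = {name: str(next(net.hosts())) for name, net in VLANS.items()}
    problems = []
    for name, ip in probe.items():
        if name == "belsavis":
            continue
        if evaluate(probe["belsavis"], ip)[0] != "drop":
            problems.append(f"belsavis can reach {name}")
        if evaluate(ip, probe["belsavis"])[0] != "drop":
            problems.append(f"{name} can reach belsavis")
        if name != "guest" and evaluate(probe["guest"], ip)[0] != "drop":
            problems.append(f"guest can reach {name}")
    if evaluate(probe["smart"], probe["cameras"])[0] != "drop":
        problems.append("smart devices can reach the cameras")
    if VLANS["admin"].num_addresses > 4:
        problems.append("admin VLAN is wider than a single host pair")
    return problems

def render_nft(table: str = "inet filter", chain: str = "forward") -> str:
    """Render RULES as an nftables forward chain with a default-drop policy."""
    lines = [
        f"table {table} {{",
        "  set private { type ipv4_addr; flags interval; "
        "elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } }",
        f"  chain {chain} {{",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in RULES:
        match = []
        if r.src != "any":
            match.append(f"ip saddr {VLANS[r.src]}")
        if r.dst == "internet":
            match.append("ip daddr != @private")
        elif r.dst != "any":
            match.append(f"ip daddr {VLANS[r.dst]}")
        comment = f' comment "{r.note}"' if r.note else ""
        lines.append("    " + " ".join(match + [r.action]) + comment)
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nft())
    print("violations:", check_invariants() or "none")
```

The value of keeping the policy as data is that `check_invariants()` can run after every rule change, so a new convenience rule (for example, letting the default VLAN cast to a shared VLAN once user VLANs exist) cannot quietly open a path out of Belsavis or into the backup VLAN.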