I know that computer networking is a complicated area and not we’d rather eat fire than learn it, but hear me out. If you’re a semi-experienced person with a bit of patience and the right tools, you can (and should) improve the security of your home network with a bit of effort.
In this age, every electronic device you connect to your home network is a risk: Not just a target for hackers but also for some greedy corporations. If you have an Amazon Alexa connected to your home network, you may want to keep an eye on it. The same goes for your Sonos speakers, or Philips Hue lights. Any IOT device you connect is a risk, but that risk is not difficult to manage.
The idea of partitioning your network is to group some particular devices and supervise their communication to other groups. Not device to device, that would be too big of a task. Group to group, or rather, partition to partition. This would allow you to isolate the risks and have a smaller battle area in case of war.
Prerequisites
Your Wi-Fi router may not be enough to accomplish this task. It would need to have a gateway capability and the ability to create multiple networks, as well as firewall support. If you’re using your ISP’s Wi-Fi router, chances are high that it won’t be enough.
In my case, I’ve invested on Ubiquiti UniFi platform and purchased a USG router with a few access points. The USG lets me create networks, adjust firewalls, define routes, inspect traffic, etc. It’s an older device, and it requires me to host my own UniFi Console, but it works nicely. The newer devices like the Dream Machine have the console and routing functionality inbuilt, and they have access point capability as well. I didn’t get to upgrade yet, as my setup works well enough so far.
You could go for a managed switch and get a firewall device as well. You would hook it up to your ISP router, but define networks on the switch. You can put the firewall device (a pfSense device can work well, or you can use a small Linux machine with pfSense installed on it, but it would ask for two Ethernet ports, I think). Then you’ll need to configure your network to route the traffic over this firewall, so it can control the flow.
I’m no expert on that part and I have to say, my experience with UniFi was nice enough to easily set up it all. But I’m sure there are plenty of other guides that can help you with that part.
Once you have the components ready, let’s move on to the steps to make it happen.
Step 1: Identifying Device and User Groups
In a particular home, you may have the following device groups:
- User Devices: Laptops, phones, tablets, smartwatches
- Work Devices: Work PCs, laptops, phones, tablets
- IOT Devices: Alexa, Google Home, HomePod, AppleTV, Google TV, Fire TV, your TV, smart lights, Wi-Fi speakers (like Sonos), printers, etc.
- HomeLab: Your servers, even if it is a small machine or a Raspberry Pi, tucked in a closet
Then, you have the following user groups:
- Regular Users: Any user who’s connected to the network with their device that lives in your home. You, your partner, kids, etc.
- Guest Users: Friends or relatives visiting
- Admin Users: The person who takes care of networking issues, since it’s them who set it up (probably you, since you’re reading this. Ha!)
Step 2: Identifying Risks
Surprisingly, there are many things can go wrong on a home network. Let’s think of some risks:
- One of the personal devices can be infected with a virus due to an infected USB drive. The virus can basically sniff the network and steal data. You may want to keep your HomeLab or Work devices away from high-risk devices, like your kids’ laptops.
- A smart light you purchased from Amazon because it was cheap gets hacked, well, because it’s not secure enough. Or you may think Alexa could be listening to traffic, so why let it sniff your personal devices’ packets? You may want to keep your personal devices away from those pesky IOT gadgets.
- Your company may be a victim of a ransomware attack, so your VPN-connected work laptop gets compromised. It may spread to other devices in your network, so you want to keep work devices isolated.
- You had a party at your home last week and about 20 people connected to your home Wi-Fi. At least one of them may have an infected Android phone, so who knows where can it spread to? It’s best to keep guest devices away from everything else, and preventing them from talking to each other.
The list can be expanded, but you get the point. When something bad happens, you want to isolate that event from spreading. True, the devices in that same partition would be in danger, but the point is, not everything is in danger.
Now, let’s focus on how we can manage these risks.
Step 3: Partitioning Your Network
In networking, the easiest way to achieve this partitioning is via subnets. If you have a 192.168.1.0 network at home, you split that into multiple subnets, so the eggs would be in separate baskets. Here’s an example:
| Network Name | IP Range | Description |
|---|---|---|
| Infrastructure | 192.168.1.0/24 | The router and other network devices |
| User | 192.168.2.0/24 | Laptops, phones, tablets |
| Work | 192.168.3.0/24 | Work PC, laptops, phones, tablets |
| IOT | 192.168.4.0/24 | Smart lights, TVs, speakers |
| HomeLab | 192.168.5.0/24 | Servers, RPis |
| Guest | 192.168.6.0/24 | Guest users’ devices |
| Admin | 192.168.7.0/24 | Privileged user access |
This is not an exhaustive list, and it’s just an example. You can adopt this as a template if you'd like; partitions in my home network are similar. I suggest keeping a documentation and a diagram of your network somewhere; otherwise you won’t remember the purpose of all this.
Step 4: Firewalls Up
Now that you’ve set up the groups, it’s time to establish boundaries. The idea is to supervise how these networks talk to each other. You do that by cutting off the communication on the firewall and only letting certain requests with ports and protocols to flow through. You can enforce which way the traffic goes as well.
| User | Work | IOT | HomeLab | Guest | Admin | |
|---|---|---|---|---|---|---|
| User | - | X | Ports | Ports | X | X |
| Work | X | - | Ports | Ports | X | X |
| IOT | X | X | - | X | X | X |
| HomeLab | X | X | Ports | - | X | X |
| Guest | X | X | X | X | - | X |
| Admin | Ports | Ports | Ports | Ports | Ports | - |
Here’s how to read this table: Network in the row is trying to access network in the column. E.g. User trying to access Work, but not allowed. Ports mean only certain ports will be allowed to connect, not everything. Like if you have an Apple TV and you want to use AirPlay, you only enable the port for it from User to IOT.
Most firewalls will ask you to create a prioritised list for these rules. It would look like this:
| Priority | From | To | Port | Protocol | Rule |
|---|---|---|---|---|---|
| 200 | User | IOT | 3005 | TCP | Allow |
| 210 | User | Work | Any | Any | Deny |
| 250 | User | Any | Any | Any | Deny |
The table is ordered by priority and processed top-down by the firewall. That means, whichever rule it matches first will be executed. The easiest way to manage this list is to keep all partitions’ Deny rules at the bottom and keep the Allow rules at the top. You can then have flexibility for edge cases in the middle.
Of course, these rules will depend on what kind of firewall you have. I have an Ubiquiti UniFi USG as my router, and it lets me define LAN IN rules on its firewall settings. I set these up there. Yours might be different, so you’ll need to follow their guidance.
Step 5: Test and Optimise
I suggest making a list of functionality you’ll need on your network and then testing it for each use case. It can be as simple as this:
- internet access from each network
- AirPrint to printer
- AirPlay to Apple TV and Sonos speakers
- Ability to control the lights
- Ability to access your NAS
The most annoying part of this network structure will be when things aren’t working anymore. Like, your iPhone can’t AirPrint to your printer anymore, so your kids can’t print out their homework. Or your smart lights don’t work anymore.
Solving these will mostly come down to identifying the ports and updating the firewall rules. I keep some port lists in my UniFi USG, and I keep them updated. I grouped them in a way to signify their purpose, like “Airplay Ports” or “File Sharing Ports” or “Web Server Ports”. Easier to add a new print here than adding a new rule.
Try to search for specific keywords on Google when searching for ports. For example, Apple has a nice page that lists all the ports they use and their purposes. Synology, Amazon and other vendors tend to provide these as well. It’s arduous work, but rewarding.
Don’t forget: Your users & devices will grow, and so do their needs. You’ll need to keep these rules and lists updated. Don’t be afraid to experiment, but always have a backup way to connect!
Important Notes and Warnings
Admin Network
You’ll notice that I added a network called Admin into the example above. The purpose of it is to create a privileged access route for you to use when you need to make changes. You’re not exempt from these risks, you can cause them as well as others. So, on a day-to-day basis, you act like a user. When you have to make a change, you elevate your permissions by joining the Admin network.
You can do this in multiple ways. You can create an Admin Wi-Fi and join that, or you can allocate a switch port on your managed switch to give you access to that network. The latter would be more secure, but would require an Ethernet port on your device.
This Admin network should always have access to the networking components, and you need to make sure you never accidentally cut it off. For example, if you’re using UniFi Console to make adjustments to your network, make sure your Admin network has access to it. Otherwise, it would be very challenging to access it without some Ethernet port juggling, and gain control of your network again.
Micro-partitioning
Don’t go overboard with the partitioning. It would reduce your network performance without some additional equipment to help with packet routing. Again, this is for basic home use. The requirements of a corporate network is much more different than a home’s.
Moreover, don’t micro-partition your networks by setting firewall rules for machine to machine communication (unless you have a good reason). It would overcomplicate your network and would make diagnosing issues difficult.
Conclusion
These settings may be too immature for an enterprise network environment, but it should work enough on a home network. It won’t solve all your problems, but it would give you an excellent start.
Don’t be afraid to optimise this further according to your needs, but keep a common sense. You’re not building a corporate network, you’re just trying to make your home network secure. Keep that in mind.
Stay safe and secure.