# Firewall Segmentation Plan: TP-Link BE9300 Homelab (Revised)

## Objective

To improve network security by isolating IoT devices from the main trusted network using the TP-Link BE9300's dedicated IoT Network feature. The goal is to stop a compromised IoT device from reaching critical systems (the NAS, the Proxmox host, the Raspberry Pis) while keeping cross-network device discovery (casting) functional. These two goals are in tension: casting depends on mDNS, which is link-local multicast and does not cross a subnet boundary on its own, so the plan first measures what the router's default IoT separation allows and only then decides how much isolation to trade away.

---

## Phase 1: Network Design & Configuration
1. **Define the Networks:**
    * **Main Network (Trusted):**
        * **Subnet:** `192.168.1.0/24`
        * **Devices:** Computers, NAS (OMV), Proxmox host, Raspberry Pis, personal mobile devices.
    * **IoT Network (Untrusted):**
        * **Subnet:** To be assigned by the router.
        * **Devices:** Smart TVs, Fire Sticks, Govee lights/sensors, TP-Link/Tapo bulbs, Vivint security system.
    * **Guest Network (Isolated):**
        * **Subnet:** To be assigned by the router.
        * **Devices:** For visitors only.

2. **Router Configuration Steps:**
    * Log in to your TP-Link BE9300's admin interface or use the TP-Link Tether app.
    * Navigate to the **IoT Network** settings and enable it. This creates a separate Wi-Fi network and subnet for your IoT devices.
    * Assign a unique SSID (e.g., `HomeLab-IoT`) and a strong, unique password. Do not reuse the main network's passphrase: a device that holds the IoT passphrase must not be able to join the trusted network with it.
    * Enable the **Guest Network** with its own unique SSID and password.
    * **Crucially, do NOT enable the "Device Isolation" feature at this stage.** The default separation of the IoT network may be sufficient and might not break mDNS/casting; Phase 2 tests this before anything stricter is turned on.
    * Move all identified IoT devices to the new `HomeLab-IoT` Wi-Fi network. Note the addresses the devices receive on the new subnet; they are needed to test casting and isolation later.

---
## Phase 2: Enabling Casting & Testing

The primary challenge is allowing mDNS (for AirPlay/Chromecast) to function across subnets. mDNS queries and answers go to the link-local multicast group 224.0.0.251 (ff02::fb for IPv6) on UDP port 5353, and routers do not forward link-local multicast, so nothing crosses from the IoT subnet to the Main subnet unless the router itself reflects it. The BE9300 does not have an explicit "mDNS forwarder," so we rely on the default behavior of the IoT network. Discovery is also only the first half of casting: once a TV has been found, the phone opens a direct unicast connection to it (TCP 8009 for the Chromecast control channel; AirPlay uses its own ports), so the Main-to-IoT direction must be permitted by the router's default rules as well.

1. **Initial Test (Without Device Isolation):**
    * Connect your phone or computer to the **Main Network**.
    * Open a casting-capable app (e.g., YouTube, Spotify).
    * Check whether your TVs and other casting devices (now on the `HomeLab-IoT` network) are discoverable, and that playback actually starts after selecting one.
    * **If casting works:** The default rules between the Main and IoT networks are permissive enough for discovery and control. This does not by itself prove that IoT-to-Main traffic is blocked; Phase 3 confirms that.
    * **If casting does NOT work:** Proceed to the next step.

2. **Troubleshooting with Device Isolation:**
    * The BE9300's "Device Isolation" feature is likely too restrictive, as it is designed to prevent communication between isolated devices and the main network entirely. This will almost certainly break casting.
    * There is no evidence from the research that the BE9300 allows the fine-grained rules needed to permit only mDNS traffic. The trade-off is between full isolation (no casting) and the slightly more permissive default IoT network separation (casting works).

**Note on Wired Devices:** Research indicates the "Device Isolation" feature may only apply to Wi-Fi clients. Any IoT devices connected via Ethernet may not be isolated from the main LAN, which is a limitation of the hardware. If a wired IoT device must stay isolated, connect it to the IoT SSID over Wi-Fi instead, and include it in the Phase 3 isolation test either way.

---
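Rather than relying on whether YouTube happens to list the TV, discovery can be tested directly. The script below is an added example for this section, not code from the original plan or from TP-Link. It sends a one-shot mDNS PTR query for `_googlecast._tcp.local` (use `_airplay._tcp.local` for AirPlay) to 224.0.0.251:5353 from an ephemeral port; because the source port is not 5353, responders treat it as a legacy unicast query (RFC 6762 section 6.7) and reply straight back to the sender, so no multicast group join is needed. It then parses the PTR, SRV and A records in the replies so the TV's unicast address and port are visible. Run it from a Main-network client: no answers means multicast is not crossing the boundary and no app will find the TVs; an answer shows the IoT-side address and port that the casting app connects to next. The service names, timeout and the `cast_targets` helper are choices made for this example.

```python
# mDNS discovery probe: added example for the casting test, not part of the plan.
import socket
import struct
import time

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name: str) -> bytes:
    """DNS wire form of a dotted name: length-prefixed labels plus a zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(service: str, txid: int = 0) -> bytes:
    """One-question standard query for the PTR records of a service type."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def read_name(buf: bytes, off: int):
    """Decode a possibly compressed name at off. Returns (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # first pointer ends the name on the wire
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                               # pointer loop from a hostile responder
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_records(resp: bytes):
    """Return [(name, rtype, value)] for every RR in the answer, authority and
    additional sections. PTR values are names, SRV values are (target, port),
    A values are dotted IPv4 strings, anything else is the raw rdata."""
    qd, an, ns, ar = struct.unpack("!HHHH", resp[4:12])
    off = 12
    for _ in range(qd):                                 # skip echoed questions
        _, off = read_name(resp, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        if rtype == TYPE_PTR:
            value, _ = read_name(resp, off)
        elif rtype == TYPE_SRV:                         # priority, weight, port, target
            port = struct.unpack("!H", rdata[4:6])[0]
            value = (read_name(resp, off + 6)[0], port)
        elif rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        else:
            value = rdata
        records.append((name, rtype, value))
        off += rdlen
    return records


def cast_targets(records):
    """Join SRV and A records into {instance: (ip, port)}: the unicast endpoint a
    casting client connects to after discovery."""
    addrs = {n: v for n, t, v in records if t == TYPE_A}
    return {n: (addrs.get(v[0]), v[1]) for n, t, v in records if t == TYPE_SRV}


def discover(service="_googlecast._tcp.local", timeout=3.0):
    """Send the legacy unicast query and collect replies until the timeout.
    Returns {responder_ip: records}. Does network I/O; not run by the offline check."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.5)
    sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
    found, deadline = {}, time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (ip, _) = sock.recvfrom(4096)
            found.setdefault(ip, []).extend(parse_records(data))
        except socket.timeout:
            continue
        except (ValueError, IndexError, struct.error):
            pass                                        # malformed reply: ignore it
    sock.close()
    return found


if __name__ == "__main__":
    for ip, recs in discover().items():
        print(ip, cast_targets(recs))
```

On a client with more than one interface, set `IP_MULTICAST_IF` on the socket so the query leaves through the Wi-Fi interface; as written the script uses the default route. The parser caps compression-pointer hops because a replying device on the untrusted network controls every byte of the response.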
## Phase 3: Final Validation

1. **Test Isolation:**
    * Connect a device to the **IoT Network**.
    * Try to access a service on your Main network (e.g., ping your Pi-hole at `192.168.1.196`, open its admin page, or access the OMV web UI).
    * **Expected Result:** Every attempt should fail. Test real services and not only ping: a router can drop ICMP while still forwarding TCP, so a failed ping alone does not prove segmentation. Failing connections confirm the IoT network is properly segmented from your trusted devices.
    * Repeat the check from the Guest network, which the plan treats as fully isolated.

2. **Test Internet Access:**
    * Ensure devices on the IoT and Guest networks can access the internet.

By following this revised plan, you will be using the specific features of your router to achieve the best balance of security and functionality the BE9300 allows.
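The two Phase 3 tests can be scripted so the result is a pass/fail matrix rather than a handful of pings. The script below is an added example for this plan, not code from the original document or from TP-Link. It classifies each TCP connect attempt as `open`, `closed` or `filtered`, because for a target that is supposed to be blocked a `closed` answer (an RST came back) means the router forwarded the packet to the Main network and the host replied, which is a segmentation failure even though the service refused. The only address taken from the plan is the Pi-hole at 192.168.1.196; the OMV address 192.168.1.10, the TV address 192.168.50.20 on the IoT subnet and the public HTTPS target 1.1.1.1 are placeholders to replace with your own, and the `probe` parameter is injectable only so the matrix logic can be checked offline.

```python
# Phase 3 segmentation matrix: added example, not part of the original plan.
import socket
from dataclasses import dataclass

# Addresses: the Pi-hole is from the plan, everything else is an assumption to adapt.
PIHOLE = "192.168.1.196"
OMV = "192.168.1.10"            # assumed NAS address on the Main network
TV = "192.168.50.20"            # assumed TV address on the router-assigned IoT subnet
PUBLIC_HTTPS = "1.1.1.1"        # assumed always-up internet target

# Outcome sets. Only "filtered" is acceptable for a blocked target: "closed"
# means a SYN crossed the boundary and the host sent an RST back.
BLOCKED = frozenset({"filtered"})
ALLOWED = frozenset({"open"})


@dataclass(frozen=True)
class Check:
    name: str
    host: str
    port: int
    expect: frozenset           # acceptable probe outcomes


# Run these from a client on the IoT network.
IOT_CLIENT_CHECKS = (
    Check("Pi-hole DNS (TCP 53) on Main", PIHOLE, 53, BLOCKED),
    Check("Pi-hole admin UI on Main", PIHOLE, 80, BLOCKED),
    Check("OMV web UI on Main", OMV, 80, BLOCKED),
    Check("OMV SSH on Main", OMV, 22, BLOCKED),
    Check("Internet HTTPS egress", PUBLIC_HTTPS, 443, ALLOWED),
)

# Run these from a client on the Main network: casting needs this direction open.
MAIN_CLIENT_CHECKS = (
    Check("Chromecast control port (TCP 8009) on the TV", TV, 8009, ALLOWED),
)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect as open, closed (RST received) or filtered (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:             # timeout, no route, host unreachable
        return "filtered"


def run_checks(checks, probe=probe_tcp):
    """Run every check. Returns (all_passed, [(name, observed, passed), ...])."""
    results = []
    for c in checks:
        observed = probe(c.host, c.port)
        results.append((c.name, observed, observed in c.expect))
    return all(passed for _, _, passed in results), results


def report(results) -> str:
    """One line per check, suitable for pasting into the plan's validation notes."""
    return "\n".join(f"{'PASS' if passed else 'FAIL'}  {name}: {observed}"
                     for name, observed, passed in results)


if __name__ == "__main__":
    ok, results = run_checks(IOT_CLIENT_CHECKS)
    print(report(results))
    print("segmentation OK" if ok else "segmentation FAILED")
```

Run it once from a laptop on `HomeLab-IoT` (every line should be PASS) and once more from the Main network with `MAIN_CLIENT_CHECKS` to confirm the casting direction is open. For the wired-device limitation noted in Phase 2, run the IoT matrix from an Ethernet-connected IoT device as well; if the Main targets come back `open` or `closed` from there, that device is not segmented.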