While it pains me to say it, the cable Internet service is fairly reliable here. The one BIG exception is when we have power outages. One can imagine that Spectrum has never heard of a UPS to use on their router along the way between each home and their cable plant. When we get power outages here in Madeira Beach due to thunderstorms, it is not unusual for the Internet to go out. Sometimes it is just a few seconds and other times it has gone into the minutes. We had a case in March 2021 where the Internet was down for 6 hours (by far the largest time out of service in the 5 years we have been here). The following is a bit of background on the network changes using UniFi equipment. The second post in this series goes into the LTE network backup device and how the VLANs ensure that things like TVs and other heavy streaming users do not utilize the LTE backup (and hit the data limit I have on my 5 GB/month plan). But first–the gear and VLANs.
Coupled with these issues, I discovered that the UPS in my LAN rack was not working properly. I suspected a dead battery, but the failure has been intermittent. So, while it may have been overkill, I decided to pull the UPS out of the cabinet (Cyber Power brand, which I now disfavor). I replaced it with an APC UPS with a network interface for monitoring.
At the same time, we also removed two Ubiquiti 24 port POE EdgeSwitches and installed a single UniFi 48 port POE switch. This was to get the switch more in line with the UniFi framework (since I already have the UDM Pro), which lets me set up VLANs a bit more easily. I could still have done what I needed with the EdgeSwitches, but I traded cost for ease of configuration.
The goal of all this was to allow me to easily setup multiple networks to segment the traffic on my LAN. But first, some background is necessary.
I have many Internet of Things (IoT) devices like WeMo light switches, Amazon Echos (Alexa), Lutron Caseta switches, a Ring doorbell (hardwired by POE), the Kohler generator, smart thermostats, a sprinkler controller and some other miscellaneous items. A common security practice is to set these devices up so they cannot initiate connections to the main LAN. The idea is that if there were a security issue in one of these IoT devices (such as it being compromised by the proverbial hacker), the attacker could not reach any devices except other IoT devices. So the question is: how do we do this?
The answer is VLANs. In the UniFi world, these are set up as separate networks; the UDM Pro abstracts each VLAN as its own Network. Each network hands out IP addresses from a different subnet (192.168.X.Y), where each network gets a different value of X. With some additional firewall rules, the “sub” networks cannot talk to the main LAN network. There are exceptions for the main DNS servers (PiHoles), which are on the main LAN, so IoT devices can still resolve names. A further firewall rule prevents the sub networks from reaching the ssh and web interfaces on the UDM Pro gateway itself. Because the firewall is stateful, the main LAN can still open connections to IoT devices (e.g. a phone app talking to a thermostat) and the replies are allowed back; only connections initiated from the IoT side are blocked.
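To make the rule ordering concrete, here is a small model of the inter-VLAN policy described above, added as an example and not taken from the original post or from any UniFi configuration export. The subnets, the PiHole and gateway addresses, the VLAN id and the sample flows are all assumptions chosen for illustration; the point it demonstrates is that the DNS exception must sit above the broad "block IoT to main LAN" rule, or name resolution from the IoT network silently breaks.

```python
"""
Added example, not from the original post: a first-match-wins model of the
IoT-to-main-LAN firewall policy, used to sanity check rule ordering before
typing the rules into the UDM Pro UI. Addresses and ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Assumed addressing (the post only says 192.168.X.Y with a different X per network).
MAIN_LAN = ip_network("192.168.1.0/24")    # laptops, NAS, PiHoles
IOT_LAN = ip_network("192.168.20.0/24")    # Echos, WeMo, Caseta, Ring, thermostats...
PIHOLES = {ip_address("192.168.1.2"), ip_address("192.168.1.3")}   # assumed DNS servers on the main LAN
GATEWAYS = {ip_address("192.168.1.1"), ip_address("192.168.20.1")}  # UDM Pro's address in each VLAN
MGMT_PORTS = {22, 443}                     # ssh and web UI on the UDM Pro


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    established: bool = False   # reply traffic for a connection the other side opened


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "accept" or "drop"
    match: Callable[[Flow], bool]


def _from_iot(f: Flow) -> bool:
    return ip_address(f.src) in IOT_LAN


# Rules in the order they would sit in the UDM Pro rule list: first match wins.
RULES: List[Rule] = [
    Rule("allow established/related", "accept", lambda f: f.established),
    Rule("allow IoT -> PiHole DNS", "accept",
         lambda f: _from_iot(f) and ip_address(f.dst) in PIHOLES and f.dport == 53),
    Rule("block IoT -> gateway ssh/web", "drop",
         lambda f: _from_iot(f) and ip_address(f.dst) in GATEWAYS
         and f.proto == "tcp" and f.dport in MGMT_PORTS),
    Rule("block IoT -> main LAN", "drop",
         lambda f: _from_iot(f) and ip_address(f.dst) in MAIN_LAN),
    Rule("default allow", "accept", lambda f: True),
]

# Same rules with the broad block moved above the DNS exception: a common mistake.
MISORDERED: List[Rule] = [RULES[0], RULES[3], RULES[1], RULES[2], RULES[4]]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in rules:
        if rule.match(flow):
            return rule.action, rule.name
    return "drop", "implicit deny"


# Constructed sample flows and the verdict the policy in the post requires.
EXPECTED: List[Tuple[str, Flow, str]] = [
    ("Echo resolves a name via PiHole", Flow("192.168.20.50", "192.168.1.2", "udp", 53), "accept"),
    ("Echo reaches the Internet", Flow("192.168.20.50", "203.0.113.10", "tcp", 443), "accept"),
    ("Echo pokes the NAS on the main LAN", Flow("192.168.20.50", "192.168.1.10", "tcp", 445), "drop"),
    ("Echo hits the UDM Pro web UI", Flow("192.168.20.50", "192.168.20.1", "tcp", 443), "drop"),
    ("Echo hits the UDM Pro ssh", Flow("192.168.20.50", "192.168.1.1", "tcp", 22), "drop"),
    ("laptop on main LAN talks to Echo", Flow("192.168.1.20", "192.168.20.50", "tcp", 80), "accept"),
    ("Echo's reply to that laptop", Flow("192.168.20.50", "192.168.1.20", "tcp", 51000, established=True), "accept"),
]


def check_policy(rules: List[Rule] = RULES) -> List[str]:
    """Names of the expected flows the rule set gets wrong (empty list = policy is right)."""
    return [desc for desc, flow, want in EXPECTED if evaluate(flow, rules)[0] != want]


if __name__ == "__main__":
    for label, ruleset in (("ordered", RULES), ("misordered", MISORDERED)):
        print(label, "violations:", check_policy(ruleset) or "none")
```

Two things the model makes visible that the prose does not: the "allow established/related" rule has to be first so that main-LAN-initiated connections get their replies back, and the gateway rule matches traffic addressed to the UDM Pro itself, which in the UniFi UI lives in the LAN Local rule set rather than LAN In. Run the module and the misordered list reports exactly one broken flow, the IoT DNS lookup.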
My next post will be about using an LTE backup device from UniFi to make sure that, if the main Internet goes down, everything still has connectivity. Well, almost everything, as we do not want Netflix to use LTE as a backup. Contrary to the conventional wisdom of others in the house, Netflix is not critical :).
Nice write up! I started down the same path with VLANs, beginning with a Ubiquiti EdgeRouter-X. Next step will be a VLAN aware switch.
To your point, security was the reason I started. I also wanted to keep work separate from home. I have a Cisco router at my house which creates a DMVPN tunnel to our data centers so I can do certain things for my job. Don’t really want them scanning around my home network with their security tools!