home network design/security


#1 Vesku225


  • Members
  • 4 posts

Posted 18 February 2015 - 06:56 AM

Currently I have an internet connection via MiFi, a desktop with Win 7, a desktop with Ubuntu, and an Android tablet. I am also planning to build a new computer in the near future. I may change the Internet connection to DSL.

I would like to divide my home network into 2 or 3 zones.

1. I would need to ensure that the desktop running Win7 would be very secure. Programming, online banking, etc., connected to 2 external hard drives.

2. Desktop with Ubuntu + possibly a VM. I use it to download programs and stream, so there is a higher risk of the computer catching malware, and I would like to keep the rest of the network safe if any malware gets onto this computer.

3. Guest users: kids and other family members connecting with different devices, including tablets, Macs, laptops and other devices running all kinds of OS.

I would like to make sure my home network is rather secure from outside but also has added security inside, between the different zones. I am also looking to learn a lot about networks, both the theory and using that knowledge when building my own, so I consider this a learning experience: experimenting with subnets, routers, firewalls and different settings, and monitoring network traffic.

I would also like to have as much anonymity as possible when connecting to the internet. I am planning to get 2 routers and at most 2 hardware firewalls (the number of routers and firewalls may vary depending on the design). I also have Norton 360 firewall software on the Win7 desktop. Ideally the routers would support both wired and wireless, but at the moment connections would be mainly wireless. I don't mind having a VPN for added security, but I'm still a bit lost as to where to add it, or whether it should cover the whole network. Currently I am not planning to share folders or resources between zones, and there will be no remote access from outside the network.

How would you design the network? Should I have zone 3 just behind the MiFi, and then routers between zones 3 and 1 and between zones 3 and 2, with firewalls between the MiFi and zone 3 and another one between zone 3 and zone 1? It may be overkill, but I'm trying to learn at the same time.



#2 Wand3r3r


  • Members
  • 2,027 posts

Posted 18 February 2015 - 11:09 AM

Yep, way overkill for a home network. The problem I see here is that you are designing a network based on no understanding of what the risk vectors are. For example, what are you protecting yourself from with multiple firewalls? Do different subnets provide security?


You also have an issue with the MiFi. MiFi is a direct wifi connection to the MiFi device. Great for getting wifi devices [usually limited to 5 connections] directly connected to the internet. You might want to consider just using this as your guest network and bringing in a DSL connection for your main network. I am curious to know how you are going to connect a firewall to the MiFi.


Alternatively, they do make wifi routers that have guest wifi networks isolated from the main network.


Instead of routers, you may want to consider a managed switch and using VLANs to protect your devices from each other.

#3 Orecomm


  • Members
  • 266 posts
  • Gender:Male
  • Location:Roseburg, Oregon

Posted 18 February 2015 - 01:17 PM

If your primary purpose is to learn, I'd suggest getting a smallish Mikrotik router. While not particularly intuitive, they do have a decent web interface and lots and lots of online advice and assistance on a wide range of topics. And they are inexpensive. The RB951 series is a nice smallish home WiFi router; the RB2011UiAS-2HnD-IN is a bit more "industrial". These models have WiFi, but I haven't played with that part of the setup so I don't know its full capabilities. They can act as a wireless client to your MiFi, though, so you could choose to use one to isolate a small wired subnet, or have it take on a larger role and isolate your whole in-home network. Mikrotiks allow you to configure individual ports as router ports, rather than the typical one uplink and a four-port switch.

I use an RB750GL (no WiFi) to isolate my lab from the rest of the house, similar to what you are doing. I configured a 192.168.10.x network for the lab and set firewall rules so it can only reach the Internet, not my other LAN, and then only on certain ports (I get a lot of "diseased" computers in the lab to work on). I log all attempts at outbound access on other ports, which helps track down badness in the machine in some instances (usually the C&C servers of malware).

I like the Mikrotik (we use them at work as well) because, once you learn a bit, it's pretty easy to work with, particularly the firewall, and the volume of info available on the net is impressive. You do have to be aware of version differences, though; it's worth sticking with relatively recent tutorials. This isn't a trivial solution. You will probably spend a week or two getting your head around it before you get it working more or less the way you want it to.

#4 Sneakycyber


    Network Engineer

  • BC Advisor
  • 6,136 posts
  • Gender:Male
  • Location:Ohio

Posted 21 February 2015 - 08:35 PM

As mentioned, building a network behind a MiFi is going to be difficult. Depending on to what extent you're trying to learn, most corporate networks are designed Modem ---> Firewall/Router ---> Layer 2 switch ---> Wireless access points and computers. The VLANs can be created on the router and 802.1Q tagging can be performed on the switch. Just starting out, you can do everything with a Cisco WRVS4400; you should be able to find a used one. This will allow multiple wireless networks, VLANs, IPsec VPN, and an SPI firewall. You can even use the built-in switch to separate the VLANs.

Edited by Sneakycyber, 21 February 2015 - 08:35 PM.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +
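Putting the two suggestions together (Orecomm's firewall rules that let an untrusted subnet reach only the Internet, and only on certain ports, logging everything else; and Sneakycyber's "VLANs on the router, 802.1Q tagging on the switch" layout), here is what the original poster's three zones look like as a MikroTik RouterOS configuration. This is an added example written for this thread, not configuration posted by anyone in it, and it generalises Orecomm's single lab subnet to all three zones. Everything in it is an assumption about the poster's setup: ether1 is the uplink to the DSL modem, ether2 is the trunk to a managed switch, VLAN 10/20/30 are the secure desktop, the download box and the guests on 192.168.10/20/30.0/24, the download box gets only web, DNS and NTP outbound, and the router is managed on ports 22 and 8291 (Winbox) from the secure zone. Interface lists need RouterOS 6.41 or newer.

```routeros
# Added example for this thread, not any poster's configuration.
# Assumed layout: ether1 = DSL uplink, ether2 = 802.1Q trunk to a managed switch,
# VLAN 10 = secure Win7 desktop, VLAN 20 = Ubuntu download/streaming box,
# VLAN 30 = guests. Change names, VLAN IDs, subnets and ports to suit.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-trunk

# One VLAN sub-interface per zone on the trunk port (router-on-a-stick).
# The trunk port itself carries no IP address; all zones arrive tagged.
/interface vlan
add name=vlan10-secure    vlan-id=10 interface=ether2-trunk
add name=vlan20-downloads vlan-id=20 interface=ether2-trunk
add name=vlan30-guests    vlan-id=30 interface=ether2-trunk

# The router is the default gateway of each zone.
/ip address
add address=192.168.10.1/24 interface=vlan10-secure
add address=192.168.20.1/24 interface=vlan20-downloads
add address=192.168.30.1/24 interface=vlan30-guests

# Group the zones so one rule can say "from any zone to any other zone".
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10-secure
add list=LAN interface=vlan20-downloads
add list=LAN interface=vlan30-guests

# Uplink gets its address and upstream DNS from the modem; router resolves
# DNS for the zones; everything leaving the uplink is NATed.
/ip dhcp-client
add interface=ether1-wan disabled=no
/ip dns set allow-remote-requests=yes
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-wan action=drop comment="nothing from the internet reaches the router"
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept comment="DNS from any zone"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input in-interface=vlan10-secure protocol=tcp dst-port=22,8291 action=accept comment="manage the router only from the secure zone"
add chain=input action=drop log=yes log-prefix="input-drop"

# --- forward: traffic routed between interfaces; first match wins, top to bottom ---
add chain=forward connection-state=established,related action=accept comment="replies to connections already allowed"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=LAN action=drop log=yes log-prefix="inter-zone" comment="no zone may talk to another zone"
# Zone 2 (download/streaming box): only web, DNS and NTP to the internet;
# anything else it tries outbound is dropped and logged, which is where
# malware phoning home on an odd port shows up.
add chain=forward in-interface=vlan20-downloads out-interface=ether1-wan protocol=tcp dst-port=80,443 action=accept
add chain=forward in-interface=vlan20-downloads out-interface=ether1-wan protocol=udp dst-port=53,123 action=accept
add chain=forward in-interface=vlan20-downloads action=drop log=yes log-prefix="zone2-other"
# Zones 1 and 3 may reach the internet on any port.
add chain=forward in-interface-list=LAN out-interface=ether1-wan action=accept
# Everything else, including anything arriving from the internet, is dropped.
add chain=forward action=drop log=yes log-prefix="fwd-drop"
```

On the switch side, the port facing ether2 is a tagged trunk for VLANs 10, 20 and 30, and each zone's ports are untagged access ports in that zone's VLAN; an access point only fits this model if it can map a separate SSID to each VLAN, otherwise every wireless client lands in one zone. DHCP for the zones is left out above. To see what the download box tried that was refused, `/log print where message~"zone2-other"` lists the dropped connections with source, destination and port; the inter-zone rule sits above the per-zone accepts on purpose, so moving it lower would silently allow zone-to-zone traffic that the later accept rules match.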
