People like networking. Welcome to The Homelab Show, episode 41: network segmentation, VLANs and subnets. This is kind of fun, because me and Jay were bouncing this topic around last night, and yes, that's how much time we put into thinking ahead. We actually have a long list of things. I mean, I'm not trying to discount it, and we're pulling from our hat of stuff we do for a living, so it's not like we are really... It's joking when we say we only put a day's thought into it, because we actually have a career's worth of thoughts, and then we say, what is that thing out of our career that we would like to discuss that would help people? And sometimes that's what drives a show episode.

Yeah, that's so true, because usually it's one or the other, right? It's something that comes together last minute, but it's also something that we've been doing for decades, so we don't need to prepare, because we do it every day. Versus new things that we know nothing about, that we dive into and learn like crazy before we do a video. That we do have to prepare for, so there's a little mix of both, I think.

Absolutely, there's a big mix of these here, and either way, we like to share the knowledge, bring this to you, and this is, you know, just a lot of fun. This is me and Jay sharing our passion with all of you. So we're excited to see so many people as we start to get comments. There are so many people waiting on the live stream, because we started, for those of you listening to the live stream, two minutes later than usual. So yeah, all right. And this is, as I said, The Homelab Show episode 41: network segmentation, VLANs and subnets. And it is sponsored by our friends at Linode, who also, you know, their network engineers know a little bit about this stuff. When you build your servers in Linode, there is a series of segmentation, everything that goes on; some of it's visible, some of it's invisible, the way you get your IPs on there. But either way, all the different fun projects we talk about in here are really easy
to set up in Linode. They have a series of kind of predefined scripts to make your life like one-click kind of easy. But if you want to go deeper, you of course can use these one-click scripts to build these and then take them back apart and learn how to reassemble these different servers and ideas and all these fun projects that we talk about here on The Homelab Show, on their platform. It is where you will be downloading this: if you listen to this podcast, you've downloaded it from a Linode server, and this is something Jay maintains, actually, specifically the infrastructure around the web thing. So if it's down, tag Jay and blame him on Twitter. But it's never been down because of Linode; they actually have amazing uptime, an amazing support staff. We want to thank Linode for sponsoring the show. There's an offer code down below if you'd like to get started with Linode.

And yeah, I just want to jump into this topic, because there's so much I have to say, and we're gonna try to keep it as concise and on topic as possible. So that's definitely a... Sometimes the desire to wander is there, because, you know, I've seen, Jay, when we were doing a note, one of the things that gets mentioned, like, you know, how much of the OSI layer do we start talking about, like that? And don't get me wrong, it's always the challenge when you're coming up with these videos: how narrow in scope we want to keep things. And we'll try to keep it as concise as we can. Now, a little bit of what's driving this is three videos I just released on my YouTube channel, the comments and feedback. And I realized there's an overlap of people who listen to The Homelab Show that do also follow me and Jay on YouTube, and I was kind of going, okay, I see where some of the confusion is, and some of the confusion is in segmentation, or maybe how a VLAN works. And I was joking around with Jay that the S in VLAN stands for security. Right.
There's no S in VLAN, folks. The security is not done because of the VLAN, but the VLAN is part of how you segment your network. So let's start with defining a few things, and one of the things that came out of it, and I will link to that video, specifically it was for setting up pfSense good secure home firewall rules, but the rules and concepts really apply to whatever firewall you're using; it doesn't have to be pfSense. This talk here is all platform agnostic. It's all about concepts. And the first one, it's a valid one, because you'll sit there staring at a blank piece of paper, and it can be the hardest part of all. I say paper; this is probably like how we say recording as if we're still using tapes, or we're playing back something on a record. Either way, right, you're staring at your blank diagram where you start laying out your subnets. And subnetting and planning separate network IP layouts is a good place to start. Now, I've always liked the really simplistic and logical approach of the 192.168 network, because my muscle memory of my fingers types 192.168. The planning of this, so, comes up to a lot of questions of, well, is there a specific schema
I should use for it? And not exactly, but at least I can tell you a couple of them to avoid. 192.168.1.1 is going to be most common among, sure, consumer routers, or .0.1, that is. Or specifically, let's give it the full notation here: 192.168.0.0/24 or 192.168.1.0/24. Both of those would be a /24 network, allowing you 255 IPs, and they're the most commonly used for things like your Linksys, Netgear or any of the really consumer-based routers. I really recommend avoiding those numbers. Those are the ones that you'll run into most, especially if you run into business networks; you run into a lot of conflicts if you're trying to VPN. But outside of those numbers, anything in the RFC 1918 space is fair game, whether you want to start it with the 172 blocks or you want to start with the 192 blocks. Make sure you're reading the full RFC 1918 and not going... just because it starts with 192, by the way, doesn't make it RFC 1918. It has to be 192.168. Those octets are what put you in that block right there. So as far as how you do your subnetting, pick a schema, stay with it, and that's pretty helpful. But of note on that, what I mean by stay with it: when I'm setting up my home network, I built out all the things that I refer to as my not-safe-for-work LAN, as in, when I work from home, anything that's not safe for work. That's a streaming media device or all these other random things that you hit up on your network, or when you let your friends come over. I stick those on the one LAN network.
I have my security stuff, stuff I care about, that is more locked down and more segmented on a 172 network, because you can mix and match these different, you know, first octet prefixes as long as they're all RFC 1918. And one of the things this can do, especially if you're using things in the 10 network, is at a glance you immediately know. When you use groupings like that, you can go, oh... and we've done this with many corporate networks: we'll put the guest network on a completely different first octet prefix, because then you just know. If it has a 10 in front of it, because everything on this network starts with 192, or vice versa, everything on the network starts with 10, but you then throw the guest network in the 192 series, you're like, if it's got a 192, it's a guest thing. It doesn't really matter if there's an anomaly found in a network related to it; it's obviously a guest device, because that's where I've stuck all the guest devices. As long as you have some type of concept as you put it down. And honestly, spreadsheets work really, really well for this. It makes it pretty easy to then start laying them out, for reasons of naming. And if you ever get into doing larger network design, I try to skip a couple numbers in between on the third octet. That's just a preference. That way, if I have groupings, let's say the 192.168.10.0/24 is for cameras, but then we have too many cameras, so we need an 11.0 and a 12.0. And then I'll start the 20 for maybe phones, and then if I have too many phones, the 21 and 22 can be phones, and I can start the 30, that third octet, with 30. So there's a few concepts that you can follow like that, but there's not like an absolute you have to, for any other reasons than organization, to do it either way. So hopefully that clarifies some of the subnetting. What do you think, Jay? Does it kind of make sense?
It does. It's kind of one of those things that I've had a lot of confusion about when I first started, and part of the reason why I create tutorial videos is because some of the learning content that I had access to at the time just didn't really help me much and just kind of confused me more. So I try to think about, you know, where things were hard for me, which is probably the case that other people have similar difficulties. But when it comes to subnetting, it's one of those things that I feel like is really hard to explain well. I think you did a good job, but I think that some part of it is just, you have to do it in order to really get it, because there's only so much explaining you can do. But that was a really good explanation. I figured maybe I'll just mention some of the confusion that I had, and then maybe that'll help gauge some of the following discussion after that. And to start off with, when I first started homelab, at the very beginning I didn't have any subnets at all other than the one that was there, the default. And I didn't have any VLANs or anything. It was just a consumer-level router, you know, just like many people start with out there. And I basically divided the network in my own way. It wasn't a true division, it wasn't an actual segmentation, but I would have it set such that... it was like a class C is what most people are going to see when they're first starting out. It's what it's called, but we use classless networking, CIDR notation, which is a /24. We can talk about that later. But basically, what that means in a nutshell right now, to keep it simple, is you have 254 addresses. So if you don't change anything, that's what you have. The default router configuration, DHCP and all that, is going to do that. So the segmentation that I came up with was .1 through .10 is network devices, like, you know, managed switches. Excuse me. Maybe a NAS would qualify as that, or anything
that's like network hardware would be .1 to .10, and anything from like .11 through .20 was servers, and then, you know, some other things in between, and then I would have .100 to .200 would be DHCP. But all of it's the same network. The segmentation here is nothing but just my scheme of where I put things manually when I do static IPs. So none of this... I'm going to accuse myself of having, like, a great... this is a great thing. But you start off there. Usually people do that: they get a spreadsheet, they write it down, and they just make sure to statically assign something that fits within the scheme that they come up with. But there's no network benefit from this other than, oh, it's a .15, so that must be a server. It's .123, so that has to be a computer, because it got, you know, its normal DHCP. But then you start to get into subnetting, or thinking about it, like, should I be doing that? One problem here where I think it really kind of gets into form is that 254 addresses used to be a lot. Like, there used to be a time, remember, where you had one computer in the house. It was like a shared computer, because that was super expensive, and some people to this day have that still. And, okay, 254 addresses. You have one computer, you have a router, and that's it. You have two things. So, okay, that's fine. But then as time goes on, computers become more inexpensive.
You have a bunch of Raspberry Pis, so give them an IP address. Everyone in your house has a, you know, smartphone, probably, so give that an address. And then maybe some people have a smartphone and a tablet and a laptop and a desktop, plus streaming devices and Xbox and PlayStation and Internet of Things, and all of a sudden 254 addresses doesn't really seem like all that much anymore. So when I first started looking into subnetting, I was reading every book that I could find, same with VLANs, and it really confused me, because, at least for me personally, I don't feel like the books were really explaining this well. So what the confusion was is you have a subnet mask, and by changing the octets of the subnet mask you are giving yourself more IP addresses and splitting the network. But when I worked in, you know, network administration for the very first time, or when I joined an IT company for the first time very early in my career, and I saw how a network admin was actually subnetting, it was not how the book said it was going to go. The book would lead you to believe, and many books would lead you to believe, that you just dropped the octet. You could have separate networks within. You can, but then when I got to work for a company, it's been this way ever since: it's just a bunch of /24 networks. They have, you know, like a 10.10.10.0/24, or 192.168.10.whatever. They have their own scheme for how to name the IP addresses, but they are legitimately completely separate networks in every sense of the word. There's a router that routes between them.
I think that's kind of what clicked for me, because if you think about... and this has happened to me all the time, I don't know if it's happened to anyone in the audience, where you bring your laptop with you and you go to, like, a Burger King or a restaurant that's right there by a really busy highway, and you probably already know where I'm going with this. And, you know, it's Whopper Wi-Fi at Burger King, right? So you try to connect to it, check some email, and it connects fine, but it just says no internet access. Why? And you look at your logs and you find out you can't get an IP address, probably because everybody that's driving by is hitting that access point over and over and over again, saturating the DHCP list and using, or trying to use, beyond 254. You realize quickly the limitation there. And my point is, when it comes to subnetting, by dropping the subnet mask, or lowering it, you know... I forgot what the... I don't remember it off the top of my head, because even I don't have this memorized, but if you lower the octets of the subnet, then you go from 254 to what was it, like a thousand, at the next level? I can't remember. It goes /22.

And I've seen this before: I was on vacation at a resort, and it was funny, because they had address exhaustion problems and no guest isolation, so I could see everybody on there. And I was like, wow, one, I can see everything, too. They need more addresses.

Yeah. So one time I was, like, on the internet and had that problem, and then I just statically assigned myself an IP address within the range, and it worked fine.
I was online and other people are like, how do you get online? Like, I've been trying, everyone's trying. And next thing you know, I'm teaching everybody how to assign a static IP on their device, which, you know, you're literally just hoping that there's no other device using that IP. You really don't know. So that's one benefit of subnetting right there, is that it increases the number of addresses you have available, because 254 might not be enough nowadays with Internet of Things, Rokus, Xboxes. You have IPs being used left and right. I would say the average household now in a lot of areas probably uses more IP addresses than companies did 15 years ago.

So I see a future where Jay's got so many Raspberry Pis, they have their own Raspberry Pi subnet, because he's got so many of them.

Not wrong. So right there you can see a value of subnetting. And when it comes to how businesses do it that I've seen, especially with cloud, they just have completely separate networks that they design the IP address scheme for, and then they have some kind of a router in front of it that routes the traffic accordingly. I haven't personally seen a company, in my experience, that subnets the way the books tell you that is done. The way that the books tell you how to do it is just changing the subnet mask, and that's it. That's all you do. But maybe it's better now, because I honestly haven't read a book about it in a long time since I learned it. But at least back then it was hard. And when it comes to VLANs, what was kind of confusing for me? Honestly, it's less confusing, but I was thinking, okay, well, how do I know the right number to come up with? Does it matter what number for the VLAN ID I come up with? Is it completely arbitrary, to where I could just make up whatever I want? What's the minimum number? What's the maximum number? These questions are all answered in the books pretty well,
I think, because it's pretty straightforward, but I had these questions, and it took a long time to click. And that's one of the things I wanted to mention here, because it's going to set the stage for navigating the homelab, because I think the learning process matches where you have a class... almost a class C, so I'm used to that too, a /24 network, right? And it just doesn't go far enough, because in a homelab we have a bunch of VMs, you have this, you have that. What do you do about that? And then the conversation trends to, okay, I need to do subnetting. How do I do it? How do I split it up? Does that help security? Does it have nothing to do with security? Is it required for another security thing that I want to do? Why would I even want to split my network in the first place?

And that's actually the next part I'm going to be talking about, is before we get to the VLANs, is why we split our networks. I think that's probably a good place to start. So, all right then. So we have a /24 network. We are using 253 addresses right now. Things are not looking good. We have, like, 50 Raspberry Pis and 100 IoT devices and all kinds of things. What do we do? All right. The easy solution is you could just go to, you know, a /22. So you've increased the scope of a particular range; that'll give you more IP addresses on the segment, and that part's fine. But let's talk about more specifically, besides just having bigger subnets to have more devices, and so Jay can have an entire Raspberry Pi army at his disposal. As I do. Because he does. That's a different topic. Yeah, that was a lot; that was last week's episode. But why do we segment things on a network? And security is the first answer that a lot of people come up with, and it's certainly a big part of it, but overall you want to have logical groupings of things.
So one, you know where they're at, sometimes just for routing reasons. But specifically, and especially in scope of The Homelab Show, security is probably the utmost reason you do it. And with segmenting things out, what you're trying to avoid, and let's use a few cybersecurity terms here, is you have your east-west movement across the network. So north-south is the coming in or going out through the firewall; east-west is if someone is inside your network, what can they do? They've taken over a phone, they've taken over an IoT device, they're on your computer, which is always the worst-case scenario. But we have lateral movement: where can that person on your network, or device, move laterally, and what can they find, what can they see? Now, if you actually built a network that is flat but isolated every host from each other, you've actually still firewalled everything in its own tiny little space, and that's less of an issue. But that's never how we build networks, because the reason the things are on the same network some of the time is because they need to talk to each other. I need to send a print job to my printer. I need a file share between my server and my NAS and my system. I need these systems to log on. Now, ideally, encryption should be in place for any of these local devices; just because it's local, never assume that the network is secure, even though it's behind the firewall and everything else. This is a good mentality to keep, but I also do live in the real world where, well, some things and some traffic that passes across each little grouping of subnets is just going to be unencrypted, and that's life. We always are working towards it.
I love modern products, but I do work in the real world of not-modern products that are available. Either way, by offering these segmentations, this allows you security. Then the next question, of course, is what goes where, what goes on what. And the next time you're looking at this, and this was a thing that I commented right away, is going through and putting your phone on the IoT network. I said this in my video where I talked about doing the pfSense home firewall rules, and people were like, what, the phone on the IoT network? And honestly, if you look at some of the IoT devices, I'll use Chromecast as an easy example: the modern ones run a version of Android, and my phone runs Android. And if you're using an Apple, you know, you're trusting the Apple ecosystem; well, there's the Apple phone or the Apple TV, and having those devices on the same segment makes a lot of sense. Now, do you trust those devices implicitly, that you are fine with them being on other networks? Not necessarily, so you kind of group those together. There's one of your groupings. One of the things that I also would say goes on the network, and I'll bring up Plex because this I know is more of a home user thing than a business thing, but Plex and streaming media servers that you host and run should also be on that same network segment as the IoT devices, as the devices that they're going to talk to. The problem is, if you... and I've seen people already mentioning in the comments things like mDNS. If you're trying to do things like mDNS and bridge it between two separate subnets and create firewall rules between there, it may work, but it does depend on the device, and it depends on how the device was written. Sonos is one of the easier examples, because I see a mix of it used in businesses and at home, and Sonos is one of those things that, well, they just don't seem to expect any device not to be on the same broadcast segment, same subnet, as the devices that are talking to it. That's a really common thing.
That's one of the reasons I always say group all those together. Now, getting a bit more into business, but this definitely overlaps the homelab people, is building out your storage subnet. The storage subnet, and when you're looking at, let's say, something like NFS: if NFS is not using any type of encryption to talk, that means it's kind of passing around in the clear some of the data. Well, that is something you should probably logically lock down to a network segment, so your different things, whether it be iSCSI, NFS... And really, it's just also a security measure of, if there's some type of bug that could be exploited in NFS, or a misconfiguration on your part, having your storage network, and let's say your VM servers and the NAS target storage that they talk to, all on that separate network makes a whole lot of sense, because now you've segmented out the different traffic that's going through there. One, you can identify, you can track all that traffic. You don't allow the other devices on there, so there's no risk of interference. And if there was going, hey, we found a flaw in the iSCSI protocol, in the NFS protocol, you're less at risk, because, well, I'm going to patch it, but hey, it's over there, and it's not something that, if someone was on my local network, they have direct access to. There's another reason for segmentation. Now, this goes into the cybersecurity slash homelab area, which is segmentation where you absolutely create really isolated networks, and I've talked a little bit about this before. Is because we have one, we just call it VLAN 1337, because it's a small logical segment, but sometimes you can go a step further in isolating it. It's for people who want to actually do some malware testing. Do not start by testing malware.
This is something you work yourself up to, a series of advanced things, because I have really dealt with companies who thought they were curious if their AV system worked, and they just wanted to test it, and they ended up owning segments of their network and a server, because they didn't realize that what they thought was an isolated network had absolutely the ability to, you know, reach through and do this. One of the common misconceptions is the double NAT thing. So I'll be behind the first NAT, and they create another NAT behind it without realizing that second NAT behind it can reach up to the first one, and they can have problems. So there's different reasons for all these different isolations that you do. Now, the methodology of isolation is where we'll get into... there's different methods, where let's just create all separate... I think Steve Gibson became famous for his, I think he called it the three dumb routers system. Where, yeah, I remember that one. Yeah, I thought that was clever. It's really the most basic and simple way. Look it up; I'm not going to go into it. I think the listeners here are more advanced, to have at least some type of firewall that has some segmentation support, or a firewall that has multiple interfaces on here.
So if you look at some of the modern firewalls, the majority of them, and you should be building yourself whether it's on Untangle, pfSense, OPNsense, whatever the firewall that makes you happy. Network interface cards are relatively inexpensive. I've talked about, when you're building your own firewall, grabbing all those four-port Intel cards, and now you have four logical spots to plug in and build your network. And then from there you can segment it. Now the firewall becomes the divider between those logical segments of the network. So I can have switch port one going to a switch... firewall port one, I should say; firewall port two going to another switch, and never the two shall meet except for at the firewall. The firewall will look at it and analyze traffic coming from each segment, and then you will write rules that allow traffic to pass, or you will put it in so they shall not pass this traffic, and you'll keep this nice isolation between them. Now VLANs come in here, and VLANs, I've got I think two or three strong explainer videos I put together to show the differences on here. Now VLANs share that logical port. So let's say we have a firewall, for sake of discussion here, one port is labeled WAN, the next one is labeled LAN, but we want to have segmentation of it.
So we physically have a single port, but logically we go, I want to subdivide this out. And let me explain why you would want to do that. If you go through and say, here's my LAN, but then I want to make an IoT LAN, and I want to make another LAN for my guests. So we have just a couple to keep it simple. The VLANs carry the data across the same physical layer, but add an extra tag to separate the traffic. You need a VLAN-aware firewall first, and then after that you need VLAN-aware switches. What these allow you to do is take the network traffic with these tags and peel off that tag as needed, or carry the tag to the next switch, to the next switch. So if you have a series of switches and then you go, hey, port 16 on my second switch, peel off all the tags except for the one that said IoT, and make port 16 IoT. No problem, you can do that. This is why they call it tagging a port. And when you have the ports that carry all the traffic from the firewall to the switches, those are referred to as trunk ports. It's kind of like your mainline trunk, where everything comes over there, all the packets. This has a disadvantage that's very clear. One, anyone on the LAN can see any nested VLANs in there. If you tap the data, if you will, on a trunk port, you do have the ability to see all of it. This is one of the reasons that when you separate these, the VLANs, because they travel all down the same pipe, they're sharing the bandwidth. There's another disadvantage. But also anyone who's on your native VLAN 1 is able to see all the other nested traffic, potentially, on there. So by breaking that out and breaking it down at the switch level, this is what stops them from doing it. Now, a few people have asked me about this; you can look it up. There have been flaws found in switches where you would set a segment to be a certain VLAN and the switch would allow you to VLAN hop. I have one video of an old TRENDnet.
I think it may have been a TRENDnet. It's a cheap switch where I found out that you can actually get to the native VLAN no matter what. There was a flaw in the switch, but just by forcing it. So that's kind of a little off topic, but yes, there is a little bit of an issue there. So make sure you have a good switch, because if you trunk a switch port, bring it all over there, and then tag a switch port so it's only one VLAN coming out, hopefully the switch is smart enough to only ever let that VLAN come out. You are relying a little bit on your security for that. By having a physically separate one, you don't have to worry about mistakenly tagging something or anything like that. Someone has asked, because if you find old videos, and I still have it set up this way, I have separate switches for my server network, because that way you couldn't even go in and modify those switches, because they're not carrying the tagged traffic of some of my other network traffic. So you can never accidentally even misconfigure them, because they're physically separate ports on my firewall. So there's some advantages to doing it that way. Now, the peeling off of a VLAN, it's a little bit more confusing to people, but it's actually very simple when you do this with Wi-Fi. The way, and we use UniFi as an example, but they are of course just one example in the many of VLAN-aware and VLAN-capable Wi-Fi devices, where you take and trunk the data all the way to the switch, and then you trunk the data from the switch over to the Wi-Fi access point. By doing this, and I say, all right, take this SSID and only grab the tagged traffic for IoT, grab the tagged traffic for, you know, my guest network, and then the VLAN will carry through and be tagged only on that SSID. There's a couple explainer videos I have related to VLANs and UniFi to kind of show how that works, but it's another way that works very well for carrying all the data. Now, the other advantage to doing this is, let's use an example of a larger enterprise
environment. And I've talked about one of them we did specifically with UniFi, where we installed 300 access points. They carry all the different VLANs across to all 300 access points, because once it gets to the access point, that's where the segmentation happens. They have some very specific business-related devices that are on a very narrowly scoped network. They do have a guest network. They're piggybacking across all there. This stretches across six buildings. So by carrying the trunk to all six buildings, I can create a guest network in all six buildings that is sourced at the very head end of the firewall. That's another advantage that it has, instead of having to run double the networks, as in, we have one fiber line going between each of these buildings. We would have to run separate fiber lines if we didn't do it with VLANs. So there's other advantages to using it that way. So does that kind of clarify a little bit, you think, Jay, some of the VLAN side of it, and why we're going to segment those?

Yeah, I think so. And there's a few things I want to underscore, because there's a lot in what you said that I just want everyone, you know, that didn't already know it, to really know it, and, you know, pay attention to certain things here. And one thing I'm going to mention, to piggyback off of what you said, that I really want to drive home, is that if you think about default routers, you know, configurations, or I should say, you know, common off-the-shelf routers that you buy at a, you know, local department store, it does not benefit the vendor at all to have segmentation by default. Which means, if you do find a, you know, generally available router that supports VLANs, and not all of them do, and supports all the things you want, just having VLANs and subnets set up does not give you segmentation. Which is what you've already said, but I just want to drive that home. And if the router that you bought did actually
segregate all of the networks By default if you let you create separate networks and those are by default Segregated then people are going to be calling in to customer service because you know if you're you're an entry-level person I created a network and I put my printer on it But my desktop on this other network can't see it They get a support call and when they get a support call they lose money and the markup on the routers are small enough as it is so so um Steve Gibson called it the tyranny of the default in his podcast Well, he was talking about something else, but I'm going to apply it to this and that is um on routers generally speaking everything connects us everything because Um, you know, they have um, what was that that was required for xbox I'm trying to remember that automatically opens ports. Oh the upnp nat. Yeah. Yeah. Yeah so something like that is enabled by default because Generally speaking an average person buys an xbox. They want to play games with their friends They don't really want to have to have a network sign or a computer science degree They just want it to work and the vendor doesn't want to receive that call So everything talks to everything and everything you create talks to everything else So there's no segmentation by default some router sure some firewalls sure they'll they'll have segmentation by default But most won't so the the point being that like I said Just having the lands and subnets does not give you segmentation It gives you a logical separation But by default everything on network a is going to be able to ping and access things on network b Like you're talking about lateral movement. 
That's full lateral movement. You have separate networks, but you've done nothing at that point to separate them. And then when you mention pfSense, or the firewall that allows you to get those subnets or VLANs or whatever it is, and define rules that this network is able to talk to the other network completely, but none of the networks are able to talk to this other network because that's more restricted, you have to come up with that part yourself. But if you don't already have subnets and VLANs, then you have no means by which to build the segmentation, if that makes sense.

Yeah. Now one of the next things to talk about, and it's perfectly timed and they must have known this, TrueNAS has joined the chat, like this, your NAS open source project, because hey, let's talk about NAS segmentation. This is a topic of confusion, and I did the two follow-up videos, one was with Synology, one with TrueNAS. And one of the things that people think is, hey cool, there's four network interfaces on my NAS device, let's tie these together and make one big interface, because that's the most logical way. Which, not necessarily. Let me explain. The better idea is, when you have a storage device and you want to connect it, and I mean don't get me wrong, bonding things together, there's great reasons to do that, but a lot of the times you want to be able to put in, a camera system might be an example of this, you have four ports, put a segment of that NAS in each port instead of trying to peel it off as a series of VLANs. Because usually with NAS devices especially, you're always going for as fast as possible. Even if you have two ten-gig or more ports on there, you are best not to route your storage traffic going back and forth to the NAS. So by taking the NAS and maybe having one port be for dedicated management of it, and binding the management ports to that segment, all right, we've created a secure, you know, range. We've got a secure subnet.
That's our management LAN. So this is where we have all the management of devices, and we'll put the web interfaces, or however we're accessing these devices for control, on that one. Next, the data layer. Well, I've got to have this data layer talking to SMB for all my Windows shares, or all my Windows users on my NAS that want to attach to it. Taking a separate network interface and then saying what services, and only the ones needed, bind to it. All right, physically this one plugs into this network, so it's tied to the same subnet, and great, this is how users directly access it. We see a ton of people, and a lot of questions around firewall rules that come up in my forums, where people are trying to route all their storage. And this is where they want to keep their NAS separate, great idea, poor execution, when they try to route everything through the firewall. It's way better to take these extra network interfaces and put one of the interfaces tied to each one of the subnets where the device will be active. But in the principle of least privilege, which you always want to follow, figure out the minimum things needed and only turn on those minimum things. So if it's SMB, SMB. And take another network interface, if you have it, tied to like NFS and iSCSI for your targeting. Now to go a step further, things like Plex. If you're running Plex in a jail on a TrueNAS, you can have the Plex be on a separate VLAN, and I have a jail VLAN explainer video that you can find on TrueNAS. You tie the Plex to that VLAN, and that VLAN should probably be the same VLAN, or network subnet I should say, that you have all of your IoT devices and streaming devices in, because Plex needs to talk to those. Once again, don't try to route your streaming, if you can avoid it, through the firewall. You're taxing the firewall and sometimes creating complexities, not that they can't be overcome, but you're creating unneeded complexities. Now obviously you need to get all your data into Plex, so that other network interface, that is on the network that you can copy the media from that you would like to get onto the TrueNAS server that's running the jail that has Plex on it, should be on the other segment. So I'm copying all the SMB not across the network, but from wherever I got my media from, leave that separation, and copy it over to the SMB share, and then you do the segmentation, and then the jail fires up. It is able to read the data based on the policies that you set, but the broadcast side of the data is attached to that specific network segment down there. This is just something you'll see, you know, it's not just building storage networks, there's going to be your common thing you see in the enterprise environments. But when you're building out even these home environments or your home lab environment, having something in each segment saves you a lot of headache from configuration, and still provides you with the proper amount of security, provided you've also not bound the web admin interface, and don't worry.
This is something that is a problem that scales. I've certainly seen way too many corporate networks with the web interfaces bound to the same network where the users are. Just don't do that. This is a good thing to learn in a home lab, so hopefully, if your goal is to get a job in the enterprise environment, you're not among the people binding those interfaces where users can get to it. No one should be able to sit down at any user's desk and start punching in and get to the firewall interface, to your NAS web interface, or any of those things. That's an important reason for segmentation. But back to that topic, you'll just save yourself a lot of trouble by putting each of these in your own segment. Just save that trouble that way. Now, anything that's on the same subnet does not get routed through the gateway, as in the firewall rules do not apply. It is up to the switch to handle the talking of those devices on that particular segment. There are certain switches, I've seen someone ask about certain enterprise switches, that will have the ability to actually make rules in between there, but that goes a little out of scope of what we're talking about here in home lab. So hopefully that makes a little sense of where some of those devices go and some of the design you should put into it. What do you think, Jay?
Yeah, I think that's a great explanation. I'm going to add some to that too, because the common question is, why should I segregate things? And my answer is, I mean, there's no benefit to doing that, but there's also every benefit to doing that, because you create the benefit. So, you know, basically just like you were saying, if you don't have firewall rules that define what can talk to what, and you implement VLANs and subnets, you really haven't accomplished anything, because everything talks to everything. But then you have the firewall rules that determine what can talk to what, but then the logical question is how to segregate it, and you gave many examples there. I'm going to add some more. So one example I'm going to, I know I always use kids as an example, right, because they're always pushing boundaries, let's be honest, and it's including network boundaries. So, you know, I'm trying to do a Zoom call for example, or whatever service I'm trying to use, and everything's pixelated. I can't hear the person talk at all. Why is that? So I look at the firewall logs, or whatever it is you look at for your graphs, and I would find, oh, my son is downloading a bunch of stuff right now and has the pipe completely saturated. So, what are you doing, might be what I'm asking. Oh, my hard drive had an issue.
I, you know, I'm just downloading all my Steam games again. Now with Steam games being 60 plus gigabytes a piece, and all of that coming down, nothing else on the network, I mean that's just saturating things, and not every firewall does a good job of sharing a connection equally. So with VLANs and subnets and segregation, I can say the VLAN that the kids are on maxes out at 50 megabits. No matter what the upstream is, no matter what the capability of the firewall is, I don't want them to go above 50 megabits, because if I'm trying to do something for business or something for work and I need to get it done, I'm not trying to compete with traffic that's not as important in the moment. So I could create the rule. Now that I have that implemented, I now have the ability to put a bandwidth limit via the firewall, because their devices are on the proper subnet. So that subnet, or that VLAN, basically the SSID, is where I do it. It's going to have that limit, and then I might want a 100 megabit limit for every single device, laptop, so that no one of them could saturate the connection. I might have an unlimited SSID that has a different user group in UniFi that doesn't have a limit at all. I can go on and on on this, but basically you need to define why and how to segregate, because it depends on what you experience. If you have an issue where, oh, the network's unusable right now, I guess I have to wait till it's done, well, that's an idea right there: to find out why and do something about it, maybe segregate it so you can put a limit on it. Or in my case, I could have the Wi-Fi network drop at 9 p.m. at night so I don't have to worry about someone watching Spider-Man at 2 in the morning keeping me awake. Like I said, you define that. And then you have a management layer. Obviously you don't want that to be accessible by the public internet, so you might put all your management interfaces on, and you should do this, a separate network. Lock it down like crazy, to where only certain things can get into it. And then when you start to look at it that way, you could start to create your own ideas about where to put things.

The other thing that you will experience, as a spoiler, if anyone is just getting started in this: you'll have devices that are, you know, edge cases, right? You put them on their designated network and, well, you have an exception. You do want this other device to talk to it, but not these other ones, and you have to have these one-off exclusions. I think the Chromecast is a really good example here, because, you know, it wants you to be on the same Wi-Fi network. But if I put that on the IoT network or the streaming media network, well, my laptop is on the devices network, and yes, they can talk to each other because I created a rule for that, but if I'm not mistaken, Chromecast wants the same broadcast domain, which you're not going to have, because you're on a different network. It doesn't matter that you could route to it, you can ping it, you could totally do that, but you can't cast to the Chromecast, because the broadcast is different. So those are things that are, just in my opinion, I'm not going to get into, because they're growing pains of network segmentation that I would love to save you all from, but unfortunately it is something you're going to deal with, and it is something you're going to have to figure out. And we could probably even talk about that further in the future. But getting back to my point, you know, just think about the different devices you have, and the security of those devices, how much traffic they might use, and just create some rules around that, and that'll help you diagram exactly how to structure your network.

Now one of the final things I want to make sure people are clear on. You can understand, and most people do, at least the way a firewall works is, unless I open up rules, the default of, let's say, a pfSense firewall, most modern firewalls, not consumer ones, consumer ones are a crap show of maybe it's secure, but most firewalls by default do not allow anything in. No ports are open. But me, as a user behind the firewall, when I reach out to a website, www.google.com, a series of things is happening. I've requested some data that is outside of my network, I've opened this connection. Most firewalls have NAT built in, so I know some people may see I'm conflating it. Yes, I know firewall and NAT are two separate things, but it's generally merged in for the sake of this particular discussion I'm having here. The NAT translation system says, all right, Tom's computer reached out for a network resource beyond the local network through the WAN, and we have created some NAT translation ports so we can pull that data back in, because Tom requested it, and then the ports die and they close again. This same concept absolutely works when I have network segmentation. The firewall rules, provided you have them set up properly, you can have a network that does not have access to your computer. As in, I have my, let's just call it IoT, where we set up segmentation. These get to the internet, but it shouldn't be able to get to me. But then how do I monitor those devices from my network? Well, the same firewall rules apply, provided you set them up properly. From my secure, if we want to call it that, network, the network that my computer's on, I can reach out across, you know, your movement laterally, and go through the firewall rules, and then touch and talk to those devices, because I requested data from them.
So if you're running a server, and someone mentioned Zabbix, this is one of the ways that would work as well, where if you had a group of servers put on a different segment where you're running virtual machines, and you have rules that the IoT devices can't talk to them, but you'd like to monitor them, well, you can tell Zabbix to reach out and talk to them, and the data will be replied at the request of Zabbix. But that does not automatically allow anything that wasn't asked for from the IoT devices to be sent back across. So the firewall rules work the same internally as they do externally. So it's not a problem to create these rules where there's no access, but you do have to be careful, and this is where things can get sometimes a little bit confusing about how you create those rules, where those destinations are, because sometimes people say, I'm just going to block replies going to this network. And this is where, for reasons, I covered it the way I did in the videos where I broke down specifically with pfSense, but you can extrapolate that to whatever firewall you're using. The rule concepts are the same in most modern firewalls. So that's one of the, for those, and I've seen more than one person asking that question inside of there, that hopefully makes a little sense: that the firewall rules work the same for your lateral movement as they do for your internal-to-external movement across your WAN.

And I wanted to add a couple more thoughts, and a few tips actually, that I think are important. One of which is: test, don't assume. So for example, let's just say your goal is to have a completely segregated network such that anything that connects to it can only access the internet and cannot talk to anything else inside your house. So don't just assume, oh, I've watched Tom's video and I know I didn't make any typos, I know I did it exactly like he said, I don't even need to test it because I'm 100% confident that I didn't mess anything up. Don't do that.
You would actually want to connect your laptop temporarily, for example, to the IoT network and make sure that you can't ping anything else in your house. Don't assume that it's the case, make sure that it's the case. Actually test it: do a port scan, try to ping stuff, just try to access things. And if it's working well, and you did it right, then you should get nothing back except out to the internet. Then you know for sure it's working. Don't just assume that it's working. The other thing I recommend is that when it comes to VLAN IDs, and I've done this, and Tom, you said that you've done this too, which, you know, I don't think we've ever talked about it, I think it's just something we naturally decided to do independently, but what I like to do is have the third octet of the IP address scheme match the VLAN ID. Yeah, I forgot to mention that. Yeah, it makes it so much easier to know, because if you have a VLAN, let's just say the third octet of your chosen IP scheme for IoT is 200, and then you see like a DHCP address for a new device come in that has 200, oh, well, that's on the IoT network. So it's probably that smart plug that I plugged in yesterday and forgot about. That makes sense. But if you see something on there, you didn't add an IoT device and there's something on your IoT network, okay, that's probably an issue right there. I need to probably look into that. But it's so much easier when you have the third octet match, because it's the VLAN ID. It makes total sense. So I'm going to try to make this a very brief summary to kind of walk everyone through, to try to make this come full circle when all is said and done, network segmentation and VLANs and subnets. Here's how it works. You have, let's just say, an IoT device, right?
And it connects to your Wi-Fi access point. It connects to the SSID called IoT, but you have given it the VLAN tag of 200. 200 was just something I came up with randomly, doesn't matter what you come up with, there's no rule here. It could be 200, 250, whatever you come up with. With the VLAN ID that you like, you make that third octet the same. Your IoT device connects, so when it connects to the access point, it has VLAN tag 200, and as long as it's a managed switch, you know, after that, that 200 VLAN tag follows through. So when it asks for a DHCP address, then you also have a DHCP server that understands that VLAN ID 200 is the IoT network: I need to give it an address from that network. Then that communication goes back. If you have a device in between that doesn't support VLANs at all, well, guess what, that's stripped and it's not going to work. Well, assuming everything does have that, you come up with your VLAN ID, you have your subnet, and that VLAN tag is passed through everywhere it goes, and that allows you to define what goes to what. And you mentioned earlier that Wi-Fi is a good way to do this, and it absolutely is. If you have any Wi-Fi access point that allows you to set a VLAN tag, and not all of them do, but if you do have that, then you could absolutely make it the case that everything that connects to that SSID is automatically tagged with whatever you want it to be tagged. You could have your media network, Rokus and such, they get tagged if they connect to that network, and then you have your, you know, Chromecast or whatever. I can go on, but that's at a very high level. Sorry.
That's basically how it looks. Now there's all kinds of layers of abstraction and quirks that you'll run into that are just part of growing pains that we can't cover today. But it's my hope that this helps, you know, the people out there having trouble understanding how this is truly separated, understand that at the end of the day, having multiple networks does not give you segmentation, but it gives you the ability to create segmentation. You define that segmentation, you define the VLAN IDs, and you logically create that the way that you want it to be, and you give the meaning to it. So hopefully that helps people that are kind of just starting out with this networking thing not run into the same confusion that I ran into when I first started.

Yeah, one thing I will, we kind of didn't talk about, but it's worth just noting that, yes, this is a real issue, is broadcast storms and things like that. And I've seen this, people go, well, if I can make it a slash 24, then we go slash 23 or slash 22, and as you go down you're increasing the size and scope of that particular subnet. I have dealt with some networks, we helped flatten, unflatten, a large-scale company. Someone had the idea that we plan on growing, but instead of coming up with segmentation, they just, I think they had a slash 20 or something, they had everything in there. And there's good reasons not to do that, but broadcast storms and solving it later can be a problem. So yeah, that's a thing I'll mention, that can be an issue, why you don't want to do it that way. There's times you want to have, because of the nature of those devices, some larger subnets, but there's also, and you'll see this especially in the older networks.
You'll see smaller subnets, but there's a series of routers in between them, but not firewalls, only routers. So this allows the logical routing of all those together without any rules. I've seen a few of the older networks set up that way. We actually are working on a client who, without segmentation, has lots of subnets, and has it that way. Just all the subnets have all the routing rules, they can all talk to each other freely. You run into a few of those things, especially with older networks. But like I said, they can get way out of scope and off topic. We're completely aware of them. We just wanted to keep it narrow, because boy, we can go on and on about networking. And I've seen other people talking about, hey, what about BGP and OSPF and everything else? Oh, don't get me wrong, those are great things. I think they probably go a little outside the scope specifically of homelab, but they're absolutely wonderful things to talk about in terms of learning network engineering. And I've seen a couple of discussions, as I said, in the chat where people are talking about the merits of learning it. So if you're on your way to that path, or learning all that, it's definitely something I highly recommend.

Yeah, and learning is a good point that I wanted to bring up too, because you might look at this and think, well, there really isn't much of a benefit for me, because my homelab's really kind of small. I only have, like, I have one Synology and one laptop. I have just those two things. So why would I care to separate anything?
You know, you can make an argument either way. Lateral movement is definitely a thing there. But if you're learning, because, you know, you are wanting to be a network administrator, then absolutely you should implement those things. Even though they might not have value to you in a practical sense, it has value to you in a learning sense, because you'll learn it by doing. At least for me, I learn by doing. So that alone could be a driver for implementing those protocols and those technologies, because you have an opportunity to work with them, to break them, to fix them, to get locked out of them, because I know exactly what's going to happen as you navigate this. But you learn a lot, and sometimes that's really the only reason you need.

Yep, absolutely. All right, I think we covered all the topics here, and, it's not just, we can keep it in scope here. As much as we would love to do an all-day network bootcamp training, we have companies to manage, but we love this stuff, so we definitely wanted to talk about it.

Yep, and I figured this seemed like a good topic.

I believe links, if you haven't seen them already, the videos I have, or I show some functional, practical guides to how to set these firewall rules up in pfSense, how to firewall your TrueNAS, how to firewall your Synology, and well, the TrueNAS is more about binding ports and things like that, but, you know, honestly, the knowledge I share in that can be applied to whatever other devices you may have. The concepts are the same. It's always about practicing segmentation, which is still, in the bigger scheme of things, part of your principle of least privilege. Don't give things privileges they don't need, and access to things they don't need. It just helps you sleep at night when they don't have it. Which, it's hard to sleep at night, because the more you learn about all this, the more you just go, I just want to be a farmer.

Yeah, but it's also that amazing feeling when you succeed at something. Like, you know, we've talked off camera about my smart TV that I want to have on the network, because Home Assistant is able to control it. But if it's on the network, it's able to access the internet, which means it could show me ads on my own TV, and I don't want that. There's no setting to turn that off on this model. I have checked, I have googled like crazy, there is no way to disable ads on this thing. So what did I do? Well, I created a firewall rule that says, if that TV is trying to get out to the internet, no. You can talk to the local machine, you know, the Home Assistant machine, but you can't talk to anything else. So any time it's complaining about internet access, I'm like, you were trying to load an ad, weren't you, naughty TV? No, you're not allowed to do that on my network. And then it starts to become so much fun, because you feel like you just activated a god mode and you can disable these things that vendors themselves won't even give you options to disable. It's just an awesome thing to learn. It's so much fun.

Yep, absolutely. Well, thank you all of you for joining us. At the peak, I saw there was like 250 people here, so awesome. Love seeing all you people on the live show. Thank you for everyone who downloads this not as a live show, but just listens to a podcast, because you don't have time to consume us, and you probably heard us at 2x, so this was only a half hour show for you. That's how this is, my podcast. How else would you listen to a podcast? I know, I need it all like that. So thank you very much. For those of you on the live show, before you leave, if you could hit the like button, it would be greatly appreciated, and we'll see you next episode.
Thank you, everyone. Thank you.