⏱ Reading time: 4 min

As a computer science and network security enthusiast and professional, a retired semi-pro-gamer, a passionate amateur photographer and, on top of all that, MOLO17’s Lead System Engineer, you can imagine my frustration when dealing with the typical home network (and unfortunately the typical small office network). If you can’t imagine it, let’s just say that I wasn’t able to tolerate a vanilla home network in years and that my home network is currently built with the same components I would install on a mid-sized business, with the same security and quality standards.

With this series of articles I will give you my take on designing and building a home network. The same principles of course apply to SOHO networks, with the proper changes in proper places.

The typical network scenario in a home network is a bunch of WIFI devices competing for the always starving resources of:

  • A single (and possibly suboptimal) connectivity
  • With limited hardware sometimes imposed by the ISP as a CPE (customer’s premises equipment),
  • With very limited QoS policing (or not present at all),
  • With limited hardware sometimes imposed by the ISP as a CPE (customer’s premises equipment),
  • With no real firewall or IDS/IPS on inbound connections
  • No form of threat management on outgoing connections
  • Internal communications not policed for security and QoS at all at layer-2, let alone layer-3, and consequentially no VLAN segmentation of any kind
  • Nothing that can be called monitoring / diagnostics by a reputable professional

This means that as a gamer my ping time is simply destroyed by Windows Update, Mac AppStore and Linux APT/YUM, Netflix, Amazon Video, and such. As a photographer, my off-site RAW photo archive backup can’t run late in the evening, because it might disrupt my Netflix viewing session or, far worse, my gaming performances, let alone the days I come home with a huge amount of freshly taken pictures (sometimes as far as 200GB in one session) and I have to archive them on a NAS from my PC. As a generic home user, that Prime Video session might be hampered by any of the above, even my own computer’s silent updates running in the background and, even worse, my network won’t offer any layer of protection at all from malicious links, scammers, identity tracking services and other threats that do not attack from outside to inside. A basic degree of protection is assured by the NAT translation, that is for sure, but most threats of the modern world do not come from open ports on the perimeter. As a paranoid security expert, I won’t even think opening (or dst-natting, for a better term) a port on the perimeter to an internal network without any kind of VLAN segmentation and an IDS/IPS in between.

And what about sharing your WIFI password with friends without a properly isolated (at VLAN level) guest network? And without the ability to impose restrictions on their behavior? This is some doomsday scenario from my perspective.

Another big problem is COTS (Commercial Off The Shelf) IoT today. It is not the industrial type of IoT we are dealing with in MOLO17 on a daily basis. COTS IoT is often posing security threats to the final users, or at least it pierces thru most of home routers to “phone home” (or cloud, for a more recent term) and become a puppet for its maker to control with or without your consent. As a paranoid security guy but also a home automation enthusiast, this poses an interesting and omnipresent dilemma, that I always have to come to terms with while setting up home automation devices on my network. I will explain how later on this series, but let me anticipate that this does require a certain degree of configurability on network hardware that your home router doesn’t provide.

You might be already thinking: “great ideas and principles, but the costs for a home network built with enterprise equipment are completely unjustified”. Well: you are totally right, in my case it is done due to my passion for networking, with a relatively big investment on the hardware side.

What I will propose in the articles of this series are instead relatively low-cost solutions for the normal household that can introduce the same features at a much lower price. The trade-off? You will pay with hard study and knowledge required to operate the components.

I will propose different devices and brands, used along with open source solutions, that have a very interesting price point for the home / SOHO environment, including:

  • Ubiquiti Networks UniFi
  • Mikrotik routers and wireless devices
  • PC Engines
  • Raspberry Pi
  • PFSense Community Edition Firewall Distribution
  • and more…

All of this without any endorsing by the respective brands, but only with my personal experiences and preferences.

Stay tuned for the next episode of Building Home Networks Like a Pro!