Your Local Area Network (LAN) is vital to your home and office. It's what handles all internal and outbound traffic, ensuring all clients on your side can communicate with one another, as well as billions of devices worldwide, so long as you have a router and external link. But how does one go about securing their LAN? Here are some pointers on how to not make your LAN vulnerable to outside attacks. Some involve common sense and others require you to do a little work.
Replace a basic ISP router
Not all firewalls and routers are built the same
Your Internet Service Provider (ISP) will supply a standard router from its inventory, but this unit is usually locked down and only offers basic functionality. Unless your ISP-supplied router happens to include advanced network features, you'll be missing out on vital tools that help keep your network secure. On top of that, your ISP will happily snoop on what you're doing, both on your LAN and when using its internet services. If you want full control over your LAN, you'll want to build a custom firewall.
It's easier than you think. All you need is a mini PC or dedicated firewall device with a CPU, RAM, storage, and a few Ethernet ports. OPNsense is a solid software package that includes everything for creating a robust and secure firewall and router device. Once you've established a LAN, you'll be able to mess around with Virtual LANs (VLANs), Demilitarized Zones (DMZs), Virtual Private Networks (VPNs), and more. Some ISP routers may support these features, so it's worth checking before you create your own.
Avoid using weak passwords
This goes for admin and Wi-Fi
The primary defense against anyone joining your wireless network is the passphrase and the encryption protecting it. Always use WPA3 (or WPA2, if WPA3 is unavailable). While it may be tempting to pick a memorable word or phrase so that guests and visitors can connect more easily while inside the building, I always recommend using a randomly generated string of characters. This should include letters, numbers, and special characters. The same goes for passwords on connected clients, which could otherwise be compromised by some other route.
Your admin account on the router should also have a strong password. An ISP router may ship with a jumbled password already configured, but this is usually printed somewhere on the unit, rendering it useless to anyone who can see the device. It's always best to change this to a random password. And if you're creating your own firewall using OPNsense, a strong password will need to be created during installation. If someone does make their way onto your LAN, at least a strong admin password makes it harder for them to do further damage.
Consider segmenting your network
VLANs are your new best friend
A VLAN is a means to split up your network into segments. Each one behaves like a separate physical LAN but is entirely virtualized over the same network equipment. Should your router/firewall and the rest of your network equipment all support VLANs, you can create multiple networks without spending money on specialized infrastructure. With VLANs, you can create guest networks for those who visit your property and don't require access to various services on your network.
It is also good practice to keep IoT hardware separate from the rest of the network. Devices shared on the LAN, including Network-Attached Storage (NAS) and printers, can all be configured to be available on specific (or all) VLANs, so segmenting the network doesn't mean losing access to them. Much like Docker containers, isolating parts of your LAN improves security and limits the damage should a specific device be compromised.
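As an added illustration (not from the article or the OPNsense project), here is the segmentation policy described above written in the pf syntax that OPNsense compiles its rules into; in OPNsense you would build the equivalent rules through the GUI. Interface names, VLAN IDs, subnets, and the NAS address are assumptions.

```pf
# Constructed example: trusted LAN, IoT VLAN, and guest VLAN on one firewall.
# Interface names, VLAN IDs, subnets and the NAS address are assumed values.
lan   = "igc1"            # trusted LAN, 192.168.10.0/24
iot   = "vlan20"          # IoT VLAN 20 on the trunk, 192.168.20.0/24
guest = "vlan30"          # guest VLAN 30 on the trunk, 192.168.30.0/24
nas   = "192.168.10.50"   # NAS deliberately shared with the IoT segment
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
block in log all                  # default deny on every interface
pass out quick keep state         # replies and firewall-originated traffic

# Every segment may obtain a lease from the firewall's DHCP server.
pass in quick on { $lan $iot $guest } proto udp from any port 68 to any port 67

# Trusted LAN may reach everything, including the VLANs for management.
pass in quick on $lan from $lan:network to any keep state

# IoT VLAN: DNS and NTP to the firewall itself, SMB to the shared NAS only,
# nothing else in private address space, then out to the internet.
pass in quick on $iot proto { tcp udp } from $iot:network to ($iot) port { 53 123 } keep state
pass in quick on $iot proto tcp from $iot:network to $nas port 445 keep state
block in quick log on $iot from $iot:network to <private>
pass in quick on $iot from $iot:network to any keep state

# Guest VLAN: DNS via the firewall and the internet; nothing internal at all.
pass in quick on $guest proto { tcp udp } from $guest:network to ($guest) port 53 keep state
block in quick log on $guest from $guest:network to <private>
pass in quick on $guest from $guest:network to any keep state
```

The two logged `block` rules are the ones to watch: hits on them show an IoT or guest device probing the rest of the network.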
Create a Virtual Private Network
Stop everyone snooping on your traffic
There's a good chance you may plan to open up some services on your LAN. This could be a NAS, media streaming service, photo storage, cloud storage, collaboration software, surveillance, and much more. All of this can be run from your home or office and external access can usually be granted. This involves opening up your LAN to the outside world, but there are some ways to accomplish this without increasing risk. One method is by using a VPN, which can be hosted within your LAN.
By running your own VPN, you can connect to your network from anywhere in the world and access all the services as you would at home or in the office. It's secure and saves you from opening up vulnerable ports without configuring SSL and other advanced features. You could go down the DDNS and domain name route with reverse proxies, but a VPN works just as well for getting into your network with little effort. I would also suggest using a VPN within your LAN when connecting to the outside world.
Running the VPN through your firewall/router can cover your entire LAN, encrypting all outbound traffic and negating the need to install clients on every device.
