Quoted:
VLANs provide zero security if you are allowing all the networks to be reached from any other network. You need to limit what networks are reachable from others.
For example, there is no reason for your Echo to communicate with BlueIris, so don't allow it.
Another issue with many networks is limiting the outbound connection to networks outside of North America. Your Chinese camera will try to call home. Don't believe me? Run Wireshark and watch. So block the outbound connections.
As for address space, increase the mask size from. Switch to a 10./8 or 172.16-31/16.
Agree with everything above except the part in red. Don't do that. If you need more address space, change your mask to a /23 (255.255.254.0). That gives you 510 usable addresses. Unless you're doing something very different from the normal home network use case you don't need that much space. Creating giant networks like a /8 or /12 may cause issues if your ISP decides to use RFC1918 addresses at the edge, the way AT&T does at my home.
I've done networking since 2000 at medium to large companies.
As I see it, here are the use cases for vlans in a home network:
1. security - want to control where hosts on a network can go, and what hosts are allowed to reach the network.
2. size - in practical terms, a /23 network with 500+ hosts will work just fine for most things. Most homes won't get to this point.
3. OCD - If you just have to be organized, and want to be able to easily determine what type of device something is based on IP.
4. Learning - What better way to learn than to play around on your network?
I completely agree with the person who said to block outbound traffic from your cameras to the Internet. Same thing for any IoT devices that don't need Internet access. That may be the most compelling use case for doing VLANs.
In my home network, I have a /24 for all my hosts, and a /24 for client vpn connections. I don't do IoT, but I still have ~26 real and virtual devices on my network. I have a stack of Meraki gear that will let me vlan and create barriers between segments. It just isn't worth it to me. I do watch all of my network traffic via full NetFlow. I can see everything on the network as well as stuff coming and going to the Internet. I get alarms when certain things fire.
If you aren't using OpenDNS for your DNS servers, you're doing yourself a disfavor. It is free, fast, reliable and will help prevent you and your family from connecting to harmful sites. Cisco purchased OpenDNS a few years back, but seems to have pretty much let the people who know what they are doing keep doing it. Same for Meraki.