May 09, 2021, 11:55 AM
mark123
Network gurus. Tell me if I'm doing this correctly.
I've got the pfSense box running well enough like this. Right now the NAS has a Pi-hole and PiVPN (WireGuard) running on it so that I can be OK with running my phone on a public WiFi. I've got pfBlockerNG installed on the pfSense box so I may be rethinking that. Truthfully, I like how Pi-hole and PiVPN work so I may leave it as is.
There are no VLANs set up on the pfSense box, only on the switch. I figured VLANs on the pfSense was unnecessary as I have the 4 port PCIe, each with their own subnet(?), and I've plenty of space on the switch. Is that a mistake? Is there a better way?
The family computers and the NAS are on the 192.168.13.0 network.
Neither IoT network can ping the LAN or Trusted Wireless network.
Should I move the TVs so that the phones on the Trusted Wireless can stream to them?
This is my first attempt at securing and setting up the home network beyond sticking a router in there and running everything on 192.168.1.x. Do you see any glaring mistakes?
It seems to be working as expected.
May 09, 2021, 02:35 PM
eyrich
I'd probably combine the trusted wired/wireless and the IoT wired/wireless, and just have a trusted subnet and an IoT subnet.
I think you are adding complexity without any/enough reduction in risks.
That's what I have.
I don't stream from phones to TVs; I left my TV on the IoT network.
May 09, 2021, 05:36 PM
smschulz
quote:
Originally posted by eyrich:
I'd probably combine the trusted wired/wireless and the IoT wired/wireless, and just have a trusted subnet and an IoT subnet.
I think you are adding complexity without any/enough reduction in risks.
That's what I have.
I don't stream from phones to TVs; I left my TV on the IoT network.
^^^^ I agree ^^^^
May 09, 2021, 05:58 PM
mark123
quote:
Originally posted by smschulz:
quote:
Originally posted by eyrich:
I'd probably combine the trusted wired/wireless and the IoT wired/wireless, and just have a trusted subnet and an IoT subnet.
I think you are adding complexity without any/enough reduction in risks.
That's what I have.
I don't stream from phones to TVs; I left my TV on the IoT network.
^^^^ I agree ^^^^
I think you're both right. I'll just move the WAPs to their respective wired VLANs.
Now I've got two extra ports. Any other use for them?
Maybe I can use one for a dedicated management port and one for a database server.
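The policy the original post describes (IoT can never reach the trusted network, trusted devices can reach anything) and the two-subnet layout the replies recommend, modelled as a first-match, stateful rule list in the order a pfSense interface rule set would be evaluated. This is an added example, not code from the thread or from pfSense: 192.168.13.0/24 is the trusted network named in the first post, while the IoT subnet 192.168.20.0/24, the gateway address 192.168.20.1 and the internet host 203.0.113.10 are constructed for the example. It also shows the answer to the "should I move the TVs" question: a one-way trusted-to-IoT pass rule lets a phone open a stream to a TV while the TV still cannot initiate anything toward the trusted side, because only the reply direction of an existing state is passed.

```python
"""Toy stateful policy evaluator for a trusted/IoT split (hypothetical example code).

Subnets: 192.168.13.0/24 is the trusted network from the thread; the IoT subnet,
the firewall's IoT-side address and the internet host are constructed values.
"""
import ipaddress
from dataclasses import dataclass

TRUSTED = ipaddress.ip_network("192.168.13.0/24")      # family computers, NAS, phones (from the thread)
IOT = ipaddress.ip_network("192.168.20.0/24")          # constructed: TVs and other IoT devices
FIREWALL_IOT_GW = ipaddress.ip_address("192.168.20.1")  # constructed: pfSense address on the IoT interface
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple, as seen by the firewall."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_private(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls in any RFC 1918 range (an 'RFC1918' alias in pfSense terms)."""
    return any(addr in n for n in RFC1918)


def build_rules():
    """First-match rule list. Each entry: (name, predicate(src, dst, dport), verdict)."""
    return [
        # IoT devices may use the gateway for DNS and NTP...
        ("iot_dns_ntp_to_gw", lambda s, d, p: s in IOT and d == FIREWALL_IOT_GW and p in (53, 123), "pass"),
        # ...but nothing else on the firewall itself (webGUI, SSH) is reachable from IoT
        ("iot_block_gw", lambda s, d, p: s in IOT and d == FIREWALL_IOT_GW, "block"),
        # IoT may never initiate toward any private network, which covers the trusted subnet
        ("iot_block_private", lambda s, d, p: s in IOT and is_private(d), "block"),
        # IoT to the internet is allowed (streaming services, firmware updates)
        ("iot_to_internet", lambda s, d, p: s in IOT and not is_private(d), "pass"),
        # trusted devices may initiate anywhere, including toward TVs on the IoT subnet
        ("trusted_any", lambda s, d, p: s in TRUSTED, "pass"),
    ]


class StatefulFirewall:
    """Evaluates flows against the rule list and keeps a state table like pf does."""

    def __init__(self):
        self.rules = build_rules()
        self.states = set()   # 5-tuples of connections that a pass rule created

    def evaluate(self, flow: Flow):
        """Return (verdict, reason) for a packet; passing a new flow creates state."""
        key = (flow.src, flow.sport, flow.dst, flow.dport, flow.proto)
        reply_key = (flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        # reply direction of an established connection passes without a rule lookup
        if key in self.states or reply_key in self.states:
            return ("pass", "established")
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        for name, pred, verdict in self.rules:
            if pred(src, dst, flow.dport):
                if verdict == "pass":
                    self.states.add(key)
                return (verdict, name)
        return ("block", "default_deny")   # nothing matched: implicit default deny


def demo():
    """Walk through the flows discussed in the thread and return their verdicts."""
    fw = StatefulFirewall()
    phone, tv, nas, internet = "192.168.13.50", "192.168.20.30", "192.168.13.10", "203.0.113.10"
    return {
        "phone_to_tv": fw.evaluate(Flow(phone, 40000, tv, 8009)),          # stream from trusted phone to TV
        "tv_reply_to_phone": fw.evaluate(Flow(tv, 8009, phone, 40000)),    # reply on that connection
        "tv_to_nas": fw.evaluate(Flow(tv, 50000, nas, 445)),               # TV tries to reach the NAS
        "tv_to_phone_new": fw.evaluate(Flow(tv, 50001, phone, 40001)),     # TV opens a new connection
        "tv_to_gw_dns": fw.evaluate(Flow(tv, 50002, "192.168.20.1", 53, "udp")),
        "tv_to_gw_webgui": fw.evaluate(Flow(tv, 50003, "192.168.20.1", 443)),
        "tv_to_internet": fw.evaluate(Flow(tv, 50004, internet, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict[0]:5s} ({verdict[1]})")
```

In pfSense terms the IoT rules live on the IoT interface's tab, because rules are applied where traffic enters, and the "block to any private network" line is typically written against an alias holding the three RFC 1918 ranges. One caveat for the streaming question: this policy lets a phone connect to a TV, but Chromecast-style discovery relies on mDNS, which does not cross subnets by itself, so a reflector (the Avahi package on pfSense) is needed for the TV to show up on the phone at all.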