Some Remarks Regarding Network Security and Privacy

For a while I landed in the convenience of Unifi products, investing in switches, an AP and a Router/Firewall/NVR, i.e. the UCG Fiber. And in many ways it worked very well, even if I was nervous at every update, since I had had some bad updates before and a bad update could bring down my whole network. Add to that that Unifi is very much like Apple: do it our way or no way. I did not like that one bit. And when I heard about Mythos I did not really think it could secure my network, so I put an OpenBSD firewall in front of my UCG Fiber. But having Unifi still as this single point of failure gave me no rest, so I exchanged it for an Omada AP without a controller (it supports a controller if you like), a Netgear switch with PoE, and a D-Link and a Netgear switch driven by PoE-PD. So how would I secure all of this? By putting pfSense on my trusted six-port firewall with great care and very strict firewall rules between every subnet.

So my internet connection comes in through my OpenBSD firewall, which handles NAT. Its only purpose is to be an edge firewall: it runs no services and is very locked down.

My internal firewall is pfSense; it handles all internal routing.

1st subnet: Switches and one AP, without internet access.
2nd subnet: Management or trusted net. This net is also reachable via my AP, but only with EAP-TLS (WPA3-Enterprise). This net has access to my OpenBSD firewall and pfSense. Internet traffic goes via a WireGuard tunnel (mullvad.net).
3rd subnet: DNS and NTP handled by Pi-hole and chrony on an rpi5, an SMTP relay, a log server, and MariaDB on my Proxmox. I wanted these out of the server subnet since they are reachable from the insecure Media net. This net is also routed through the WireGuard tunnel for internet.
4th subnet: Servers reside here.
5th subnet: Media net, where my Sonos speakers, music server and Home Assistant live. I regard this as insecure, but not as a DMZ.
6th subnet: IPMI clients. It has no internet access.
7th subnet: Cams and NVR (we will return to this). It has no internet access.
8th subnet: Gaming net. It has no internal access at all.
9th subnet: IoT net. It has no internal access at all. Here reside my Kindles, Luxsin X8 DAC, and other IoT things.
10th subnet: A VPN net via WireGuard with two tunnels, one for management (which has access to my OpenBSD firewall and pfSense machine), and one for my work phone (split-VPN) so that I can reach my calendars, Vaultwarden server and Navidrome. The management WireGuard net is also routed via the Mullvad WireGuard tunnel for internet traffic.
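To make the edge firewall's role concrete, here is an added example of what its pf.conf could look like: NAT only, no services, default deny, and the box itself reachable only from the management net. This is not the author's configuration; the interface names, the transit and management subnets and the choice of SSH as the management protocol are all assumptions.

```pf
# /etc/pf.conf on the OpenBSD edge box: NAT only, no services, default deny.
# Interface names and all address ranges below are assumptions, not the author's.
ext_if = "em0"                     # upstream (ISP) interface
int_if = "em1"                     # transit link to the pfSense WAN port
mgmt   = "192.168.2.0/24"          # assumed management subnet behind pfSense

# Assumed internal ranges that pfSense routes to the edge without NAT.
table <inside> const { 10.255.255.0/30 192.168.0.0/16 }

# Ranges that must never appear on the upstream interface.
table <martians> const { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 \
                         169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 \
                         224.0.0.0/4 240.0.0.0/4 }

set skip on lo
set block-policy drop              # drop silently, no RST or ICMP unreachable
set loginterface $ext_if
match in all scrub (no-df random-id max-mss 1440)

# Hide everything behind the upstream address.
match out on $ext_if inet from !($ext_if:network) nat-to ($ext_if:0)

# Default deny, logged, then explicit exceptions.
block log all
antispoof quick for { lo0 $int_if }
block in  quick on $ext_if from <martians>
block out quick on $ext_if to <martians>
block in  quick on $ext_if               # nothing new from the internet, ever

# The box itself is reachable only over SSH from the management net (assumed).
pass in quick on $int_if inet proto tcp from $mgmt to self port ssh
block in quick on $int_if to self

# Only the inside, arriving on the transit link, may originate traffic.
pass in  on $int_if inet from <inside> to any
pass out on $ext_if inet                 # forwarded traffic and the box's own updates
pass out on $int_if inet from self       # e.g. syslog from the edge to the internal log server
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the active ruleset and `tcpdump -n -e -ttt -i pflog0` shows what the default deny is logging.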

My UCG Fiber is also an NVR, but it was not easy to use it only as an NVR. As you remember, it is Unifi's way or no way. I ended up putting its WAN side on my Media net, where it thinks it is on the internet: its WAN SLA check is to ping its gateway, which is on pfSense, so it thinks everything is hunky-dory. Its other interface is connected to my Cam subnet, where it handles an IP camera and acts as an NVR. This seems to work well.

But securing your external and internal network is only one part. How should we handle all the other parts? I use Pi-hole to filter out much trash on the internet. It blocks over twelve million domains; AdGuard choked on this, but it does not affect Pi-hole at all. It also handles all local DNS, even CNAME records; external DNS is resolved via Mullvad, and it handles all internal NTP. I am very happy with this solution, and it resides on its own VLAN. This way pfSense does not have to expose any ports to the internal nets except for DHCP. And I route web browsing traffic via a VPN tunnel.

I have always used Firefox as my browser, and it is a great browser, but it is said to lack proper sandboxing, and I do not want to use Chrome or Edge either. I have settled on the Brave Origin browser.

I have and use one browser extension, Bitwarden, which is connected to my self-hosted Vaultwarden instance, a clone of Bitwarden, at home in an Alpine KVM machine on my Proxmox server.

I host nearly everything at home: calendars, contacts, passwords via Vaultwarden, Home Assistant, DNS, NTP, an RSS server for news. The only thing in the cloud is my photos, which reside with Ente. I host my own music on Navidrome; all of it is always reachable via split-VPN, so when my Qobuz subscription ends in November I will probably have no subscriptions at all.

I have cut ties with all social media. I have never been a great user of it, but now I have left X and Reddit. It was not edifying, and it took too much time from me.

I think that all of us must stop for a moment and look at our lives. Not everyone can or should host everything at home, but that does not mean that we should go on selling ourselves to all these companies.

You see all of these videos on YouTube; many of them are not fearmongering, they raise true dangers that face all of us. AI is great, but I would never have it on my phone. When Apple Intelligence was released I sold my iPhone 16 and bought an iPhone 15 Plus because it could not have Apple Intelligence. Now I am alternating between said phone and a Pixel 8 with GrapheneOS. I can even use my Fenix 6X Solar now with Gadgetbridge instead of putting everything in Garmin's cloud.

And the thing is that some of the things written about above will increase my inconvenience, but they will greatly increase my privacy and security. What is worth most to you? There are dangers everywhere, and we need to see them and be very discerning about them. We have great software that is free or where you are not the product.

You have countless Linux distributions (and FreeBSD, OpenBSD, NetBSD, and illumos, and these operating systems will gladly give life to the computer that Microsoft 11 killed), LibreOffice, Zotero, Chromium, Firefox, Zettlr, Navidrome, Music Assistant, WireGuard, OpenVPN, Thunderbird, Bitwarden, Ente, Calibre, GrapheneOS, Pi-hole, AdGuard Home, Joplin, Miniflux, Literal Word, F-Droid, Brave and so on. It only takes a little research to find all of this.