I used to really over-segment my local network. I think at one time I had 9 VLANs (Management, Private Data, Main VLAN, IoT with internet, IoT without internet, PBX phones, CCTV cameras, gaming systems, guest network). It worked fine, but honestly wasn't needed, was harder to manage, and caused more inter-VLAN traffic than needed.
Here are my thoughts on why all of those VLANs are or are not needed.
- "Management" - not needed - I have three managed network switches, three wireless APs, and a firewall. That's more than most people and it still makes zero sense to put those devices on their own dedicated Management VLAN. It also makes accessing and managing those devices harder when you have to make sure you have limited access to that VLAN for "security" purposes. I now have my network equipment on the same VLAN as my "trusted" devices which include my servers and most trusted computers - which makes managing the entire system much easier.
- Private Data/Trusted Devices - needed - This is a must-have VLAN. You need a VLAN that only has your most trusted devices on it. Devices like your cell phone and other mobile devices do NOT belong on this VLAN.
- Main VLAN - not needed - this can honestly be combined with the Untrusted with Internet (which is what I eventually did)
- Untrusted with Internet - needed - This is another "must have" VLAN. It is for "untrusted" devices that need the internet. Mobile devices, TVs, media streamers, IoT devices that need the internet to work, etc. all belong here.
- Untrusted without Internet - needed - devices that you don't want touching the internet belong here.
- PBX Phone and CCTVs - not needed IMHO because there is no reason these need to be on their own VLAN. Throw everything on the Untrusted without Internet VLAN.
- Gaming systems - not needed - gaming systems do sometimes need special rules/permissions to work right. But we don't have enough devices to make it worth a special VLAN. I can create a Firewall alias and manage the special rules that way.
- Guest Network - location dependent, but not needed for most of the country - I had one that was literally never used because my house has good cellular coverage. It's not 2001 anymore where mobile data was expensive. Short term guests just use their own mobile service.
By breaking the Untrusted devices into two VLANs - one with internet access and one without internet access - it makes it super easy to manage new devices that I bring into the house. I can ensure a device can access the internet or not access the internet simply by assigning it to the correct VLAN (which when using a WiFi connection is as simple as connecting them to the WiFi system with the correct WiFi password - one password connects devices to the internet VLAN and one password connects devices to the non-internet VLAN).
If you haven't guessed already, I completely re-did my network earlier in the year and I now have just three VLANs.
- Private/Trusted - my networking equipment, servers, and trusted personal computers.
- Untrusted with Internet - all mobile devices, TVs, streaming devices, visiting family or other long-term guests, etc.
- Untrusted without Internet - network printers, CCTV, PBX phone system, IoT devices, etc.
These are just general guidelines and there are certainly some exceptions/custom Firewall rules as well to make everything work. For example, while my PBX phone system is on the VLAN without internet access, I do grant some of the PBX servers' ports to the internet so the system can make and receive calls, etc. My "Alexa" and "Google" devices are actually on the Untrusted without Internet VLAN, but I have created a Firewall alias to manage those and have a firewall rule so they can access the internet.
Also, while my trusted servers themselves fall into the "Trusted Devices" VLAN, I have multiple network interfaces (either virtual or physical) on each machine so that a VM or machine can have a network NIC in any of the appropriate VLANs. Media stored on my NAS device can be accessed from both the Trusted and "Untrusted with internet access" VLANs so that I can access that media from my computer, mobile device, TV, media streamer, etc. My BlueIris machine has a NIC in all three VLANs because devices on all three levels need to be able to access that machine. That might seem like a potential security issue until you realize that only "trusted" individuals are even on my network to start with. The IoT devices on my Untrusted without internet VLAN might be able to access the BI machine, but they can't do anything with that data because none of the devices in that VLAN can access the internet, etc, etc, etc.
So to answer your question, while the actual BI machine might "sit" on the IoT VLAN, I think giving the devices on the Home/Trusted VLANs access to the BI machine is probably going to be needed.
Perhaps I have swung from one extreme (having too many VLANs) to the other extreme (not having enough), but so far it has worked out for me. Obviously the VLAN structure I have would never fly in a corporate environment (where things like a "management VLAN" do actually make sense and are extremely important for the overall security of the network), but a typical residential network requires a different line of thinking IMHO.
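As an added example (not the poster's own configuration, and not tied to any particular firewall product), here is what the three-VLAN policy described in this post looks like as an nftables forward ruleset on a Linux router. Every interface name, subnet, address and port below is an assumption for illustration; the post names none of them. It assumes the firewall routes vlan10 (trusted), vlan20 (untrusted with internet), vlan30 (untrusted without internet) and wan0, that the "firewall alias" for the Alexa/Google devices is modelled as a named set, and that the NAS and BlueIris boxes are multi-homed as the post describes, so they need no inter-VLAN forwarding rule at all.

```nft
#!/usr/sbin/nft -f
# Added example: three-VLAN home policy as an nftables forward chain.
# All interface names, subnets, addresses and ports here are assumptions
# chosen for illustration, not values from the post.
flush ruleset

table inet home {
    # The "firewall alias": IoT devices that may reach the internet even
    # though they live on the no-internet VLAN (assumed addresses).
    set iot_internet_ok {
        type ipv4_addr
        elements = { 10.30.0.21, 10.30.0.22 }
    }

    # Outbound UDP ports an assumed SIP trunk needs (signalling + RTP range).
    set pbx_udp_ports {
        type inet_service
        flags interval
        elements = { 5060, 10000-20000 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already permitted; everything else
        # has to earn an accept below, otherwise it hits the drop policy.
        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN (network gear, servers, trusted PCs) may reach everything.
        iifname "vlan10" accept

        # Untrusted with internet: WAN only, never into the trusted VLAN.
        iifname "vlan20" oifname "wan0" accept

        # Untrusted without internet: WAN only for the alias members ...
        iifname "vlan30" oifname "wan0" ip saddr @iot_internet_ok accept
        # ... and for the PBX (assumed 10.30.0.5) on the ports its trunk needs.
        iifname "vlan30" oifname "wan0" ip saddr 10.30.0.5 udp dport @pbx_udp_ports accept

        # Anything else crossing VLANs is logged and dropped; the log line is
        # the quickest way to notice a new device landed on the wrong VLAN.
        log prefix "fwd-drop: " drop
    }
}
```

Check the file with `nft -c -f home.nft` before loading it with `nft -f home.nft`; dropped cross-VLAN attempts then show up in the kernel log with the `fwd-drop:` prefix. The WAN-side NAT (a `postrouting` masquerade chain) is deliberately left out so the example stays focused on the segmentation policy, and the per-device exceptions the post handles with an alias are changed by editing the `iot_internet_ok` set rather than by adding rules.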