Just looking for pointers since I'm tangentially interested in getting into home networking. How should I start trying to improve the security (maybe even performance) of a basic bitch modem > router > devices setup? Hardware hasn't been changed in years but seems to work fine with a 100 Mbps plan (not doing 4K streams, just need reliable internet access and uploading/downloading with a privacy focus), but since I'm not leasing said hardware I'd like to take at least some administrative responsibility. Current layout is a Netgear CM400 modem and a Linksys EA7500 router with stock everything except passwords; everything else connects directly to said router via ethernet port or wireless.
Reading materials on improving security (or optimizing layouts, if you got 'em then send 'em) would be greatly appreciated. Bonus points if it's a step-by-step guide with good reference material in case something goes wrong.
I have no how-to but some general suggestions.
Get different physical hardware for the router and the Wireless Access Points, as often the optimal location for one is not the optimal location for the other(s). I run pfSense (I think I'd use OPNsense if/when I start over) for routing on a mini-PC and then 3 Ubiquiti Access Points. I've also heard good things about MikroTik and their prices seem reasonable.
Start segmenting stuff. I have 5 network segments... I think.
One internal VLAN with all my stuff on it, trusted devices only, so my server, desktop, iPad, phone, various Raspberry Pis, DNS filtering (like Pi-hole), local NTP, etc. This also has an associated wireless SSID and security.
One pure guest network, no wireless security, direct to the Internet, bandwidth limits if I feel I need them, uses my ISPs DNS, no access at all to anything else on my network. For contractors, other guests.
One 'secure' guest network, wireless password set, given to family and other trusted guests, still external access only. Also used for laptops and VMs I use for customer interactions in my consulting business but want to not be able to see my real networks. IoT devices which need Internet also go here, like my PurpleAir sensor, Amazon stick, and my car.
One no-Internet network. IoT devices with no need for Internet go here. Security cameras, WiFi outlets, my car charger. This has some NAT to allow communication to my trusted devices; for instance, the security cameras can write directly to a locked down FTP server for video capture.
Ok, 4 networks.
This is my security setup (well, not exactly, because you never tell the exact setup to randoms on the Internet), and some things like the unsecured guest network I can only do since I'm rural enough to be able to see shoot anyone trying to use my WiFi before they're close enough to use it.
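The segmentation described in the answer above, written out as a default-deny policy you can check flows against before committing them to real firewall rules. This is an added example, not the poster's configuration: the subnets, the FTP host address and the exact allow list are assumptions chosen to match the four segments the answer lists.

```python
import ipaddress

# Constructed subnets for the four segments in the post (assumed, not the poster's real layout).
SEGMENTS = {
    "trusted":      ipaddress.ip_network("10.0.10.0/24"),  # server, desktop, Pi-hole, NTP
    "guest_open":   ipaddress.ip_network("10.0.20.0/24"),  # contractors, no wireless security
    "guest_secure": ipaddress.ip_network("10.0.30.0/24"),  # family, work VMs, Internet-needing IoT
    "iot_nonet":    ipaddress.ip_network("10.0.40.0/24"),  # cameras, WiFi outlets, car charger
}
FTP_SERVER = ipaddress.ip_address("10.0.10.5")  # assumed locked-down capture host on the trusted VLAN

def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is in none of them."""
    ip = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

# Allow list: (src segment, dst segment or single host, allowed ports or None = any).
# Anything matching no entry is dropped; that default deny is what keeps both guest
# segments and the no-Internet IoT segment away from the trusted VLAN.
ALLOW = [
    ("trusted",      "internet",  None),
    ("trusted",      "trusted",   None),
    ("trusted",      "iot_nonet", None),   # trusted devices may manage the IoT gear
    ("guest_open",   "internet",  None),   # guests use ISP DNS, never the Pi-hole
    ("guest_secure", "internet",  None),
    ("iot_nonet",    FTP_SERVER,  {21}),   # cameras -> locked-down FTP only, nothing else
]

def is_allowed(src_ip, dst_ip, dport):
    """True if a flow from src_ip to dst_ip:dport matches an ALLOW entry."""
    src, dst_ip = segment_of(src_ip), ipaddress.ip_address(dst_ip)
    dst = segment_of(dst_ip)
    for rule_src, rule_dst, ports in ALLOW:
        if rule_src != src:
            continue
        host_match = isinstance(rule_dst, ipaddress.IPv4Address) and rule_dst == dst_ip
        if (host_match or rule_dst == dst) and (ports is None or dport in ports):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample flows, one per rule the answer describes.
    SAMPLE = [("10.0.40.10", "10.0.10.5", 21), ("10.0.40.10", "10.0.10.5", 22),
              ("10.0.40.10", "8.8.8.8", 443), ("10.0.20.7", "10.0.10.2", 53),
              ("10.0.30.4", "1.1.1.1", 443), ("10.0.10.3", "10.0.40.10", 80)]
    for src, dst, port in SAMPLE:
        print(f"{src:>12} -> {dst:<12} :{port:<4} {'ALLOW' if is_allowed(src, dst, port) else 'DROP'}")
```

Each time a rule is added to the real firewall, a matching entry and sample flow here keeps the intent auditable; a camera that suddenly needs port 22 on the trusted VLAN shows up as a policy change rather than a quiet exception.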