Afasos,
What make of switches do you use? I'm 100% with you on all the security & privacy points you make and would like to improve my setup. My pc & laptop protect me but I'd like to start introducing network level measures. Blocking of shitware, tracking & privacy invading domains for my company gear SSID & VLAN, a less restricted SSID & VLAN for Mrs tweens PC & our (untrustable) androids plus a guest SSID.
I've been looking at the Draytek gear. I'm pretty sure the L2+ managed switch, access points and router will give me the multiple SSID & VLAN segregation I'm after, but one of my access points would be in another building over a power line link. I'm struggling to grasp how fully an 8 port 'smart' switch would extend the full features of the 24 port L2+.
I don't like Draytek gear. It's both a little spendy and IMHO a bit rubbish.
I have an ancient TP-LINK WA-801ND Wireless Access Point I bought from a boot sale for a fiver. It's a v1 fortunately because the v2 & v3 are allegedly less reliable. The v1's are rectangular in design:
+ve
Multiple SSIDs and vLANs. So each SSID is configured to use a different vLAN.
Despite being ancient, it still works
Unlike a lot of cheap kit, I never need to restart it
External antennas with standard fitment - I've replaced the ones on mine with some slightly higher gain alternatives so a single access point covers the whole house
-ve
I'd never expose it to the internet
No IPv6
2.4GHz only (not dual band)
I've currently got a TP-LINK T1600G-28TS (TL-SG2424) Layer 2+ smart switch, which again I'd never make accessible from the internet but has a lot of features and a responsive webgui (+CLI) at quite an affordable price
This is passing the tagged traffic from the Wireless Access Point to pfSense. Each tagged vLAN in pfSense presents out as a different interface and thus can have a custom set of rules. pfSense also takes care of DHCP and DNS on the guest/public/media WiFi networks - although it's possible for it to act as a DNS/DHCP forwarder instead. The only downside with this switch is that it doesn't seem possible to set a gateway on its management interface, so it's difficult to manage it via VPN from work etc.
pfSense is running virtualised under QEMU/KVM on my Ubuntu server. There is an Intel Pro 1000 VT quad port network adapter in the server which has all its ports passed through to pfSense, which is better than bridging a virtual network adapter on the host OS. They can be picked up for about £15 on eBay.
For the main trusted network, my home server is running BIND 9.x with a restricted policy zone (RPZ) ... There are various sources on-line of domains used for propagating spam, advertising and malware. I have a cron job that runs once a week, downloads a couple of lists, parses them and updates the RPZ. TBH it could do with a bit more love and attention from me as it's not currently blocking all unwanted content - some advertising networks work whilst others don't.
What I've done doesn't really present a full Unified Threat Management solution (UTM) as it doesn't prevent anyone from downloading malware or provide phishing protection in email etc. It's possible for me to provide some of that functionality by adding squid and clamav to pfSense (see for example:
https://forum.pfsense.org/index.php?topic=72528.0). The trouble is, doing this for encrypted (https) traffic means effectively running a man-in-the-middle attack. And that means pushing out a root CA to all the clients (PCs, tablets, phones) in order to get them to trust the https connection between their browsers and the pfSense proxy.
I might rebuild my virtual pfSense box with more RAM and disk space and experiment with running Snort/Squid/ClamAV at some point.
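The weekly "download a couple of lists, parse them and update the RPZ" job described in the post above, written out as an added example (this is not the poster's script, and it makes its own assumptions): the zone is assumed to be called rpz.local, the lists are assumed to arrive either in hosts-file format ("0.0.0.0 ads.example") or as one bare domain per line, and the two sample lists plus the allowlist are constructed inline so the script runs offline. Each blocked domain is rewritten to NXDOMAIN with the RPZ "CNAME ." convention, and a wildcard record covers its subdomains, which is usually why an ad network "still works" when only the exact hostname from a list is blocked.

```python
"""Build a BIND response policy zone (RPZ) file from blocklists.

Added example, not the original poster's cron job. Assumptions: the RPZ is
named rpz.local in named.conf, and the downloaded lists are in hosts-file
format or one-domain-per-line format. The sample lists below are constructed
stand-ins for the real downloads so the script runs offline.
"""
import re
import time

# Constructed sample standing in for a downloaded hosts-format list.
HOSTS_FORMAT_LIST = """\
# hosts-format blocklist (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 Tracker.Example.   # trailing dot and mixed case on purpose
0.0.0.0 metrics.example # comment after the entry
"""

# Constructed sample standing in for a downloaded one-domain-per-line list.
DOMAIN_LIST = """\
# plain domain blocklist (constructed sample)
ads.example
malware.example
cdn.example
"""

# Domains that must never end up in the zone, whatever the lists say
# (an over-broad list entry here would break legitimate sites).
ALLOWLIST = {"cdn.example"}

# Hostname label: letters, digits, hyphen, not starting/ending with a hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Require at least two labels so 'localhost' and junk never reach the zone;
# one malformed owner name is enough for named to reject the whole zone.
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def parse_blocklist(text: str) -> set:
    """Return the set of valid, lower-cased domains found in a list.

    Strips comments, trailing dots and mixed case, and accepts both
    '<ip> <name> [<name>...]' lines and bare '<name>' lines.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts format if the first field looks like an IPv4/IPv6 address
        names = fields[1:] if re.match(r"^[0-9.:]+$", fields[0]) else fields[:1]
        for name in names:
            name = name.rstrip(".").lower()
            if _HOSTNAME_RE.match(name):
                domains.add(name)
    return domains


def build_rpz_zone(domains, serial=None) -> str:
    """Render the RPZ zone file text for the given domains.

    Owner names are relative to the zone origin, so 'ads.example CNAME .'
    becomes ads.example.rpz.local. and rewrites lookups to NXDOMAIN; the
    '*.' record does the same for every subdomain.
    """
    serial = serial if serial is not None else int(time.time())
    blocked = sorted(d for d in domains if d not in ALLOWLIST)
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in blocked:
        lines.append(f"{d} CNAME .")      # exact name -> NXDOMAIN
        lines.append(f"*.{d} CNAME .")    # all subdomains -> NXDOMAIN
    return "\n".join(lines) + "\n"


def main() -> None:
    domains = parse_blocklist(HOSTS_FORMAT_LIST) | parse_blocklist(DOMAIN_LIST)
    print(build_rpz_zone(domains), end="")


if __name__ == "__main__":
    main()
```

In the real job the two constants would be replaced by the fetched list bodies and the output written to the zone file named in BIND's `zone "rpz.local" { type master; file "..."; };` stanza, with `response-policy { zone "rpz.local"; };` in the `options` block and `rndc reload rpz.local` afterwards. Using the epoch time as the serial keeps it monotonic across weekly runs without any state file.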