According to Wikipedia, eating your own dog food, or "dogfooding", is the practice of using one's own products or services. That's what we do at All Families Secure, and today we're taking a deep dive.
If you wondered "how far could I take these solutions?", this post is for you. We're diving into the nitty-gritty of a robust home network setup. Not a home network in general: this post is specifically about my home network. It's Alex writing this, by the way. My colleague Fabian has a different configuration, and we'll be exploring his approach in a future article. Think of what you're about to read as an extreme example of what's truly possible when you leverage the full power of All Families Secure's network solutions. It might seem like a lot, but for me, the peace of mind and control it offers are invaluable.
Plus, in addition to our lab environments (where we pilot new early-release features and test out unusual configurations), my home network needs to act as the ultimate test bed where I can test out the long-term implications of configurations our customers may ask for.
So, let's pull back the curtain on how I've engineered my home network for optimal security, performance, and control.
The Foundation: Multiple Networks for Multiple Needs
The cornerstone of my setup is the implementation of multiple distinct networks. Each serves a specific purpose, providing isolation and tailored security policies.
- Primary Network: This is for our trusted, essential devices – our personal laptops, phones, and anything we consider to be entirely under our control and in frequent use. It's the most privileged network, but still benefits from the overarching security of our system.
  - Purpose: To provide a secure and fast connection for our most critical and frequently used devices.
  - Benefits: Optimal performance, direct access to shared resources, and a high level of trust for these known devices.
- IoT (Internet of Things) Network: This network is a game-changer for smart homes. It's dedicated to devices like smart bulbs, security cameras, smart appliances, and other IoT gadgets. These devices often have varying security postures and can be targets for compromise.
  - Purpose: To isolate potentially less secure smart devices from the rest of my network. It allows for rigorous monitoring and filtering of their traffic. Crucially, it also allows me to create a 2.4GHz-only Wi-Fi network, avoiding compatibility issues that some older IoT devices have with 5GHz bands.
  - Benefits: Enhanced security by segmenting devices that may not be 100% trustworthy, preventing them from accessing sensitive data on my primary network. Improved reliability for older IoT devices.
- Kids' Network: This is where the magic of granular control truly shines for parents. Our kids' devices, like tablets and gaming consoles, live here.
  - Purpose: To provide a safe, controlled online environment for children, with adjustable access based on time of day or specific activities.
  - Benefits:
    - Ad Blocking: Reduces distractions and exposure to potentially inappropriate advertisements.
    - Content Filtering: Blocks malicious websites and adult content, automatically enforced at the network level.
    - Safe Search: Ensures search engines (like Google, Bing, YouTube) provide filtered results.
    - Specific, Pauseable Rules: This is where the "Ro-block and Stoppify" comes in!
      - Ro-block (Roblox Blocking Rule): Can be enabled or paused at will, perfect for encouraging homework or outdoor play.
      - Stoppify (Spotify Blocking Rule): Automatically blocks Spotify from 8 PM until the first person is awake (defined by an automation, for example, 6 AM). This ensures quiet evenings and a good night's sleep.
      - Media Streaming: A powerful rule that blocks access to video streaming sites, including YouTube, when it's time for a break from screens.
    - Smart Device Management: I also have a son who, despite our best efforts, keeps finding ways to quietly grab the main network password off other devices. Rather than constantly fighting this, I just used the power of our solution. If his iPad connects to the main network Wi-Fi, the network identifies his device by its MAC address and automatically drops it onto the Kids' Network, even though he didn't use the Kids' Wi-Fi directly. This provides a seamless, yet controlled, experience.
- Guest Wi-Fi Network: Essential for visitors, allowing them internet access without granting them entry to my internal network.
  - Purpose: To provide temporary internet access for guests, completely isolated from my primary and other internal networks.
  - Benefits: Guests can get online easily and securely, while my private data and devices remain protected.
- Dedicated DMZ (Demilitarised Zone): For specific services that need to be accessible from the internet.
  - Purpose: This allows me to run things inside my network (Emby for example, for media streaming) that I can connect to from the Internet, while significantly minimising potential damage should they be compromised. If a service in the DMZ is breached, the attacker is still isolated from my internal networks.
  - Benefits: Securely exposes specific services to the internet without risking the entire internal network.
- VPN (Virtual Private Network) Server: Instead of acting as a client that connects out to a third-party service, my network acts as a VPN server. This provides me with a secure, encrypted tunnel back into my home network from anywhere in the world. It’s my personal "safe network" when I'm on business travel.
  - Purpose: To allow secure, remote access to my home network resources and to route my internet traffic through my trusted home connection when I am away.
  - Benefits: When I'm using untrusted hotel or airport Wi-Fi, all my traffic is routed back through my secure home internet connection. For maximum ease, I pair this with a dedicated travel router. I connect the travel router to the local Wi-Fi, and it automatically establishes the VPN connection back to my house. Then, all my devices—laptop, phone, tablet—simply connect to my portable Wi-Fi network that they already know. This is far simpler than needing to manually turn on and turn off a VPN client on every single device.
- Isolated Business Network: As I occasionally work from home, this is crucial.
  - Purpose: To keep home and business needs at arm's length. They don't talk to each other directly.
  - Benefits: Maintains strict separation between work and personal data, improving security and compliance. The only interaction I've allowed is printing from the business network to my home printer, configured with specific firewall rules to prevent any other cross-network communication.
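The segmentation described in the list above can be expressed as a first-match, default-deny policy between zones. The following is an added example, not All Families Secure's product configuration or the author's actual rules: the subnets, host addresses, ports, and the blanket default deny between every pair of segments are assumptions made for illustration.

```python
# Added example: zone names follow the article; subnets, hosts and ports
# are constructed for illustration and are not the author's real values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {  # constructed RFC 1918 subnets, one per network in the article
    "primary":  ip_network("10.0.10.0/24"),
    "iot":      ip_network("10.0.20.0/24"),
    "kids":     ip_network("10.0.30.0/24"),
    "guest":    ip_network("10.0.40.0/24"),
    "dmz":      ip_network("10.0.50.0/24"),
    "business": ip_network("10.0.60.0/24"),
}
PRINTER = ip_address("10.0.10.50")  # hypothetical home printer on primary
MEDIA = ip_address("10.0.50.10")    # hypothetical media server in the DMZ

@dataclass(frozen=True)
class Rule:
    src: str                # zone name, "wan", or "*" for any
    dst: str
    dst_ip: object = None   # optional: restrict to one destination host
    port: int = None        # optional: restrict to one destination port
    allow: bool = True

RULES = [  # evaluated top to bottom, first match wins
    Rule("business", "primary", PRINTER, 631),  # printing only (IPP, assumed)
    Rule("wan", "dmz", MEDIA, 8920),            # published service (port assumed)
    Rule("*", "wan"),                           # any zone may reach the internet
    Rule("*", "*", allow=False),                # default deny between zones
]

def zone_of(ip):
    """Map an address to its zone; anything outside the subnets is 'wan'."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")

def allowed(src_ip, dst_ip, port):
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same-segment traffic never crosses the firewall
    for r in RULES:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.dst_ip in (None, ip_address(dst_ip))
                and r.port in (None, port)):
            return r.allow
    return False
```

Scoping the printing exception to one host and one port is what keeps it from becoming a general path between the business and home segments: the same source reaching the printer on another port, or another primary host on the printing port, falls through to the default deny.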
What I'm Not Using
Sometimes it's best not to try and use every feature, but to be thoughtful and use "just enough". Even though my network is doing a lot, I have made a conscious choice to not enable some features. So, let's talk about what I don't use and why.
- Kids' Network Turns Off at Night: This is a bulletproof solution in many households, creating a hard stop for screen time. However, it proved to be a pain for me. I often manage and update the kids' devices when they're in bed. I wanted to avoid a scenario where I was having to put their devices on the main network for updates or constantly pausing and resuming the kids' network schedule. Instead, I opted for the more granular solution of managing the services that tend to lead to sneaky late-night iPad use (like my "Ro-block" and "Stoppify" rules).
- Bandwidth Restrictions: I could apply speed limits to non-primary networks (like the Kids' and Guest networks) to preserve performance for my main devices. But with an NBN 1000 plan, I currently have bandwidth to burn. If I were on a speed-limited service, then I would absolutely consider some traffic shaping to ensure fair usage.
- QoS (Quality of Service): Likewise, QoS can be used to maintain the quality of latency-sensitive services (like video calls or VoIP) by ensuring they are prioritised over other traffic. I've never needed to turn it on. My network has proven that even during the height of the pandemic—with multiple high-bandwidth devices running at once, plus multiple streaming services and video calls—it never dropped out.
- Device Blocking: I can always block a specific device from accessing the network entirely, even if it has the right password. It's a powerful feature to have up my sleeve, but thanks to the effectiveness of the other controls, it's one I've never had to use.
Beyond the Wi-Fi: Other Key Elements
My network solution extends beyond just Wi-Fi segmentation:
- Hardwired Connections: I have hardwired most of the house. While Wi-Fi is convenient, a cabled connection offers superior speed, reliability, and lower latency. This has enabled me to implement greater than 1 Gbit/s speeds in key areas. The network core and connections to certain high-bandwidth devices all run at 10 Gbit/s, with a number of other devices running at 2.5 Gbit/s. In essence, my network is ready for NBNco's upcoming multi-gigabit plans. If that doesn't make much sense, think of it this way: 10 Gbit/s is enough bandwidth to stream 500 4K YouTube streams or 666 4K Netflix streams concurrently.
- Security Cameras and Access Control: These are fully integrated as part of the solution. Our cameras are part of the IoT network, ensuring their traffic doesn't interfere with general usage and that they can be monitored and controlled securely. Access control devices also tie into the system for seamless management.
- Site-to-Site Family VPN: I also have two brothers with kids of a similar age to my own. Naturally, I've rolled out the same All Families Secure technology and kid-safe networks to their houses. To take it a step further, I have established a site-to-site VPN that links only the kids' networks together between our three homes. This creates a private, secure network for the cousins to play Minecraft or do some retro gaming together, just as if they were in the same room on the same Wi-Fi. The best part is that their game traffic never needs to go out via the public internet, keeping it secure and private.
- Geo-blocking: I also use geo-blocking to deny traffic to and from certain high-risk countries. Blocking traffic from nations like North Korea, Russia, and Belarus is a standard practice in many business networks to reduce the attack surface, and I've replicated it at home for an added layer of security.
- Redundant Internet Connection: To keep things online, I utilise a redundant internet connection – a mobile prepaid SIM. In the event of an NBN outage, the network automatically fails over to the mobile connection, ensuring continuity for essential services. With Starlink's new "standby" solution, I may migrate to this in future for a more robust and (optionally) higher-speed backup.
As you can see, a well-designed network can provide incredible levels of control, security, and peace of mind. While my setup might be extensive, the modular nature of the All Families Secure platform means you can implement as much or as little of this as your family needs. If you want an out-of-the-box solution that delivers just the essentials, check out our services page to learn more. If this level of customisation and control sounds appealing, contact us for an obligation-free discussion.
Stay tuned for Fabian's setup coming soon, which will offer another perspective on maximising your home network's potential!