
My new Network Setup


Author:       -fab- <fab@redterminal.org>
License:      CC BY 4.0
Published on: Fri, 02 Feb 2024 08:40:15 +0100
Last updated: Thu, 29 Feb 2024 21:00:00 +0100

It may be risky to publish my network layout, but because I got a new PFSense router, and because I like to talk about my homelab and the things I'm tinkering with, I'm writing this gemlog post. Maybe it's some inspiration for someone.


It's always a mess to switch out such an integral and central part of a homelab as the router, so this time I did a lot of planning and research to get it right.


Network Layout


┌────────┐
│DSL     │
│Modem   │
└──┬─────┘
   │
┌──┴────────────────┐VLAN30T┌─────────────┐
│PFSense Router     ├───────┤   Proxmox   │
│                   │VLAN35T│   Server    │
│                   │       └─────────────┘
│    mainrouter     │
│                   │       ┌─────────────┐
│                   │       │   FireTV    │
└──┬────────────────┘   ┌───┤   Stick     │
   │                    │   └─────────────┘
┌──┴────────────────┐   │VLAN40U
│                   ├───┘
│     switch01      │
│                   │
└──┬────────────────┘
   │VLAN40T,50T,55T,70T,80T
   │  ┌─────────┐  ┌─────────┐  ┌─────────┐
   │  │ Zigbee  │  │ FireTV  │  │ Desktop │
   │  │ Router  │  │ Cube    │  │ PC      │
   │  └────┬────┘  └────┬────┘  └────┬────┘
   │       │VLAN70U     │VLAN40U     │
┌──┴───────┴────────┐   │            │
│                   ├───┘            │
│     switch02      │                │
│                   ├────────────────┘
└──┬───────┬────────┘
   │       │
   │       │VLAN50T,55T     ┌─────────────┐
   │       └────────────────┤Raspberry Pi │
   │VLAN70T,80T             │Cluster      │
   │                        └─────────────┘
   │
┌──┴────────────────┐       ┌─────────────┐
│OpenWRT Router     │       │             │
│                   │VLAN70U│    WLAN:    │
│                   ├───────┤IoT & Printer│
│    wlanrouter     │       │             │
│                   │       │Insecure     │
│                   │       │      Devices│
└──────────┬────────┘       └─────────────┘
           │
           │                ┌─────────────┐
           │                │             │
           │VLAN80U         │Secure WLAN: │
           └────────────────┤             │
                            │For Laptops &│
                            │Smartphones  │
                            │             │
                            └─────────────┘
In the VLAN labels, T stands for "Tagged" and U for "Untagged".

PFSense router (mainrouter)


This is the center of my network. It does all the firewalling, DNS, DynDNS, DNSBL blocking with pfBlockerNG, DHCP, and all the VLAN routing and setup.


Because the ISC DHCP server seems deprecated (with a big warning in the user interface), I switched to the also-supported and still actively developed Kea DHCP server. Unfortunately, Kea doesn't support registering the DNS names of newly connected devices in the Unbound name server, so I had to set up static leases for all the servers I'm running. Hopefully this feature will be added soon.


There was PFSense Plus installed on the router, which is no longer open source, and that is a no-go for me. So I installed a current version of vanilla PFSense (2.7.2-RELEASE), which was no problem and worked out of the box. The vanilla version is Apache 2.0 licensed.


No IPv6


In my previous setup I had IPv6 up and running for most devices. I chose to disable IPv6 in the new one, because it's easier to set everything up in the beginning without it.


Of course I'll try to add IPv6 to my existing network when I'm ready for it (it's on my TODO list). I still have to research how to do it in PFSense.


Glovary Firewall N100 Router Appliance


I bought this thing on Amazon (yes, I know, but it's convenient), and here's a link:


Glovary PFSense Router


Alder Lake-N 12th Gen N100 4C/4T up to 3.4GHz

8GB SODIMM DDR5 4800MHz

6x 2.5GbE ports i226V

2x M.2 NVMe Slots (1x 512GB SSD installed)

1x SATA 2.5" Slot (internal)

HDMI port

1x TF card slot

1x USB3.2

4x USB2.0

1x USB Type-C


OpenWRT WiFi router (wlanrouter)


This is an old Linksys WRT1900ACS with OpenWRT 23.05.2 flashed to it.


It simply serves as a dumb router for my two WLANs: one for my insecure IoT devices and one, which is secured, for my mobile things like laptops and smartphones. The insecure WLAN does not connect to the internet.


VLANs


I've set up 7 VLANs (plus the untagged main LAN) to separate my specific network segments:


Untagged: The main LAN is untagged and only contains my desktop PC

VLAN 30: Proxmox nodes (only one for now)

VLAN 35: Proxmox VMs and containers

VLAN 40: Streaming Hardware like my FireTV Cube in my room and a FireTV Stick in the living room.

VLAN 50: Experimental Raspberry Pi Incus Cluster hosts

VLAN 55: Raspberry Pi Incus Cluster containers

VLAN 70: All the insecure devices go into this VLAN, which has no internet access

VLAN 80: My secure WLAN for mobile devices like my laptops and smartphones


All of these VLANs/subnets are locked down as much as possible with the mainrouter firewall.
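As an added illustration (not the author's configuration, and not pfSense code), here is a small Python model of the segmentation above: it evaluates rules with pfSense-style per-interface, first-match semantics and an implicit default block, then audits a rule set against the invariants the post states (the IoT VLAN has no internet; nothing crosses segments unless explicitly allowed). The subnets, the rule set, and the documentation address 203.0.113.10 standing in for "the internet" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segments from the post; the subnets are assumptions (the post names none).
SEGMENTS = {"LAN": ip_network("192.168.1.0/24")}       # untagged main LAN: desktop PC
SEGMENTS.update({f"VLAN{v}": ip_network(f"10.0.{v}.0/24") for v in (30, 35, 40, 50, 55, 70, 80)})
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    iface: str                  # segment the packet arrives on (pfSense evaluates per interface)
    action: str                 # "pass" or "block"
    dst: str                    # a segment name, "WAN" (any non-private address) or "ANY"
    dport: "int | None" = None  # None = any destination port


def _dst_matches(rule, dst_ip):
    if rule.dst == "WAN":
        return not any(dst_ip in n for n in PRIVATE)
    return rule.dst == "ANY" or dst_ip in SEGMENTS[rule.dst]


def evaluate(rules, src_ip, dst_ip, dport=None):
    """Rules on the ingress interface, first match wins, implicit default block."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    src = next((name for name, net in SEGMENTS.items() if src_ip in net), None)
    for r in rules:
        if r.iface == src and _dst_matches(r, dst_ip) and r.dport in (None, dport):
            return r.action
    return "block"


# (src, dst, port, expected verdict). The first two follow from the post's
# "insecure VLAN, no internet" and "locked down"; the third is what the streaming VLAN needs.
INVARIANTS = [
    ("10.0.70.10", "203.0.113.10", 443, "block"),  # VLAN70 -> internet must be blocked
    ("10.0.70.10", "10.0.80.10", 22, "block"),     # IoT must not reach the secure WLAN
    ("10.0.40.10", "203.0.113.10", 443, "pass"),   # FireTV devices need internet
]


def audit(rules):
    """Return the invariants a rule set violates; an empty list means the policy is consistent."""
    return [(s, d, p, want) for s, d, p, want in INVARIANTS if evaluate(rules, s, d, p) != want]


# Constructed rule set in the spirit of the post, not the author's real rules.
RULES = [
    Rule("LAN", "pass", "ANY"),              # desktop PC may reach everything
    Rule("VLAN80", "pass", "WAN"),           # secure WLAN gets internet
    Rule("VLAN40", "pass", "WAN"),           # streaming hardware gets internet
    Rule("VLAN80", "pass", "VLAN35", 443),   # laptops/phones to self-hosted web apps only
    Rule("VLAN70", "pass", "VLAN35", 1883),  # IoT devices to an MQTT broker in a container only
]
```

Run `audit(RULES)` after every rule change; an over-broad rule such as `Rule("VLAN70", "pass", "ANY")` placed above the others shows up as a violation immediately.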


What do you think?


I'm really satisfied with my setup now, and I think it's easily expandable. But of course I'm no expert, just a hobbyist. Fiddling around with the firewall was a little unfamiliar to me at first, and there may be some buggy rules that don't work as intended. But at least everything works.


If you have any opinions, suggestions, comments or advice, please send me an email, or, if you wish, follow me on Mastodon/ActivityPub '@fab@pleroma.envs.net' and contact me there.



All in all - Have fun!

-fab-

