My new Network Setup
Author: -fab- <fab@redterminal.org>
License: CC BY-SA 4.0
Published on: Fri, 02 Feb 2024 08:40:15 +0100
Last updated: Mon, 14 Apr 2025 13:20:00 +0100
It may be risky to publish my network layout, but because I got a new PFSense router and I like to talk about my homelab and the things I'm tinkering with, I'm writing this gemlog post. Maybe it's some inspiration for someone.
*EDIT*: I switched to OPNSense from PFSense CE on my mainrouter on 26 March 2025, because PFSense CE updates do seem to take a very loooooong time!
It's always a mess to switch out such an integral and central part of a homelab like a router, so I did a lot of planning and research this time to get it right.
Network Layout
┌────────┐
│DSL     │
│Modem   │
└──┬─────┘
   │
┌──┴────────────────┐VLAN30T┌─────────────┐
│OPNSense Router    ├───────┤   Proxmox   │
│                   │VLAN35T│   Cluster   │
│                   │       └─────────────┘
│    mainrouter     │
│                   │       ┌─────────────┐
│                   │       │   FireTV    │
└──┬────────────────┘   ┌───┤   Stick     │
   │                    │   └─────────────┘
┌──┴────────────────┐   │VLAN40U
│                   ├───┘
│     switch01      │
│                   │
└──┬────────────────┘
   │VLAN40T,50T,55T,70T,80T
   │  ┌─────────┐ ┌─────────┐ ┌─────────┐
   │  │ Zigbee  │ │ FireTV  │ │ Desktop │
   │  │ Router  │ │  Cube   │ │   PC    │
   │  └────┬────┘ └────┬────┘ └────┬────┘
   │       │VLAN70U    │VLAN40U    │
┌──┴───────┴────────┐  │           │
│                   ├──┘           │
│     switch02      │              │
│                   ├──────────────┘
└──┬───────┬────────┘
   │       │
   │       │VLAN50T,55T ┌─────────────┐
   │       └────────────┤Raspberry Pi │
   │VLAN70T,80T         │Cluster      │
   │                    └─────────────┘
   │
┌──┴────────────────┐       ┌─────────────┐
│OpenWRT Router     │       │             │
│                   │VLAN70U│    WLAN:    │
│                   ├───────┤IoT & Printer│
│    wlanrouter     │       │             │
│                   │       │  Insecure   │
│                   │       │  Devices    │
└──────────┬────────┘       └─────────────┘
           │
           │                ┌─────────────┐
           │                │             │
           │VLAN80U         │Secure WLAN: │
           └────────────────┤             │
                            │For Laptops &│
                            │Smartphones  │
                            │             │
                            └─────────────┘
In the VLAN labels, T stands for "Tagged" and U for "Untagged".
OPNSense router (mainrouter)
*EDITED on 26 Mar 2025*
This is the center of my network. It does all the firewalling, DNS, DynDNS, DNSBL blocking with the internal Unbound DNSBL, DHCP and all the VLAN routing and setup.
I still use the ISC DHCP server because the Kea DHCP server doesn't register the hostnames of newly connected devices in the Unbound DNS server, a feature that I need for my Incus cluster when I spin up new containers, tear them down again and so on.
The OPNSense community edition is always ahead of the OPNSense business edition, so you can be sure to get frequent updates, unlike with PFSense CE.
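The mechanism behind the ISC-versus-Kea point above is that ISC dhcpd can run a command on every lease event, and Unbound accepts new records at runtime over its control socket. The following is an added, hand-written illustration of that hook, not the glue OPNSense ships between its DHCP service and Unbound; the subnets, the "lab.example" zone and the unbound-control path are assumptions.

```conf
# --- /usr/local/etc/dhcpd.conf (ISC DHCP) ---
# Assumed: VLAN 55 (Incus containers) is 192.168.55.0/24, internal zone "lab.example".
subnet 192.168.55.0 netmask 255.255.255.0 {
    range 192.168.55.100 192.168.55.200;
    option routers 192.168.55.1;
    option domain-name-servers 192.168.55.1;
    option domain-name "lab.example";

    # Fired for every committed lease. leased-address and option host-name
    # (the name the client put in its request) are in scope here. Variables
    # set in this lease scope are stored with the lease, so clname is still
    # available in the release and expiry hooks below.
    on commit {
        set clip = binary-to-ascii(10, 8, ".", leased-address);
        set clname = pick-first-value(option host-name, "unnamed");
        execute("/usr/local/sbin/unbound-control", "local_data",
                concat(clname, ".lab.example. 300 IN A ", clip));
    }
    on release {
        execute("/usr/local/sbin/unbound-control", "local_data_remove",
                concat(clname, ".lab.example."));
    }
    on expiry {
        execute("/usr/local/sbin/unbound-control", "local_data_remove",
                concat(clname, ".lab.example."));
    }
}

# The insecure VLAN 70 gets a plain subnet with NO hook on purpose: a client
# chooses its own hostname, and an IoT device that calls itself "proxmox" or
# "nas" would otherwise hijack that name for every other VLAN using this resolver.
subnet 192.168.70.0 netmask 255.255.255.0 {
    range 192.168.70.100 192.168.70.200;
    option routers 192.168.70.1;
    option domain-name-servers 192.168.70.1;
}

# --- unbound.conf: let dhcpd reach the resolver over the local control socket ---
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: no
```

execute() passes its arguments straight to execve(), so shell metacharacters in a client-supplied hostname are not a problem here, but the name itself is still untrusted input: only attach the hook to subnets whose clients you control, and after a change check what actually landed with unbound-control list_local_data.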
IPv6
*EDITED on 26 Mar 2025*
I set up IPv6 on all of my VLANs using SLAAC. But the IPv6 addresses are not inserted into the Unbound DNS server, so IPv6 is only used for outbound connections to the outside of my local net.
*DONE*
I'll add ULAs (Unique local addresses) later to put them in my static DNS list for my stable servers in my homelab.
Glovary Firewall N100 Router Appliance
I bought this thing on Amazon (yes I know, but it's convenient) and here's a link:
Glovary PFSense Router
- Alder Lake-N 12th Gen N100 4C/4T up to 3.4GHz
- 8GB SODIMM DDR5 4800MHz
- 6x 2.5GbE ports i226V
- 2x M.2 NVMe Slots (1x 512GB SSD installed)
- 1x SATA 2.5" Slot (internal)
- HDMI port
- 1x TF card slot
- 1x USB3.2
- 4x USB2.0
- 1x USB Type-C
OpenWRT WiFi router (wlanrouter)
My WRT1900ACS WLAN died a few weeks ago, so I replaced it with a little travel WLAN router that also runs OpenWRT. At first it didn't work with 2 separate WLANs, but after an upgrade from the vendor it now supports my 2 WLANs on different VLANs (VLAN70 and VLAN80). It was a cheap buy, but it does its job as I want it.
It simply serves as a dumb router for my two WLANs: One for my insecure IoT devices and one which is secure for my mobile things like laptops and smartphones. The insecure WLAN does not connect to the internet.
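To show what "dumb router with two WLANs on two VLANs" looks like in OpenWRT terms, here is an added example configuration that is not taken from the author's device. It assumes a DSA-based OpenWRT (21.02 or newer), that the wired port toward switch02 is called lan1, that the radio is radio0, and that the access point takes its own management address on VLAN 80. The no-internet policy for VLAN 70 lives on the mainrouter, not here.

```conf
# --- /etc/config/network ---
# lan1 (assumed name) carries the VLAN70T,80T trunk from switch02.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'

config bridge-vlan
    option device 'br-lan'
    option vlan '70'
    list ports 'lan1:t'          # tagged toward the switch

config bridge-vlan
    option device 'br-lan'
    option vlan '80'
    list ports 'lan1:t'

config interface 'vlan70'
    option device 'br-lan.70'
    option proto 'none'          # pure layer-2 bridge: the AP has no address in the IoT VLAN

config interface 'vlan80'
    option device 'br-lan.80'
    option proto 'dhcp'          # management address, leased by the mainrouter (assumed)

# --- /etc/config/dhcp ---
# The mainrouter is the only DHCP server; the AP's own dnsmasq must stay quiet.
config dhcp 'vlan80'
    option interface 'vlan80'
    option ignore '1'

# --- /etc/config/wireless ---
config wifi-iface 'iot'
    option device 'radio0'       # assumed radio name
    option mode 'ap'
    option network 'vlan70'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'CHANGEME'
    option isolate '1'           # IoT clients cannot see each other over the air

config wifi-iface 'mobile'
    option device 'radio0'
    option mode 'ap'
    option network 'vlan80'
    option ssid 'mobile'
    option encryption 'sae-mixed' # WPA3 for clients that can, WPA2 for the rest
    option key 'CHANGEME'
    option ieee80211w '1'        # protected management frames where supported
```

Remove the stock 'lan' interface and its DHCP pool when applying this, otherwise the travel router keeps a second subnet alive on the same bridge. The OpenWRT firewall plays no role for bridged traffic; it is the mainrouter that decides what VLAN 70 and 80 may reach.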
VLANs
I've set up 7 VLANs to separate my specific network segments:
- Untagged: The main lan is untagged and it only contains my desktop PC
- VLAN 30: Proxmox nodes (I have a cluster of 2 machines)
- VLAN 35: Proxmox VMs and containers
- VLAN 40: Streaming Hardware like my FireTV Cube in my room and a FireTV Stick in the living room.
- VLAN 50: Experimental Raspberry Pi Incus Cluster hosts
- VLAN 55: Raspberry Pi Incus Cluster containers
- VLAN 70: All the insecure devices go into this VLAN, which has no internet access
- VLAN 80: My secure WLAN for mobile devices like my laptops and smartphones
All of these VLANs/subnets are locked down as much as possible with the mainrouter firewall.
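To make "locked down as much as possible" concrete, here is an illustrative pf ruleset for two of the VLAN interfaces, written as an added example and not taken from the author's OPNSense configuration. OPNSense generates its own pf rules from the GUI, so read this as the policy those GUI rules should express: VLAN 70 reaches nothing but the router's DHCP and DNS, VLAN 80 reaches the internet but no other VLAN. Interface names, subnets, router addresses and the IPv6 prefix are assumptions.

```conf
# OPNSense names VLAN interfaces after the parent NIC, e.g. igc1_vlan70 (assumed here).
wan    = "igc0"
vlan70 = "igc1_vlan70"   # insecure IoT / printer WLAN: no internet, no other VLAN
vlan80 = "igc1_vlan80"   # secure WLAN: internet yes, other VLANs no
rtr70  = "192.168.70.1"  # the router's own address on VLAN 70 (assumed)
rtr80  = "192.168.80.1"  # the router's own address on VLAN 80 (assumed)

# Everything that counts as "internal". Because every VLAN also gets global
# IPv6 via SLAAC, the ISP-delegated prefix (placeholder value) belongs in here
# too, otherwise VLAN-to-VLAN traffic over public IPv6 addresses walks straight
# past a rule that only knows the RFC 1918 ranges and ULAs.
table <internal> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                   fc00::/7, 2001:db8:1234::/48 }

set block-policy drop
set skip on lo0

# Only the secure VLAN is ever NATed out; VLAN 70 has no path to the WAN even if a
# filter rule below were wrong.
nat on $wan inet from $vlan80:network to any -> ($wan)

block log all            # default deny on every interface, both directions

# Neighbour discovery and router advertisements are what SLAAC runs on.
pass quick inet6 proto ipv6-icmp all icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# --- VLAN 70: DHCP and DNS to the router itself, then drop everything ---
pass in quick on $vlan70 inet proto udp from any port 68 to { 255.255.255.255, $rtr70 } port 67
pass in quick on $vlan70 inet proto { tcp, udp } from $vlan70:network to $rtr70 port 53
block in quick on $vlan70 from any to any      # covers other VLANs AND the internet

# --- VLAN 80: DHCP/DNS to the router, nothing else internal, everything external ---
pass in quick on $vlan80 inet proto udp from any port 68 to { 255.255.255.255, $rtr80 } port 67
pass in quick on $vlan80 inet proto { tcp, udp } from $vlan80:network to $rtr80 port 53
block in quick on $vlan80 from any to <internal>  # must sit ABOVE the allow-anything rule
pass in quick on $vlan80 from $vlan80:network to any

# States created by the pass rules above already carry client traffic out the
# WAN; this last rule only covers what the router itself originates.
pass out quick on $wan from ($wan) to any
```

The rule OPNSense adds by default to a fresh interface is "allow interface net to any", and on its own that lets the secure WLAN reach the Proxmox and Raspberry Pi VLANs as well; the block-to-internal rule has to sit above it, because rules are matched top-down and the first "quick" match wins. Rather than trusting the rule list, test it from a client on VLAN 80 (for example nc -zv against a VLAN 55 address and port) and watch the drop appear in the firewall live log.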
What do you think?
I'm really satisfied with my setup now and I think it's easily expandable. But of course I'm no expert and just a hobbyist. Fiddling around with the firewall was a little unusual to me at first and there may be some buggy rules that don't work as intended. But at least everything works.
If you have any opinions, suggestions, comments or advice please send me an email or if you wish so follow me on Mastodon/ActivityPub '@fab@pleroma.envs.net' and contact me there.
All in all - Have fun!
-fab-