My new Nework Setup

Author:       -fab- <fab@redterminal.org>
License:      CC BY-SA 4.0
Published on: Fri, 02 Feb 2024 08:40:15 +0100
Last updated: Sun, 15 Sep 2024 21:00:00 +0100

It may be risky to publish my network layout, but because I got a new PFSense router and I like to talk about my homelab and the things I'm tinkering with I'm writing this gemlog post. Maybe it's some inspiration for someone.

It's always a mess to switch out such an integral and central part of a homelab like a router, so I did a lot of planning and research this time to get it right.

Network Layout

┌────────┐
│DSL     │
│Modem   │
└──┬─────┘
   │
┌──┴────────────────┐VLAN30T┌─────────────┐
│PFSense Router     ├───────┤   Proxmox   │
│                   │VLAN35T│   Server    │
│                   │       └─────────────┘
│    mainrouter     │
│                   │       ┌─────────────┐
│                   │       │   FireTV    │
└──┬────────────────┘   ┌───┤   Stick     │
   │                    │   └─────────────┘
┌──┴────────────────┐   │VLAN40U
│                   ├───┘
│     switch01      │
│                   │
└──┬────────────────┘
   │VLAN40T,50T,55T,70T,80T
   │  ┌─────────┐  ┌─────────┐  ┌─────────┐
   │  │ Zigbee  │  │ FireTV  │  │ Desktop │
   │  │ Router  │  │ Cube    │  │ PC      │
   │  └────┬────┘  └────┬────┘  └────┬────┘
   │       │VLAN70U     │VLAN40U     │
┌──┴───────┴────────┐   │            │
│                   ├───┘            │
│     switch02      │                │
│                   ├────────────────┘
└──┬───────┬────────┘
   │       │
   │       │VLAN50T,55T     ┌─────────────┐
   │       └────────────────┤Raspberry Pi │
   │VLAN70T,80T             │Cluster      │
   │                        └─────────────┘
   │
┌──┴────────────────┐       ┌─────────────┐
│OpenWRT Router     │       │             │
│                   │VLAN70U│    WLAN:    │
│                   ├───────┤IoT & Printer│
│    wlanrouter     │       │             │
│                   │       │Insecure     │
│                   │       │      Devices│
└──────────┬────────┘       └─────────────┘
           │
           │                ┌─────────────┐
           │                │             │
           │VLAN80U         │Secure WLAN: │
           └────────────────┤             │
                            │For Laptops &│
                            │Smartphones  │
                            │             │
                            └─────────────┘
In the VLAN definitions T stands for "Tagged" and U for "Untagged"

PFSense router (mainrouter)

This is the center of my network, which does all the firewalling, DNS, DynDNS, DNSBL Blocking with PFBlockerNG, DHCP and all the VLAN routing and setup.

Because the ISC DHCP server seems deprecated (with a big warning in the user interface) I switched to the also supported and still in development Kea DHCP server. Unfortunately Kea doesn't support to inject new connected device DNS names into the unbound name server, so I had to set up static leases for all the servers I'm running. Hopefully this feature will soon be added.

There was PFSense Plus+ installed on the router, which is no longer open source which is a no-go. So I installed an actual version of vanilla PFSense (2.7.2-RELEASE) and it was no problem and worked out of the box. The vanilla version is Apache 2.0 licensed.

No IPv6

In my previous setup I had IPv6 up and running for most devices. I chose to disable IPv6 with the new one, because it's easier to set up in the beginning.

Of course I'll try to add IPv6 into my existing network when I'm ready for it (it's on my TODO list). I still have to do my research how to do it in PFSense.

EDIT: I set up IPv6 for some of my VLANs which now support IPv6. But the IPv6 addresses are not inserted into the Unbound DNS server, so IPv6 is just used for outbound connections to the outside of my local net (15 Sep 2024)

Glovary Firewall N100 Router Appliance

I bought this thing on Amazon (yes I know, but it's convenient) and here's a link:

Glovary PFSense Router

• Alder Lake-N 12th Gen N100 4C/4T up to 3.4GHz
• 8GB SODIMM DDR5 4800MHz
• 6x 2.5GbE ports i226V
• 2x M.2 NVMe Slots (1x 512GB SSD installed)
• 1x SATA 2.5" Slot (internal)
• HDMI port
• 1x TF card slot
• 1x USB3.2
• 4x USB2.0
• 1x USB Type-C

OpenWRT WiFi router (wlanrouter)

My WRT1900ACS WLAN died a few weeks ago, so I replaced it with a little travel WLAN router which also runs OpenWRT, which didn't work with 2 separate WLANs. But after an upgrade from the vendor it now supports my 2 WLANs under different VLANs (VLAN70 and VLAN80). It was a cheap buy, but it does it's job as I want it.

It simply serves as a dumb router for my two WLANs: One for my insecure IoT devices and one which is secure for my mobile things like laptops and smartphones. The insecure WLAN does not connect to the internet.

VLANs

I've set up 7 VLANs to separate my specific network segments:

• Untagged: The main lan is untagged and it only contains my desktop PC
• VLAN 30: Proxmox nodes (only one for now)
• VLAN 35: Proxmox VMs and containers
• VLAN 40: Streaming Hardware like my FireTV Cube in my room and a FireTV Stick in the living room.
• VLAN 50: Experimental Raspberry Pi Incus Cluster hosts
• VLAN 55: Raspberry Pi Incus Cluster containers
• VLAN 70: All the insecure devices go into this VLAN, which has no internet access
• VLAN 80: My secure WLAN for mobile devices like my laptops and smartphones

All of these VLANs/subnets are locked down as much as possible with the mainrouter firewall.

What do you think?

I'm really satisfied with my setup now and I think it's easily expandable. But of course I'm no expert and just a hobbyist. Fiddling around with the firewall was a little unusual to me at first and there may be some buggy rules that don't work as intended. But at least everything works.

If you have any opinions, suggestions, comments or advice please send me an email or if you wish so follow me on Mastodon/ActivityPub '@fab@pleroma.envs.net' and contact me there.

All in all - Have fun!

-fab-

--

Back to index

Homepage