[0x01] The lab network
Written on February 1, 2019.
As explained in the series overview, I use the lab to experiment with enterprise gear, so my home network is, let’s say, advanced.
My router is an HP desktop I got for free, running pfSense. I installed a second NIC in it. Any PC should work.
My main switch is a 1st gen Unifi US-24 featuring 24 1Gb RJ45 ports and 2 1Gb SFP ports. I didn’t buy the PoE version due to budget constraints. It’s managed via the Unifi controller that I have running on a VM on my hypervisor.
For Wi-Fi, I have an Unifi UAP-AC-LITE. Because my switch doesn’t have PoE ports, I use the included PoE injector to power it.
As mentioned previously, I use pfSense for routing. It’s really simple to install: create a USB stick from the ISO file, boot the router from it, install the files, set up a LAN range and some other options (usually the defaults are fine).
For my LAN, I use 10.20.0.1/24 (do not use 192.168.1.1/24 for reasons). I use the LAN for management and networking devices (routers, switches) only and create VLANs for clients.
I have four VLANs:
- 10 for users,
- 20 for the “lab” devices,
- 30 for IoT stuff and
- 40 for guests.
They all exist in various ranges under 10.20.0.0/16, usually either 10.20.[VLANID].0/24 or a /21 so that 10.20.[VLANID].1 is in it. They all have some space for DHCP and some for static devices.
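The /21 trick above is easy to get wrong: a prefix shorter than /24 aligns the network down to a multiple of 8 third-octet values, so a careless VLAN id can land on top of the management LAN or another VLAN. This added example (my own code, not from the post) uses Python’s `ipaddress` module to derive each VLAN’s subnet the way the post describes and to check that no VLAN overlaps the LAN, the OpenVPN client range or another VLAN.

```python
import ipaddress

# Fixed networks from the post: management LAN, the OpenVPN client range,
# and the /16 that all VLAN subnets are carved out of.
LAN = ipaddress.ip_network("10.20.0.0/24")
VPN_CLIENTS = ipaddress.ip_network("10.10.1.0/24")
SUPERNET = ipaddress.ip_network("10.20.0.0/16")


def vlan_gateway(vlan_id):
    """Gateway address for a VLAN: 10.20.<id>.1 (the post's scheme)."""
    return ipaddress.ip_address(f"10.20.{vlan_id}.1")


def vlan_subnet(vlan_id, prefixlen=24):
    """Subnet for a VLAN. A /24 is simply 10.20.<id>.0/24; for a shorter
    prefix (e.g. /21) the network is aligned so that the gateway
    10.20.<id>.1 falls inside it, e.g. VLAN 20 as a /21 -> 10.20.16.0/21."""
    return ipaddress.ip_network(f"{vlan_gateway(vlan_id)}/{prefixlen}", strict=False)


def check_plan(plan):
    """plan maps VLAN id -> prefix length. Returns a list of problems; an
    empty list means every VLAN lies inside the /16 and no two of LAN, VPN
    range and VLAN subnets overlap (overlap would let pfSense rules written
    per 'net' match more hosts than intended)."""
    nets = {"LAN": LAN, "VPN": VPN_CLIENTS}
    problems = []
    for vid, plen in plan.items():
        net = vlan_subnet(vid, plen)
        if not net.subnet_of(SUPERNET):
            problems.append(f"VLAN {vid} {net} is outside {SUPERNET}")
        nets[f"VLAN {vid}"] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    # The post's four VLANs, with the lab VLAN widened to a /21 (constructed plan).
    good = {10: 24, 20: 21, 30: 24, 40: 24}
    print(vlan_subnet(20, 21), check_plan(good))
    # A /20 for VLAN 10 aligns to 10.20.0.0/20 and swallows the management LAN.
    print(check_plan({10: 20, 20: 24}))
```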
I have two Windows Server 2019 VMs running DHCP. They are set up for a 50%-50% load balance and both can handle the full load if the other needs to shut down. In pfSense, I set up the DHCP relay (under the Services menu) to point to these 2 VMs for multi-VLAN operation. I use my AD domain controllers for DNS (just point DNS to the DC IPs, it’s really that simple) and a separate VM running Network Policy and Access Services for 802.1X authentication for Wi-Fi and Ethernet.
[Figure: DHCP load balance settings]
My firewall rules in a nutshell:
- Trusted users in VLAN 10 can access anything except the LAN net
- Lab devices in VLAN 20 can get out, reach VLAN 30 (IoT), and use ICMP and UDP port 161 (SNMP) to LAN and VLAN
- IoT devices in VLAN 30 can get out (I should restrict these, but I haven’t found the time) and access my MQTT broker on my Home Assistant server.
- Guests in VLAN 40 can get out but basically nothing else.
On my switch (1st gen Unifi US-24), I have two trunk ports (upstream and for the AP), one LAN/management port for emergencies, and then some ports designated for the Lab VLAN. The rest are 802.1X ports that authenticate users via Active Directory NPAS (I’ll write about my AD setup later).
On the Unifi AP that I have, I’ve set up a couple of networks:
- my main network uses WPA Enterprise and authenticates users via AD NPAS into a VLAN (usually the User VLAN)
- the IoT network is used by the IoT devices that I have (a Google Home Mini, a Chromecast and some other devices)
- the Guest network is used by guests and is segmented off so they can’t access the home/lab network
I have an OpenVPN service running on my router that I can use to access my network from outside. It assigns its clients to 10.10.1.0/24 and has the same firewall rules as the user network.
I also have a VPN tunnel to Osku’s network. We used this tutorial to set it up, if you’re interested: https://mitky.com/pfsense-openvpn-site-to-site-vpn/