As discussed in a previous post, I started
breaking improving my home network for the sake of knowledge and experience
acquisition. But before I could get very far, I needed a plan. I wanted to at
least theoretically be increasing my network security, and I hoped to enable
playing with technologies used at work such as Kubernetes. Finally, this was an
opportunity to see the ExtraHop network monitoring tools, which I have helped
create, as a customer.
After way too much time futzing with flow charts, I created the first draft of my plan. The first phase involved completely reorganizing the IP addresses of everything on the network and dividing it up into VLANs. Luckily, a friend of my stumbled on some reasonably-priced 48-port POE managed switches at a used computer parts seller. Just the thing I needed to make my plan possible.
The next step in implementing my plan was learning what the hell to do. Over the course of a week, I dusted off my Cisco CCNA knowledge from high school. I revisited my notes about subnetting, VLANs, 802.1Q (trunking), and the corresponding functionality in ESXi virtual networking.
Implementation Part 1 - Configuring in Parallel
My goal was a transition from the existing network to the plan above while minimizing network downtime.
The first step was configuring the pfSense router on a vSwitch with no uplink to have feature parity with the current router. This allowed easy switching from one router to the other with just a minute of downtime. The old router was configured to act as a simple Wireless Access Point.
Next up, I configured each VLAN and a corresponding DHCP server on the router using a new virtual interface for each. On the ESXi host, I configured a port group for the LAN pfSense interface and set the VLAN to 4095. This disabled the untagging of 802.1Q frames which enables trunking on the router.
I moved all network devices to the top 24 ports of the new switch, leaving the first 24 ports open for configuration. All of the devices were configured to use the same subnet at this point, so the port move had no actual effect. I was ready to start moving devices into subnets and VLANs one at a time as downtime allowed.
I marked the trunk going back to the router with a “T” in each VLAN, and each port going to a device with a “U”. The PVID was set to the desired VLAN for each port. (I don’t know what that does, but it’s required.)
Implementation Part 2 - Migrating Wireless
Once I configured everything in a “dark mode” I was ready for the big test. I arbitrarily chose the WiFi as the first subject for the migration. I scheduled a “maintenance window” for the crack of 8:30 AM before my fiancée started using the internet and began the transformation.
It went surprisingly well. A quick IP change on the WAP, a swap of the port on the switch, and quickly moving a couple static DHCP assignments. Everything seemed to be working.
Implementation Part 3 - Migrating Everything Else
Next to move was… everything else. The most difficult part of the migration were devices with static IP references. For example, when creating the Kubernetes cluster, the NFS server was entered as 192.168.0.102 rather than the hostname. I updated these references to the hostname so they would be unaffected by the IP address change.
Coming Up Next
The subnets are in place, but as it stands today it has no security benefit over the old topology. The next step is adding routing rules between subnets in the pfSense firewall.
As shown, the only firewall rules configured thus far are the default rules which allow all traffic to all destinations. I would like to severely limit this, to only allow traffic which makes sense, and almost entirely restrict the internet-facing devices.
Additionally, I would like to get a WAP which supports multiple SSIDs and have a DMZ wireless network for devices such as ChromeCasts and printers.
In all the shuffling I got a good look at the devices on my network. I discovered that the Chamberlain garage door opener has a half-duplex 10Base-T NIC. Who know those were even still a thing.