Homelab Phase 1 - Complete

As discussed in a previous post, I started breaking improving my home network for the sake of knowledge and experience acquisition. But before I could get very far, I needed a plan. I wanted to at least theoretically be increasing my network security, and I hoped to enable playing with technologies used at work such as Kubernetes. Finally, this was an opportunity to see the ExtraHop network monitoring tools, which I have helped create, as a customer.

My overly-complicated home network goal

The Desired End-State

After way too much time futzing with flow charts, I created the first draft of my plan. The first phase involved completely reorganizing the IP addresses of everything on the network and dividing it up into VLANs. Luckily, a friend of my stumbled on some reasonably-priced 48-port POE managed switches at a used computer parts seller. Just the thing I needed to make my plan possible.

The next step in implementing my plan was learning what the hell to do. Over the course of a week, I dusted off my Cisco CCNA knowledge from high school. I revisited my notes about subnetting, VLANs, 802.1Q (trunking), and the corresponding functionality in ESXi virtual networking.

Implementation Part 1 - Configuring in Parallel

My goal was a transition from the existing network to the plan above while minimizing network downtime.

The first step was configuring the pfSense router on a vSwitch with no uplink to have feature parity with the current router. This allowed easy switching from one router to the other with just a minute of downtime. The old router was configured to act as a simple Wireless Access Point.

Next up, I configured each VLAN and a corresponding DHCP server on the router using a new virtual interface for each. On the ESXi host, I configured a port group for the LAN pfSense interface and set the VLAN to 4095. This disabled the untagging of 802.1Q frames which enables trunking on the router.

I moved all network devices to the top 24 ports of the new switch, leaving the first 24 ports open for configuration. All of the devices were configured to use the same subnet at this point, so the port move had no actual effect. I was ready to start moving devices into subnets and VLANs one at a time as downtime allowed.

Configuring VLANs

Configuring VLANs

I marked the trunk going back to the router with a “T” in each VLAN, and each port going to a device with a “U”. The PVID was set to the desired VLAN for each port. (I don’t know what that does, but it’s required.)

Implementation Part 2 - Migrating Wireless

Once I configured everything in a “dark mode” I was ready for the big test. I arbitrarily chose the WiFi as the first subject for the migration. I scheduled a “maintenance window” for the crack of 8:30 AM before my fiancée started using the internet and began the transformation.

It went surprisingly well. A quick IP change on the WAP, a swap of the port on the switch, and quickly moving a couple static DHCP assignments. Everything seemed to be working.

Implementation Part 3 - Migrating Everything Else

Next to move was… everything else. The most difficult part of the migration were devices with static IP references. For example, when creating the Kubernetes cluster, the NFS server was entered as rather than the hostname. I updated these references to the hostname so they would be unaffected by the IP address change.

Coming Up Next

The subnets are in place, but as it stands today it has no security benefit over the old topology. The next step is adding routing rules between subnets in the pfSense firewall.

Allow all the Traffic!

What Firewall Rules?

As shown, the only firewall rules configured thus far are the default rules which allow all traffic to all destinations. I would like to severely limit this, to only allow traffic which makes sense, and almost entirely restrict the internet-facing devices.

Additionally, I would like to get a WAP which supports multiple SSIDs and have a DMZ wireless network for devices such as ChromeCasts and printers.

Fun Take-Aways

In all the shuffling I got a good look at the devices on my network. I discovered that the Chamberlain garage door opener has a half-duplex 10Base-T NIC. Who know those were even still a thing.