Ah, the long-awaited home network setup post. Here I’ll describe the hardware that I have set up to create my (almost) ideal home network. There are many like it, but this one is mine.
This article will be broken up into a few sections:
Internet PoP
We have AT&T internet at home. I recently upgraded the service to gigabit speed, which surprisingly is not really that fast. It is pretty good though, we get about 600 Mbps both up and down, so I can’t really complain. That seems to be about par for the course for gigabit connections.
Anyway, for the AT&T network, the fiber comes into my garage and I got a nice little patch panel setup there. The house came pre-wired with connections to the office, the master bedroom, the game room and the living room, with a bonus phone line going to the kitchen. I wired up the 110 block with those lines.
AT&T gave us a bit of hardware, besides the fiber PLC; we have a gateway box, along with the set-top box for the living room and a wireless one for the master bedroom, along with a small Cisco wireless receiver for the bedroom box.
So, from the fiber PLC, an Ethernet cable goes into the gateway box, which I have in the garage as well. Then, out of the four-port switch on the gateway I have one line running to my firewall, a phone line going directly to the patch panel (yes, we have a hard-line phone), and another one directly to the switch. Why? Well, it turns out that even if you pass all the traffic through to the firewall, the set-top hardware that AT&T gives you doesn't really play well sitting behind the firewall, so those devices are on a separate network within the backbone. We'll get to that later, though.
The Fire Wall
Now you might be curious what I chose to use for my firewall. If you are unaware, the Netgate company makes hardware and software just for that, and they’re pretty accessible for the common folk. I got a Netgate 1100 for my home network setup.
Now, if you have ever used the pfSense software itself, maybe in a VM or something, you might have a shock when you first log in to the WebConfigurator on one of their devices. You see, the ports are wired internally like a switch. That means you are basically forced to use VLANs on the firewall. Which isn't necessarily a bad thing, learning new stuff is always fun!
So with a bit of googling and bumbling about in their documentation, I got all the VLANs set up how I wanted. We’ll go over those later on. For wiring, the WAN port connected to the AT&T gateway and the OPT port goes to my garage switch.
The Backbone
You’ve already heard me mention my garage switch. Well, I have two switches. They are Cisco 2960-CG series switches, with 8 built-in Ethernet ports and two SFP ports. I have one in my garage and another one in my office.
In the garage, there are a total of 5 ports filled. The first you know, it goes to the firewall. The second you know as well: it goes back to the AT&T gateway, to keep the set-top box traffic separate from the rest of the network while still letting it reach the gateway. Then there are three that are broken out into the various rooms through the patch panel.
In the living room and the master bedroom, I have two Netgear smart switches. These are sorta weird to set up but they did the trick! I set up a trunk port on them and then I have a wireless VLAN set up that my wireless access points connect into, as well as a port for wired traffic. In the living room I also connected things like the game console and the TV. In both places they also have a connection for the set-top boxes too. Those are on the same VLAN as the gateway.
Now for the other switch! This one is in my office, so I can wire all the things. This one has 6 ports wired. One goes into the wall, that’s the trunk to my garage switch. Another one here is connected to a wireless access point. I have one connected to my printer and yet another connected to my laptop dock. The last three connect into my server. One is for management, one is for the VM trunk, and one is for the SPAN port. We’ll talk about that in the VLAN section.
The VLAN Plan
I have around 9 or 10 VLANs set up in the network…is that overkill? I’m not sure. I suppose the fact that I’m not actively using all of them could point to that. But, I wanted to separate a lot of the traffic.
The first one is Management. This one is the one I have all the switches on, as well as the main server port. It is generally best practice to separate the management network from the managed, so that’s what I did.
Second, we have the DMZ network. This is where I put all the Internet-facing services, like the web server.
Next is the Print VLAN. This is where all the hard-wired printers connect – although, right now, I only have one printer.
The Server VLAN is where I plan to host internal servers. Unfortunately, I don’t really have anything on there now. I do plan to mess around with LDAP or a domain server there at some point.
I have a Remote SPAN set up on the Security VLAN. That mirrors traffic from across the network and sends it over to Security Onion. If you are looking for a way into Security Operations Center (SOC) type jobs, playing around with that is definitely an easy way to start.
The last two VLANs are for regular clients – Wired and WirelessFuture24GHz. Wired is pretty self-explanatory. The wireless one is so named because I didn’t quite get the right access points that I wanted.
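As an added example (my own configuration, not the author's), here is what the trunks and the Remote SPAN session described above look like in Cisco IOS on two 2960-CG switches. The VLAN numbers, the interface assignments and the unused native VLAN 999 are assumptions, since the post does not give them.

```text
! Garage switch (source side of the RSPAN session).
! Assumed VLAN IDs: 10 Management, 20 DMZ, 30 Print, 40 Server,
! 50 Security (RSPAN), 60 Wired, 70 WirelessFuture24GHz, 80 ATT-Gateway.
vlan 50
 name Security
 remote-span
!
interface GigabitEthernet0/1
 description Trunk to Netgate OPT port
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,70
!
interface GigabitEthernet0/2
 description AT&T gateway (set-top box traffic only)
 switchport mode access
 switchport access vlan 80
!
interface GigabitEthernet0/5
 description Trunk to office switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,70,80
!
! Mirror the client and DMZ VLANs into the RSPAN VLAN
! (IOS wants spaces around the commas in a VLAN list here).
monitor session 1 source vlan 20 , 60 , 70 , 80
monitor session 1 destination remote vlan 50

! Office switch (destination side of the RSPAN session).
! The RSPAN VLAN must exist here too, and be allowed on the trunk.
vlan 50
 name Security
 remote-span
!
interface GigabitEthernet0/8
 description SPAN feed to Security Onion sniffing NIC
!
monitor session 1 source remote vlan 50
monitor session 1 destination interface GigabitEthernet0/8
```

The SPAN destination port only transmits mirrored frames, so the Security Onion sniffing interface on it should stay unaddressed; the server's normal traffic goes over its separate Management VLAN port.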
Wireless
This is probably the cornerstone of any home network setup nowadays. I wanted to upgrade my wireless at home to support at least WiFi 6. Even better if it supported 6E. So I went looking online.
I found the set I got on Amazon as a refurb, it was a set of the TPLink Deco mesh wireless. I picked them because I didn’t want to have to buy a separate controller, and then have to get the access points. These are nice because you can run it as a wireless router, or you can put them into access mode – which is what I wanted.
Ideally, I wanted to be able to control which radios on the WiFi went to which VLANs. Unfortunately I was not able to achieve that with these devices. Who knows, maybe someday there will be some hack where I can install a new firmware and be able to control it.
Anyway, that’s why I named the wireless VLAN in that way. In the future, I’d like that VLAN to be for the 2.4 GHz wireless radios. Then I’d have at least one for the 5 GHz band and another for 6 GHz.
And there we have it! A nice, high-level overview of my home network setup. Hopefully it’s not terribly hard to follow – but then again, if it is, leave a comment! Hopefully I can explain some things in more detail.