My Home Network Setup

It’s been 3 long years since I published anything to this blog …. 😳


The not so pretty setup !

In this article I’m gonna write about my home network setup. It’s important to note that the decisions and components used here were subjective to,
  1. Reuse of components from the previous setup
  2. What I could source conveniently without breaking the bank
  3. My technology preferences

Before I start rambling about the technicalities, let’s highlight what I needed the setup to do.

The basics like an internet connection, Wi-Fi for the mobile devices, Good connectivity throughout the house. Then the not so obvious need to run a lightweight web server, file server, different surveillance cameras, NVR system, IoT devices, home automation system, remote access for surveillance monitoring and lightweight administration. Let’s list them all.

  1. Reliable internet connections with enough juice
  2. Mesh capable WiFi solution 
  3. Ability to have multiple isolated networks 
  4. Easily extensible for future use cases
  5. Shareable wired and wireless connectivity 
  6. Power over Ethernet 
  7. Remote access 

What about privacy and security. When trying to achieve all the above mentioned requirements I’m exposing myself to a whole lot of privacy and security vulnerabilities. There’s no way of fully eliminating the risk. Well you simply cannot have the cake and eat it too. I had to find a good middle ground. This middle ground however is gonna be an ever changing one. With time new risks will emerge and will need mitigation. Here’s me hoping I won’t be finding those new risks the hard way. Fingers crossed.

Let’s jump right into the components and software solutions I ended up using.
  1. pfSense open source software based router
  2. i5-5200U based mini pc with 4x 1gig network ports as the router host
  3. Unify layer 2 switch (VLAN capable)
  4. Unify wireless access points 
  5. CAT6a shielded cabling 
  6. Blue Iris Software based NVR
  7. Low power CPU and a low power GPU with CUDA support (for AI)
  8. Home Assistant open source home automation software
  9. Zigbee2MQTT bridge
  10. RTSP compatible POE cameras
  11. WireGuard, Suricata,  pfSense firewall for VPN, IPS, IDS

Looking into router solutions pfSense and OPNSense was the solutions that had the customizability I needed. It’s really hard to choose one over the other given they are both based on FreeBSD and had a shared codebase until OPNSense forked out on 2015. It came down to personal preference. Unify dream machine solutions was a close second but lacked the customizability and the flexibility of running on my own hardware.

I chose a i55200U based mini pc to keep the power consumption low while having enough power with AES-NI. The 4 1gig Intel NICs gave me enough isolated throughput.

Unify layer 2 switch gave me the ability to configure VLANs and port restrictions to keep different networks defined in the pfSense router secure and isolated. This also means I get a good ecosystem with my chosen unify access points. I couldn’t really find any alternative to this setup at a comparable price point. 

Blue Iris is a software based NVR. I’m not thrilled about having to run a windows machine for this purpose as Blue Iris only has a windows app. I was also looking into Synology NVRs. In the end the Blue Iris won due to the user base and price point.

I choose Suricata over Snort for IPS, IDS. I already had it running on my web server, thus had a good base configuration that would keep working with minor tweaks. I used a WireGuard tunnel for remote access over OpenVPN.  WireGuard had everything I needed and comes bundled in the FreeBSD kernel used in pfSense.

That’s a wrap. In my next post I’m planning to cover how I’m using pfSense with the layer 2 switch and access points to achieve multiple isolated wireless and wired networks …













Comments

Post a Comment

Popular posts from this blog

Setting up KDiff3 to work with TortoiseGIT

Image
Setting up KDiff3 to work with TortoiseGIT When I work with git I do most of my work on the command line except for a few tasks. Resolving conflicts is one of them. So when it comes to resolving conflicts I prefer the KDiff3 instead of the TortoiseGIT diff. I was googling around to find the proper way and after grabbing things from difference places here is what I did. Obvious steps  :) Install git Install KDiff3 Install TortoiseGIT Then after that Open tortoise GIT settings Go to "Diff Viewer" Go to section "Configure the program used for comparing different revisio...." Choose "External" Enter the following "[ kdiff3 instalation path ]\kdiff3.exe %base %mine --L1 %bname --L2 %yname" Go to "Merge Tool" Choose "External" Enter the following "[ kdiff3 instalation path ]\kdiff3.exe %base %mine %theirs -o %merged" Click apply I will soon write something to show how to actually resolve...
Read more

Nextcloud and PHP8

Image
  PHP8 broke my Nextcloud instance !!! I run a Nextcloud instance on a self hosted Arch  linux server. Arch linux because I like the challenge 😁. Nextcloud due to privacy reasons. Recently Arch upgraded all php packages to php8 . Nextcloud 20.x, the version I'm using currently can't work on php8 thus my instance went offline. In this article I'm gonna describe how I managed to fix this issue. I run timeshift in my server via the cli. So I could have downgraded the php version. That would mean I would have to refrain from updating php and risk zero day vulnerabilities. That would nullify the whole purpose of running a self hosted Nextcloud instance for my sensitive data. Instead I went with dual php versions. I run php-fpm with Apache in my server so now I have to figure out how to run Fast CGI process manager with 2 php versions in the same Apache server. If you are thinking "well you are a SDE and you should know it", let me start by saying I neither use PHP...
Read more

Nextcloud on Arch Linux (Encrypted System) [Part 01 - Preparation]

Image
 In this series of posts I'm going to outline the process I used to create my own Nextcloud server.  Network Setup First step is to prepare my network. I'm planning to host this at home. Due to obvious security concerns I don't want to host this on my home network. I used pfSense  to achieve what I want. The pfSense setup is outside the scope of this post. If you do need help or is curious about setting up pfSense let me know. Given below is an overview diagram of my network,  The basic firewall rules in this network are Server can't talk to the switch.  Server can't talk to the pfSense router interface Server interface has Suricata IDS/IPS running.  Drive Preparation and Encryption Secure erase the drive.  Note: The drive I used was an old HDD. What I didn't notice was that the partition table was of type DOS. Had to change that to GPT and repeat this process in order for it to work. I'm going to use a 250GB HDD for my instalation (not a SSD). First...
Read more