Babby's First Networking Plan

Hellooo everyone, I’ve been learning more about networking in the past few weeks, and I wanted to get some insight.

I have this planned out, and all is executed except purchasing the 2nd switch and Pi-Hole/DNS stuff. I’m getting the POE+ injector today, so I’m very excited for that. Yes, I will be spending Halloween setting up a raspberry pi with Pi-Hole xD

I’m excited to get it all put together! It’s honestly super interesting to learn about all the way back when I was first putting my media server together. If anyone could let me know any insight they have, cautions, recommendations, etc. I would appreciate it!

4 Likes

As an upgrade path, you may wanna move from unmanaged to managed switches so you can start setting up dedicated VLANs to put isolation between network devices (I keep my TVs in a whole different VLAN than the rest of my devices)

Sorry, I accidentally cut the first sentence, here it is:

This looks awesome! Pretty good setup!

3 Likes

Oh interesting. Can you tell me more about why someone might use different VLANs? Is it primarily for security purposes?

Thank you! I can’t take all of the credit; my coworker inspired me after talking about all of this cool stuff since he’s quite the networking buff haha

Pretty much! Well, TVs and any other type of IoT device that is managed by big companies like Samsung, LG, and similar, will have full access to your network and will start fingerprinting devices on the network. Telemetry gathering and all that. Also, I don’t trust companies with software like that to not have glaring weaknesses that could be exploited.

I have a VLAN for:

  • Home local network
  • Server software and expose ports that are used exclusively for services to be accessed across the board
  • IoT Network (where my TV resides, and I may send my game consoles there too)
  • VPN clients (as a landing zone of sorts)

OpnSense is a great piece of software, and it runs a heck of a lot! Slowly but surely you can start expanding your network and make it a great environment for you!

Sneaky edit: Just note that you only have 1Gbps between your router and your switches, so depending on how much stuff you’re downloading, you may bottleneck things a bit (i.e. if you’re downloading stuff on your Xbox, your laptop and your server at the same time), but this would only be an annoyance if you have fiber speeds, or have more than 2 people in a household. :)

3 Likes

Would the solution to this be to get a 2.5 gig card for the router and upgrade the switches? I might upgrade if I have issues.

One thing I’d recommend is adding a NAS and upgrading the backbone of your network to 2.5Gb/s speeds minimum. Your backbone is the incoming router and both switches. The NAS has a separate connection to the incoming router. If possible, plan for fibre optic cable for easier upgrades in future (swapping out an adapter rather than putting in new higher spec Cat cable :P )

1 Like

Could be, but if you’re going to do upgrades, you can go 10 gig for decent prices nowadays. However! This current network works for you, and you can plan for upgrades later down the road :slight_smile:

1 Like

Consider whether the sbc with pi-hole will be doing anything more and whether it will impact DNS availability.

For example, I like to tinker with my sbcs, so sometimes this can cause temporary DNS outages, so I have two physically independent pi-holes: one for master and one for slave.

  • I also recommend using DoH for upstream.
    https://docs.pi-hole.net/guides/dns/cloudflared/

  • Regarding lists, I personally use the following sets:
    https://oisd.nl
    https://github.com/hagezi/dns-blocklists
    https://github.com/StevenBlack/hosts
    https://someonewhocares.org
    https://firebog.net

  • It’s good to keep pi-hole on HTTPS, just for the nerd’s sake. :)

  • It would also be a good idea to block TCP/UDP 53 and 853 traffic on the central firewall (router) to prevent leaks to external DNS servers, bypassing your pi-hole. For DoH, there’s a list for pi-hole that helps block DoH. However, you should check whether this list won’t block access to any VPNs, etc.
    https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-vpn-proxy-bypass.txt

  • It would also be good to have a strict LAN traffic policy. Even though it’s a LAN and no one but you will probably ever walk there, but…
    Each machine should have a firewall that blocks all IN traffic and allows only specific types of traffic for specific IP/port/protocols/MAC.
    I personally follow the principle of total abstraction, blocking everything and allowing only the bare minimum for those hosts that require it. In my case, I also filter OUT traffic from machines to an absolute minimum.
    No IN/OUT traffic on the LAN or to the WAN is allowed unless I’ve previously approved it.

  • As for VLANs, they’re nice and sometimes necessary, but don’t overdo it in a small home LAN, especially if you’ve already purchased unmanaged switches. Replacing them with new ones at this early stage is a financial extravagance.
    As a security prosthesis, as I mentioned above, strict per-machine firewall rules are essential.

1 Like
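The per-machine "block everything, allow the bare minimum in both directions" policy described in the post above, written out as an added example (not the poster's own config) for a FreeBSD host on the LAN using pf. The interface name, addresses and the exposed service ports are assumptions; on a Linux box such as a Raspberry Pi the same policy would be expressed in nftables instead.

```pf
# Added example: per-host pf.conf for a FreeBSD server on the LAN.
# Everything below the macros is placeholder values (assumptions).
lan_if   = "vtnet0"
lan_net  = "192.168.1.0/24"
admin_pc = "192.168.1.10"          # the one machine allowed to manage this host
pihole   = "192.168.1.53"          # the LAN resolver
svc_tcp  = "{ 80, 443 }"           # the service this host actually exposes

set skip on lo0
set block-policy drop              # silently drop instead of sending RSTs

# Default deny in both directions; every rule after this is an explicit exception.
block all

# IN: management only from the admin PC, the service only from the LAN,
# plus ping from the LAN so outages can still be diagnosed.
pass in quick on $lan_if proto tcp  from $admin_pc to ($lan_if) port 22
pass in quick on $lan_if proto tcp  from $lan_net  to ($lan_if) port $svc_tcp
pass in quick on $lan_if inet proto icmp from $lan_net to ($lan_if) icmp-type echoreq

# OUT: DNS only to the Pi-hole (so a hard-coded resolver cannot leak),
# NTP for time sync and HTTPS for package updates. Nothing else leaves.
pass out quick on $lan_if proto { tcp, udp } from ($lan_if) to $pihole port 53
pass out quick on $lan_if proto udp from ($lan_if) to any port 123
pass out quick on $lan_if proto tcp from ($lan_if) to any port 443
```

Because pass rules keep state by default, replies to the permitted outbound connections come back without needing inbound rules, and the single `block all` catches everything the host was not explicitly approved to do. Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.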

I’d set up a PNAT for those ports rather than a block; it effectively does the same thing but will be easier than fighting through logs and blocks one at a time.

So effectively it says any device can try to go to any DNS IP it wants, but it will in fact be forwarded to the IP of the Pi-Hole.

Some devices find ways to try and circumvent DHCP / Static DNS and blocking DNS will break them. Home Assistant OS / Ring cameras, are a perfect example of this.

A Port NAT solves all that.

1 Like

I don’t need to look for anything in the logs. I block all DNS traffic going out to the WAN. I also broadcast my DNS using DHCP. Personally, I don’t want anything on the network that doesn’t respect my broadcast DNS. If something is that stubborn, I shouldn’t let it access the network.

But that’s a matter of personal preference… I prefer blocking, and you prefer redirecting. :slight_smile:

But generally speaking, as you say, for the average user, redirecting will probably be easier. The only important thing is to prevent query leakage. :slight_smile:

1 Like
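Both approaches from the exchange above (redirecting stray DNS to the Pi-hole, and blocking DNS that tries to leave for the WAN) side by side, as an added example rather than either poster's configuration. It is written for a FreeBSD/pf gateway, which a later reply in this thread suggests as an alternative to OPNsense; interface names, the LAN subnet and the Pi-hole address are assumptions.

```pf
# Added example: gateway pf.conf fragment that keeps LAN DNS on the Pi-hole.
# Interface names, subnet and Pi-hole address are placeholders (assumptions).
wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
pihole  = "192.168.1.53"

# 1. Redirect ("PNAT"): any LAN host talking plain DNS to something other
#    than the Pi-hole is transparently sent to the Pi-hole instead, so devices
#    with hard-coded resolvers keep working but still get filtered.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_net to ! $pihole port 53 -> $pihole port 53

# Because the Pi-hole sits on the same subnet as the clients, its replies would
# otherwise go straight back to the client (bypassing the firewall) and never be
# un-translated. Source-NAT the redirected queries to the gateway's LAN address
# so the Pi-hole answers the gateway. Trade-off: the Pi-hole then logs the
# gateway, not the real client, for these redirected queries.
nat on $lan_if inet proto { tcp, udp } from $lan_net to $pihole port 53 -> ($lan_if)
pass out quick on $lan_if inet proto { tcp, udp } from ($lan_if) to $pihole port 53

# 2. Block: DNS-over-TLS (853) cannot be redirected because the client checks
#    the server certificate, so it is dropped. Plain DNS that somehow escapes
#    the redirect is dropped too. Only the Pi-hole itself may reach upstream
#    resolvers on the WAN (with a DoH upstream it only needs 443 anyway).
pass  out quick on $wan_if inet proto { tcp, udp } from $pihole  to any port { 53, 853 }
block return out quick on $wan_if inet proto { tcp, udp } from $lan_net to any port { 53, 853 }
```

The `block return` on the WAN side sends a reset/unreachable back rather than silently dropping, which makes stubborn devices fail over to the DHCP-advertised resolver faster instead of hanging on timeouts. DoH on 443 is not covered by either rule; that is what the hagezi `doh-vpn-proxy-bypass` list mentioned earlier is for.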

If you want to upgrade, this would be my suggestion:

You could use a Lenovo M720q with an Intel X710-DA4 and buy two inexpensive 2.5 G AliExpress managed switches with SFP+ uplinks.

Install Proxmox on the M720q and virtualize OPNsense, Pi-hole, and Tailscale.

However, I think you’ll also be fine with gigabit networking. If you want a managed switch, the Zyxel GS1900 series can often be found at a good price on eBay and even has OpenWRT support. But if you don’t want to tinker with VLANs etc. just buy any unmanaged from netgear / tp link / zyxel / etc. and you will probably be fine.

1 Like

In your setup it makes very little sense to set up a RPi5 for DNS blocking when you already have a gateway/firewall in place. Just run whatever adblock service you prefer on it and you’re done, like blocky or AdGuard Home. That being said, if you cannot bridge your modem, double NAT is likely not worth it. Just run it on bare metal and you’re done, no need to involve VMs etc., which increases complexity and also adds a lot more “things that can go wrong” into the mix. If you want to tinker around more, running FreeBSD directly might also be an idea given that it’ll give you a lot more flexibility and pf syntax (firewall) is one of the most straightforward you’ll find.
Generic NAT firewall pf config / template | The FreeBSD Forums is a good start if you want to go that route (IPv4). Another “nice” addition is that ZFS (even without ECC) is pretty resilient, so power outages etc. are likely to cause very little to no issues.

As for switches, I’d also recommend that you go for VLAN-capable ones. Zyxel GS1900 are “decent” if you want cheap ones that work well in general without breaking the bank, and it’s much easier to diagnose if something goes wrong.

What’s also missing(?) is some kind of wireless functionality (intended)? Since it’s a home network and depending on the placement, you could replace the switch for the three devices on the right with, for instance, a MediaTek Filogic-based device running OpenWrt, which would serve both as a very good AP and at the same time as a switch. These will also be as cheap as a switch on sale.

1 Like

Now one last word of advice from me - don’t overly engineer, stick to your initial plan and see how it works out :slight_smile:

2 Likes

Thank you for all of the responses everyone :slight_smile: I have some thinkin’ to do

2 Likes

If your ISP gives you IPv6, be sure to permit the required ICMP packets back in through your firewall, otherwise you’ll see weird IPv6 breakage.

See below

1 Like

I will just add that if you have v6, don’t forget about dedicated rules for v6 because often people end up with just v4 and are unpleasantly surprised later.

1 Like
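The dedicated v6 rules the two replies above are asking for, as an added example (not from either poster) for a FreeBSD/pf gateway. It allows the ICMPv6 types without which IPv6 silently misbehaves: neighbour discovery and router advertisements on the WAN link, the error messages path MTU discovery depends on, and echo for troubleshooting. The WAN interface name is an assumption, and the DHCPv6 rule assumes the ISP hands out addresses or a prefix via DHCPv6.

```pf
# Added example: WAN-side IPv6 rules for a FreeBSD pf gateway.
# Interface name is a placeholder (assumption).
wan_if = "igb0"

# Link-local traffic the IPv6 stack cannot work without: the ISP router's
# advertisements and neighbour discovery with the upstream next hop.
pass in quick on $wan_if inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } \
    icmp6-type { routeradv, neighbrsol, neighbradv }

# Error messages that must reach us even though they arrive unsolicited.
# "toobig" in particular: without it path MTU discovery fails and large
# transfers (HTTPS downloads, video) hang while small ones work.
pass in quick on $wan_if inet6 proto ipv6-icmp \
    icmp6-type { unreach, toobig, timex, paramprob }

# Echo request so the prefix is pingable for diagnosis; the reply to our own
# outbound pings is already covered by state on the outgoing pass rule.
pass in quick on $wan_if inet6 proto ipv6-icmp icmp6-type echoreq

# Assumption: addresses / prefix delegation come via DHCPv6. The server sends
# from link-local UDP 547 to the client's link-local UDP 546.
pass in quick on $wan_if inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546
```

Everything else arriving on the WAN over IPv6 is left to the ruleset's default block; in particular there is no blanket `pass in inet6`, which is the other common mistake, since every LAN host has a globally routable address once v6 is on.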

If going that route, I’d actually recommend getting a fiber connected switch / router and have 10G on the router<->switch segment and a bunch of 1G ports.

Something like this could be an idea, I get recommended these a lot by my local tech circle:

[edit]Oh yeah, and your setup looks fine for now, this is for if and when you decide this setup has outgrown your needs. ^^ [/edit]

1 Like

There will be OpenWRT support for this switch in the near future. I got it, but really can’t recommend the stock webui, they really try to push you to use nebula, their cloud subscription UI.

@Level1_Amber are you looking for a network design that will let you tinker and learn or are you looking for a network that just works and you don’t have/want to mess with?

1 Like

If you’re at least somewhat security aware, firmware updates and some kind of software maintenance are required?