Hi, I am kinda new to networking. I know the basics of having a good firewall, switch and router, but I don't know how to implement the security protocols. I live in Canada with a Bell 3.0 Fiber plan using the new Giga Hub 4 modem. I want to set up Home Assistant again, either on a Raspberry Pi 4 or from the NAS. I can also build a PC homelab, as I have lots of PC components as well.
I have access to a few TP-Link and Asus router devices as well as some networking components. I want to build a secure home network along with my NAS (also new to using a NAS).
NAS:
I have not set up the NAS yet, as I am deciding which hypervisor to use: Proxmox? Unraid?
TERRAMASTER F4-424 Max NAS Storage / 4-Bay Core i5 1235U 10-Core 12-Thread, 8GB DDR5 RAM, Dual 10GbE Ports (How much RAM should I use? What RAID config? etc.)
Please let me know if I need to swap any parts out, or completely change any parts. I will be posting a lot more often, as I have a lot more PC components, and will be creating some content to go along with my journey.
Just for clarification, do you want to segment your LAN into VLANs or different subnets (172.16.x.x/192.168.x.x/10.x.x.x)?
What kinds of threats are you considering when you say "secure home network"? The major thing I would be concerned about would be checking that all the security features are enabled on your router/firewall.
I would be looking at port scan options myself with my background.
For example, my router firewall has settings like:
– SYN-FIN attack
– SYN-RST attack
– X-Mas attack
– FIN scan
– NULL flags attack
TLDR, google what those attacks mean since I am not 100% sure if there are bad side effects.
In short, I do use VLANs somewhat in my network. They are a logical way for switches to create virtual local area networks, but since it is an L2 technology it probably will not work on anything apart from the Cisco C3650. I cannot personally say if those TP-Link or Asus systems really support those. For my sanity, I have just picked one vendor for all of my projects that need more than just basic connectivity.
Do you plan on opening that home assistant or something else to the general internet?
in Canada with Bell 3.0 Fiber plan using the new gigahub 4 modem
What is your plan in general how to approach the homelab structure, as there is no trivial way to get rid of the Bell router and replace it with your own hardware.
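As an added example (not code from the thread, nor from any router vendor's firmware), here is what the five checkboxes FinOxy lists correspond to when written out as nftables rules on a Linux-based router such as OpenWrt. Spelling out the flag masks shows why these options are safe to enable: no real TCP stack ever emits these combinations, so nothing legitimate is dropped. The uplink interface name `eth0` is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Drops the malformed TCP flag combinations
# that consumer router firewalls label "SYN-FIN", "SYN-RST", "X-Mas", "FIN scan"
# and "NULL flags", and logs each hit so they show up in the kernel log.
define wan_if = "eth0"   # assumed: interface facing the ISP router

table inet scanguard {
    chain bogus_tcp {
        # SYN together with FIN or RST: never sent by a working TCP stack.
        tcp flags & (syn|fin) == (syn|fin) counter log prefix "syn-fin: " drop
        tcp flags & (syn|rst) == (syn|rst) counter log prefix "syn-rst: " drop
        # X-Mas: FIN, PSH and URG "lit up" with nothing else set.
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) counter log prefix "xmas: " drop
        # NULL: no flags at all.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter log prefix "null: " drop
        # FIN scan: a bare FIN; a genuine connection teardown always carries ACK too.
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin counter log prefix "fin-scan: " drop
    }

    # Apply the checks both to traffic for the router itself and to traffic it forwards.
    chain input {
        type filter hook input priority 0; policy accept;
        iifname $wan_if jump bogus_tcp
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname $wan_if jump bogus_tcp
    }
}
```

Load it with `nft -f <file>` and watch the hit counters with `nft list table inet scanguard`. The chains are left at `policy accept` so the example only adds the scan checks to whatever firewall is already there. One caveat if the log lines become noisy on a public address: if you add `limit rate` to the log rule, put the `drop` in a separate rule after it, otherwise packets above the rate limit stop matching the rule and are no longer dropped.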
@ciaomane I would not worry about replacing any equipment your internet provider provided. I wouldn’t worry about setting up any services (home assistant) or security until you have both your ISP and the router you are going to use for your home lab. Both routers should be secure by default if you have updated their firmware. You seem to be worrying about too many steps at the same time.
The first step is to choose a router for your home lab from your list of routers. The next step is to connect your ISP router to the router you chose for your home lab via ethernet. Then, connect one client to your home lab router to ensure you get internet from your home lab. Don’t worry about security or setting up any service until your ISP-provided router and the home lab router can connect to the internet.
Proxmox and Unraid are not both hypervisors. Proxmox is a hypervisor, and Unraid is NAS software. To use Proxmox, you must create and configure a virtual machine for Unraid, Synology NAS software, or TrueNAS. If you are not skilled at creating virtual machines, I recommend Unraid for your NAS system software. I know very little about Unraid or RAID software, so I can't advise you on how to configure Unraid or what type of RAID you should use.
@FinOxy and @ciaomane, I can confirm both of @ciaomane's Asus routers do support VLANs, but you need to replace the default firmware with ASUS WRT, a fork of OpenWRT that only works on ASUS routers. Unfortunately, the only way to access the advanced features of ASUSWRT is from the command line.
I stand corrected then! I have not really played around with Asus networking because I use those things for my home network and I consider those production tier so I don’t screw around with them.
But still, I guess at this point the important step to do is to pick what you would like to run the homelab.
Although I would like to add that if you want to be able to access the homelab services outside of that network, you probably need to set up port forwarding. It shouldn't take too long, maybe 5 min the first time and 1-2 min after that.
And at this point, I would advise that you deal with the network setup of your lab first before setting up any other devices.
@ciaomane I suggest you use two different routers: one for the whole home and another for your home lab. If you do as I suggest, this will add an extra hop (all internet traffic for the home lab will have to go through the whole home router) for your home lab. Since you will need to connect your home lab to the entire home router anyway, there will be only a very short delay in the internet traffic for the home lab router. The delay will be so brief you won't even notice the delay in traffic. For almost 15 years, I have used a separate router for my home lab and have only seen less than a second of delay in internet traffic once both routers are configured correctly. When I added my current home lab router to the whole home router, all I needed to do was make sure the WAN interface of the home lab router got an IP address from the LAN interface of the whole home router. The two routers configured port forwarding automatically; I didn't have to configure port forwarding manually.
@ciaomane After you decide which router to use for your home lab, the next step is to connect and configure both routers. Don’t worry about setting up any services until both routers can pass internet traffic to all your clients. Please let us know if you have any questions or run into issues. I am pretty confident I, @FinOxy, and @alkersan can help you. If there is a question or an issue neither of us can answer or figure out, I am sure there are others in this forum who can.
Also, I forgot to answer one of your questions. As for which router to use for the home lab, I would pick the ASUS ROG AX 1100 because there are two issues with any TP-Link router. First, I hate all TP-Link routers, and second, all TP-Link equipment has been added to the U.S. government ban list.
Again, from my point of view that is not a major issue. But I can say from experience that I have had some trouble with some TP-Link consumer-tier stuff. I am sure any one of the routers @ciaomane listed at the start will probably be good enough, but the major thing is looking at the UX that you are going to use.
But I would personally probably go with some of the Asus options since I had a pretty okay impression of them. I am personally migrating to Ubiquiti myself at the moment, but if you are willing to tinker around and want to learn something different, OPNsense/pfSense might be an option. But I am pretty sure you would need some PCIe x2/x4 GbE NIC on top of the current setup.
And this choice should be considered a cornerstone of your home lab. It should not be screwed around with once you have gotten it working, since if you manage to properly screw up the setup, you are going to have a very bad time. (And yes, take your backups.)
And before we go on any further, @ciaomane, how familiar are you with OSI layers 1-4 since those basically are the most critical things that you would need to deal with in a homelab.
Physical layer
(The one that deals with transmissions: Ethernet, fibre etc.)
Data link layer
(How switches and other network devices handle point-to-point connections)
Network layer
(Deals with routing within the network and how it expands to the internet. Mostly IPv4 and IPv6)
Transport layer
(Deals with how services are laid out: every service has a port, and to access it you need to use the correct port. For example, if you are reading this, I am pretty sure you are using port 443, which is the standard for HTTPS)
If you are not really familiar, these are foundational concepts. I guess these same apply to layers 1-3 of the TCP/IP reference model.
Here is a quick source that I used to brush up, but I did get proper lectures on this stuff in high school myself.
Put your own router behind the ISP-provided one and call it good enough. If you want to get fancy, only hand out 200 addresses, make the rest static and only whitelist those to talk to the NAS by looping through the "inner router".
Basically a DMZ-light with a handful of Access Control Lists.
This is the paranoia+ way to networking! Everything is pain, and stuff does not work most of the time. An 80/20 mix of lots of planning and a little bit of configuring. There will be excessive swearing with a setup like this!
Black:
Description: Protected area, the angry-looking firewalls grudgingly let the bare minimum pass through, internet is accessible though.
Services:
– Internet, DNS, DHCP, NTP, SMB/FTP/etc.
– [RADIUS, optional-ish for home-paranoia]
– your personal Wi-Fi [not in actually important operations]
Devices:
– Regular Computers/laptops/tablets/phones
– Media-NAS (read-only from this network!)
Red:
Description: This is the “holy ground”, here you keep your stuff secure and away from prying eyes. This network NEVER gets to talk to the Black-Net or the Internet. Management happens back here and only here. Devices are grouped up into further networks which may only talk to each other through a firewall. Fiber and EMI-hardened devices only.
Services:
– [NO INTERNET HERE]
– DNS, DHCP, NTP, SMB/FTP/etc.
– RADIUS and related services
Devices:
– Management PC
– Backup-NAS (ideally not, but we are only 95% paranoid here)
– Media-NAS (read/write access)
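An added example, not from MazeFrame's post, of how the Black/Red split above could be enforced on the "inner router" with nftables. The interface names, the two subnets and the Media-NAS address are assumed placeholders; the point is that the forward chain defaults to drop, Red has no path to the internet or to Black, and the only thing Black may initiate towards Red is SMB to the one Media-NAS host.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Zone policy for the inner router:
#   Black (everyday devices)  -> Internet: yes, -> Media-NAS on Red: SMB only
#   Red   (management, NASes) -> Internet: never, -> Black: never
# All names and addresses below are assumptions for illustration.
define wan_if   = "eth0"            # uplink towards the ISP router
define black_if = "eth1"            # Black network
define red_if   = "eth2"            # Red network
define black_net = 192.168.10.0/24  # assumed Black subnet
define red_net   = 10.66.0.0/24     # assumed Red subnet
define media_nas = 10.66.0.20       # assumed Media-NAS address (lives on Red)

table inet zones {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Services the router itself provides to both networks: DNS, DHCP, NTP.
        iifname { $black_if, $red_if } udp dport { 53, 67, 123 } accept
        iifname { $black_if, $red_if } tcp dport 53 accept
        # Management of the router happens from Red and only from Red.
        iifname $red_if ip saddr $red_net tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to flows that were allowed below may come back.
        ct state established,related accept
        ct state invalid drop

        # Black -> Internet.
        iifname $black_if oifname $wan_if ip saddr $black_net accept

        # Black -> Media-NAS, SMB only. The firewall limits the path to one host
        # and one port; "read-only from Black" is enforced by the share permissions.
        iifname $black_if oifname $red_if ip daddr $media_nas tcp dport 445 accept

        # Red never initiates towards the internet or Black. The policy drop already
        # covers it; the explicit rule makes the attempts visible in the log.
        iifname $red_if oifname { $wan_if, $black_if } counter log prefix "red-egress-blocked: " drop
    }
}
```

Anything not listed, including Red reaching the internet, is dropped by the chain policy rather than by a forgotten rule, which is what makes the design survive later edits. When you add a further Red sub-network, as the description suggests, it gets its own interface and its own explicit forward rules in the same chain.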
@ciaomane The above video is why I don’t recommend any TP-Link or their partner company’s equipment. Also, I have had trouble getting their consumer equipment to operate properly.
I agree with you, @MazeFrame. I prefer non-China networking gear. The only reason I use my ASUS router instead of a more enterprise system is for the internet traffic to the whole home. I want a simple router without many complicated options. Of course, for my home lab, I have a UniFi Dream Machine SE acting as my home lab router. I also have a pfSense device between my home router and home lab router. The internet traffic headed for my home lab has to pass through the pfSense device before it reaches the home lab router.