Network setup to fool around/practice with

I’m a computer science student and would like to practice some network “stuff”. As I’m mostly interested in the math side of computer science, all that networking equipment is fairly overwhelming, so I’ve come to seek the help of kind strangers on the internet.

Goals ‘n’ Stuff

The end goal is to create a subnet for my stuff (I live with other people and am not allowed to touch the router, to bring them the glory that is pihole and other nice things :frowning: ).
I can guarantee wired connections to my subnet for everything that can be wired. The only wireless thing is my phone, therefore a VPN to my subnet would be dandy for that.

Extended Goals (feel free to ignore)

At some point I would like to have accounts for wireless. So my friends can have accounts and I can manage which devices they can see in the network. E.g. hide my Spotify-Connect-Speaker-thingies from those friends with bad music taste. This would be good to have done once, if I ever decide to do this on a larger scale. Though a guest network would be fine for now (and by fine I mean super duper cool for my limited abilities in this field).

What I already have

  • Access-Point: Ubiquiti Unifi AP-AC Lite
  • RPi (3B+) running the Ubiquiti controller, an SMB-based NAS and Pihole
  • One managed Switch: Netgear GS108PEv3 (8 Ports, 4 are PoE)

What I would buy

  • Unifi Security Gateway, this thing should allow me to
    • Properly separate my network
    • Force everything to use my pihole as DNS (TVs, etc)
    • Have a Firewall to detect potential traffic that I don’t want
  • Unifi Switch 8-60W (Though 150W might be cool, since I like SFP)
    • I need more ports
    • PoE since I want more RPis over PoE (Yay less cables)
    • Unifi because I think their Interface looks better than Netgears
  • Another RPi as the VPN-Server
    • With a NAS running on my current one I’d tax the poor 300MB connection too much I think, that’s why I’d get a new one

Your Opinion/Recommendation

I don’t want to just ask what’s good and not do some work myself, that’s why I chose some parts. Feedback welcome, suggestions as well. Reasons why your picks are better or mine are bad/worse are welcome :slight_smile:
Price is not an issue kinda. I don’t need any of this. If I need a few months more to get the stuff so be it. But I would like to not sell my kidneys. In the end I’m a student with limited income.

Thank you for your help and stay safe in these uncertain times :slight_smile:

I’d maybe avoid the aging USG and the 60W unifi switch, and the PIs, and would get a cheap am4 server ($300-400 range) to do routing and services, and a crs328-24p-4s+ (iirc) as a switch, (or maybe one of the newer usw ones if you’re fine without 10G).

You don’t really need VMs either, just document your backup.

Unifi is really nice, but you don’t really get to learn how stuff works until you do it from scratch.

Old, but gold from the L1T YT channel…

Wouldn’t really recommend pfsense or openwrt or similar for learning either.

While there’s value in using them as software appliances to implement network routers the opinions of their maintainers end up influencing the design of your network.

e.g. why not have multiple DHCP servers on one segment? Both pfsense and openwrt steer you away from that setup on the account of causing noob confusion, when in fact it’s actually a feature of the protocol… if it’s hard to test and experiment with multiple DHCP servers, how will you know how to use multiple DHCP servers properly once your job needs it (… or your home).


Another old one but still a reasonable reference.

While I agree with what you are saying, and having a good understanding of how to leverage multiple DHCP servers is worthwhile, it can also serve as a limiting factor for the design of a network and can make troubleshooting a little tougher for less seasoned admins…

I generally prefer the LoTR approach…


I assume @xentoo you are referencing some website called Tolkiens’ net admin cousin.

I also don’t quite understand what you meant by the following statement: “One DHCP to rule them all, one DNS to find them, One router to bring them all, and in the subnets bind them.”
I assume you disagree with Risk’s approach: to create several DHCP servers and DNS servers for one network segment as a learning tool on how both servers work. If both @risk and @xentoo could give examples of what they are talking about, I think it would help our new computer science and network engineers understand what knowledge they are trying to pass on.

I was mentioning multiple DHCP as an illustrative example of something you’d typically do for larger networks that you’re typically dissuaded from doing at home. You’d run a pair and configure them to sync leases off of each other in order to ensure there’s at least one DHCP server available at any time. Goes hand in hand with VRRP that helps ensure you don’t lose the gateway just because you need to reboot the router for upgrades.

When setting up your own network services, you get a lot more exposure to how all of these things work and sooner or later how to troubleshoot them, and you get more of a learning opportunity than when using a web UI to manage a turnkey solution.

@Shadowbane The “quote” was more of a tongue in cheek joke, but I was referring to a network based on a more monolithic design using structured subnets on a “Class A” network (10.0.0.0 – 10.255.255.255).

@risk It would appear that we’re trying to get across a very similar idea, just have differing views for handling DHCP. I personally prefer to have a more centralised configuration, whereas it seems you prefer to be a little more hands on by narrowing the scope of a DHCP server within an IP range. (DHCP1 = 192.168.1.50-100, DHCP2 = 192.168.1.101-150 … etc…)

Deciphering the mangled Tolkien blurb

One DHCP to rule them all - Using a single DHCP server (inc. HA configurations), then relying on DHCP relaying for the separate sites/subnets.

One DNS to find them - Pretty much as it sounds. Using DNS for local name resolution along with caching and a pinch of basic content filtering.

One router to bring them all - Is a little misleading, but writing “at least one router per site or subnet” didn’t have the same ring to it, while spewing out a Tolkienesque misquote.

And in the subnets bind them - Primarily referring to how the DHCP relay agents work, assigning addresses from a core DHCP server.

I was referring to e.g. the “failover” feature as implemented by isc dhcpd or e.g. etcdhcp.

My point was more meta, … you can’t really run e.g. etcd on these things like your USG or pfsense or openwrt router. (actually you probably could, but you’d be better off with a bunch of pi zeros as nodes, which is probably a bad idea too). Not really an easy learning environment.
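As an added illustration of the ISC dhcpd failover pairing mentioned in the posts above (this is constructed example configuration, not something posted by anyone in this thread; the peer name, addresses and the Pi-hole address are assumptions):

```conf
# Primary peer, /etc/dhcp/dhcpd.conf (constructed example addresses)
failover peer "home-dhcp" {
  primary;
  address 192.168.1.2;        # this server
  port 647;
  peer address 192.168.1.3;   # the secondary
  peer port 647;
  max-response-delay 60;      # seconds of silence before the peer is assumed down
  max-unacked-updates 10;
  mclt 3600;                  # max client lead time, set on the primary only
  split 128;                  # primary answers half the client hash space, primary only
  load balance max seconds 3; # after 3s the other peer may answer too
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;              # the VRRP virtual gateway address
  option domain-name-servers 192.168.1.10; # the Pi-hole, handed to every client
  default-lease-time 600;
  max-lease-time 7200;
  pool {
    failover peer "home-dhcp";   # only pools bound to the peer have leases synced
    range 192.168.1.50 192.168.1.150;
  }
}

# Secondary peer: identical subnet/pool stanzas, but its peer block becomes:
failover peer "home-dhcp" {
  secondary;
  address 192.168.1.3;
  port 647;
  peer address 192.168.1.2;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}
```

The two peers exchange lease state over TCP port 647 without encryption, so that link belongs on a trusted management segment rather than the guest network.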

First of all thank you! :slight_smile:
What I got is that Unifi is the “one click”-solution. It will mostly work. But I will not learn a lot doing it since it’s hidden from me.
Building my own router would therefore be pretty cool.

The next point would be, how much I would like to tinker with things. The 2+ DHCP Server setup is something I never thought about, as everything in uni was examples with one DHCP-Server.

So I will be thinking about how much I want to do with my network.
It’s definitely cool to have two servers, but currently for my setup one is more than enough, and is it worth the effort for the small chance that I’ll be managing the network of a bigger organisation?

Thank you for the switch recommendation @risk. I’ll look around a little more though. I don’t have a rack yet. Buying one for one lonely switch isn’t the smartest investment I think, though I also don’t want a glorified tabletop (rack-mount-switch just laying around somewhere).

So if I get a rackmount server to do my routing I will consider that :slight_smile: Also thanks to @xentoo for bringing that video up. For some reason it never crossed my mind to watch that again.

I have an old System (FX-4100/8GB DDR3/GTX 760 from the PCIe 2.0 ages) lying around here. I’ll do some testing with it to check if it’s up for the task. In the end it needs to do my traffic and that’s basically it. Configuration should be the same on a more powerful machine anyway.
If I do decide to use a custom server for routing and services, then I’ll also need to look into cooling, as my bed is in the same room and I do in fact like to sleep in silence.

If the server isn’t an option I’ll likely go with PIs and some prebuilt small router.

Thanks again :slight_smile:


That older PC should be more than capable. It might be worth grabbing an Intel NIC. Other than that, sounds like you’re all set for a fun little project.

Seconded. Should be a good start. Perhaps with the exception of missing AES-NI instructions for high throughput/low latency crypto.

… the one I mentioned in particular is very shallow, as far as rack mount equipment goes. It’s also 10G capable and does PoE stuff that’s nice and useful for wifi. I believe it can be “wall”/“desk” mounted as well, by rotating the rack mount ears by 90° - most network gear supports that because people mount stuff on a sheet of ply where they don’t have a rack.

There’s also other nice switches with VLAN support you may want to look into. CSS610 is kind of cute for $80, but doesn’t have ssh access. Most consumer gigabit routers have hardware VLAN support once you flash them with openwrt, but they’re 5-port only, usually that’s not enough.

In terms of cheap racks, musician equipment tends to be made for 19" racks and there are some insanely robust relatively small 19" racks on wheels that various music gear companies make/sell.

In the ultra ultra cheap category, look up “lack rack” - there’s a series of cheap and light $5 square coffee tables at ikea that just happen to have a 19" opening between table legs. You can screw in shallow and light network equipment.


Also don’t focus on dhcp too much. If anything try to get basic stuff going first (static ip on lan side/nat/firewall/port forwarding/dnsmasq for simple dhcp and dns).
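A minimal dnsmasq.conf for the basics listed in the post above (one DHCP range per segment, local DNS, everything forwarded to the Pi-hole), added here as a constructed illustration rather than anything from this thread; the interface names, addresses, domain and MAC addresses are all assumptions:

```conf
# /etc/dnsmasq.conf on the home-built router (constructed example)
# Only listen on the internal interfaces, never on the WAN side
interface=lan0
interface=guest0
bind-interfaces
domain-needed          # never forward bare hostnames upstream
bogus-priv             # never forward reverse lookups for private ranges
no-resolv              # ignore /etc/resolv.conf, use only the servers below
server=192.168.10.10   # the Pi-hole; every client's queries end up here
local=/home.lan/       # answer this domain only from local data
domain=home.lan
expand-hosts           # append the domain to names from /etc/hosts and leases

# DHCP: one range per segment, 12h leases, tagged so options differ per segment
dhcp-range=set:lan,192.168.10.100,192.168.10.200,255.255.255.0,12h
dhcp-range=set:guest,192.168.20.100,192.168.20.200,255.255.255.0,12h
# Hand each segment its own gateway; DNS points at this box, which forwards to the Pi-hole
dhcp-option=tag:lan,option:router,192.168.10.1
dhcp-option=tag:lan,option:dns-server,192.168.10.1
dhcp-option=tag:guest,option:router,192.168.20.1
dhcp-option=tag:guest,option:dns-server,192.168.20.1
# Fixed leases for infrastructure so their addresses never move
dhcp-host=aa:bb:cc:00:00:01,pihole,192.168.10.10
dhcp-host=aa:bb:cc:00:00:02,unifi-ap,192.168.10.11
dhcp-authoritative     # answer immediately for leases we do not know about
log-dhcp               # log every DHCP exchange, handy while learning and troubleshooting
```

Devices with a hard-coded DNS server (the TVs mentioned earlier) ignore the DHCP option, so forcing them onto the Pi-hole is a firewall job rather than a dnsmasq one.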