New Home/New Network/New Proxmox?

Negative, radar is wayyyy off from me. Airport is a very small private airfield. Nothing much bigger than a G series jet. I will check to see though. I also have to see how much helicopter traffic I get. Air Guard flew right next to our home often before. I don’t think they run jammers, but never know.

I really hope the wifi is only needed for mobile devices and laptop… I hope to hardwire everything else.

I also need to decide what to put on IoT net vs semi trusted. I have a laundry list of items yet to add to the net map I made.

Yup, it can detect the wifi signals up to 100s of miles away. They are extremely sensitive pieces of equipment, unlike routers. You’ll get ghosting and backscatter ghosts.

Not in CONUS outside live fire ranges

Probably won’t be an issue at all then.

Smart locks?

1 Like

No smart locks yet, mostly wifi exterior cameras (till I can hardwire), smart tvs, alexa, fire tvs, smart light switches… sure there’s more…

I just checked, guess there’s a smaller Doppler unit 15 miles off. So is the small private airfield. I’ll have to see what ranges are offered on my router/nodes. I know it’s supposed to offer a wider range or more settings, or so it says :thinking:.

@PhaseLockedLoop I don’t know how effective the ASUS AX6100 is if I have it in the attic.

Here’s a proposed layout…

1 Like

Do not place it in the attic. In the summer it is way too hot up there; you would reduce its lifespan a lot.

1 Like

Good point, with the spray foam insulation it should be way better, but still 90-95 deg F is a bit much.

I updated the diagram, now I need to decide what to put where…
1.) Phones safe for semi-trusted network?
2.) Printer? Semi or un-trusted?
3.) TV un-trusted?
4.) HDHomeRun OTA (Over The Air) tuner?
5.) Any other GLARING mis-judgments of trust?

I will have the Protectli as a firewall… should I use this for DHCP (Dynamic Host Configuration Protocol) to assign IP addresses via MAC addresses? I also need to learn VLANs, pick good IP ranges that make sense to me, and set up crossover rules for VLAN interconnection (i.e. allow Plex access across networks from a FireTV on the untrusted/semi-trusted network to the trusted network where the server is).

So I will have Pi-hole on the Pi as a DNS (Domain Name System) server, with Unbound as a recursive DNS (it queries the root servers asking which DNS server to ask for the top-level domain of the FQDN, then goes on asking one of the DNS servers it got with the next part of the domain, and so on, so it acts recursively) that should be using DNSSEC (DNS Security Extensions).
***Resource on Medium.com

Other services I should self-host? HTTPS locally? (i.e. certificates etc.)

As I reset my zpool from a 2x2 6TB mirror with a hot spare (12TB total) to a RAIDZ2 (18TB total), I’m debating using Proxmox natively to manage the pool or using TrueNAS to manage the pool and share the data. I’m leaning towards Proxmox because I would like to learn more about ownership of files instead of chmod 777 eeeekkkkk. I would like to learn how to add a Windows user account or IP as acceptable to access the folders and files instead of EVERYONE lol. I want to learn more about file sharing. Samba is what I have been using, but it seems a bit slower for Linux systems (without tuning); can NFS work better? Can I do both? I have no idea… lol.
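One way the Pi-hole + Unbound layout described above is usually wired up, as an added example that is not from this thread: Unbound listens only on localhost so Pi-hole is its only client, does full recursion itself (no forwarder), and validates DNSSEC. The file path, port 5335, the root.key/root.hints paths and the private address ranges are assumptions.

```conf
# Assumed location: /etc/unbound/unbound.conf.d/pi-hole.conf (example, not from the thread)
server:
    verbosity: 0
    # Only Pi-hole on the same box talks to Unbound; clients talk to Pi-hole on 53
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # No forward-zone here, so Unbound walks root -> TLD -> authoritative itself.
    # Firewall note: that traffic goes out on port 53 (UDP and TCP), not 853;
    # 853 (DNS over TLS) is only needed if you forward to an upstream resolver.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation; create the anchor once with:
    #   unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Refuse upstream answers that point at private space (DNS rebinding)
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    qname-minimisation: yes
    prefetch: yes
    hide-identity: yes
    hide-version: yes
    edns-buffer-size: 1232
```

Pi-hole then gets 127.0.0.1#5335 as its only upstream. To confirm validation is really on, `dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335` should return SERVFAIL while `dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335` answers normally with the `ad` flag set.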

Yes, you can do both. IMHO, Samba is simpler to set up and have it work well.

In either case, the server (Samba and/or NFS) maps requests for file operations to some local user id, and the kernel’s generic filesystem code does the checking for whether operations are allowed, same as it would for any local piece of software running as that local user. The magic is in how this user id mapping works.

In the case of NFS, the server either blindly trusts the client UIDs supplied over the network, or you can use Kerberos.

With Samba, you can use AD (Kerberos + LDAP), but you can also just do a simple username and password… which is why I said it’s simpler in the beginning.

If you end up with 10+ hosts and you want all the accounts centralized and synced, it’s worth looking into krb5 stuff.
… but before you do that, you should probably sync your user IDs across systems.

1 Like
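A worked example of the "ownership instead of chmod 777" approach the question above asks about, using the simple Samba username/password mapping the reply describes (added here, not code from either poster): a setgid group directory plus a share stanza restricted to that group. The group `media`, user `alice`, the share name and the path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a Samba share by Unix
# ownership and a per-user Samba password instead of chmod 777 + guest.

# Create the share directory as root:GROUP with mode 2770: owner and group
# get full access, everyone else gets nothing, and the setgid bit makes
# new files inherit the group. chown needs root; chmod works unprivileged.
setup_share_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$dir"
    fi
    chmod 2770 "$dir"
}

# Emit the smb.conf share stanza: no guest access, only members of GROUP
# may connect, and files are created 0660 under that group so local or
# NFS users in the same group (same GID!) see matching permissions.
share_stanza() {
    name="$1"; dir="$2"; group="$3"
    cat <<EOF
[$name]
   path = $dir
   browseable = yes
   read only = no
   guest ok = no
   valid users = @$group
   force group = $group
   create mask = 0660
   directory mask = 2770
EOF
}

# Demo run with the placeholder values.
setup_share_dir "${TMPDIR:-/tmp}/media-demo" media
share_stanza media "${TMPDIR:-/tmp}/media-demo" media

# Remaining steps on the real server (need root):
#   groupadd media && useradd -M -G media alice && smbpasswd -a alice
#   append the stanza to /etc/samba/smb.conf, run testparm, restart smbd
```

Because NFS trusts the client's UID/GID as the reply notes, the `media` group must carry the same GID on every host that also mounts this path over NFS.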

By AD, is that Active Directory?

I’d rather not sync user names, just to have variety for security??? Lol if that even helps.

I think as long as I have password access that would be the best security I need.

I have been working with Samba, but I am also attempting to figure out 100% how to mount drives (network or otherwise) at boot with Linux. Using either TrueNAS or native ZFS on Proxmox I’m fine with; those are easy. I just need to figure out if having trusted users is even worth it with Samba shares. Or maybe iSCSI targets?

I’ll have to play around once I get things set up in the lab at home. My hope is to have a remote backup job, then maybe snapshots on a backup server in the home. (I have two cold storage, and one off-site BU).

I also just started looking into FreeRADIUS, possibly for my wifi. Dunno if that’s worth it… seems to be just for wifi??? If not, it would be nice to implement for access to my network, or is this a wasted step? I may be overdoing it, but maybe that’s me. I could probably get by with just MAC filtering, but I thought MAC spoofing was fairly easy??? I thought I heard that…

BUT again I’m jumping ahead.

I like RADIUS for WiFi; once it’s set up it’s easy to use. WPA2 Enterprise is more secure in that each connection uses its own key rather than a single preshared key, which prevents someone with the key from sniffing other WiFi traffic on the network. It also allows you to manage and, importantly, revoke users, plus it allows the client device to verify the identity of the server (much like HTTPS), which helps protect against someone spoofing the AP to try and get the password.

2 Likes
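The client side of the server-identity check described in the reply above, as an added example that is not from the thread: a wpa_supplicant network block for WPA2-Enterprise (EAP-PEAP with MSCHAPv2) against a FreeRADIUS server. The SSID, username, CA file path and RADIUS host name are placeholders.

```conf
# Added example (not from the thread): one network block in wpa_supplicant.conf
network={
    ssid="HomeLab-Enterprise"          # placeholder SSID
    key_mgmt=WPA-EAP                   # 802.1X/EAP instead of WPA-PSK
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent in the clear; the real username travels inside TLS
    anonymous_identity="anonymous"
    identity="alice"                   # placeholder user defined in FreeRADIUS
    password="placeholder-password"

    # Server identity check. Only the home CA is trusted, and the server
    # certificate must belong to the RADIUS host. Without these two lines the
    # client would send its credentials to any AP that presents a certificate,
    # which is the AP-spoofing case the post describes.
    ca_cert="/etc/ssl/certs/homelab-ca.pem"   # placeholder path
    domain_suffix_match="radius.home.lab"     # placeholder RADIUS host name
}
```

Devices that cannot do 802.1X (most of the TVs, Alexa and camera gear listed earlier) still need a PSK network, which is one reason to keep them on a separate IoT SSID.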

Awesome, thanks for sharing this. It seems like a great option. I do have a WPA2 option, I may try that on the router to see how devices react before I move over to the OPNsense firewall/router and turn the current router into an AP mesh for the new place. I tried WPA3, but most of my devices couldn’t connect no matter the restarting etc.

I know I’m doing way more than is needed, but I want to learn, so that’s why I’m trying to implement all I can at home as I learn. I’m finally getting network layers down and understanding how WAN and LAN interact through the router etc.

Didn’t need gigabit yet, but it’s an option now on fiber…

Adventures in the New Network…and OPNsense.

Here’s the new network… so far…

And here’s the office so far. :slight_smile:

I had a ton of help from @ThatGuyB and @PhaseLockedLoop on this one along with a few online sources.

So far I have implemented the firewall successfully. I was banging my head against the wall for a bit because I was being TOO detailed in assigning static IPs and information while defining my network via OPNsense.
i.e. when setting up a static IP I would also add in the DNS address, network name and all kinds of info… this led to problems when I tried to set up dnsmasq to use the firewall as the route for all DNS requests to my Pi-hole device… I lost all internet access also because I never set up the allow-all rule to let my devices connect to the internet on the second network that was not set up automatically… I had DNS errors all over and it was a mess.

The key points that saved me-
1.) Make sure you have the basic rules in place to allow all networks to communicate with each other and the internet on ALL networks (I was setting up 3 and only one was really “configured”)

2.) Set up your rules BEFORE you decide to start handing out static IPs, OR just set the IP and not all the other options till you have it set up how you want (except maybe DNS, NTP, etc.)

3.) The device I attempted to use to test my rules allowing cross traffic between networks to different devices was a WD My Cloud EX (not the 2 version, which is still supported by WD, fyi). Come to find out, as a security feature the OS itself does NOT allow that by default UNLESS you activate “Cloud Access”, which I cannot enable because it is no longer supported with security updates from WD.

The parts that messed me up…
Using rules to allow DNS access on ports 53 and 853 between networks while trying to use a wrongly configured dnsmasq that wasn’t connected to the internet, vs the default rule and static IPs with IPs for DNS assigned.

Trying to connect to a device that WOULDN’T allow the connection!

Now that I’m past these few issues it’s been working quite well…

Other interesting facts about firewalls that are useful when setting up rules-
-Invert is a useful option to save on two rules in one… i.e. block such and such to an inverted destination: block all traffic to everywhere BUT the destination. Kinda cool, or can be used for source as well. (Thanks @ThatGuyB!!!)
-If it’s a network you need, keep backups of working settings and revert as needed (i.e. I used it to make sure the wife had her Plex DVR and phone access to FB, Pinterest and Instagram)
-ASUS RT-AX92U works great as a wifi 6 AP; sadly, when put in “Mesh” mode without a wired backhaul the wifi 6 band is used for wireless backhaul and not available for device connectivity.
-I had more but brain fart, I’ll add more as it comes to me…

References- Easy to follow Small Secure (dual-stack) Network Firewall and Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX - #60 by PhaseLockedLoop and Recursive DNS With AD-Blocking Features - Part 1 | Nerd For Tech and https://homenetworkguy.com/

Hope it’s ok to do external links… :confused:

To do: Need to learn to set up port mode on my Cisco router, and use the firewall to create VLANs to assign that traffic to ports on the switch. This isn’t really needed because I have two mesh networks I can set up with hardware I have: ASUS RT-AX92U and a Linksys mesh system for IoT.

2 Likes

Lol

I mean it makes sense that they would do this but yeah that is a bummer. That’s why a lot of people do the old style mesh still. Multiple access points wired in from different points in the home.

Why wouldn’t it be?

It’s looking solidly set up now.

2 Likes

Thank you sir.

I just didn’t want to seem like I’m promoting other sites is all.

It’s coming along… I’m proud of it. I still have to do VLANs (already different subnets), a 2nd wifi network for IoT, and set up both servers (X470D4U R2700 and Dell T420, converted from T320, he he he, that was fun, didn’t think it would work but it has!!!).

-Will be upgrading to the new Proxmox version, 7.1 I think last I saw; know this will mess up GPU passthrough, so I’ll be fixing that.

-I may do a clean install to try out my notes to make sure they are complete and attempt a new configuration of VMs and ZFS datasets, maybe using TrueNAS instead of Proxmox natively… haven’t decided.

-Still keeping Plex in an LXC container, not TrueNAS.

-Interested in a cloud service I’ll reference Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech for suggestions of software

-Learn email notifications

-Centralized monitoring

-Setting up automated updates

-Local and cloud backups

It’s ambitious for a novice not in the field…I may get side tracked… but those are my goals :slight_smile:

Gamingwise… I’m looking into Wireless HDMI options to get rid of a cord across the room to my tv for recliner gaming on the big screen.

@PhaseLockedLoop… Do I need to worry about this with Protectli Vault 4 like yours?

Also,
Did you use any advanced options like intrusion detection etc?

I did but you don’t necessarily need to worry. I only did it to isolate my government work systems and protect them

1 Like

Yeah, it’s more for experience. I can physically isolate via direct connection from the firewall to each network AP without the switch being an intermediary, and dedicate it to the trusted cable LAN.

1 Like

I’m still messed up somehow on my rules… at least for DNS as far as I can tell… every guide I look up and try blocks DNS completely despite a rule allowing it before the deny rule… I’m beginning to wonder if the fact that I have Pi-hole set up as a recursive server to set up DNSSEC using its own Unbound service is messing me up somehow… I’m at a total loss, so back to square one and allow everything so I can write this… fml. I’m gonna take a break a bit, set up the Ryzen server… maybe… I need a cable for that, ugh… well, on to unpacking boxes then :frowning: