Upgrading my home network/router to Proxmox box w/ either pfSense/OPNsense - I need help (aka I don't know what I am doing)

Hello everyone, I hope you can help me. For a number of reasons we need to upgrade our home network to something better.

I apologize in advance but this is going to be a long post as I want to be as clear and concise as I can and provide as much info as I can.

We currently have an Xfinity XB7 (Model # CGM4331COM) provided by our ISP that is doing all the routing/networking in the house, for the most part. It works (and it’s Comcast so that’s saying something) but it has a lot of limitations and is basically a closed box you can’t really do anything with. I’ve been putting off changing things around for a while and it’s finally time to do something about it.

Here is how the current network is set up.

The XB7 has 4 Ethernet Ports (3x 1GbE, 1x 2.5GbE) on the back. I am using two of them. I have the 2.5GbE port directly connected to my personal PC as it has a 2.5GbE NIC built into the motherboard and I get a kick out of seeing Steam download games at 140MB/s. We have Xfinity’s 1.2 Gb service and since it’s over provisioned by about 20% we can hit 1.4Gb at times.

I have 1 of the 1GbE ports connected to an unmanaged PoE+ switch (specifically this one, Amazon Product Code: B082KNLXVT, since I can’t include a link) I bought cheap on Amazon for our security cameras. It currently has 11 PoE Ethernet connections to various IP Cameras/Doorbells and a connection to a Reolink NVR (RLN16-410). I like having the cameras on a separate PoE switch since if they are direct NVR connected you cannot access them independently from the NVR itself. This is a Reolink NVR limitation and I can’t really do anything about it currently.

Everything else is connected via Wi-Fi to the XB7. This includes cellphones, RokuTV, Amazon Alexa, our home office Intel-NUC PC that it was inconvenient to run a cable to and our printer/scanner. When we have guests/family over I also have to give them this networks login info which I hate to do but you cannot create a guest wifi network on Xfinity hardware.

Now, the reason for the upgrade is two-fold. I’d like to put the IP Cameras/NVR on its own network (or VLAN) so that it isn’t internet accessible (at least easily), set up AdGuard Home to do DNS level ad-blocking for everything on the network(s) and also create a Guest Wifi Network (or networks) for our AirBnB rental unit and for when guests come over so they can have Internet access on any devices they bring without it touching our private network.

Having done some internet sleuthing, one of the more popular solutions is using one of those mini PCs to create your own router with something like pfSense or OPNsense.

So here is what I got.

CWWK Mini PC - (Specifically Amazon Product Code: B0C274PGW1) that I’ve installed 16GB of RAM and a 500GB NVMe SSD into. This box has 4 2.5GbE Intel 226v NICs in it and was highly recommended by several people in the searching I’ve done.
I also have a Unifi Flex Mini switch as well as a Unifi U6 Pro AP to provide Wifi for the main house. I have a second Unifi Mesh AP that will be used for the AirBnB that is rated for outdoor install.

So here is what I think the setup will be: the XB7 (Bridged) connected to the CWWK Mini PC (WAN), and that will give me 3 other physical connections from the Mini PC. One will be a 2.5GbE link to my personal PC, one will be to the Flex Mini (which will have the Unifi APs connected to it) and the last one will be to the PoE switch that has all the cameras/NVR on it. I do want to run the Unifi Controller in a VM or LXC on Proxmox so I can manage the Unifi equipment as well. The main routing will be handled by a VM running OPNsense. I did notice that there is a new version of pfSense that supports the new Intel i226v controllers so if it is a better option, I’m ok with that. On the other side, I know there is a community repository for OPNsense that lets me install AdGuard Home directly as a plugin in OPNsense so I don’t have to have it in its own VM or container. I’ve read that there are pluses and minuses to both approaches but honestly, I’m already in over my head so simple and easy is what I want.

So my main issue is I’m a novice at most of this and don’t really know how to configure it correctly/optimally.

For the record my Xfinity XB7 is set up at 10.0.0.1. I currently have my PC connected via Wifi to the XB7 and I can log into its very limited webUI to manage it and so I have Internet while doing this. About the only thing you can change on the XB7 is the DHCP range. I have it set to 10.0.0.100-10.0.0.250 currently on a subnet mask of 255.255.255.0. Since the Mini PC isn’t connected to the XB7 currently and it has no built in Wifi capabilities, this info is just provided for reference if needed at any point.

So I started by connecting the MiniPC to my desktop computer via an Ethernet cable plugged into “eth1”, which is the second port from the left. I want the eth0 (farthest to the left) port to be the WAN connection eventually. All other ports were empty and the Mini PC had no connection to the Internet/XB7. I ran the Proxmox setup (Version 8.0-2) off a bootable USB and to try to make things as “same” as possible, I set up Proxmox with an IP of 10.0.0.2/24, a gateway of 10.0.0.1 (which is the IP of my Xfinity modem) and the DNS I left at 127.0.0.1. Was this the right thing to do? I dunno, that’s why I’m here. I don’t think this matters currently because the Proxmox box doesn’t have any connection to the Xfinity network but once I do connect them, I don’t want them to be on two different private network ranges or subnets or they can’t talk to each other. Or maybe I don’t want them to talk to each other and all I’ve done is set it up so they cross the streams and nothing works, this is where I’m getting confused with my lack of knowledge on the subject.

So I completed the rest of the Proxmox setup and it eventually took me to the CLI interface and said I could connect to the WebUI at 10.0.0.2:8006, which I could not do yet. My PC’s 2.5GbE NIC initially only showed a 169.254.xxx.xxx link-local IP so I figured that’s why I couldn’t connect. I went into the IPv4 settings for the NIC on the PC and manually set it to an IP of 10.0.0.15, a subnet of 255.255.255.0 and gateway of 10.0.0.1 and after that I was able to connect to the Proxmox box at 10.0.0.2:8006 and use the WebUI. If I understand it right, since Proxmox itself doesn’t do any DHCP services the computer had no way of knowing what IP to use. Please correct me if I am wrong, I am here to learn.

Proxmox by default created a vmbr0 Linux Bridge tied to enp2s0 which should be the eth1 port I connected the PC to.

That should mean, if I understand it correctly, that enp1s0 is the eth0 port (the one I want to be the WAN connection) so I need to create another Linux Bridge and link it to that port. I created vmbr1 linked to enp1s0.

This is as far as I’ve made it tonight (it is currently just after 1 AM) but if I understand this correctly, when I go to create either my pfSense or OPNsense VM I will assign it both the vmbr0 and vmbr1 network devices, have it set vmbr1 as WAN and vmbr0 as LAN, correct?

What do I do about the other Ethernet ports on the Mini PC (eth2/enp3s0 and eth3/enp4s0)? If I want devices, such as the Flex Mini switch and the PoE switch, to connect physically to those, they also need to be added in some way, correct? I know the bridges are virtual and can be assigned to more than one VM. I do plan to run the Unifi Controller in a Proxmox LXC so that I can manage the APs and get statistics/logging from them, so I need to make sure it’s set up in such a way that they can be seen by both the pfSense/OPNsense VM and the Unifi VM/LXC.

Thank you for reading my novel and any help, comments, suggestions you can provide would be amazing.

As for now, I’m going to sleep.
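As an added example that is not part of the original post: a small Python checker for the bridge layout the post is working toward (one Linux bridge per physical NIC, vmbr1 on the WAN port, vmbr0 carrying the host's 10.0.0.2/24 management address). It assumes the enp1s0..enp4s0 names the poster guessed and a constructed sample config; it flags a NIC attached to two bridges and, the point that matters most, a host IP left on the WAN bridge, which would expose the hypervisor's web UI on the ISP side.

```python
# Added example, not from the original post: checks a Proxmox
# /etc/network/interfaces layout of the kind described above.
import re

# Constructed sample ("auto" and bridge-stp/fd lines omitted for brevity).
SAMPLE_INTERFACES = """\
iface vmbr1 inet manual
    bridge-ports enp1s0
iface vmbr0 inet static
    address 10.0.0.2/24
    bridge-ports enp2s0
iface vmbr2 inet manual
    bridge-ports enp3s0
iface vmbr3 inet manual
    bridge-ports enp4s0
"""

def parse_bridges(text):
    """Return {bridge: {"ports": [...], "address": str|None}} for vmbr* stanzas."""
    bridges, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"iface\s+(\S+)\s+inet\s+\S+", line)
        if m:  # new stanza; only Linux bridges are tracked
            cur = m.group(1) if m.group(1).startswith("vmbr") else None
            if cur:
                bridges[cur] = {"ports": [], "address": None}
            continue
        if cur is None:
            continue
        key, _, val = line.strip().partition(" ")
        if key == "bridge-ports":
            bridges[cur]["ports"] = val.split()
        elif key == "address":
            bridges[cur]["address"] = val.strip()
    return bridges

def check_layout(bridges, wan="vmbr1", lan="vmbr0"):
    """Return a list of problems; an empty list means the layout is sane."""
    problems, owner = [], {}
    for name, b in bridges.items():
        for port in b["ports"]:  # a physical NIC can belong to only one bridge
            if port in owner:
                problems.append(f"{port} attached to both {owner[port]} and {name}")
            owner[port] = name
    if bridges.get(wan, {}).get("address"):  # host must stay off the ISP side
        problems.append(f"{wan} (WAN) carries a host IP; hypervisor exposed to WAN")
    if not bridges.get(lan, {}).get("address"):
        problems.append(f"{lan} (LAN) has no host IP; web UI on :8006 unreachable")
    return problems
```

Run `check_layout(parse_bridges(open("/etc/network/interfaces").read()))` on the real host before handing vmbr1 to the router VM; an empty list is the expected result.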