Threw the Original Post into a "spoiler tag" to preserve it, but here is the updated "request for comment"
So I have FINALLY managed to get the Home reno done, which included wiring up all the walls with Copper and Fibre. Found a waterproofing issue with my shower while I was moving my stuff back in and had to extend my stay away from home for another month while I got someone to rebuild it. What a journey!
So now here I am, finally putting everything back properly and starting to configure the new network layout.
Physical layout:
- modem in bridge mode connects to a 1U server
- 1U server has Vyos in one VM, HomeAssistant in another
- 1U server connects on to my Brocade 7250-24
- 7250-24 connects across the home to a 7150-C12 in the lounge, and a 7150-24 in the office
- C12 connects up the TV, Game Consoles and PC, streaming box and a WAP
- 7150-24 connects the two desktops and 2U server (hosting plex, SMB, LANcache, and other misc VMs) and a WAP
Mostly set here, but wanted some input on slight changes for my VLANs:
Plan for VLANs is:
- 10 is Vyos out to the ISP per their settings page, and Vyos will provide NAT and firewall duties
- 50 for my desktops, Gaming PC, streaming box, HomeAssistant, LANcache and the SMB VM. Allowed to access the internet
- 60 for the untrusted devices like phones, tablets, streaming box, internet connected IOT (per recommendation by @sic0048)
- 70 for the Gaming Consoles and Lancache. Allowed to access the internet
- 80 for guest wifi. Allowed access to internet but not other VLANs
- 107 is connected to Vyos and HomeAssistant, then trunked to the 7250, both 7150s, the TV and the WAPs for Internet of Things stuff. No internet access
- 255 is a Transit VLAN between the 7250 and the Vyos VM
1. My Phone, Tablet and Streaming boxes actually all have a pretty good cadence of security related updates and are all running Unix based OSes, so I'm wondering if instead of having two VLANs ie 50 "my trusted stuff" like desktops and servers, and 60 "my untrusted stuff", I reorganise and break it out to 3 VLANs:
- Services: Cause I actually have a lot of VMs running things like Gitea, SAMBA, Plex, Dovecot, so I could organise them all away and use ACL to allow all access from my LAN, plus specific needs based access from other VLANs
- "My" LAN: all my desktops, phone, tablet, HomeAssistant, so they are in a single broadcast domain. ACLs allow specific access from other VLANs strictly as required.
- "Shared" LAN: My devices, but things that may also be shared with guests, like the streaming boxes, printer/scanner. Set ACLs to allow Guest VLAN access to certain IP/port combos for things like printing, scanning, casting, while allowing "My" VLAN full inbound access but limiting outbound access back to specific needs.
2. I didn't really think about it before, but I'm wanting my DNS to offer views between subnets, and I also make a lot of use of NSUpdate, so I'm adding a VM to the 1U server for BIND to host zones, and then forward queries to a recursive DNS server (either on my VPS through a Wireguard link, or as a container in Vyos). I'm undecided if I want to also have a Pi-hole/Adguard Home instance in that "forwarding" chain, or use something like BIND-AdBlock in the Recursive or Authoritative resolver.
Am also needing to install an mDNS repeater somewhere.
- Looking for opinions on the DNS layout, mainly around the "consumer" blocklist options vs having something pull blocklists into BIND as RPZs
- Looking for opinions on the IP layout. Should I give my Authoritative BIND an interface in each VLAN, and pop the mDNS repeater there as well, or have the mDNS repeater on a different host/VM altogether, and have BIND receive its requests on a single IP, having been L3 routed from the other VLANs?
- If BIND should be a single interface host, I'm starting to wonder if I should make VLAN 255 a /29 subnet to have BIND, Vyos (for DHCP) and (if I use one) Pi-Hole/Adguard Home to more easily ACL access to all the VLANs (for all this important network infrastructure), instead of it being just a /30 Transit VLAN for Vyos?
3. Should I add a VLAN explicitly for management interfaces? Like Hypervisor UIs/SSH ports, Switch management access.
- If so, should it be isolated from the internet, or just the other VLANs? (obviously isolated from non-established/related inbound internet traffic, but should I make it a "nothing ever"?)
- Access options: ACLs to access from my desktops/tablet when needed, or should I add a VLAN interface on the "client" devices I'd be using to access them?
- If adding a VLAN interface on the clients I'd use for this access, could I use that as a way to lock down SSH into my VMs as well, by having them reject SSH connections that didn't originate from a Management VLAN address, and do some outbound ACLing on the interVLAN switch? Or much, much too extraneous?
Bonus Question (might spin this to a new thread though): Anyone know about splitting wireless clients to different VLANs based on MAC address, WITHOUT making multiple networks? The WAP I have for this is a Ruckus R730. I think the only way is a RADIUS server, but I've only looked at it from a limited perspective so far...
Thanks again to anyone who takes the time to read this, and who can share any opinions, experience, ideas!
| Host | Notes/Interfaces |
|---|---|
| 1U Server - Hypervisor | Has regular interface with VLANs trunked over it, plus an IPMI interface |
| 1U VM - Vyos | Should just need VLAN 255 |
| 1U VM - BIND | Should it be an interface per VLAN, or VLAN 255 expanded |
| 1U VM - Pi-Hole/Adguard Home??? | |
| 1U VM - HomeAssistant | One interface on the "Main" VLAN or a "Services" VLAN if created; one interface on the IOT VLAN to control "smart" devices |
| 2U Server - Hypervisor | Has regular interface with VLANs trunked over it, plus an IPMI interface |
| 2U VM - Plex | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - APT-Cacher-NG | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - Gitea | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - SAMBA | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - Tdarr | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - Mail Server | In the "Main" VLAN, or in a "Services" VLAN if created |
| 2U VM - LANCache | In the "Gaming" VLAN, or in a "Services" VLAN if created |
| 2U VM - Wiki Server | In the "Main" VLAN, or in a "Services" VLAN if created |
| Main Desktop | In the "Main" VLAN, could have a "management VLAN" interface |
| NUC | In the "Main" VLAN, could have a "management VLAN" interface |
| (Old) Tower Desktop - only around for importing DVDs and Blu-rays | In the "Main" VLAN |
| Gaming Desktop | In the "Main" VLAN, would need an ACL to allow access to LANCache for Steam |
| PS5 | In the "Gaming" VLAN (mainly for grouping firewall rules for things like uPNP) |
| PS3 | In the "Gaming" VLAN (mainly for grouping firewall rules for things like uPNP) |
| Wii U | In the "Gaming" VLAN (mainly for grouping firewall rules for things like uPNP) |
| Streaming Box 1 | In the "Main" or "Untrusted" VLAN |
| Streaming Box 2 | In the "Main" or "Untrusted" VLAN |
| LG TV | In the IOT VLAN, cause no one should trust these things |
| AVR | In the IOT VLAN, cause no one should trust these things |
| Sony TV | In the IOT VLAN, cause no one should trust these things |
| SoundBar | In the IOT VLAN, cause no one should trust these things |
| Phone | In the "Main" or "Untrusted" VLAN |
| Tablet | In the "Main" or "Untrusted" VLAN, could have a "management VLAN" interface |
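Added example for question 2, written for this thread and not taken from the post or from the BIND project: a named.conf sketch of the "single interface, L3-routed" layout. BIND listens on one transit-VLAN address, each view is selected from the routed source subnet, the nsupdate zone is loaded once and shared into the guest view with in-view, and blocklists are applied as RPZ with a stricter policy for guest and IoT clients. All addresses, zone names, file paths and the key secret are assumptions.

```conf
// Added example, not the thread author's configuration. Every address, zone
// name, file path and the key secret below is an assumed placeholder.

acl vlan-services { 10.45.0.0/24; };   // assumed Services VLAN
acl vlan-my       { 10.50.0.0/24; };   // assumed "My" VLAN
acl vlan-shared   { 10.55.0.0/24; };   // assumed "Shared" VLAN
acl vlan-guest    { 10.80.0.0/24; };   // assumed guest VLAN
acl vlan-iot      { 10.107.0.0/24; };  // assumed IoT VLAN

// TSIG key presented by nsupdate clients; generate a real one with tsig-keygen.
key "nsupdate-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    directory "/var/cache/bind";
    listen-on { 10.255.0.2; };             // one address on the transit VLAN
    listen-on-v6 { none; };
    // Clients arrive routed, so list the VLANs explicitly instead of "localnets".
    allow-query { vlan-services; vlan-my; vlan-shared; vlan-guest; vlan-iot; };
    allow-transfer { none; };
};

// Views are matched top to bottom on the client's source address or TSIG key.
view "trusted" {
    match-clients { key nsupdate-key; vlan-services; vlan-my; vlan-shared; };
    recursion yes;
    forward only;
    forwarders { 10.255.0.3; };            // assumed recursive resolver (VPS over WireGuard, or VyOS container)

    // Dynamic zone maintained with nsupdate; only this view accepts updates.
    zone "home.example" {
        type primary;
        file "dynamic/home.example.db";
        allow-update { key nsupdate-key; };
    };

    // Blocklist for trusted clients, held as a response-policy zone.
    zone "rpz.trusted" {
        type primary;
        file "rpz/rpz.trusted.db";
        allow-query { localhost; };        // never served directly to clients
    };
    response-policy { zone "rpz.trusted"; };
};

view "restricted" {
    match-clients { vlan-guest; vlan-iot; };
    recursion yes;
    forward only;
    forwarders { 10.255.0.3; };

    // Same internal zone data, loaded once; no allow-update here.
    zone "home.example" { in-view "trusted"; };

    // Separate, stricter blocklist for guest and IoT clients.
    zone "rpz.restricted" {
        type primary;
        file "rpz/rpz.restricted.db";
        allow-query { localhost; };
    };
    response-policy { zone "rpz.restricted"; };
};
```

The RPZ zone files hold ordinary records whose owner names are the blocked names, for example `ads.example.net CNAME .` and `*.ads.example.net CNAME .` to answer NXDOMAIN for a domain and its subdomains; a feed-to-RPZ script only has to regenerate those files and run `rndc reload`. `named-checkconf` validates the file before reloading, and querying `dig @10.255.0.2 ads.example.net` from a guest address versus a desktop address shows whether the view selection is doing what you expect. Two caveats: `in-view` requires the referenced view to be defined earlier in the file, and mDNS is link-local multicast that never reaches BIND, so the repeater still needs an interface on every VLAN it bridges regardless of where BIND lives.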
Hi all
Still working away at my home network’s upgrade. (Surprisingly hard to get people to come out, wire up my walls and take my money, just saying)
Just wanna run how I think I’d lay out my VLANs to organise everything and get observations and input.
physical layout:
- modem in bridge mode connects to a 1U server
- 1U server has Vyos in one VM, HomeAssistant in another
- 1U server connects on to my Brocade 7250-24
- 7250-24 connects across the home to a 7150-C12 in the lounge, and a 7150-24 in the office
- C12 connects up the TV, Game Consoles and PC, streaming box and a WAP
- 7150-24 connects the two desktops and 2U server (hosting plex, SMB, LANcache, and other misc VMs) and a WAP
Plan for VLANs is:
- 10 is Vyos out to the ISP per their settings page, and Vyos will provide NAT and firewall duties
- 50 for my desktops, Gaming PC, streaming box, HomeAssistant, LANcache and the SMB VM. Allowed to access the internet
- 60 for the untrusted devices like phones, tablets, streaming box, internet connected IOT (per recommendation by @sic0048)
- 70 for the Gaming Consoles and Lancache. Allowed to access the internet
- 80 for guest wifi. Allowed access to internet but not other VLANs
- 107 is connected to Vyos and HomeAssistant, then trunked to the 7250, both 7150s, the TV and the WAPs for Internet of Things stuff. No internet access
- 255 is a Transit VLAN between the 7250 and the Vyos VM
Does this mostly make sense?
I have the LANcache so that I can swap downloaded games in and out of the consoles and gaming PC’s local storage without having to wait for my fairly slow internet to download them again, since I have yonks of storage in the 2U server to hold everything. Point of putting the consoles in their own VLAN was to make it easier to allow their various uPNP and similar settings for online gaming, and set all their DNS server settings to the LANcache via dhcp, so I don’t have to configure each one.
I see a lot of people tend to have two IOT VLANs, one for internet accessible and one not. I have a single IOT device that has a good enough reason for me to allow it internet access, but would still prefer to keep it isolated from the rest of the network. Opinions on whether I should allow that by having it in the same 107 VLAN and allow it to the internet with ACLs or should I make a VLAN for IOT with internet access just for it?
In terms of routing, will I need to set static routes to make sure traffic going between my devices and the 2U server never needs to go through Vyos on the 1U server? Or is there another way to do config of the VLANs that ensures that?
Finally, I’m torn on whether to use Vyos for DHCP and DNS for the other VLANs or spin up a container with ISC Kea and BIND running for that, opinions and advice welcome on that too.
edit: adjust the listed plan to split the “Main” VLAN