Overkill Home Network

 Posted on January 9, 2025  |  brian

I’m often told my home network is typical me and far to complex. For me it’s just as complex as necessary, as I honestly don’t have very much time to invest. Here a few notes on how I got here and why

Growing my Network

Starting with a 24 port switch for downstairs was a necessity, simply due to the amount of rooms and space. While not having placed a lot for ethernet sockets in the existing rooms, ports simply add up quickly. The initial network was flat, running on a FritzBox and a cheap unmanaged switch. Version 2.0 emerged when I found an old managed Dell switch in a skip at university. The fan was broken, so it ran with a red light warning light for a few years. Back then I set up an IPCop firewall as my central system and used the FritzBox as the default gateway and PBX. My main focus was learning and understanding back then. So even though I had a managed switch, I ran a flat network.
At some point, and I honestly can’t recall why, I decided to separate my network into multiple VLANs. As far as I can remember, I mainly separated multimedia devices from the rest of the network, as they already had a s***load of vulns back then. This also resulted in me setting up a management VLAN for the configuration interfaces of the switch and the router. At some point there was something like a 3.1, switching from IPCop to Endian and then a 3.2 based on a SophosUTM with a personal use license. The end of Version 3.x began, when my Dell switch started dropping ports and functionality due to thermal issues (after years without a fan, so I guess I just increased wear). As a replacement I got a Zyxel 1920 as core switch.
At this point I only had WiFi upstairs, which I wasn’t happy with, as I always prefer cables above wireless for both performance and especially security reasons. As such I added a second Zyxel 1920 upstairs. Even though having enough free ports downstairs, two cables connected with LAG saved me a lot of extra copper going upstairs.
When the support of my Sophos UTM ran out and it simply had gotten older, I started searching for alternatives. IPCop was close to dead, I never got warm with Endian anyways (just personal) and then found OpnSense, which I’ve been using happily since that day. Being an inplace replacement for my Sophos UTM, not much changed. This was something like Version 4.5.
Somewhere in this phase I had an old FritzBox as one WiFi AP, two Ciscos I had also found somewhere in a skip and a TP-Link access point. This allowed me to make various stupid mistakes and resulted in regular misconfigurations, when I decided to try something. As a fix, I bought more CISCO APs on eBay and homogenised the WiFi part, to at least be able to copy configs.
Over time, my network simply grew. Adding security cameras resulted in an extra VLAN and the necessity for a PoE injector. As switches with PoE where always by far more expensive, the 8 port PoE injectors were a good compromise. Starting to use Siemens LOGO!8s for house automation resulted in needing a new VLAN for house automation. Monitoring the temperatures in the house using a RTL-SDR , cheap 868Mhz thermometers and influx DB with Grafana added further services, which received their own VMs. Having Web interfaces, but also internal interfaces for the involved components, I added a further VLAN for my services, to prevent access from the user network.
At some point my Zyxel switch started having issues and I began looking for alternatives. Already having multiple access points in the house, I knew the feeling of forgetting to configure a VLAN on a certain interface and then having to hunt for what I had done incorrectly and where. In addition it was always a pain to work with standalone access points and having to touch every single one, when changing a PSK. (Yes, I’m only talking about 4 APs, but I’m lazy.) As such I was also thinking about getting something with a WLC. Luckily, Ubiquiti had already started their UniFi range which was simply by far far far cheaper than CISCO or HP.
This was the start of my current network Version 5.0 with a virtualizied UniFi manager, a 24 Port UniFi switch downstairs and all WiFi APs replaced. After a while I replaced the Zyxel switch upstairs to be able to configure all my core infrastructure via UniFi.
Today I have a third 24port switch on my desk, mainly for convenience reasons. It offers permanent connectivity to 2 tower PCs, 2 laptops, a label printer and my work laptop. In addition it gives me access to my pentesting VLAN, extra ports for work devices, direct access to my management network and a few other things. I also have a few cheap 5 port UniFi switches i.e. behind my TV offering ethernet to the TV, a console and a FireTV Stick. A further 5 Port switch in the attic to connect cameras, a smart meter and a Siemens LOGO!8. The only unmanaged switch is a 5 Port TP-Link with PoE, which powers and connects 4 surveillance cameras in the garden.

The Hypervisor

While my IPCop was an old physical 800MHz box, at some point I decided I’d like to be able to host my own Wiki for documentation. In addition I was looking into managing my parents devices, to be able to fix them remotely and create reliable backups. Being in University I had access to MSDNAA and started with a Windows Server running an AD and HyperV. This then also housed my Sophos UTM. When I started running out of updates, I had a short phase running the free ESXi version, which I was never happy with, before switching to QEMU/KVM on a Ubuntu basis, which got migrated to Debian at some point. Hardware-wise I always used old PCs, until I actually bought a Dell T PowerEdge Server with enough CPU and RAM. I ran this setup until 2023, when I got myself a used DL380 Gen8 with two Intel Xeon E5-2690 CPUs, 20 Cores with 3GHz each and 188GB RAM. This was also the point, when I switched from QEMU/KVM to Proxmox.

My Current Network

The Backend

My backend network currently includes:

  • Used DL380
    • OpnSense as Router / Firewall
    • Debian VM as my Management VM including my Ansible Scripts
  • 1 UniFi CloudKey
    • The virtualized version worked, but I was stuck with a repository signing key issue for mongodb. Sounds stupid, but this way the issues are encapsulated and I don’t see them
  • 3 Ubiquiti Unifi Switch24
    • One Upstairs
    • One Downstairs
    • One on my desk
  • 3 Ubiquiti Unifi Flex Mini 5
  • 2 AP pro
  • 1 AP LR
  • 3 IW AP
  • 2 8 Port PoE Injectors
  • 1 FritzBox as PBX
  • 1 Unmanaged 5 port switch with PoE
    • “Splitter” and inejctor for four cameras

This currently covers 280m2 on two floors, a garden house, a shed and a garden.

The Front End

Having a larger house, basically split into two living areas, which will be separated soon, implies more rooms and thus more devices.

  • 2 “Smart” TVs
  • 3 FireTV sticks
  • 4 Alexas
  • 6 Surveillance cameras
  • 5+ Computers
  • Typical mobile phones
  • Tablets / eReaders
  • 5 controllers for home automation
  • 1 Temperature sensor, which I’m just evaluating
    • And working on an own design to scale throughout the house
  • My lab
    • Doing security, well, have a look at this website

Services

  • xWiki
    • Documentation of processes, electrics and everything around the house
    • Docker container on dedicated Debian VM
    • I ran various others before
  • Netbox
    • IPAM and inventory/asset management for all connected devices
    • Native on Debian VM
  • SnipeIT
    • Asset management for all my tools, equipment and other things
    • Documentation of all containers in the shed
    • Native on Debian VM
  • InfluxDB & Grafana
    • Logging of temperatures and some other small projects
    • Native on Debian VM
  • MotionEye
    • Camera Monitoring
    • Native in Debian VM
  • Vikunja
    • Task list, shopping list, reminders
    • Docker on dedicated Debian VM
  • Power Django
    • Self-written Django based web service for house automation
    • Dedicated Debian VM
  • Vaultwarden
    • Password manager, allowing me to have different data sets on my phone and computers. In addition, sharing of credentials within the family
    • Docker on dedicated Debian VM
  • NextCloud
    • Network file storage for everybody in the house
    • Dedicated Debian VM
  • Proxy
    • Squid, used for apt etc. to fetch updates
  • Dedicated Debian VM
  • Manager
    • Debian VM with X2GO as admin workspace
  • Monday
    • Self-written monitoring system for all services and VMs
    • Dedicated Debian VM

VLANs

  • Internal
    • All Clients
    • Why? Basis
  • Media
    • Smart devices
    • Why? Isolation
  • Work
    • Work / Employer devices
    • Why? Isolation. Protection of the devices from my network and protection of my network/communication from my employer
  • Printers
    • Printers J (printer, plotter, labelwriter, card printer)
    • Why? Isolation and allow use for internal clients, guests and work devices
  • Automation
    • Siemens Logos
    • Why? Devices themselves offer next to no security, isolation is a strict must
  • Services
    • VMs offering services, actually just virtual on the HV
    • Why? Filter access to the services, separate management from use
  • Management UniFi
    • Management interfaces of all UniFi devices
    • Why? Isolation
  • Management
    • Management interfaces of i.e. Proxmox, OpnSense, iLo
    • Why? Security, prevent access to critical interfaces
  • Pentest
    • Network for devices I test and play with
    • Why? Protection of my network from odd devices
  • Guest
    • Access for guests
    • Why? Protection of internally exposed services
  • Surveillance
    • Cameras
    • Why? Prevent raw access to cameras, also potentially exposed ethernet in the garden
  • Sensors
    • PoE temperature sensors etc.
    • Why? Tidiness

Complexity Kills

The initial question is: What counts as being complex? I run an inventory system for all my tools and collection of devices. Instead of using Snipe-IT, I could just as well use something like an excel table. For me Snipe-IT is easier and quicker to use. As such complexity here, is a question of perspective and experience. Following this branch, I have services like my Netbox to keep an overview of my network. If my network was smaller, I wouldn’t need it, in return I’d be missing functions I need / want for myself. Then let’s talk “SmartHome”. While SmartHome adds to the complexity of the house, does it add to complexity of life? I honestly have no answer to any of these questions, but I’ll try to draw a fair line.

VLANs

I’ve described a list of 12 VLANs in this post, which are mainly there to separate devices from each other, that I trust more or less. Even the PC I’m currently typing on isn’t that trustworthy, as I use it to surf the internet, and it may become infected at some point. My Vaultwarden host in return is isolated and can’t communicate except for application access and fetching updates. For me this separation is a base necessity to ensure the security of my data. But is it necessary? Well, many private and corporate networks are flat with no isolation, they all work. Some get pwned, some don’t…
From the complexity perspective it requires me to have my IP address management, which I run in netbox, but could also be an excel table. So yes, it’s so complex I don’t remember every IP address. Which means I also need an internal DNS server, which is part of my OpnSense.
From the management perspective, the implication of the VLANs is minimal. While having had to configure firewall rules once, everything from there is just as easy as having everything in a flat network

VMs

I’ve listed 13 VMs above, which seems like a lot. Following the same argumentation as with the VLANs, I’ve separated all services from each other, to make sure a fault in one doesn’t affect the others. Yes, everything could be run on the same VM, except for the router/firewall.
Yet again, it’s so many systems, that I’ve documented them in my netbox, to make sure I don’t forget anything.
From the management perspective it has added ansible to my overall ecosystem. The amount of VMs is too high, to install updates on every single manually. In return, using ansible I patch all VMs in a similar time to maybe 2..3 VMs.

Router/Firewall

Looking after my OpnSense is obviously by far more complex than looking after a typical home router. No discussion here.

Operations

Once a week I go through a checklist to update:

  • OpenSense
  • Proxmox
  • Unify cloud key & switches and APs
  • My manager VM
  • All other VMs via ansible
  • NextCloud
  • Snipe-IT
    • Planned to become a cron job
  • Netbox
    • Planned to become a cron job
  • All Docker based services are backed up, updated and rebuild once per day – automatically

This takes me about 20-30 minutes, of which most is waiting and watching a movie.
The longest procedure is copying my backups to an RDX drive, which I have to insert and remove by hand.

Is my network complex?

Not for me, as I grew my documentation and automation with my network. Is it more complex than typical home networks? Yes!But in return I’m also a power user. Is it more complex than it could be? Yes! Although I’d say, most of the complexity results from my security requirements. In addition, sharing the systems requires certain redundancy and stability, especially, when I’m traveling.

Is a typical home network complex enough?

I honestly don’t think so. Many people have multimedia systems (TVs, voice assistants), their home automation, the golden NAS with all important pictures, the normal laptop for surfing and everybody who visits their house on the same flat network. Should anything ever be affected by some form of attack, everything will fall.

When looking at evermore growing home networks from a risk perspective, one quickly finds out, that the networks aren’t secure enough for the requirements their owners have. Ideally home routers should offer dedicated VLANs for multimedia, home automation, guests and the normal network. (Guest networks already exist on many modern home routers.) To counter the resulting complexity, well, the routers could just bring all necessary functionality for everybody, not just for power users….

Full Transparency

Yes, I have more VMs, but they’re for example build systems, I only start up once every few months, the same applies to my EMBA and FACT VMs. They mainly just wait for me needing them. And I also have a few more VLANs, one for my DSL uplink, as the modem is also connected to my switch, a small DMZ for allowing remote access and multiple lab / research specific ones. Here my plan is to actually have two hypervisors. One for research / pleasure and one for the productive things, but well, my network is still growing.

P.S. Time to close a ticket in Vikunja