Network Feedback

I would like to get some feedback on my LAN design. Right now most of the equipment is in place as it looks, however there are no VLANs currently set up. A few things I’m questioning are having a Management VLAN at all; the purple LAN is marked as a VLAN, but those will actually be trunk lines carrying all packets. I plan to disable the native VLAN to stop all traffic from that.

I was contemplating putting my servers and NAS on another VLAN, like Management or Work, but then all data and services that I want to use on it, such as DNS and NAS shares, will be required to go through the pfSense (8-core EPYC, 64GB RAM), so it’s capable, but that routing doesn’t seem efficient.

Like most things we do, I’m sure I’m overcomplicating it, and maybe I should only have IoT, Guest, and Trusted VLANs since this is still a home / home lab. If this is the case, I would most likely make the ports going to the server cluster trunk ports.

Thoughts and recommendations would be great.

I always prefer to have VLANs for every different type of device and then put the default gateways for those VLANs on a firewall. Internal firewalls allow you to whitelist only the traffic required between systems and if a system gets compromised, it will help limit the damage.


Creating a VLAN for “every different type of device”, so you are saying that you would have the TRUSTED network split up between the end workstations and the servers/NAS? I’m thinking of doing that, but I only have 4-5 computers on the network besides the servers/NAS. I could move the mediabox computer onto the untrusted side as it only needs internet and NAS/Plex shares.

As I’m looking at the network, I realized I have a ton of IoT devices. I don’t mind as long as I get some VLANs set up for isolation to match the proposed diagram. I did notice a lot of my Docker containers will be using the IoT devices. So the Docker containers will be able to reach into the IoT VLAN, but I’m not sure whether things like Grafana will work properly if they can only query data rather than receive a push; I’m not sure how all of the protocols work.

If I move the server/NAS to a Server VLAN, I will have a decent amount of media traffic from my mediabox and my main dev box being routed through pfSense.

Thanks for the input.

What about running pfSense as a virtual machine along with any secondary IPS/IDS in their own container as a standalone gateway device (in a mini PC with lots of RAM in it, for example)?
Maybe that is overcomplicated, but it’s an idea I’d considered but have yet to try.

I’m happy with the pfSense w/ IPS/IDS setup as the pfSense box is pretty EPYC (sorry for the pun). I’m mainly looking for advice on the proposed layout for isolating systems and services, but since this is a home / homelab I didn’t want to take it toooo far.


Unless your home lab/network is really dense device-wise, there’s no need to encapsulate everything into unique VLANs unless you want to.
Wired and WiFi networks should get VLAN tags; that’s how I would do it in my own house, with one optional for guest access.
Ubiquiti allows each access point to assign a VLAN tag; it’s an area I’ve not explored much yet in my home.

Yes, for example in my home I have the following networks/VLANs:

  1. Servers
  2. Parent systems
  3. Wireless-Parents
  4. Wireless-IOT
  5. Wireless-Kids
  6. Printer
  7. Management (ESXi, pfSense, Cisco switches)

I also add and remove many depending on what I am testing or labbing. I have a Windows DHCP server that handles all IP assignment and my pfSense is virtualized on my ESXi host. I don’t use VLAN1 for anything, it’s generally not a good practice.

So are all of your workstations in Parents? Do you have a lot of data/IT services going through the pfSense router?

There is one personal desktop on the Parents network and two laptops on the Wireless-Parents network. Essentially every network is a DMZ, and I have to whitelist the traffic flows between them as needed. The wireless networks only have access to the Internet and the Printer network, but not to each other. All DNS and DHCP comes from the server network, but there are ACLs to limit it to just that. Mgmt is isolated, so the only way to get to it is to plug a laptop into that VLAN.
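A small model of the allow-list policy the reply above describes (every VLAN a DMZ with default deny, DNS/DHCP served only from Servers, wireless VLANs reaching only the Internet and Printer, Management reachable only from inside its own VLAN). This is an added example for illustration, not the poster's pfSense configuration; the exact rule list, the printer port 9100 and the first-match evaluation order are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Internal VLANs as named in the post above; "Internet" is a destination only.
INTERNAL = {"Servers", "Parents", "Wireless-Parents", "Wireless-IOT",
            "Wireless-Kids", "Printer", "Management"}
ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str             # source VLAN, or ANY for any internal VLAN
    dst: str             # destination VLAN or "Internet"
    proto: str           # "tcp", "udp" or ANY
    port: Optional[int]  # destination port; None means any port


# Assumed allow list (first match wins); everything else is dropped.
ALLOW: List[Rule] = [
    # DNS and DHCP are only served from the Servers VLAN (the post's ACLs).
    Rule(ANY, "Servers", "udp", 53),
    Rule(ANY, "Servers", "tcp", 53),
    Rule(ANY, "Servers", "udp", 67),
    # Wireless networks reach the Internet and the printer, not each other.
    Rule("Wireless-Parents", "Internet", ANY, None),
    Rule("Wireless-Kids", "Internet", ANY, None),
    Rule("Wireless-IOT", "Internet", ANY, None),
    Rule("Wireless-Parents", "Printer", "tcp", 9100),  # port 9100 assumed
    Rule("Wireless-Kids", "Printer", "tcp", 9100),
    Rule("Wireless-IOT", "Printer", "tcp", 9100),
    Rule("Parents", "Internet", ANY, None),
    # No rule has Management as a destination: it is reachable only on-VLAN.
]


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Return True if the firewall would pass this inter-VLAN flow."""
    if src not in INTERNAL or dst not in INTERNAL | {"Internet"}:
        raise ValueError(f"unknown VLAN: {src!r} -> {dst!r}")
    if src == dst:
        return True  # same VLAN: switched locally, never crosses the firewall
    for r in ALLOW:
        if (r.src in (ANY, src) and r.dst == dst
                and r.proto in (ANY, proto) and r.port in (None, port)):
            return True
    return False  # default deny


def reachable_from(src: str) -> List[str]:
    """Destinations a VLAN can reach at all; handy for auditing the policy."""
    return sorted({r.dst for r in ALLOW if r.src in (ANY, src)})
```

Running `reachable_from` over every VLAN is a quick way to confirm that Management never appears as a destination and that the wireless VLANs cannot reach each other.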