Suggestions for how to set up a network?

  • I understand concepts such as VLANs, subnets, etc., but for some reason when it comes to actually figuring out the best way to set everything up, I am kinda lost. I have a fairly large home network, for a guy that just likes to tinker. Currently everything is set up in one large subnet, but I'd like to separate everything and hopefully make it more manageable, and I'm unsure how to do that. I'm hoping someone here might have suggestions on how they'd do things.

    My end goal is to have separate networks: one for PCs, one for management of equipment (Dell baseboard management, console ports, etc.), a secured wireless LAN that is able to access network assets such as the file server and printer, another wireless network able to strictly access the internet, maybe with a captive portal so I know who is using it, a home security network (going to be setting up ZoneMinder along with PoE cameras), and an entertainment network (Roku, Kodi, etc.).


    Watchguard XTM 5, with pfSense, only 2 ports out of 6 being used, one for WAN, one for LAN.
    Cisco 2960 48 port managed Gig switch
    (2) Cisco 3960 PoE switches - one will be for connection of PoE cameras for ZoneMinder
    (2) Dell SC24-CS servers, one running OMV as file server, one will be set up with ZoneMinder
    Dell 2900 server running OMV that will (eventually, hopefully soon) be a backup of the main OMV server
    Dell 2950 server running Proxmox for VMs - would be nice for all VMs to be on a separate network also, but able to access network assets
    Rack admin computer running Windows 10, for access when needed (rack is in basement, two floors down from my main computer)
    (1) Roku and (1) Kodi box, and that may be expanding
    Cisco 2511 remote access server, connected to console ports of Watchguard box as well as the Cisco switches
    Brother network laser printer
    Various cell phones connecting to wifi

    Any ideas on how to get all of this the way I want it? If you need more clarification on what I am hoping to achieve, let me know and I will try to provide it.

  • It sounds to me like you have all the nuts and bolts necessary to build a pretty decent segmented network.
    There's no mention of your WiFi gear, but regardless of vendor, as long as it supports VLANs you'll be good to go with that component too.

    Personally, I have networks for servers, kids, media, IoT, guests, etc.
    I have a fairly beefy server (16-core, 96GB RAM, 12TB RAID 5) running ESXi with everything virtualized (including pfSense).

    • Servers and printers share the same network.
    • Parents' devices have their own VLAN with DHCP (responds only to named reservations) and rules allowing access to pretty much anything.
    • Each kid has their own VLAN with DHCP (responds only to named reservations) and rules controlling what they can access, and schedules to ensure they get some sleep! - The WiFi has one SSID to rule them all; it is integrated with AD and does per-user RADIUS VLAN assignment, but that's just icing on the cake.
    • Media devices, Roku, PS4, etc have a media VLAN again with DHCP, rules and schedules.
    • IoT devices, fridge, thermostat, cameras, etc. have their own VLAN with DHCP and rules (generally allow to Internet only).
    • Guests have a VLAN (accessed via the WiFi) with DHCP and captive portal, and rules. (I also added a MAC filter to the WiFi to prevent the kids' devices from using the Guest WiFi and bypassing the above controls.)
    • Several LAB VLANs where I can spin up VMs to test various things

    Some planning will certainly be required:

    • Figure out how many VLANs you will need. Keep in mind that while you can make it super complicated, managing it also becomes complicated as does troubleshooting.
    • Each VLAN will need a separate non-overlapping subnet.
    • pfSense will be the default gateway for each subnet.
    • Each subnet will need rules to indicate what it is allowed to access (keep in mind that any other interfaces besides LAN have no default rules, so you'll need to create some).

    You could add VLANs to the LAN interface, or natively to the other interfaces; it makes no difference unless you are passing a lot of traffic between two different VLANs, in which case it might make sense to have them on separate ports. Configure the managed switch with the VLANs and assign them to the port(s) facing pfSense.
    From there move your devices into the desired VLANs (IP renumbering will be required), and create rules as needed.

    Lastly, test and test some more.

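An added worked example (my own, not code from either poster) for the planning steps in the reply above: it takes a VLAN plan for the networks the original post lists, checks that VLAN IDs are valid and unique and that no two subnets overlap (pfSense needs a distinct subnet behind each interface), and computes the per-subnet gateway address pfSense would hold. The VLAN IDs and subnets are constructed assumptions, not anyone's real values.

```python
import ipaddress

# Constructed plan for the networks named in the original post.
# VLAN IDs and subnets are assumptions chosen for illustration.
PLAN = [
    ("pcs",         10, "10.0.10.0/24"),
    ("mgmt",        20, "10.0.20.0/24"),   # BMCs, console server
    ("wifi-secure", 30, "10.0.30.0/24"),
    ("wifi-guest",  40, "10.0.40.0/24"),   # captive portal, Internet only
    ("cameras",     50, "10.0.50.0/24"),   # PoE cameras + ZoneMinder
    ("media",       60, "10.0.60.0/24"),   # Roku, Kodi
    ("vms",         70, "10.0.70.0/24"),   # Proxmox guests
]


def validate_plan(plan):
    """Return a list of problems with a VLAN plan; an empty list means OK.

    Checks VLAN ID range (1-4094) and uniqueness, duplicate network names,
    malformed CIDRs, and pairwise subnet overlap.
    """
    problems, seen_ids, seen_names, nets = [], set(), set(), []
    for name, vid, cidr in plan:
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN id {vid} out of range 1-4094")
        if vid in seen_ids:
            problems.append(f"{name}: VLAN id {vid} already used")
        if name in seen_names:
            problems.append(f"{name}: duplicate network name")
        seen_ids.add(vid)
        seen_names.add(name)
        try:
            # strict=True rejects a CIDR with host bits set (e.g. 10.0.80.5/24)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad subnet {cidr} ({exc})")
            continue
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        nets.append((name, net))
    return problems


def gateways(plan):
    """Map each network name to the first usable host of its subnet, the
    address conventionally given to the pfSense interface for that VLAN."""
    return {name: str(next(ipaddress.ip_network(cidr).hosts()))
            for name, _, cidr in plan}
```

Run `validate_plan(PLAN)` before touching the switch; a non-empty result means the plan needs fixing before any renumbering.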