Help with homelab setup?
-
Hello I wanted to setup a home lab separate from my home network. The home lab needs to be separate from my home network so I can test things on it and not break my home network. I am not great w/networking so i'll need more direct guidance. I am not sure the best way to do this. I can provide pics of settings of my network if needed.
My setup currently goes as follows: The Modem LAN port connects to the PF Sense WAN port. The PF Sense LAN port connects to the Netgear POE Switch.
The Netgear switch houses some of my home network equipment (NAS), Pihole (DNS), etc. For starters I was going to connect a PC, an old switch and an AP onto my home lab. I was thinking of connecting a device to my Netgear switch and anything off that port would be for my homelab (hopefully keeping it separate from my home network).
Any advice is appreciated.
-
@travelmore Recommend this and pay attention to the firewall settings so you can access your lab from your network but not your network from your lab.
http://www.netgate.com/resources/videos-creating-a-dmz-on-pfsense
-
@travelmore
Depends on what you want.
- Should the lab have internet access?
- What type of internet do you have now?
- Do you have a spare interface on existing pfSense?
- Do you want to access the lab from your existing lan?
- Is your switch managed or unmanaged?
If it needs internet access, and since I don't know the answer to question 2 yet, put a switch between your modem and existing pfSense, then plug the lab pfSense into another switchport.
Do they both get public IPs? This is what I do, and I then set up a VPN between my home and lab firewalls.
If they don't both get IPs, you'll have to come off your existing router. That brings us to question 3.
If you have a spare interface, use that for the lab. That way you can close it off from the home network as much or as little as you want. That's question 4.
If no spare interfaces, question 5: you can use VLANs on your switch if it's managed. You would bring 2 VLANs to your switch and separate them into your home and lab networks. There are many options but all depend on what you want.
-
@jarhead good questions. Thank you.
- The lab does need internet access.
- I have coax through my local ISP, with a 250GB data cap.
- I have 2 NICs on my pfSense box, 1 for WAN, 1 for LAN. See the network diagram below of my current home network. I did try setting up a LAN in pfSense and then on my Netgear POE switch but I'm not sure what to do next.
- I do want access from my homenetwork to my homelab.
- I would guess that my netgear POE switch is managed.
My modem gets a public ip, everything else gets my 192.168.x.x ip.
I have a handful of spare devices (switches, PCs, APs, a Cisco ATA, etc.).
-
@travelmore
You should put the modem in bridge mode so your router gets the public IP. So you'll have to go with VLANs with only one LAN interface.
Your Netgear switch will work.
First thing you'll want to do is change your default vlan on the switch. Most switches use vlan 1 as default, it's a good idea to change it before adding any other vlans to the switch. You can use any vlan id you want.
If you don't know what you're doing, you can lose access to the switch so I always tell people to change every port except the one connected to your dhcp server and the one you are connected to. Then connect a new cable from a port you changed to your dhcp server and make sure the switch gets an ip on the new vlan. Once it does, you can then change the pc you're using to one of the changed switchports, access the switch from the new ip, and change the last 2 ports to the new vlan. You'll be looking for either "default vlan" or "pvid" setting.
Once you're rid of vlan 1 on all ports, set the port going to the pfSense LAN as a trunk. You'll leave the existing LAN as untagged on the trunk and add a tagged VLAN for the lab. In pfSense create a VLAN with your LAN as parent; again, use any VLAN id you want. This is the one you'll tag on the trunk in the switch.
Go to Interfaces/Assignments and assign the new VLAN as an interface. You can then add rules on it as needed. Give it an IP and a name. It will only be used on the lab WAN so a /30 is all you need. Set the lab WAN as static and use the /30 on it also. Back in the switch, add the VLAN id you chose in pfSense to the switch. Choose a switchport and change its PVID to the same id. This is the port you'll connect to the lab WAN.
You now have a lab.
-
@jarhead Thanks for the info. Apologies, the modem is in bridge mode and the LAN port on the modem connects directly to the WAN port on the pfSense box. The LAN port on the pfSense box connects directly to port 4 on the Netgear switch.
Due to people working remotely for work on my network right now, I won't change all the ports as you mentioned. I'll have to just work w/1 port that I want to be for lab use.
As you mentioned about losing the connection to the switch, I did that by accident last week and it took me about 2 hrs to get everything back to normal (I accidentally changed the default VLAN of the switch to my vlan20 while trying to get a home lab setup) and immediately realized yeah, I need a lab.
Currently, I have vlan20 set up on my pfSense box (for this homelab thing, yes I need to rename it lol) and from a wireless PC on my home network (192.168.0.x) I can ping the vlan20 router IP (the VLAN router IP on the pfSense box), which is 192.168.20.1.
Also, from my wireless PC on my home network (192.168.0.x) I can ping the vlan20 router IP that is on the pfSense box, which is 192.168.20.1. I think I am headed in the right direction but it concerns me because I don't want anything from 192.168.20.x to mess up anything on my actual network (192.168.0.x). Correct me if I am wrong, but I think now I need to select a port on the Netgear switch and set it as the default VLAN and also vlan20, then plug in a PC to that port and see if I can get a vlan20 IP.
Should I remove the default VLAN from that lab port so it only has vlan20? If the above steps are correct for the next things I need to do, I want to make a few things clear.
My goal is to run the lab off a port on the Netgear switch. In this lab, which idk if it is possible, I want to set up another pfSense box and a DNS (Pihole) box etc. so I can make changes/test things, or even set up a pfSense box in a lab then take it down (and not need it and say just set up a PC and an AP on my lab network) and do something else. I want the lab to be able to test things as if it were a real environment. I'll need a connection out to the internet and be able to have internet in the lab, if that makes sense. I want to keep my home lab separate from my home network so I don't screw anything up. Especially since I'm not good with VLANs or networking and IP ranges, I don't want to mess things up.
Any advice is appreciated and thank you for taking the time to read this.
Edit: I have my pfSense box set up for DHCP but the DNS server IP is going to my Pihole.
Don't know if that makes a difference but wanted to add that important info in.
-
@travelmore Not sure what you mean by "set it as the default vlan and also vlan 20"; vlan20 will be the default VLAN on that port and the only VLAN on that port. If that's what you meant, yes, the above is correct.
I'm assuming port 4 is a trunk port and you have it tagged with vlan20, correct? You would leave it at vlan1 as PVID so your untagged LAN will still work.
As far as internet, the vlan20 subnet only needs to be a /30 since it will only connect to the WAN of the lab router. So leave it at .1, make it a /30 if it isn't, and set the lab WAN to static with .2/30.
That will give you internet to the lab.
-
@travelmore Please mask this info before posting as below.
-
@nollipfsense Gah, thank you. Sorry, usually I mask most things (never know what should be masked and what shouldn't). I completely forgot to even check before uploading the pic to see if I should have masked it.
-
@jarhead sorry for the unclear statement regarding "set it as the default vlan and also vlan 20". You cleared up my question about that when you stated "vlan20 will be the default vlan on that port and the only vlan on that port." Originally, I was thinking the lab port (8) would want the default (vlan1) and the lab VLAN (vlan20) on the port, not just vlan20.
Below is a current picture of the settings for my Netgear. Port 8 has a laptop plugged in for the lab environment. Currently, from that laptop on port 8 I can ping 192.168.20.1 but I get an IP for my laptop of 192.168.0.x. Even after unplugging the cat5 from the laptop and plugging it back in I still get an IP of 192.168.0.x. That confuses me because I believe the switch is set up correctly for that port based on the picture below. On the Netgear, port 4 is the pfSense LAN.
Here are the pfSense interface general config settings. I believe these are set up properly as well.
I am new to networking so from what I understand the 192.168.20.1 IP shown below is the 'vlan20 router ip'.
I think it might have something to do with pfSense but I am not sure. Here is a pic below of the rules I have for the VLAN (not sure if they are set up properly).
Not sure what other pics of the pfSense box you may need. I am trying to be careful setting this up so I don't botch my home network.
-
@travelmore You have port 8 tagged with vlan 20. It should be untagged.
Set the PVID of port 8 to 20.
-
@jarhead Thanks. I have made those changes (see below). I think that is correct.
Even with those settings applied above my laptop still gets a 192.168.0.x IP. I even checked the IPv4 network settings (pic below), set it to a different IP altogether, then cleared it back to normal to obtain an address automatically again, and that still didn't work. I even unplugged the network cable a handful of times and it still gives a 192.168.0.x IP.
Not sure what I'm doing wrong or what I need to look at next.
I verified I can still ping the 192.168.20.1 IP.
-
@travelmore Show me the pfSense Interfaces/vlans page.
-
@jarhead here you go. Please let me know if you need any other settings pics.
-
@travelmore
Everything looks good.
Are you sure you're plugging into the correct port?
-
@jarhead Thanks. Good catch, I went and looked and sure enough, it was plugged into port 7; port 8 was right below it. Once I plugged it into port 8 it worked. Pic below is the settings after plugging it into port 8.
I do have some questions, and I am a noob to networking so these might be silly, but I just want to make sure I'm understanding things correctly.
-
From my understanding, with this new VLAN in place on port 8, in a sense it's like having a separate line from the ISP for the internet, right?
(where I can test and run whatever I want without it affecting anything on my actual home network)
-
Why is IPv6 showing? (I don't think it's enabled anywhere)
-
Is it okay for me to set up a new pfSense box with DHCP and a new DNS/Pihole on this 192.168.20.1 network, and APs, and test things without interfering with my real network?
Thank you again for your help. I really appreciate it.
-
Technically, but they do share a cable going from switch to pfSense. Other than that cable, it's a completely separate network.
-
I bet it's enabled on that laptop.
-
Yes. That's what I thought you wanted to do from the start.
Won't need a new piHole though, you can just use the existing one but if you want another, go for it.
So that's why I said to make that network a /30.
A /30 gives you 4 addresses, the network address (in your case 192.168.20.0), 2 usable addresses (.1 and .2) and a broadcast address (.3).
If you go into the vlan20 interface, change the name, then change the IPv4 Address from a /24 to a /30.
Disable the dhcp server.
Then set the WAN on the lab pfSense to 192.168.20.2/30 as a static address.
That will give you a lab network with its own router.
You can keep it at /24 until you're ready to connect the router, or keep it that way forever, but there's no need since once the router is connected you'll never use more than 2 addresses.
-
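Added example (not from the thread or from pfSense itself): a small Python model of the addressing and the interface-rule behaviour discussed above, the /30 transit VLAN with its two usable addresses, and the earlier advice to let the home LAN reach the lab but not the reverse. It assumes the constructed addresses from the thread (home LAN 192.168.0.0/24, lab transit VLAN 192.168.20.0/30) and models pfSense's top-down, first-match rule evaluation with a default block; the rule tuples are constructed, not exported from a real config.

```python
import ipaddress

# Constructed subnets matching the thread: home LAN and the /30 lab transit VLAN
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
LAB_VLAN = ipaddress.ip_network("192.168.20.0/30")
ANY = ipaddress.ip_network("0.0.0.0/0")


def vlan_addresses(net):
    """Break a subnet into network, usable hosts and broadcast (what a /30 gives you)."""
    return {
        "network": str(net.network_address),
        "usable": [str(h) for h in net.hosts()],   # .1 (pfSense) and .2 (lab WAN)
        "broadcast": str(net.broadcast_address),
    }


# Rules on the pfSense VLAN20 interface, as (action, source, destination).
# pfSense evaluates interface rules top-down, first match wins, so the block
# of lab -> home LAN must sit ABOVE the catch-all pass that provides internet.
VLAN20_RULES = [
    ("block", LAB_VLAN, HOME_LAN),  # lab may not initiate anything to the home LAN
    ("pass", LAB_VLAN, ANY),        # everything else (internet) is allowed
]

# Rules on the home LAN interface: home devices may reach the lab (and anything else).
# The firewall is stateful, so replies to these connections return without a rule on VLAN20.
LAN_RULES = [
    ("pass", HOME_LAN, ANY),
]


def evaluate(rules, src, dst):
    """First-match evaluation with pfSense's implicit default: block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "block"


if __name__ == "__main__":
    print(vlan_addresses(LAB_VLAN))
    print("lab -> internet:", evaluate(VLAN20_RULES, "192.168.20.2", "8.8.8.8"))
    print("lab -> home LAN:", evaluate(VLAN20_RULES, "192.168.20.2", "192.168.0.10"))
    print("home -> lab:   ", evaluate(LAN_RULES, "192.168.0.15", "192.168.20.2"))
    # Same two rules in the wrong order: the catch-all matches first and the lab reaches home.
    print("misordered:    ", evaluate(VLAN20_RULES[::-1], "192.168.20.2", "192.168.0.10"))
```

Swapping the two VLAN20 rules is the classic mistake; the last line shows the block becoming dead code once the catch-all pass sits above it.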