Network Setup with PfSense
-
Hi folks -
I am in a bit of a rut with my current home network setup. I know for certain my current setup (double NAT) is not optimal, so I am looking for advice on how best to run my network. However, there are some limitations that need to be considered, which might be reflected in the design. As a note, I have a day job and have been spending copious amounts of time trying to understand (and get better at) networking. But alas, I am stumped and not sure how to proceed.
Current Setup
ISP Modem --> Google Wifi mesh system (router 1) --> Netgear GS108Ev3 Managed Switch --> pfSense (router 2) running on Proxmox --> Old Netgear R7000 in AP mode for WAP.
Google Wifi:
WAN: ISP assigned
LAN: 192.168.86.x/24
-has most of my IoT devices
Netgear Managed Switch:
-IP assigned on 86.x network
-802.1q VLANs to distribute internet to pfSense, other VMs, and R7000 AP.
pfSense Box:
WAN: 192.168.86.88 (static)
LAN: 192.168.87.x/24 w/ DHCP
-Virtualised on Proxmox VM
-Single NIC, using VLAN for WAN and LAN via Netgear Managed Switch (looking at at least a dual NIC soon, but have not yet purchased)
-Proxmox host on 87.x network
Background
I have this dual router setup because the server that pfSense runs on (Proxmox VM with only a single NIC) is really meant for my homelab purposes (and, from what I understand, it is somewhat more secure not having Proxmox exposed directly to the web). My roommates use the Google mesh system to connect for work purposes. My issue here is that in terms of reliability, it's a hard sell to have them on anything that relies on Proxmox (and thus pfSense) due to their inability to understand any of this should it have downtime (or even just the server being turned off due to a power outage). This is why they are connected to the easy-to-use (but useless) Google mesh, which is not dependent on my server.
I have been trying for approximately the last 3 months to get OpenVPN (running in pfSense) to remotely connect to my 87.x network when away. Since that network is behind the Google mesh system, I am so confused about how to get from a remote network into the Google mesh and through to pfSense. I don't understand NAT that well and have tried so many stupid solutions that I'm worried I'm creating an unsafe network.
Ideal Setup:
So here's what I'd like to design the network to do:
- Google Mesh to stay connected to the internet directly so my roommates do not lose connectivity when I'm not home (or at least not as a result of my crazy network setup). I'd be okay putting this behind the Netgear switch, but don't want it to rely on my server. They know how to reset the Google Wifi, and that's about it.
- Separate network for my homelab devices using Proxmox and pfSense. Ideally not expose the Proxmox interface to the web.
- Continue using the Netgear R7000 as my wireless access point.
- Have the ability to access my VMs on Proxmox remotely, ideally via OpenVPN.
- Move IoT devices to be accessible from either network (I can't currently access 87.x devices when using my Google Wifi, which is 86.x; I can do the opposite, however, and access 86.x devices while on the 87.x network). I have Sonos on the Google Wifi and need to keep it there as my roommates also need access to the household speakers.
Above all, my top concerns are having a reliable internet connection (for my roommates) and keeping my server secure. Happy to provide further info if needed.
Thank you all for the input and your time.
Best,
Nick
-
@nar94k the Google router will need to forward either the OpenVPN ports or all ports to pfSense. pfSense can allow access to the OpenVPN server ports on its WAN, or if you set up a dynamic DNS hostname you can allow that hostname.
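Once the port forward on the Google router and the WAN rule on pfSense are in place, the check a practitioner wants is an end-to-end probe from outside: does an OpenVPN client hello actually reach the server and get answered? The following is an added example, not code from either poster, and it assumes things the thread does not state: OpenVPN is on UDP 1194, the public hostname is a placeholder (`vpn.example.com`), and the server is running without tls-auth or tls-crypt. With tls-auth/tls-crypt enabled (the pfSense wizard's default), the server silently drops an unauthenticated hello, so a timeout then cannot distinguish "dropped by tls-auth" from "port forward or WAN rule missing"; in that case look for the connection in the pfSense firewall log on the WAN rule instead. The packet layout is OpenVPN's plain (non-tls-auth) control channel header: opcode/key-id byte, 8-byte session id, ack array, 4-byte packet id.

```python
"""Probe an OpenVPN UDP server behind a double NAT (added example, not from the thread).

Assumptions not stated on the page: UDP 1194, no tls-auth/tls-crypt on the server,
placeholder hostname vpn.example.com.
"""
import os
import socket
import struct
from typing import Optional

# OpenVPN control-channel opcodes (high 5 bits of the first byte; low 3 bits = key id)
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_reset(session_id: bytes, key_id: int = 0, packet_id: int = 0) -> bytes:
    """Build the first packet an OpenVPN client sends: opcode byte, our session id,
    an empty ack array (length byte 0), then the 4-byte message packet id."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | (key_id & 0x07)
    return bytes([first]) + session_id + b"\x00" + struct.pack("!I", packet_id)


def parse_server_reset(data: bytes, our_session_id: bytes) -> Optional[dict]:
    """Return the parsed fields if `data` is a HARD_RESET_SERVER_V2 addressed to our
    session, else None. Layout: opcode/key byte, server session id (8), ack count (1),
    ack packet ids (4 each), remote (our) session id (8, only if ack count > 0),
    message packet id (4)."""
    if len(data) < 10:
        return None
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        return None
    server_session = data[1:9]
    ack_len = data[9]
    off = 10
    needed = off + 4 * ack_len + (8 if ack_len else 0) + 4
    if len(data) < needed:
        return None
    acks = [struct.unpack("!I", data[off + 4 * i:off + 4 * i + 4])[0] for i in range(ack_len)]
    off += 4 * ack_len
    if ack_len:
        remote_session = data[off:off + 8]
        off += 8
        if remote_session != our_session_id:
            return None  # a reply, but for some other client's session
    packet_id = struct.unpack("!I", data[off:off + 4])[0]
    return {"key_id": key_id, "server_session": server_session, "acks": acks, "packet_id": packet_id}


def probe(host: str, port: int = 1194, timeout: float = 3.0) -> Optional[dict]:
    """Send one client hello and wait for the server's reset. None means no valid
    reply within the timeout (forward/WAN rule missing, or tls-auth dropped it)."""
    session_id = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_reset(session_id), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_server_reset(data, session_id)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    result = probe(target)
    if result:
        print("OpenVPN answered through both NAT hops:", result)
    else:
        print("no reply: check the Google router forward, the pfSense WAN rule, or tls-auth")
```

Run it from a network outside the house (a phone hotspot is enough), not from the 86.x or 87.x LAN, since hairpin NAT on the Google router is a separate question from the inbound forward. A reply proves the whole chain: public IP, Google router forward to 192.168.86.88, pfSense WAN rule, OpenVPN daemon.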