Planning out my home network. Recommendations appreciated. Diagram included.

thepixelgeek (Patron, joined Jan 21, 2016, 271 messages)

Now that my FreeNAS build is finished, I'm planning out my home network. Recommendations/ideas appreciated.

I'm exploring VLANs, various hardware options, and where/how best to implement. Still learning. VMs could be interesting, but not sure for what yet. Also looking into VPN options.

I just started building a bare metal pfSense or Untangle firewall. Not sure which yet.

homelab.png
 

troybs1d (Dabbler, joined Feb 7, 2020, 22 messages)

I use pfSense for both home & work. Home network has a few instances of both physical & virtual pfSense systems for layering security purposes with a handful of VLANs. At my office I virtualize both pfSense & FreeNAS in separate ESXi boxes so running/managing the 25+ VLANs I've implemented in pfSense is quite easy. I tried Untangle but didn't like the pricing tier model of it.

I know there's the 10Gb Network guide but I use Quanta LB4M + LB6 switches & a few Dell PowerConnect 55xx series switches at my house for 10Gb. The Quantas are cheap and those two models have interchangeable (dual) PSUs so a few spares easily accessible is nice. The PowerConnects have stackable 10Gb port using standard HDMI cables & are just as cheap as the Quantas but run quieter. If you need to run fiber between switches across the house Cleerline fiber is almost as easy as terminating your own CAT cables but the termination kit can be a bit much (though cheaper than Orthotics usually). The Quantas aren't picky about Twinax DAC cables btw too. 10Gb SFP+ cards I use are Mellanox but I run my FreeNAS instance(s) in ESXi so that is what is directly interfacing with them & FreeNAS uses the 10Gb capable VMX3 "card" - if interfacing directly with FreeNAS the BSD gurus on this forum a/o STH would be better to speak with on compatibility with BSD.

Also how did you make such a clean diagram? I've been looking for a nice way to do it but everything I looked at I wasn't happy with.
 

thepixelgeek (Patron, joined Jan 21, 2016, 271 messages)

> Also how did you make such a clean diagram? I've been looking for a nice way to do it but everything I looked at I wasn't happy with.

Draw.io

Thanks for the reply.
 

Kcaj (Contributor, joined Jan 2, 2020, 100 messages)

I run OPNsense on this mini PC for a firewall and it works excellently! It's running a VPN client & VPN server (remote access), while handling layer 3 and most other services (DHCP, DNS etc.) to my home network. It's configured so only specific VLANs go out over the VPN and traffic shaping works great. It hasn't skipped a beat and it's in an environment that is hotter than it probably should be.

I am not sure about the CCTV, but I just run the UniFi controller for WAPs in a Jail on FreeNAS.
 

thepixelgeek (Patron, joined Jan 21, 2016, 271 messages)

> I run OPNsense on this mini PC for a firewall and it works excellently! It's running a VPN client & VPN server (remote access), while handling layer 3 and most other services (DHCP, DNS etc.) to my home network. It's configured so only specific VLANs go out over the VPN and traffic shaping works great. It hasn't skipped a beat and it's in an environment that is hotter than it probably should be.
>
> I am not sure about the CCTV, but I just run the UniFi controller for WAPs in a Jail on FreeNAS.

Nice, was looking at OPN as well. I'm having trouble deciding on a firewall between OPNsense, PF, and Untangle.
 

jlw52761 (Explorer, joined Jan 6, 2020, 87 messages)

I run pfSense Community on a FW2 – 2 Port Intel J1800 from Protectli (https://protectli.com/product/fw2/). Shoved 8GB RAM in there with an SSD and it's been rock solid running several services. I run DNS and DHCP internally, one's an Ubuntu VM and one's an iocage jail on FreeNAS. They run in a load-balanced configuration for DHCP and Master/Slave for DNS. I also run Docker, which runs my UniFi Controller, and several other things like Grafana (and all its plugins).
 

Kcaj (Contributor, joined Jan 2, 2020, 100 messages)

If you are going to do any type of encryption, i.e. a VPN, definitely go for hardware which supports AES-NI.
 

jlw52761 (Explorer, joined Jan 6, 2020, 87 messages)

I do use OpenVPN and IPSec on this device using the software crypto, but yes, if you got a couple extra $$ then the FW2B – 2 Port Intel J3060 (https://protectli.com/product/fw2b/) version does the AES-NI in hardware. Honestly though, for home use I don't really see much of a hit not having the hardware crypto, and I have IPSec between my two houses and use OpenVPN on my mobile devices.
 