Hey guys, I’m hoping for some insight into how to set up my network. Feel free to let me know if this would be better in r/HomeNetworking!

Current setup

Currently, we have a very simple network setup - just a cheap modem/router/wifi combo that serves all of my roommates' devices wirelessly, in addition to a line that I ran to a switch in my room.

https://preview.redd.it/hyhqizlan51c1.png?width=960&format=png&auto=webp&s=5c7a8499fae3ecb0a6b03e1bd12514d32142d7d5

Work in progress

I have a small homelab set up with a backup server and some Raspberry Pis, but I want to experiment with self-hosting a website just to build my knowledge.

To this end, I’ve looked into setting up a pfSense box. Right now I have pfSense installed on a Protectli device, which is connected to the Arris router in a LAN-to-WAN configuration:

https://preview.redd.it/1v1x2gzvn51c1.png?width=960&format=png&auto=webp&s=3657751924bb653fe954ac6c9bd9e57dccd8723f

I’m trying to figure out the best way to set up the network for someone who is relatively new to networking. Ultimately I want

  1. To make sure I’m not interrupting my roommates’ internet
  2. To be able to access the self hosted website
  3. To do this all securely

Proposed network

The pfSense box has multiple NICs, so if my understanding is correct I can completely segment my devices from my roommates’. Additionally, I have a smart switch, so I’m hoping to set up separate VLANs for my devices accessible from outside the network, as well as for IoT devices.

https://preview.redd.it/0lzvphgeo51c1.png?width=960&format=png&auto=webp&s=382f6bb24f32a9bc6ca4ff28c35b813f75b56a6d

Questions

I’m new to networking so any advice is much appreciated. I have a few specific questions, but I’m not sure if they cover all considerations I should be taking! In particular:

  1. Does my proposed network layout make more sense than just putting all my devices on the current LAN-to-WAN subnetwork I have? What needs to be done for this current setup to work - I can think only of port forwarding.
    1. Is one option better than the other for DDNS, which I intend to set up with Cloudflare?
    2. Is one option safer for my roommates’ devices? (I presume my proposed one is.)

If relevant, no roommate devices will need to be able to talk to any of my devices (I think that’s what this pfSense "Block RFC1918 Private Networks" option relates to?)

Thank you so much!

  • vasveritas@alien.top · 9 months ago

    If you have a Managed Switch with VLAN capabilities, then your new proposed idea and layout make sense.

    Your current setup kind of looks like it’s double NAT. Which is not great. You want the Protectli router to be the first device after the Arris Surfboard modem. Have the modem be in only modem/bridge mode. We do not want to use the Arris as a router.
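The double-NAT check that comment describes, as an added example that is not part of the thread: if the address pfSense holds on its WAN interface is an RFC 1918 address, another router (here the Arris in router mode) is NATing in front of it; an address in 100.64.0.0/10 means the ISP is doing carrier-grade NAT, which a bridge-mode modem will not fix. The interface name passed to `wan_check` is an assumption, and the classification functions take constructed addresses so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: classify the address pfSense got on its
# WAN interface. A private (RFC 1918) address means another NAT device sits in
# front of pfSense (double NAT); a 100.64.0.0/10 address means carrier-grade
# NAT at the ISP (RFC 6598). POSIX sh; ifconfig/awk only for the live check.

# 0 if $1 is a syntactically valid dotted-quad IPv4 address, else 1.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 is within 10/8, 172.16/12 or 192.168/16 (RFC 1918).
ip_is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    esac
    return 1
}

# 0 if $1 is within 100.64.0.0/10 (second octet 64..127, RFC 6598 CGNAT).
ip_is_cgnat() {
    case "$1" in
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    esac
    return 1
}

# Prints one of: invalid, private, cgnat, public.
# Exit status: 0 public, 1 NATed (private or cgnat), 2 invalid input.
classify_wan_ip() {
    if ! valid_ipv4 "$1"; then echo "invalid"; return 2; fi
    if ip_is_rfc1918 "$1"; then echo "private"; return 1; fi
    if ip_is_cgnat "$1";   then echo "cgnat";   return 1; fi
    echo "public"
    return 0
}

# Live check on the pfSense box: wan_check <wan interface>
# (interface name is an assumption; see Status > Interfaces for the real one).
wan_check() {
    addr=$(ifconfig "$1" 2>/dev/null | awk '/inet /{print $2; exit}')
    if [ -z "$addr" ]; then
        echo "no IPv4 address on $1"
        return 2
    fi
    verdict=$(classify_wan_ip "$addr")
    printf '%s on %s: %s\n' "$addr" "$1" "$verdict"
    case "$verdict" in
        private) echo "double NAT: put the device in front of pfSense into bridge mode" ;;
        cgnat)   echo "ISP CGNAT: inbound port forwards will not work without IPv6 or a tunnel" ;;
    esac
}

if [ -n "${1:-}" ]; then
    wan_check "$1"
fi
```

Run it as `sh wan_check.sh em0` (or whatever the WAN NIC is called) from a pfSense shell; a `private` verdict is the double-NAT case the comment is warning about.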

  • Bellegr4ine@alien.top · 9 months ago

    1st. Let your roommate use the ISP modem/router as his main network. You don’t want to support him whenever he has internet issues, trust me.

    2nd. Props to you for having a good planning and documentation habit, this is awesome, trust me.

    3rd. To have your own network with your pfSense facing the internet while still having your roommate on the modem/router, depending on your external interface, I’d either enter the PPPoE information in your external interface or, if possible with your modem/router, add your pfSense MAC in the advanced DMZ.

    4th. As for your VLANs, I myself like to have the following VLANs.

    • Work Network
    • Home Network
    • IoT Network
    • Lab Network
    • Wifi Guest Network
    • Sandbox network
    • DMZ Network
    • etc

    Getting late here, hope I make sense and help you with your setup. And again, keep documenting. Awesome to see this as a Senior Sysadmin.

    Cheers
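The segmentation the post proposes (a public-facing VLAN, an IoT VLAN, and the lab), written out as pf rules so the policy is concrete. This is an added example, not something from the thread or from pfSense itself: interface names (igb0, igb1), VLAN IDs 10/20/30, the 10.x.0.0/24 subnets and the web server address are all assumptions. pfSense generates its own ruleset from the GUI, so this is the policy to reproduce there (VLANs under Interfaces, the tables as aliases, the rules per interface), not a file to drop onto the box.

```shell
#!/bin/sh
# Added example, not from the thread: the proposed three-VLAN split as pf rules.
# Interface names, VLAN IDs, subnets and the web server address are assumptions.

# Write the ruleset to the file named in $1.
write_ruleset() {
    cat > "$1" <<'EOF'
# Assumed interfaces: igb0 = WAN (to the modem / Arris), igb1 = VLAN trunk to
# the smart switch. Assumed VLAN IDs and subnets.
wan = "igb0"
lab = "igb1.10"    # 10.10.0.0/24: backup server, Pis, my own machines
dmz = "igb1.20"    # 10.20.0.0/24: the self-hosted website, nothing else
iot = "igb1.30"    # 10.30.0.0/24: IoT devices
table <rfc1918>  { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <internal> { 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }
web_srv = "10.20.0.10"

set skip on lo0
scrub in all

# Outbound NAT for every VLAN; inbound 80/443 forwarded to the web server.
nat on $wan from <internal> to any -> ($wan)
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $web_srv

# pf is last-match: this default loses to any later matching pass rule.
block log all

# pfSense's "Block private networks" on WAN is essentially this rule. It drops
# packets whose *source* is private, so while pfSense's WAN still hangs off the
# Arris LAN it blocks roommates' devices (192.168.x.x) from reaching pfSense's
# WAN address directly. Port-forwarded internet traffic keeps its public
# source address and is unaffected by it.
block in quick on $wan from <rfc1918> to any

# Only what the rdr translated is allowed in from the internet.
pass in on $wan proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
pass out on $wan keep state

# Lab: unrestricted, including management of the other VLANs.
pass in on $lab from $lab:network to any keep state

# DMZ: DNS from pfSense, internet access, never the other VLANs.
pass in on $dmz proto { tcp, udp } from $dmz:network to ($dmz) port 53 keep state
pass in on $dmz from $dmz:network to ! <internal> keep state

# IoT: same shape as the DMZ; no path to the lab or the web server.
pass in on $iot proto { tcp, udp } from $iot:network to ($iot) port 53 keep state
pass in on $iot from $iot:network to ! <internal> keep state

pass out on { $lab, $dmz, $iot } keep state
EOF
}

# Number of nat/rdr/pass/block rules in the file named in $1.
count_rules() {
    grep -Ec '^(pass|block|nat|rdr) ' "$1"
}

# Parse-check with pf where it exists (FreeBSD/pfSense); elsewhere just report.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; $(count_rules "$1") rules written to $1 but not parsed"
    fi
}

if [ -n "${1:-}" ]; then
    write_ruleset "$1"
    check_ruleset "$1"
fi
```

The DMZ and IoT rules are "to anything except the internal table", which is what makes a compromised web server or IoT gadget unable to reach the backup server; the lab VLAN keeps a route into the DMZ for administration. Nothing here touches the roommates' network, which stays on whatever sits in front of the WAN port.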

  • RagnarLunchbox@alien.top · 9 months ago

    I concur with u/Bellegr4ine and will add a little more:

    • If your WAN is PPPoE then another, more elegant solution that might fit is to set up 3 ports on the managed switch for use in FRONT of the main router, and have your cable/carrier WAN ethernet output and the WAN interfaces of both the wifi router and the pfSense all plugged into these ports.
      • This creates a shared carrier WAN VLAN in front of both firewalls.
      • In most cases, both wifi router and pfSense should get their own public IP, basically splitting one internet connection into two separate public IPs. Many carriers can’t limit this, to support landline phone services.
      • This scenario will also work where the carrier also needs a VLAN tag to connect to PPPoE; just set the VLAN ID the same as the carrier requires.
      • The only thing this breaks is the ability to manage QoS on the link, because there are two connections but no central QoS.
      • Both router and pfSense then plug their LAN output into the appropriate VLAN ports on the managed switch.

    I do this and it allows me to run a family LAN network and also to have a completely separate internet environment for my lab.

    • FiziksMayMays@alien.top (OP) · 9 months ago

      Thanks for the comment! I’m not sure if the WAN is PPPoE on the pfSense box - is this something I configure or is it set by the ISP?

      Oh wait I think I see what you’re saying. My internet is through cable (not ethernet), so I think you are saying to do this:

      internet
         │
         ▼
      modem
         │
         ▼
      managed switch──────────────┐
          │                       │
          ▼                       ▼
      arris router           pfSense box
      

      Isn’t this a problem because then the managed switch is on the ISP’s network?

      Also, you said that the WAN interfaces of both the Arris router and pfSense should be in that managed switch, but then also (last bullet) that the router and pfSense plug their LAN output into the managed switch? Was that just a typo?