Skip to content

Instantly share code, notes, and snippets.

@JakaKokosar

JakaKokosar/nacho network.md

Created December 30, 2020 20:00
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save JakaKokosar/46d2e95b465cf9a8737e562a5640635f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save JakaKokosar/46d2e95b465cf9a8737e562a5640635f to your computer and use it in GitHub Desktop.
Download ZIP
nacho network
Raw
nacho network.md

nacho network

This document started out as my notes for building my home network. I was keeping notes because I knew I would have to start over many times and because writing them down helps me remember them.

I thought I would put this online to help others learn.

This document is heavily inspired by https://nguvu.org/pfsense/pfsense-baseline-setup/#Install%20pfSense with a lot of help from nguvu and various folks on reddit.com and https://forum.netgate.com/.

table of contents

  1. nacho network
  2. table of contents
  3. overview
    1. objectives
    2. zones
    3. my devices
    4. my wiring
    5. miscellaneous to do
    6. references
  4. configuration data
  5. set it up
    1. before starting
    2. pfSense
      1. setup wizard
        1. General Information
        2. Time Server Information
        3. Configure WAN Interface
        4. Configure LAN Interface
      2. system settings
        1. System > General Setup
        2. System > Advanced > Admin Access
        3. System > Advanced > Firewall/NAT
        4. System > Advanced > Networking
        5. System > Advanced > Miscellaneous
      3. VLANs, interfaces, and DHCP
      4. NTP
        1. Services > NTP > Settings
      5. DNS
        1. Services > DNS Resolver > General Settings
        2. Services > DNS Resolver > Advanced Settings
      6. firewall
    3. hook everything up
    4. unifi
      1. installation
      2. networks (VLANs)
      3. wifi
      4. trunk port for personal desktop and unifi VM
      5. switch 8 lite port VLAN assignments
    5. other stuff

overview

objectives

  • VLANs to seggregate zones/devices/traffic and minimize exposure between zones (see table below)
  • centralized NTP server -- all LAN/VLAN NTP requests should be handled by the pfSense router
  • centralized DNS server backed by CloudFlare DNS -- all LAN/VLAN DNS requests should be handled by the pfSense router

zones

zone purpose to do
trust
  • trusted devices: personal computers, phones, Roku, etc...
  • open internet access
  • controlled access to other zones (i.e. SSH to servers)
iot
  • IoT devices
  • open internet access
  • no access to other zones or anything else
guest
  • guest devices
  • open internet access
  • no access to other zones or anything else
serve
  • home server with various Docker containers (Plex, Samba, etc...)
  • controlled/limited internet access
  • no access to other zones or anything else
dmz
  • internet exposed Docker containers (web site, Plex, etc...)
  • controlled/limited internet access
  • no access to other zones or anything else
 yes

my devices

alias device zone notes status
fios FIOS ONT ethernet port enabled
pfs pfSense box
  • em0 = WAN
  • em1 = LAN
switch 8 lite Unifi Switch Lite 8 Poe LAN
wifi 6 lite Unifi 6 Lite Access Point LAN
personal desktop personal desktop trust wired
unifi Unifi controller LAN running in VM on personal desktop
personal laptop laptop trust wireless
phones family cell phones trust wireless
roku Roku trust wired
st SmartThings HUB iot wired to do
iot various IoT devices iot wireless to do
work desktop work laptop guest wired
work laptop work laptop guest wireless
nuc Intel NUC serve Debian server
www web site dmz Docker container to do
samba Samba serve Docker container to do

my wiring

  • fios ethernet -> pfs WAN (em0)
  • pfs LAN (em1) -> switch 8 lite
  • switch 8 lite:
    1. wifi 6 lite
    2. work desktop
    3. personal desktop
    4. nuc
    5. roku
    8. pfs

miscellaneous to do

  • new pfSense server with one 10G for LAN (to avoid switch to router bottleneck) and AES-NI
  • new switch with one 10G for uplink

references

configuration data

https://docs.google.com/spreadsheets/d/1L-rZIr-zx0nmQWmY8F8IweCcH0Wr6OeO1OPCs1ltiVI/edit#gid=0

set it up

before starting

  • make sure WAN on pfs is not connected to internet until the FW rules are added
  • do a factory reset on pfs, switch 8 lite, and wifi 6 lite just to make sure we're starting from scratch
  • default pfSense username and password for pfs:
    • username: admin
    • password: pfsense

pfSense

https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html for how to install pfSense.

setup wizard

General Information

group setting sub setting value
General Information Hostname pfs
General Information Domain local.lan
General Information Primary DNS Server 1.1.1.1
General Information Secondary DNS Server 1.0.0.1
General Information Override DNS Allow DNS servers to be overridden by DHCP/PPP on WAN unchecked

Time Server Information

group setting sub setting value
Time Server Information Time server hostname 0.pfsense.pool.ntp.org
Time Server Information Timezone America/New_York

Configure WAN Interface

group setting sub setting value
RFC1918 Networks Block RFC1918 Private Networks Block private networks from entering via WAN checked
RFC1918 Networks Block bogon networks Block non-Internet routed networks from entering via WAN checked

Configure LAN Interface

group setting sub setting value
Configure LAN Interface LAN IP Address 192.168.1.1
Configure LAN Interface Subnet Mask 24

system settings

System > General Setup

group setting sub setting value
DNS Server Settings DNS Server Override Allow DNS server list to be overridden by DHCP/PPP on WAN unchecked
DNS Server Settings Disable DNS Forwarder Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall unchecked

System > Advanced > Admin Access

group setting sub setting value
webConfigurator WebGUI redirect Disable webConfigurator redirect rule checked
webConfigurator WebGUI Login Autocomplete Enable webConfigurator login autocomplete unchecked
webConfigurator Anti-lockout Disable webConfigurator anti-lockout rule unchecked

System > Advanced > Firewall/NAT

group setting sub setting value
Firewall Advanced Firewall Optimization Options Conservative
Firewall Advanced Firewall Maximum States 1632000
Firewall Advanced Firewall Maximum Table Entries 2000000
Bogon Networks Update Frequency Monthly

System > Advanced > Networking

group setting sub setting value
IPv6 Options Allow IPv6 All IPv6 traffic will be blocked by the firewall unless this box is checked unchecked

System > Advanced > Miscellaneous

group setting sub setting value
Power Savings PowerD Enable PowerD checked
Power Savings AC Power Hiadaptive
Power Savings Battery Power Hiadaptive
Power Savings Unknown Power Hiadaptive
Gateway Monitoring Skip rules when gateway is down Do not create rules when gateway is down checked

VLANs, interfaces, and DHCP

  1. Interfaces > Assignments > VLANs: add VLANs with priority 0 using the VLAN data in configuration data

  2. Interfaces > Assignments > Interface Assignments: add all the available network ports

  3. Interfaces: Go through the OPT# interfaces and configure them:

    heading setting sub setting value
    General Configuration Enable Enable interface checked
    General Configuration Description set to associated VLAN description
    General Configuration IPv4 Configuration Type Static IPv4
    Static IPv4 Configuration IPv4 Address from configuration data
    Reserved Networks Block private networks and loopback addresses unchecked
    Reserved Networks Block bogon networks unchecked

  4. Services > DHCP Server: Go through the VL##_* interfaces and configure them:

    heading setting sub setting value
    General Options Enable Enable DHCP server on ... interface checked
    General Options Range from configuration data

NTP

Services > NTP > Settings

group setting sub setting value
NTP Server Configuration Interface
  • LAN
  • VL10_trust
  • VL20_iot
  • VL30_guest
  • VL40_serve
NTP Server Configuration Time Servers 0.pfsense.pool.ntp.org
NTP Server Configuration Time Servers Is a Pool checked
NTP Server Configuration NTP Graphs Enable RRD graphs of NTP statistics (default: disabled). checked

DNS

Services > DNS Resolver > General Settings

group setting sub setting value
General DNS Resolver Options Network Interfaces
  • LAN
  • VL10_trust
  • VL20_iot
  • VL30_guest
  • VL40_serve
  • Localhost
General DNS Resolver Options Outgoing Network Interfaces
  • WAN
General DNS Resolver Options System Domain Local Zone Type Static
General DNS Resolver Options DHCP Registration Register DHCP leases in the DNS Resolver unchecked
General DNS Resolver Options Static DHCP Register DHCP static mappings in the DNS Resolver checked
General DNS Resolver Options Custom options local-data: "local.lan. 10800 IN SOA pfs.local.lan. root.local.lan. 1 3600 1200 604800 10800"

Services > DNS Resolver > Advanced Settings

group setting sub setting value
Advanced Privacy Options Query Name Minimization Send minimum amount of QNAME/QTYPE information to upstream servers to enhance privacy checked
Advanced Resolver Options Prefetch Support Message cache elements are prefetched before they expire to help keep the cache up to date checked
Advanced Resolver Options Prefetch DNS Key Support DNSKEYs are fetched earlier in the validation process when a Delegation signer is encountered checked
Advanced Resolver Options Harden DNSSEC Data DNSSEC data is required for trust-anchored zones. checked
Advanced Resolver Options EDNS Buffer Size 4096

firewall

  1. Firewall > NAT > Port Forward: use the port forwarding data in configuration data to add the requried port forward rules
  2. Firewall > Rules: use the firewall data configuration data to add the required firewall rules for each interface
    • some FW rules will already be there; these are linked to previous settings and port forward rules

hook everything up

  • now would be a good time to make sure everything except the WAN on pfs is hooked up.
  • mind what devices you plug into what port on switch 8 lite; you'll need to know what is plugged in where when configuring the VLANs in unifi.

unifi

  • we want all of the unifi stuff, including the controller, on the default LAN interface (untagged VLAN)
    • the switch 8 lite and wifi 6 lite will automatically be on the LAN interface (by default)
    • to make the unifi controller running on a VM on personal desktop, we have to set the NIC of personal desktop to VL10_trust and the NIC of the VM to untagged
  • some of the settings in the unifi controller are not available in the new UI and you may need to switch to the classic UI

installation

  1. make sure everything is hooked up, especially: pfs, switch 8 lite, wifi 6 lite, and personal desktop
  2. create a Debian VM for unifi in personal desktop
  3. in the hypervisor, set personal desktop to VL10_trust and make sure the unifi VM is untagged
  4. once Debian installed in the VM, install the unifi controller: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
  5. once the unifi controller is installed, navigate to https://[IP of the VM]:8443 where [IP of the VM] is the IP of your unifi VM
  6. follow the on screen instructions to create an account and set things up
  7. adopt the switch 8 lite and wifi 6 lite
  8. configure your mail server in Settings > Controller

networks (VLANs)

  1. in https://[IP of the VM]:8443 go to Settings > Networks

  2. Create New Network for each of of the VLANs:

    group property name propery value
    Create New Network Name name/description from VLANs
    Create New Network Purpose VLAN Only
    Create New Network VLAN VLAN Tag/ID from VLANs

wifi

  1. go to Settings > Wireless Networks and create the wireless networks per need
  2. to associate a wireless network with a VLAN, select the appropriate network for the Network option

trunk port for personal desktop and unifi VM

  1. go to Settings > Profiles > Switch Ports

  2. create a new port profile

    group property name propery value
    Create new switch port profile Profile Name [whatever you want]
    Create new switch port profile PoE Off
    Networks/VLANs Native Network LAN
    Networks/VLANs Tagged Networks VL10_trust = checked

switch 8 lite port VLAN assignments

  1. go to Devices > click on the switch > click on Ports
  2. edit the port personal desktop is connected to and set the Switch Port Profile to the trunk you created in trunk port for personal desktop and unifi VM
  3. after you apply, reboot personal desktop so it gets an IP in VL10_trust
  4. after you reboot, (re)start the unifi VM and navigate to https://[IP of the VM]:8443 where [IP of the VM] is the IP of your unifi VM
  5. navigate back to navigate to https://[IP of the VM]:8443 and associate the other ports on switch 8 lite with their associated network/VLAN as needed
    • make sure the wifi 6 lite stays on the default All Switch Port Profile because we control which VLAN each wifi is on at the wireless network level (from wifi above)

other stuff

  1. add email capability to pfSense: System > Advanced > Notifications

    group setting sub setting value
    E-Mail E-Mail server smtp.gmail.com
    E-Mail SMTP Port of E-Mail server 465
    E-Mail Secure SMTP Connection Enable SMTP over SSL/TLS checked
    E-Mail Validate SSL/TLS Validate the SSL/TLS certificate presented by the server checked
    E-Mail From e-mail address gmail email address
    E-Mail Notification E-Mail address gmail email address
    E-Mail Notification E-Mail auth username (optional) gmail email address
    E-Mail Notification E-Mail auth password gmail email password
    E-Mail Notification E-Mail auth mechanism PLAIN
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment