Introduction
This document provides a comprehensive overview of the network configuration in the home lab. It covers the following key areas:
- Firewall Policies: Configuration and rules for network security.
- DHCP Setup: Dynamic IP address allocation and related settings.
- IPSec Tunnels: Secure communication channels between networks.
- DNS Servers: Configuration and management of domain name resolution.
- PXE Servers: Boot services for network-based operating system installation.
System Overview
The home lab is built with a combination of hardware and software components to ensure a robust, flexible, and efficient network and system setup. Below is a breakdown of the infrastructure:
Hardware
- PfSense: Serves as the primary router and firewall, providing advanced network management and security.
- TrueNAS SCALE: Functions as the core storage solution, VM hosting platform, and containerized application manager via Docker.
- Netgear GS108E VLAN Switch: A managed switch used for VLAN segmentation and network optimization.
- Netgear GS316 Unmanaged Switch: Provides additional Ethernet connectivity without VLAN capabilities.
- Asus RT-AX3000 Router: Operates in bridge mode exclusively for the IoT network.
- Ubiquiti AmpliFi Router & Secondary AP: Dedicated to providing wireless connectivity, operating in wireless-only mode for seamless network access.
Docker Containers
- Netboot.xyz: A lightweight, network boot solution for provisioning operating systems and tools over the network.
- Immich: An open-source photo and video backup solution optimized for personal cloud storage.
- Plex: A media server for organizing and streaming multimedia content.
- Passbolt: A secure password management tool designed for teams.
- Open-webui: A user-friendly web interface for managing and accessing hosted services.
- Pi-hole: A network-wide ad blocker and DNS server to enhance privacy and browsing speed.
Design Considerations
The following principles and requirements were considered during the design and implementation of the home lab network:
1. Scalability
- The infrastructure is designed to support future expansion, such as additional VLANs, Docker containers, or devices, without requiring a complete overhaul.
- Use of TrueNAS SCALE and Docker ensures flexible scaling of storage and services.
2. Network Segmentation
- VLAN segmentation (via the Netgear GS108E switch) enhances security by isolating traffic between different networks (e.g., Server LAN, IoT LAN).
- The Asus RT-AX3000 operates exclusively for the IoT network, reducing exposure of critical systems to potentially insecure devices.
3. High Availability and Reliability
- Critical services such as DNS (via Pi-hole) and Plex are hosted in Docker containers within TrueNAS SCALE for stability and redundancy.
- The Ubiquiti AmpliFi system ensures robust wireless coverage with a secondary access point to minimize dead zones.
4. Security
- PfSense provides a comprehensive firewall to protect the network from external and internal threats.
- Services such as Passbolt and Pi-hole reinforce security through password management and ad blocking.
- IPSec tunnels are employed to secure communication between remote networks.
5. Ease of Management
- The use of Docker containers simplifies the deployment and maintenance of applications.
- TrueNAS SCALE consolidates VM hosting, storage, and container orchestration into a single platform, reducing management overhead.
- Unmanaged and bridge-mode devices (e.g., GS316 switch and Asus RT-AX3000) reduce complexity in non-critical parts of the network.
6. Performance Optimization
- VLANs and managed switches ensure efficient traffic flow between subnets and prevent unnecessary broadcast traffic.
- TrueNAS SCALE’s hardware capabilities are leveraged for storage and hosting resource-intensive applications like Plex.
- The use of Pi-hole reduces DNS latency and improves network performance.
Design Specifications
| Requirement | Description |
|---|---|
| R1 | The system shall provide secure and isolated network environments for different use cases (e.g., IoT devices, server management, and user networks). |
| R2 | Devices and services must be assigned to specific VLANs to enforce traffic segmentation and enhance security. |
| R3 | The network should support real-time monitoring of system health and service status, including Docker container performance and network usage. |
| R4 | All sensitive data, including user credentials and server configurations, must be securely stored and encrypted. |
| R5 | The infrastructure must be compatible with standard networking protocols and hardware, ensuring interoperability between components (e.g., managed and unmanaged switches, routers, and wireless APs). |
| R6 | The system should support automated deployment and integration of Docker-based services, such as Plex, Pi-hole, and Passbolt, to simplify service management. |
Detailed Design
1. Network Architecture
The network is segmented into the following zones to enhance security and optimize traffic flow:
- Server LAN: Hosts core services such as TrueNAS SCALE, Docker containers, and PXE boot services.
- IoT LAN: Isolated network for IoT devices, managed via the Asus RT-AX3000 in bridge mode.
- Client LAN: Primary network for user devices and general internet access.
2. Firewall Policies
- PfSense acts as the router and primary firewall, with rules configured to enforce the following:
- Server LAN <-> Client LAN: Allowed for management and service access.
- IoT LAN <-> Server LAN: Blocked to prevent unauthorized access to sensitive systems.
- IoT LAN <-> Client LAN: Allowed for management and service access.
- Internet Access: Restricted for certain zones (e.g., IoT devices) to minimize exposure.
- IPSec tunnels are implemented for secure remote access and inter-network communication.
3. Storage and Compute
- TrueNAS SCALE provides storage for all network zones and hosts critical services:
- VM Hosting: Virtual machines for specialized applications or sandbox environments.
- Docker Containers: Applications include:
- Netboot.xyz for PXE boot services.
- Immich for media backup and management.
- Plex for multimedia streaming.
- Passbolt for secure password management.
- Open-webui for centralized service management.
- Pi-hole for DNS resolution and ad blocking.
4. Wireless Connectivity
- Ubiquiti AmpliFi Router and Secondary Access Point: Provide wireless coverage for the Client LAN, operating in wireless-only mode to avoid routing conflicts.
- Asus RT-AX3000: Dedicated to the IoT network, ensuring low-priority devices are isolated from critical systems.
5. Performance Optimization
- VLAN Management: Optimizes traffic flow and minimizes broadcast traffic.
- Pi-hole: Improves DNS resolution speed and reduces network latency by blocking ads and trackers.
- Resource Allocation: TrueNAS SCALE dynamically allocates resources to Docker containers and VMs to maintain consistent performance.
6. Security Measures
- All sensitive data is encrypted, including TrueNAS datasets and Docker volumes.
- PfSense implements intrusion detection and prevention systems (IDS/IPS) to monitor and mitigate threats.
- Password management through Passbolt ensures secure credential storage and sharing.
7. Backup and Redundancy
- TrueNAS SCALE handles periodic snapshots and backups of critical data.
- External backups are maintained for key configurations, including PfSense and Docker containers.
Testing Plan
- Verify devices in different VLANs cannot communicate unless explicitly allowed by firewall rules.
- Confirm traffic from IoT LAN to Server LAN is blocked, and Server LAN to Client LAN traffic is allowed.
- Ensure each VLAN receives IP addresses from the correct DHCP scope and leases renew properly.
- Test IPSec tunnels for secure connectivity and optimal data transfer between remote networks.
- Validate Pi-hole DNS resolution and confirm ad-blocking is functioning correctly.
- Ensure Docker containers (Netboot.xyz, Immich, Plex, Passbolt, Open-webui, Pi-hole) are accessible and working as expected.
- Test wireless connectivity and signal strength for both Ubiquiti AmpliFi and Asus RT-AX3000 routers.
- Validate TrueNAS SCALE storage performance by reading/writing large files and accessing shared folders.
- Perform a vulnerability scan on the network and test IDS/IPS functionality in PfSense.
- Simulate a failure and confirm system recovery and backup restoration from TrueNAS SCALE.
Maintenance Plan
- Weekly Network Health Check: Review firewall logs, monitor VLAN traffic, and ensure all network devices are online.
- Docker Container Updates: Check for updates to all Docker containers (Plex, Pi-hole, etc.) and apply security patches as needed.
- TrueNAS SCALE Backup: Perform a weekly backup of critical data and configurations, including virtual machines and Docker volumes.
- Firewall Rules Review: Periodically review and update firewall rules to address new security needs and optimize network traffic.
- System Performance Monitoring: Monitor system resource usage (CPU, RAM, storage) on TrueNAS SCALE and Docker containers to identify potential bottlenecks.
- Security Audits: Conduct monthly security audits to check for vulnerabilities, including scanning network devices and reviewing firewall settings.
- IPS/IDS Updates: Update and fine-tune the IDS/IPS signatures on PfSense to ensure optimal protection against new threats.
- DNS Maintenance: Regularly review Pi-hole logs and update blocklists to ensure effective ad-blocking and DNS resolution.
- Wireless Network Optimization: Test wireless coverage and performance to identify any areas needing signal improvement or interference resolution.
- Hardware Inspection: Perform quarterly hardware checks on all physical devices (routers, switches, storage systems) to ensure they are operating correctly and no components are failing.
Firewall Rules
WAN Rules
| Action | Protocol | Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| Block | IPv4 | RFC 1918 networks | * | * | * | Block private networks |
| Block | IPv4 | Not assigned by IANA | * | * | * | Block bogon networks |
| Allow | IPv4 ESP | * | * | WAN address | * | IPSEC |
| Allow | IPv4 TCP/UDP | * | * | WAN address | 500 (ISAKMP) | IPSEC |
Server LAN Rules
| Action | Protocol | Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| Allow | IPv4 | * | * | SERVERLAN Address | 80 | Anti-lockout rule |
| Allow | IPv4 | SERVERLAN subnets | * | CLIENTLAN subnets | * | Allow access to ClientLan |
| Block | IPv4 | SERVERLAN subnets | * | IOTLAN subnets | * | Block access to IoTLan |
| Allow | IPv4 | SERVERLAN subnets | * | * | * | Default allow LAN to any |
Client LAN Rules
| Action | Protocol | Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| Allow | IPv4 | * | * | CLIENTLAN subnets | * | Default allow LAN to any |
| Allow | IPv4 | CLIENTLAN subnets | * | SERVERLAN subnets | * | Allow access to ServerLan |
| Allow | IPv4 | CLIENTLAN subnets | * | IOTLAN subnets | * | Allow access to IoTLan |
| Allow | IPv4 | CLIENTLAN subnets | * | * | * | Default allow LAN to any |
IoT LAN Rules
| Action | Protocol | Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| Allow | IPv4 | IOTLAN subnets | * | CLIENTLAN subnets | * | Allow access to ClientLan |
| Block | IPv4 | IOTLAN subnets | * | SERVERLAN address | * | Block access to ServerLan |
| Allow | IPv4 | IOTLAN subnets | * | * | * | Default allow LAN to any |
IPSec Rules
| Action | Protocol | Source | Source Port | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| Allow | IPv4 | * | * | * | * | IPSec traffic |
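The rule tables above, replayed offline as an added example that is not part of the lab's own configuration: a small first-match evaluator in Python that runs the IoT LAN and Server LAN rule sets against sample flows, so the Testing Plan item "Confirm traffic from IoT LAN to Server LAN is blocked" can be checked before touching the firewall. The zone addressing and the .1 interface IPs are constructed assumptions; the selector semantics follow pfSense, where "<interface> subnets" means the whole network and "<interface> address" means only the firewall's own interface IP.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the three zones (an assumption, not from the page).
ZONES = {
    "SERVERLAN": ip_network("10.10.0.0/24"),
    "CLIENTLAN": ip_network("10.20.0.0/24"),
    "IOTLAN": ip_network("10.30.0.0/24"),
}
# pfSense meaning of the two selector kinds: "<IF> subnets" is the whole network,
# "<IF> address" is only the firewall's own interface IP (assumed to be .1 here).
IFACE_IP = {z: n.network_address + 1 for z, n in ZONES.items()}


def matches(selector, addr):
    """Return True if a Source/Destination cell from the tables covers addr."""
    if selector == "*":
        return True
    zone, kind = selector.split()
    return addr in ZONES[zone] if kind == "subnets" else addr == IFACE_IP[zone]


# (action, source, destination, destination port) in table order; first match wins.
IOTLAN_RULES = [
    ("Allow", "IOTLAN subnets", "CLIENTLAN subnets", "*"),
    ("Block", "IOTLAN subnets", "SERVERLAN address", "*"),
    ("Allow", "IOTLAN subnets", "*", "*"),
]
SERVERLAN_RULES = [
    ("Allow", "*", "SERVERLAN address", "80"),
    ("Allow", "SERVERLAN subnets", "CLIENTLAN subnets", "*"),
    ("Block", "SERVERLAN subnets", "IOTLAN subnets", "*"),
    ("Allow", "SERVERLAN subnets", "*", "*"),
]


def decide(rules, src, dst, dport):
    """First-match evaluation of one interface's rule set; no match means block."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, p in rules:
        if matches(s, src) and matches(d, dst) and p in ("*", str(dport)):
            return action
    return "Block"  # pfSense default deny when no rule matches


if __name__ == "__main__":
    # Testing Plan: "Confirm traffic from IoT LAN to Server LAN is blocked".
    print(decide(IOTLAN_RULES, "10.30.0.50", "10.10.0.1", 443))    # Block (interface IP)
    print(decide(IOTLAN_RULES, "10.30.0.50", "10.10.0.20", 443))   # Allow (host behind it)
    print(decide(SERVERLAN_RULES, "10.10.0.20", "10.30.0.50", 80))  # Block
```

As written in the IoT LAN table, the block rule names the SERVERLAN address, so a flow to any other Server LAN host falls through to the default allow, whereas the Server LAN table uses IOTLAN subnets and blocks as intended. Replacing "SERVERLAN address" with "SERVERLAN subnets" in the rule list makes the second sample flow return Block.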
