I have finally got around to building out my home network. I decided to build a custom firewall and use a TP-Link switch and access point.
Original Setup
My original setup was using the ISP-supplied Superhub 5, which had 4 Ethernet ports and built-in Wi-Fi.
New Setup
For the new setup I will be using the ISP router in modem mode, which will pass the Internet connection through to the firewall. The firewall will be connected to the 2.5GbE port on the ISP router.
Kit List
Below is a quick kit list of what I ended up with. I compromised a bit on the access point, which will probably be the first thing I upgrade.
- Firewall Micro Appliance, 4 Port i226 2.5GbE LAN Fanless Mini PC N4000, DDR4, HDMI, VGA, Gigabit Ethernet AES-NI VPN Router Openwrt Home Media Server
- TP-Link PoE Switch 8-Port Gigabit, 4 802.3af/at PoE+ ports up to 30 W for each PoE port and 64 W for all PoE ports, Metal Casing, Network monitoring, VLAN, QoS, PoE Auto Recovery (TL-SG108PE)
- TP-Link EAP225 Access Point, AC1350 WiFi Dual Band Wireless Access Points, Gigabit Ethernet Port Support 802.3af/Passive PoE, Omada Mesh, Easily Mount to Wall or Ceiling, Free Controller Software
- Tapo Smart Plug Power Strip, Energy Monitoring & MATTER Compatible Alexa Plug Strip Extension Lead, Zero-Crossing Detection, works with Apple Home, Alexa and Google Home, Schedule and Timer (Tapo P304M)
- SEBSON CAT6 Ethernet Cable 0.5m, 5 Pack, Gigabit LAN Network Cable RJ45, 1000Mbit/s High Speed, U-UTP, Patch Cable for Router, PC, TV
- SEBSON CAT6 Ethernet Cable 1.5m, 5 Pack, Gigabit LAN Network Cable RJ45, 1000Mbit/s High Speed, U-UTP, Patch Cable for Router, PC, TV
- Cat 8 Ethernet Cable 10M, High-Speed 40Gbps 2000MHz Internet Cable, Gold Plated RJ45 Connector, for Outdoor & Indoor, Weatherproof UV/LAN Cable Cord for Xbox PS4/5 Modem Router PC
TP-Link Devices
Although the TP-Link switch and AP can be managed with Omada, I will be managing them stand-alone.
Firewall Operating System
For the firewall I will be using OPNsense. I have previously used pfSense, but OPNsense seems to be the way to go at the moment.
Network Configuration
One of the advantages of moving away from a basic ISP router is the ability to spin up VLANs to split out traffic and segment the IoT devices away from everything else.
VLANs
I decided to split my stuff into 6 VLANs to begin with, each using a /24. Whilst I could use smaller address spaces, this just makes it easier.
| IP Range | VLAN | Description | DHCP | GW |
|---|---|---|---|---|
| 192.168.10.0/24 | 10 | Management | [ ] | |
| 192.168.11.0/24 | 11 | LAN | [X] | |
| 192.168.12.0/24 | 12 | IoT Wifi | [X] | |
| 192.168.13.0/24 | 13 | Gaming | [X] | |
| 192.168.66.0/24 | 66 | Guest | [X] | OPT1 |
| 192.168.67.0/24 | 67 | LAB | [X] | OPT1 |
OPT1 Gateway
For my Guest and LAB networks I will be using a VPN provider for Internet access. As the LAB will be used for security testing, malware analysis etc., it is preferable that this traffic does not go out via my public IP. I will also be treating guest devices as untrusted and will be sending them out the same way.
DNS
For DNS I will be using AdGuard to add DNS-level ad filtering. AdGuard will sit on the gateway IP addresses. Unbound DNS will be moved from udp/53 to udp/5353 to allow AdGuard to run on udp/53.
For the LAB and Guest networks, the VPN provider's DNS servers will be used.
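To make the VLAN table and the DNS plan above checkable before touching the firewall, here is a small Python script I am adding as an example (it is not OPNsense's, AdGuard's or the post's own code). It encodes the six VLANs, derives the DNS servers each VLAN's DHCP scope should hand out (AdGuard on the gateway IP for the default-routed VLANs, the VPN provider's resolvers for the OPT1 VLANs), lists the addresses AdGuard must bind on port 53 with the relocated Unbound as its upstream, and runs a few sanity checks. Assumptions: the firewall takes the first usable host (.1) of each /24 as the gateway IP, and the VPN provider's resolver addresses are placeholders because the post does not name them.

```python
"""Constructed example: encode the VLAN plan and derive the DNS settings.
Not the firewall's own configuration; assumptions are marked inline."""
import ipaddress
from dataclasses import dataclass

ADGUARD_PORT = 53      # AdGuard takes udp/53 on the gateway IPs (from the post)
UNBOUND_PORT = 5353    # Unbound is moved to udp/5353 (from the post)
# Placeholder values: the VPN provider's resolvers are not named in the post.
VPN_DNS = ["VPN_DNS_PLACEHOLDER_1", "VPN_DNS_PLACEHOLDER_2"]


@dataclass(frozen=True)
class Vlan:
    cidr: str
    vid: int
    name: str
    dhcp: bool
    gateway: str   # "WAN" (default route) or "OPT1" (VPN provider), as in the table


# The six VLANs from the table above; blank GW in the table means "WAN".
VLANS = [
    Vlan("192.168.10.0/24", 10, "Management", False, "WAN"),
    Vlan("192.168.11.0/24", 11, "LAN",        True,  "WAN"),
    Vlan("192.168.12.0/24", 12, "IoT Wifi",   True,  "WAN"),
    Vlan("192.168.13.0/24", 13, "Gaming",     True,  "WAN"),
    Vlan("192.168.66.0/24", 66, "Guest",      True,  "OPT1"),
    Vlan("192.168.67.0/24", 67, "LAB",        True,  "OPT1"),
]


def gateway_ip(v: Vlan) -> str:
    """Assumption: the firewall takes the first usable host (.1) of each /24."""
    return str(next(ipaddress.ip_network(v.cidr).hosts()))


def dhcp_dns(v: Vlan) -> list[str]:
    """DNS servers the DHCP scope on this VLAN should hand out.
    WAN-routed VLANs get AdGuard on their gateway IP; OPT1 VLANs get the VPN
    provider's resolvers so lookups leave via the VPN rather than the public IP."""
    if not v.dhcp:
        return []
    return [gateway_ip(v)] if v.gateway == "WAN" else list(VPN_DNS)


def leaks_dns(v: Vlan, servers: list[str]) -> bool:
    """True if a VPN-routed VLAN is handed the firewall's own resolver, which
    would send its DNS lookups out of the public IP instead of the VPN."""
    return v.gateway == "OPT1" and gateway_ip(v) in servers


def adguard_listeners(vlans=VLANS) -> list[str]:
    """Socket addresses AdGuard must bind (only VLANs that resolve locally)."""
    return [f"{gateway_ip(v)}:{ADGUARD_PORT}" for v in vlans if v.gateway == "WAN"]


def adguard_upstream() -> str:
    """AdGuard forwards to the relocated Unbound on the firewall itself."""
    return f"127.0.0.1:{UNBOUND_PORT}"


def validate(vlans=VLANS) -> list[str]:
    """Return a list of plan problems; an empty list means the plan is consistent."""
    problems = []
    nets = [ipaddress.ip_network(v.cidr) for v in vlans]
    for v, n in zip(vlans, nets):
        if n.prefixlen != 24:
            problems.append(f"{v.name}: expected a /24, got /{n.prefixlen}")
        if not 1 <= v.vid <= 4094:
            problems.append(f"{v.name}: VLAN id {v.vid} outside the 802.1Q range")
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                problems.append(f"{vlans[i].name} overlaps {vlans[j].name}")
    if len({v.vid for v in vlans}) != len(vlans):
        problems.append("duplicate VLAN ids")
    if ADGUARD_PORT == UNBOUND_PORT:
        problems.append("AdGuard and Unbound cannot share a port")
    return problems


if __name__ == "__main__":
    for line in validate() or ["plan OK"]:
        print(line)
    for v in VLANS:
        print(f"VLAN {v.vid:>2} {v.name:<11} gw={gateway_ip(v)} dhcp_dns={dhcp_dns(v)}")
    print("AdGuard listens on", adguard_listeners(), "upstream", adguard_upstream())
```

The `leaks_dns` check is the one worth keeping around: if a DHCP scope on the Guest or LAB VLAN is ever pointed at the gateway IP by mistake, resolver traffic leaves via the public IP even though the routed traffic goes out via OPT1.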
Link Aggregation
To maximise throughput from the switch to the firewall I will be looking at setting up link aggregation. Whilst the TP-Link SG108PE does support link aggregation, it does not support LACP, so instead I will be using loadbalance mode.
Part 2 coming soon
That's the plan, and all for this post. In the next post I will be installing OPNsense on the Micro PC.