Home networking, take 2

I've done a couple of posts over the past few months related to the network I've set up in my flat. Back in April things were necessarily sparse, having only just moved in, but more recently I'd been working towards building something a little more sophisticated.

Due to slight changes in circumstances, I've just shuffled the network around again, as the requirements for what I'm running there have just changed once more. However, I was reasonably pleased with how I had it working before the reshuffle, so I thought I might as well write down the way things were arranged, should I need a reference in the future.

The hardware

I've shuffled the hardware in use around a bit in the last few months. I'm still using a Raspberry Pi 4 as my router, and it's still muxing VLANs and terminating the PPPoE session to the ISP. I swapped out the DSL modem while attempting to debug some connectivity issues a couple of months ago, but that isn't a significant change (it's still a case of DSL going in one end and PPPoE coming out the other).

The most noticeable change is the pair of Netgear GS308T switches I bought, which I talked about in my last post here. I've been quite pleased with these devices, as they quite happily shuffle various VLAN tags around without any complaints, and have slightly more sensible access control than the TP-Link switch I was using previously. One of those switches sat in the middle of the flat (at an impromptu distribution point), and the other was on my desk as a breakout switch for the numerous other devices there which needed connectivity.

I've also set up a dedicated WiFi access point, separate from the Pi 4, as the Pi 4's WiFi chipset doesn't really give very good coverage. It's a TP-Link Archer C7 which was lying around otherwise unused, so I've set it up in LAN-extender mode and left it next to the "distribution" switch, which solved the coverage issues I'd been having.

The software

The network is an even greater mess of VLANs now than it was in April (due to the addition of a DMZ), which I covered in my previous post about the switches. The switches and the modem are each on their own separate management VLANs, and the ISP uplink is also on a separate VLAN between the router and the modem. The DMZ and the private LAN are also naturally on separate VLANs, with some iptables magic sprinkled over the router to keep things properly isolated.

When I added the DMZ subnet I took the liberty of redesigning the forwarding firewall, starting with a default-deny policy, and then granting specific VLANs access to the outside world (and the outside world access to specific VLANs). I put some thought into this, especially as I wanted to avoid address spoofing on the DMZ network leading to access to the private LAN, which led to per-interface ingress filtering on the network ranges I had in use there. The result is hopefully a bit more secure, and less likely to contain subtle bugs permitting access from the public bits to the private bits of the network.
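A sketch of the kind of ruleset described above, added here as an illustration and not taken from the router's actual configuration. The interface names, prefixes and the published DMZ port are all assumptions, since the post does not give them.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset: default-deny FORWARD policy plus
# per-interface ingress (anti-spoofing) filtering.
# Every interface name, prefix and port below is an assumed placeholder.
WAN=ppp0        # PPPoE session to the ISP (assumed name)
LAN=eth0.10     # private LAN VLAN (assumed)
DMZ=eth0.20     # DMZ VLAN (assumed)
# "interface prefix" pairs: the only source range accepted on each VLAN.
NETS="$LAN 192.168.10.0/24
$DMZ 192.168.20.0/24"

gen_rules() {
    echo "*filter"
    # INPUT/OUTPUT are outside the scope of this example and left open.
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":INGRESS - [0:0]"
    # Every forwarded packet passes the ingress check before any ACCEPT,
    # so a spoofed source cannot ride on an allow rule further down.
    echo "-A FORWARD -j INGRESS"
    echo "$NETS" | while read -r ifc net; do
        # A VLAN may only originate packets from its own prefix.
        echo "-A INGRESS -i $ifc ! -s $net -j DROP"
        # Internal prefixes must never arrive from the ISP side.
        echo "-A INGRESS -i $WAN -s $net -j DROP"
    done
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicit grants; anything not listed hits the DROP policy.
    echo "-A FORWARD -i $LAN -o $WAN -j ACCEPT"
    echo "-A FORWARD -i $LAN -o $DMZ -j ACCEPT"
    echo "-A FORWARD -i $DMZ -o $WAN -j ACCEPT"
    # One published DMZ service (assumed: HTTPS).
    echo "-A FORWARD -i $WAN -o $DMZ -p tcp --dport 443 -j ACCEPT"
    echo "COMMIT"
}

gen_rules
```

Piping the output to `iptables-restore --test` as root parses the ruleset without loading it. There is deliberately no rule from the DMZ interface to the LAN interface, so new connections in that direction fall through to the DROP policy even if the source address is forged.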

The Pi 4 is running (32-bit) Raspberry Pi OS (formerly Raspbian), which functions like more or less any other Debian box for most purposes. My LAN-building weapons of choice here are BusyBox udhcpd for DHCP, BIRD for IPv6 autoconfiguration, and unbound as a local resolver. udhcpd is included in Debian's stock BusyBox and requires very little configuration, and unbound also works pretty much out-of-the-box on Debian. BIRD is perhaps an odd choice for doing just IPv6 router advertisements (especially when simpler alternatives like radvd exist), but I also have the router plumbed into AS207480 with some WireGuard tunnels, so the ability to do more sophisticated dynamic routing is occasionally useful.


I'm quite pleased with the way I've managed to build out the network here, as I've not really built anything quite of this nature beforehand — in particular, it's been a good opportunity to learn about VLANs in practice, as I've never been in an environment where they've been necessary before. The network no longer exists in quite this form, but it's otherwise quite similar.